Computerworld

Smartphones and tablets create huge corporate security challenge

Adapting security and management practices to the new generation of mobile devices, from the Apple iPhone and iPad to Google Android handsets, is turning out to be a huge corporate challenge.


"We're struggling to get our arms around it," says Tim Mathias, senior director of IT security at Thomson Reuters, whose 55,000 employees worldwide provide news, business information and technology for the financial, media and healthcare industries. He adds: "It's a struggle with a technology created for individuals that's ended up being an important tool for the workplace."

The RIM BlackBerry, designed for the corporate world, has traditionally been the smartphone that Thomson Reuters gave its employees. But early last year, many employees were asking whether they could use their own devices, primarily iPhones and Android handsets, for work.

Mathias says management decided to say yes.

"We thought it might improve the ability to recruit talent, or lower costs, or help from a morale perspective," Mathias says. One of its corporate divisions launched a pilot to connect iPhones, iPads and Android devices to the corporate e-mail server, with the understanding that any employee using a personal device for work would handle their own support issues rather than go to IT for assistance, though IT staff did set up a knowledge portal to help them along.

To find out what mobile-device management and security systems could be used, another division at Thomson Reuters issued a request for information (RFI) to the industry. That division didn't see what it wanted in last year's responses, though it will likely take a fresh look later this year.

Today, several thousand devices, mainly Apple iPhones and iPads, are syncing with the corporate e-mail system at Thomson Reuters, Mathias says. Even though the company believes it's going in the right direction with smartphones and tablets, Mathias says the reality is that securing them is turning out to be a lot harder than the established practice of centrally managing and securing corporate-owned BlackBerrys.

"Today, we have no corporate-wide policy specific to the mobile device," acknowledges Mathias, adding "we do have a code of conduct and business ethics that apply everywhere."

But as the company evolves its security strategy, Mathias says one of the main risks he sees is the downloading of apps, especially on Google Android, since cybercriminals have been sneaking Trojan-embedded apps into Google's app marketplace.

Malware apps are also a main source of concern at Troy, Mich.-based auto-parts manufacturer Inteva Products, where smartphones are part of the corporate-issued gear.

Inteva has traditionally issued BlackBerrys to employees but is starting a migration to Android devices for a variety of reasons, one being that its ERP workflow application is easier to view and use on Android, says Dennis Hodges, CIO at Inteva. "We wouldn't have looked at Android if we felt we couldn't have security for it."

Inteva uses Virtela's cloud-based service, built on security and management software for both BlackBerry and Android, which lets the Inteva IT department monitor devices and enforce password policy, remotely wipe or lock a device, keep unwanted apps off the smartphones and handle configuration management.

The service costs about $5 per user per month, Hodges says, adding, "It will also tell you about roaming charges, which is a huge piece of cell phone costs." The Virtela service continuously monitors each device against the policy-based security and management controls and can send an alert within 15 minutes if something seems out of place.
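As an added illustration of what policy-based monitoring of this kind looks like in practice (this is example code, not Virtela's, Inteva's or any vendor's), the Python below evaluates constructed device check-in records against an assumed policy and maps each device to a response. Only the control categories named above (passcode policy, storage encryption, unwanted apps, remote lock, and an alert within 15 minutes) come from the text; the thresholds, device records, app identifiers and the lock/remove/alert mapping are assumptions made for the example.

```python
"""Device-compliance check of the kind the Inteva/Virtela passage describes.

Added example, not vendor code. Policy thresholds, device records and
app identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values; the article names the controls, not the thresholds.
POLICY = {
    "min_passcode_length": 6,
    "require_encryption": True,
    "blocked_apps": {"com.example.freegame", "com.example.p2pshare"},
    # The article cites an alert within 15 minutes of something being off.
    "max_checkin_age": timedelta(minutes=15),
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2011, 5, 2, 12, 0, tzinfo=timezone.utc)


@dataclass
class DeviceState:
    """One device's most recent check-in as reported by an MDM agent."""
    device_id: str
    owner: str
    platform: str
    passcode_length: int   # 0 means no passcode is set
    encrypted: bool        # storage encryption enabled
    installed_apps: set
    last_checkin: datetime


def evaluate_device(dev: DeviceState, policy: dict, now: datetime) -> list:
    """Return the policy findings for one device (empty list if compliant)."""
    findings = []
    if dev.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode-too-short")
    if policy["require_encryption"] and not dev.encrypted:
        findings.append("storage-unencrypted")
    for app in sorted(dev.installed_apps & policy["blocked_apps"]):
        findings.append("blocked-app:" + app)
    # A device that has not reported inside the alert window is treated as
    # silent: it may be off, out of coverage, or had its agent removed.
    if now - dev.last_checkin > policy["max_checkin_age"]:
        findings.append("stale-checkin")
    return findings


def choose_action(findings: list) -> str:
    """Pick the most severe response warranted by the findings (assumed mapping).

    A device that cannot protect stored data (weak passcode, no encryption)
    is locked until fixed; a blocked app is pushed for removal; a silent
    device only raises an alert for follow-up.
    """
    if any(f in ("passcode-too-short", "storage-unencrypted") for f in findings):
        return "lock"
    if any(f.startswith("blocked-app:") for f in findings):
        return "remove-app"
    if "stale-checkin" in findings:
        return "alert"
    return "ok"


def evaluate_fleet(fleet: list, policy: dict, now: datetime) -> dict:
    """Map device_id -> {"findings": [...], "action": str} for the whole fleet."""
    report = {}
    for dev in fleet:
        findings = evaluate_device(dev, policy, now)
        report[dev.device_id] = {"findings": findings, "action": choose_action(findings)}
    return report


# Constructed sample inventory (not real devices or people).
FLEET = [
    DeviceState("dev-001", "alice", "android", 8, True,
                {"com.example.erp"}, NOW - timedelta(minutes=3)),
    DeviceState("dev-002", "bob", "android", 4, True,
                {"com.example.erp", "com.example.freegame"}, NOW - timedelta(minutes=5)),
    DeviceState("dev-003", "carol", "blackberry", 8, False,
                {"com.example.erp"}, NOW - timedelta(minutes=40)),
]

if __name__ == "__main__":
    for device_id, result in evaluate_fleet(FLEET, POLICY, NOW).items():
        print(device_id, result["action"], result["findings"])
```

Running the script prints one line per device; in the constructed inventory only dev-001 is compliant, dev-002 is locked for its four-digit passcode and flagged for a blocked app, and dev-003 is locked because storage is unencrypted and it has also gone silent past the 15-minute window.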

High-tech vendor Unisys has embraced the idea of employees using personal smartphones and tablets for business — up to a point.

Under its "Bring Your Own Technology Program," employees using personal devices must sign an acceptable-use policy that includes agreement to surrender the device at the request of Unisys for any investigation.

About 3,000 devices are enrolled in the program. But according to Patricia Titus, chief information security officer at Unisys, there's a line drawn on what employees can access with these personally owned smartphones and tablets.

"It's not the company jewels," says Titus, referring to certain corporate databases, but more like the calendaring function. To reach more sensitive information, employees would use a corporate laptop running Juniper security software that checks that patching and anti-virus are up to date, and they would have to connect over a VPN.

Titus says use of any smartphone or tablet, whether owned by the individual or the corporation, should strive for the highest level of multi-factor security possible. However, that isn't easy today. For one thing, Unisys is testing biometric capabilities for the iPhone, Android and iPad, but "it's not there yet."


Lincoln Cannon, director of sales and marketing technology at medical-device manufacturer Merit Medical Systems, says the company does allow use of personal smartphones at work but the IT team won't support them. For iPhones, though, the company will pay for monthly service.

The biggest focus right now, though, is the iPad, which is being outfitted for sales presentations that engage customers through touch-screen interaction. "It's the cool factor," Cannon says.

Merit Medical Systems does want to adopt a common security and management approach for iPads and iPhones, in order to be able to do full life-cycle management, inventory, monitoring and more. To that end, it's evaluating AirWatch, which is offered as software or software-as-a-service, and MobileIron.

The IT team is looking at the APIs each product offers that could help with app management. "We want the ability to add and remove applications from a central console," says Cannon, noting Merit Medical is building iPad applications that serve as product catalogs, video and brochures.

To provide single sign-on for both employees and business partners to authorized internal corporate resources as well as external cloud-based services such as Google Apps or eLeap online training, Merit Medical uses Symplified's cloud-based security service, which relies on password-based user authentication.

Last month Symplified, through its Mobile Edition service, added support for the iPhone, iPad, Google Android and BlackBerry. Symplified, though, says support for strong one-time password authentication remains a future project, though its service can be used with the Cisco Mobile VPN and Juniper Pulse mobile security software today.

Though the trend is toward allowing employees to use personal smartphones and tablets for work, some companies continue to feel strongly this is a bad idea.

"Our position is you shouldn't be mixing your personal devices with corporate devices for a variety of reasons," says Ken Goldstein, vice president at insurance company Chubb. "There's the potential for business-related information to be compromised."

When a company issues a corporate smartphone or tablet, it should be treated as a "natural extension to their systems. Don't treat mobile devices differently from how you treat internal systems." Goldstein says basic security and management functions include proper password protection, encryption and the ability for the IT team to remotely wipe data.

These are necessary security functions, if the device is going to store data, says Gartner analyst Eric Maiwald. But in his view, there's "no one definitive answer" to the question of employee-owned devices used for work. "It depends on the risk appetite of the enterprise."
