
Different levels of security policy must be set to protect access to information
IT departments are struggling to constrain the use of
employee-owned mobile devices for work activity. Although the
business can benefit from the increased productivity mobile working
can bring without the commensurate cost, firms are also at risk of
losing control of corporate data and can set themselves up for
later higher transition costs. How can an IT department reap the
business benefits of mobility without losing control?
Devices such as laptops, personal digital assistants, smartphones
and USB storage are rapidly increasing in capability and declining
in price. Mobile devices are more prone to loss and theft, are less
mature and often operate outside the network perimeter, making them
highly vulnerable to attack.
End-users seeking to improve personal productivity and their
work/life balance are bypassing the budget-constrained IT
procurement process and buying such devices themselves. When these
devices are used for corporate activities they open up a Pandora's
box of security and management concerns.
Concurrently, organisations are struggling to manage information
security risks in light of regulation and compliance issues. The
security risk and future integration costs of this informal
approach to mobile working are rising rapidly. Meta Group's research
has indicated that fewer than 10% of organisations have a formal
and comprehensive mobile security policy.
IT departments must develop a security policy appropriate for the
type of device and the information it contains without needlessly
constraining personal productivity. An IT manager should:
- Define an information classification scheme on which to base a
policy
- Craft a security policy that outlines the controls necessary
for different levels of information
- Develop corporate-standard devices and controls
- Educate users about risks and policies
- Create an employee purchase scheme for non-qualified
staff.
Security controls must be appropriate for the level of
information held on the device, rather than being device-specific.
An ideal first step is to classify information into levels of
sensitivity. The types of security controls are then based on the
most sensitive kind of information permitted on the device.
In most organisations, classification is immature. In the absence
of a formal scheme, policy makers will have to best match
appropriate security controls with users or employ other indicators
of business risk.
The next step is to align different controls to different types of
information. For example, secret data may require two-factor
authentication and encryption, but public data can be held without
password protection.
Using information classification, organisations can build a matrix
of controls for each trust level.
Mobile security policies should be consistent across all mobile
devices, including USB storage, PDAs, smartphones, laptops and
kiosks.
IT managers should keep in mind that not all controls will be
technology controls. Restricting access to certain types of data
from mobile devices is an acceptable way to minimise risks.
Device types can introduce a third dimension. Once a matrix of
controls and information types is identified, IT departments must
evaluate the vulnerabilities and the native security controls of
mobile devices. For example, a BlackBerry is considered highly
secure, primarily because of its limited capability and native
security controls. In contrast, a PocketPC has significantly more
capability and thus a greater attack surface and potentially more
vulnerability.
Although a PocketPC may benefit from a personal firewall (such as
from Bluefire) and anti-virus software, a BlackBerry may not.
Typically, users favour convenience over security and often resist
even the most obvious security controls such as passwords. At a
minimum, policy should stipulate strong passwords for such devices.
For secret data, two-factor authentication or third-party password
management tools might be necessary.
Personal firewalls are typically necessary only on a PocketPC with
a higher security requirement (secret and above). There are fewer
than a dozen viruses that attack PDAs such as Pocket PCs and
Palms.
Anti-virus programs would be required only in a high-trust
requirement. Regular back-ups, synchronisation and desktop
anti-virus programs might also mitigate the need for protection in
most environments. Encryption should be mandatory for any device
with private data.
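The control matrix described above, with device type as the third dimension, can be written down and checked mechanically. The following is an added example, not part of the original article or a Meta Group tool; the classification names (public, private, secret), the control names, the device types and the rule that USB storage may not hold secret data are assumptions chosen to match the article's own examples.

```python
# Added example: a control matrix keyed by information classification, with
# device type as a third dimension, plus a gap check for a given device.
# Classification levels, control and device names below are assumptions.

LEVELS = ["public", "private", "secret"]  # ascending sensitivity

# Baseline controls required by classification, regardless of device type.
BASE_CONTROLS = {
    "public": set(),  # may be held without password protection
    "private": {"strong_password", "encryption"},  # encryption is mandatory
    "secret": {"strong_password", "encryption", "two_factor_auth"},
}

# Device-specific additions: only a PocketPC holding secret-or-above data
# needs a personal firewall and anti-virus (assumed device/control names).
DEVICE_CONTROLS = {
    ("pocketpc", "secret"): {"personal_firewall", "anti_virus"},
}

# Non-technology control: some data is simply kept off some device types.
DATA_RESTRICTIONS = {("usb_storage", "secret")}  # assumed restriction


def required_controls(classification, device_type):
    """Controls a device must implement to hold data of this classification.
    Requirements accumulate: a level inherits everything required below it."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification: {classification}")
    needed = set()
    for level in LEVELS[: LEVELS.index(classification) + 1]:
        needed |= BASE_CONTROLS[level]
        needed |= DEVICE_CONTROLS.get((device_type, level), set())
    return needed


def assess_device(device_type, implemented, data_levels):
    """Policy decision for a device that holds data at the given levels.
    Returns ("deny", [level]) when the data may not be on this device type,
    otherwise ("allow" | "remediate", sorted list of missing controls)."""
    highest = max(data_levels, key=LEVELS.index)
    if (device_type, highest) in DATA_RESTRICTIONS:
        return "deny", [highest]
    gaps = sorted(required_controls(highest, device_type) - set(implemented))
    return ("remediate" if gaps else "allow"), gaps


if __name__ == "__main__":
    # Constructed sample: a PocketPC with only a password and encryption
    # that has ended up holding secret data.
    print(assess_device("pocketpc", {"strong_password", "encryption"},
                        ["public", "secret"]))
```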
Often, employees see a security policy as a barrier to productivity
unless they fully understand the risks. Security awareness
campaigns can help employees understand the reasons for a security
policy and enable them to become active partners in security.
Education should focus on the risk the policy is designed to
mitigate and teach staff how to use appropriate controls.
No security controls will be 100% effective against all threats,
especially social-engineering-type attacks, and consequently
training needs to be augmented with regular communication to
outline new threats and vulnerabilities.
IT departments must strive for security simplicity. Consequently,
it is imperative to limit the number of devices they will support
to a manageable figure. At the same time, management is reluctant
to prohibit employee-owned devices because of the low-cost
productivity benefits they bring. IT is also generally reluctant to
upset end-users by enforcing an excessively restrictive policy. How
then can IT managers allow employee-owned devices and yet mitigate
the risks?
It is necessary to provide a carrot as well as a stick to prompt
policy compliance. IT managers must provide some of the tools and
support required to become compliant.
Most IT departments have already deployed corporate-issued devices
for specific positions or job functions. Difficulties can arise
because of a lack of budget to expand such deployments beyond a
core group. Employees left out of this group could go around a
policy and use their own devices.
IT managers should offer devices to non-qualifying employees, but
should require them to cover all or a portion of the cost. The
organisation benefits by maintaining security standards and shifts
the cost of the device and the training to employees, who will
benefit from enhanced productivity and simpler compliance with
security policy.
Peter Firstbrook is programme director at analyst firm Meta
Group