Different levels of security policy must be set to protect access to information
IT departments are struggling to constrain the use of employee-owned mobile devices for work activity. Although the business can benefit from the increased productivity mobile working can bring without the commensurate cost, firms are also at risk of losing control of corporate data and can set themselves up for later higher transition costs. How can an IT department reap the business benefits of mobility without losing control?
Devices such as laptops, personal digital assistants, smartphones and USB storage are rapidly increasing in capability and declining in price. Mobile devices are more prone to loss and theft, are less mature and often operate outside the network perimeter, making them highly vulnerable to attack.
End-users seeking to improve personal productivity and their work/life balance are bypassing the budget-constrained IT procurement process and buying such devices themselves. When these devices are used for corporate activities they open up a Pandora's box of security and management concerns.
Concurrently, organisations are struggling to manage information security risks in light of regulation and compliance issues. The security risk and future integration costs of this informal approach to mobile working is rising rapidly. Meta Group's research has indicated that fewer than 10% of organisations have a formal and comprehensive mobile security policy.
IT departments must develop a security policy appropriate for the type of device and the information it contains without needlessly constraining personal productivity. An IT manager should:
- Define an information classification scheme on which to base a policy
- Craft a security policy that outlines the controls necessary for different levels of information
- Develop corporate-standard devices and controls
- Educate users about risks and policies
- Create an employee purchase scheme for non-qualified staff.
Security controls must be appropriate for the level of information held on the device, rather than being device-specific. An ideal first step is to classify information into levels of sensitivity. The types of security controls are then based on the kind of information enabled on the device.
In most organisations, classification is immature. In the absence of a formal scheme, policy makers will have to best match appropriate security controls with users or employ other indicators of business risk.
The next step is to align different controls to different types of information. For example, secret data may require two-factor authentication and encryption, but public data can be held without password protection.
Using information classification, organisations can build a matrix of controls for each trust level.
Mobile security policies should be consistent across all mobile devices, including USB storage, PDAs, smartphones, laptops and kiosks.
IT managers should keep in mind that not all controls will be technology controls. Restricting access to certain types of data from mobile devices is an acceptable way to minimise risks.
Device types can introduce a third dimension. Once a matrix of controls and information types is identified, IT departments must evaluate the vulnerabilities and the native security controls of mobile devices. For example, a Blackberry is considered highly secure, primarily because of its limited capability and native security controls. In contrast, a PocketPC has significantly more capability and thus a greater attack surface and potentially more vulnerability.
Although a PocketPC may benefit from a personal firewall (such as from Bluefire) and anti-virus software, a Blackberry may not. Typically, users favour convenience over security and often resist even the most obvious security controls such as passwords. At a minimum, policy should stipulate strong passwords for such devices. For secret data, two-factor authentication or third-party password management tools might be necessary.
Personal firewalls are typically necessary only on a PocketPC with a higher security requirement (secret and above). There are fewer than a dozen viruses that attack PDAs such as Pocket PCs and Palms.
Anti-virus programs would be required only in a high-trust requirement. Regular back-ups, synchronisation and desktop anti-virus programs might also mitigate the need for protection in most environments. Encryption should be mandatory for any device with private data.
Often, employees see a security policy as a barrier to productivity unless they fully under- stand the risks. Security awareness campaigns can help employees understand the reasons for a security policy and enable them to become active partners in security. Education should focus on the risk the policy is designed to mitigate and teach staff how to use appropriate controls.
No security controls will be 100% effective against all threats, especially social-engineering-type attacks, and consequently training needs to be augmented with regular communication to outline new threats and vulnerabilities.
IT departments must strive for security simplicity. Consequently, it is imperative to limit the number of devices they will support to a manageable figure. At the same time, management is reluctant to prohibit employee-owned devices because of the low-cost productivity benefits they bring. IT is also generally reluctant to upset end-users by enforcing an excessive restrictive policy. How then can IT managers allow employee-owned devices and yet mitigate the risks?
It is necessary to provide a carrot as well as a stick to prompt policy compliance. IT managers must provide some of the tools and support required to become compliant.
Most IT departments have already deployed corporate-issued devices for specific positions or job functions. Difficulties can arise because of a lack of budget to expand such deployments beyond a core group. Employees left out of this group could go around a policy and use their own devices.
IT managers should offer devices to non-qualifying employees, but should require them to cover all or a portion of the cost. The organisation benefits by maintaining security standards and shifts the cost of the device and the training to employees, who will benefit from enhanced productivity and simpler compliance with security policy.
Peter Firstbrook is programme director at analyst firm Meta Group
This was first published in March 2005