RSA 2012: IT security experts urge enterprises to ban smartphone BYOD schemes

Enterprises should ban employees from using their own smartphones for work, a panel of IT security practitioners told the RSA Conference 2012

Enterprises should not allow employees to use their own smartphones for work, a panel of IT security practitioners told attendees at the RSA Conference 2012 in San Francisco.

At present, the only way to ensure sensitive corporate data is not lost is to provide employees with devices owned and controlled by the enterprise.

"Rather pay for the devices," said Alex Stamos, founding partner, iSEC Partners. Many companies look to BYOD (bring your own device) to cut costs, but the cost of providing smartphones employees want to use is nothing compared with the risk of losing sensitive company data, he said.

"If employees still want to play Angry Birds, let them get their own devices for doing that and anything else they want to do that is not work-related," said Jeff Moss, founder and director of Black Hat.

A company that allows employees to go out and buy any smartphone and then put enterprise e-mail on that device – which will probably never be patched – is courting disaster, Moss said.

Mike Mosher, director of security strategy and architecture at T-Mobile US, said one of the biggest causes of risk is the fragmentation around mobile operating systems: "There is no consistency, which means there can be no consistency of support for BYOD."

But one of the biggest problems is that lots of smartphone decisions are not made rationally, said Stamos: "It is often about individuals with forceful personalities who push back against IT, and it usually starts with top executives in an organisation."

Mobile device management (MDM) will undoubtedly evolve to the same level as its equivalents in the PC world, but it is not there yet, said Mike Convertino, director of network security at Microsoft.

Right now, businesses should stick with BlackBerry if they can, because the devices still provide the best protection, said Stamos. "After that, go for Apple's iPhone and only Android on Nexus devices, because at least they get patched," he said.

BlackBerry is still the best from a security point of view, but the devices are not that attractive to enterprise users anymore, said Moss. Several members of the panel noted that BlackBerry maker Research In Motion had failed to keep up with innovation.

The iPhone is probably the next best option, but Apple is not very enterprise-friendly and its security is not yet where it should be, said Moss.

The panel agreed that data protection was the biggest issue with smartphones in the enterprise. Malware is still a relatively minor threat, they said. Malware is over-hyped, with the attention of cyber criminals still mainly focused on making money by tricking devices into linking to premium-rate services.

Enterprises should be concerned about protecting data, particularly when smartphones are lost or stolen, the panel said.

"We have not yet seen a seminal event: the emergence of highly destructive mobile malware," said Mosher, "yet it is only a matter of time before we do." Direct attacks are definitely something to look out for, particularly as more devices get their own IP address, he added.

For now, the panel said businesses should go with the most secure mobile operating system they can; ensure they are in control of all the devices used for business; and make all access to corporate systems go through a virtual private network (VPN).

Stamos said that, without using a VPN and ensuring that smartphones cannot bridge to Wi-Fi, organisations using Exchange ActiveSync will be in trouble. This is because it is becoming increasingly easy and cheap to intercept GSM communications. The certificate authority (CA) system is a mess, he added.

Eavesdropping is one of the biggest threats, said Moss. "I know of a group that is able to monitor half the mobile traffic in Berlin with $10,000 worth of equipment and a big antenna," he said. "Without a VPN, you can't text, talk or e-mail securely."

Using security containers is another option open to businesses that will take care of the ActiveSync problem, said Stamos. But this approach would not work in the case of a targeted attack, he added.

However, Mosher said containerisation and virtualisation are likely to become more common as businesses seek to separate multiple operating systems and functions.

Although the Windows Phone mobile operating system is not currently aimed at the enterprise market, some Microsoft employees use the software on business phones to provide feedback to development teams.

This is managed from a security point of view by not allowing data with a high business impact to be accessed using smartphones, said Microsoft's Mike Convertino. "It is plain due diligence to limit the kind of data that can be delivered to these devices through using effective access controls," he said.

Microsoft uses a tiered sensitivity system and, above a certain threshold, data is automatically blocked. Where businesses throw open their networks, they do so largely with a lack of due diligence, Convertino said.

"If businesses do not get their act together in terms of access protection, then accessing corporate data using any mobile device is foolish," said Convertino.
