When it comes to popular smartphones and tablets, security can be a many-layered and necessary endeavor
The growing use of advanced mobile devices, coupled with the increase in wireless broadband speed, is fueling demand by employees to bring their own devices to the job. This situation has opened a new set of security challenges for information technology staff, especially when it comes to the use of apps.
As the popularity and capability of mobile devices expands, standards are necessary to ensure that personal devices can function securely on enterprise networks. To address this need, the Cloud Security Alliance (CSA) organized its Mobile Working Group last year. The group recently released guidance to members on how enterprise administrators can successfully integrate smartphones and tablets into their work environment. The CSA is a not-for-profit organization of industry representatives focused on information assurance in the cloud computing industry.
“Security Guidance for Critical Areas of Mobile Computing, Version 1.0” covers four topics key to mobile computing, according to David Lingenfelter, information security officer with Fiberlink Communications and one of the co-chairs of the CSA Mobile Working Group. “One area that we cover is bring your own device, or BYOD,” he explains, adding that this section delineates what companies need to think about carefully, both legally and technically, when it comes to the trend of employees using their personal mobile devices to access work-related data on enterprise networks. Another section of the report covers authentication, which includes how a mobile device verifies its identity to a secure network and how the device accesses data and applications securely. A third section of the report addresses mobile device apps, the slimmed-down software that allows a mobile device to access news and weather information and commerce sites as well as work-related data. “This section addresses app development, app distribution, app control and app usage on the devices,” Lingenfelter explains. Finally, the report addresses the question of mobile device management and how administrators tie together guidance offered in the first three parts of the report.
The guidance document defines the key characteristics of mobile computing as portability, which is the ability for the device and its user to move easily to different locations while remaining functional; connectivity, which is the ability for device and user to remain connected to the Internet; interactivity, which is the ability for user and device to easily receive or transmit data; and finally, individuality, which is defined as mobile devices allowing users to establish their own unique manner of using the capabilities of the device.
“What really represents the common challenge of this new platform is that it is driven by the consumer electronics industry,” notes Cesare Garlati, vice president of mobile security at Trend Micro, and Lingenfelter’s co-chair of the CSA Mobile Working Group. Because the makers of these devices are focused primarily on consumer needs, he explains, some may not be as focused on data security as other manufacturers. Another challenge, he says, is an extension of the BYOD, and the fact that mobile devices generally run on what he calls nontraditional operating systems, such as Apple’s iOS, and Google’s Android. “The common factor is that they are brought in by end users, and corporate IT is not able to control them,” Garlati says.
The security guidance builds on the reality of mobile devices being first and foremost consumer devices. “Some of our recommendations focus on awareness and having policies in place for BYOD so that information technology understands what its responsibilities are and the end user understands what their responsibilities are,” Lingenfelter outlines. Along with discussing the convenience and potential for increasing productivity from the use of mobile devices in the workplace, the report also examines a number of shortcomings, such as what happens when the use of a mobile device becomes evidence in a workplace-related legal action, which could include the user surrendering the device as part of an investigation, or when data loss results from poorly written third-party apps.
When it comes to the challenge of authentication, the report suggests that network administrators leverage the benefits of cloud computing technology, something that is especially vital in highly secure government mobile applications. “Using a four-digit PIN (personal identification number) on an iPhone is not going to be adequate, and it certainly doesn’t meet Department of Defense requirements,” says Lingenfelter. Some well-known cloud-based authentication models are identified in the report, he adds, “including using a federated authority, perhaps with links in the cloud, or the full services in the cloud, or possibly even going to a private cloud at the federal level.” The key is insuring a continuous chain of authentication from the user, through his or her device, through the device’s apps and finally, through authentication to an enterprise network.
One mobile device phenomenon is the app store. First popularized by Apple when it introduced the iPhone, the Apple App Store allows users to download relatively small software apps designed to perform a limited number of useful functions with its mobile devices. The concept has since been successfully copied by Google for users of its Android-based smartphones and tablets.
In the federal government, the Defense Information Systems Agency (DISA) is setting up private app stores behind secure military firewalls so that users with approved mobile devices can download apps designed to access classified databases securely. In effect, observes Lingenfelter, private app stores are part of the effort by IT managers and their staff to manage the use of mobile devices in the workplace. With private app stores, IT departments regain the ability to manage the apps used internally on devices. Users know where to obtain the apps and they all have the same version. The apps fit with the back end, giving IT the ability to pull the information back into the organization, he says. While private app stores give agencies more control, apps from public sources remain a major concern.
The apps and app stores are some of the more mature aspects of mobile computing in terms of how they are written and distributed, Lingenfelter says, but he is quick to point out that more needs to be done with writing and distributing fully secure mobile apps. “If you’re not developing those apps with security focus in mind, or with how the data is handled, or where it is kept, then you still have a lot of work to do,” he observes.
Garlati calls apps “the number one concern in mobile computing. This is supported by all the data we gather and read on a daily basis with regard to all security issues and threats from malware on both platforms [Apple and Android].” App security is more of a concern for Android devices because the operating system has been and remains open source architecture software, which is the result of development by countless programmers contributing the results of their work in a common application. This situation results in little, if any, quality control from a security standpoint, he maintains. Garlati says that every day his company, which specializes in enterprise-level cybersecurity software, finds “thousands and thousands” of examples of new malware on the Google Play website. Google Play is the app store for devices running Google’s Android operating system.
In a BYOD world, argues Garlati, it doesn’t matter if a corporation, small business or a federal agency runs their own private app store behind the enterprise firewall. With employees bringing their own devices, which use a mixture of apps downloaded from both the secure apps store and the wide-open consumer apps store, it is next to impossible to protect networks and enterprise data reliably from attack via end user mobile device use. By comparison, Garlati credits Apple’s iOS operating system with creating a more secure, closed apps store model, in which the company gives more security scrutiny to apps sold in that store. That scrutiny, however, has resulted in criticism by app developers and buyers alike who say Apple imposes costly and unnecessary delays. In addition, Garlati says those delays result in users of both the Apple iPhone and iPad of illegally modifying their devices to run non-Apple-approved apps. This creates what he calls, “a big hole in the security scheme of things” when it comes to users putting their own mobile devices on enterprise networks. “Five to 10 percent of Apple’s installed base of devices are exposed to this security issue,” Garlati estimates.
Industry is moving rapidly to adapt to changes in technology and consumer demand, Lingenfelter acknowledges, and CSA and its mobile computing guidance must adapt as well. The CSA security guidance is a living document, Lingenfelter says, and he expects his working group to update and revise it in the future to address changes in the mobile computing device industry. Most of the major players are adapting rapidly to such trends as application management and HTML5, he suggests.