As BYOD becomes popular and the use of mobile devices to access corporate systems rises, CIOs need to take stock of this situation and act decisively. By Jasmine Desai
To date, the threats faced by users of smartphones and tablets have largely been disregarded by IT departments. However, with Indian enterprises starting to deploy enterprise mobility solutions, it may well be time to buckle down and start taking mobile security seriously. According to a Forrester report by Chenxi Wang, Ph.D, “Enterprise mobility is now entrenched in many organizations. Not only is Mobile Device Management (MDM) one of the fastest growing markets, but mobile security has also become a hot technology topic. In fact, it has been the top priority for security and risk executives for the past twelve months.”
Smartphones allow workers a great deal of flexibility in managing their schedules and confer the ability to work from home. With the popularity of mobile devices in the 21st century workplace and the BYOD phenomenon starting to catch on, organizations stand to reap the benefits of having near-instant responses even outside of work hours.
According to Surendra Singh, Regional Director – India & SAARC, Websense, Inc. “With all of these benefits, at the same time it opens the door to the possibility of an unprecedented loss of sensitive data. Unfortunately, most organizations prioritize other security issues over mobile threats.”
Crafting the right mobile security strategy
Mobile security, from the vendor perspective, is still a nascent market. According to Ashish Raina, Principal Research Analyst, Gartner, “From the vendor perspective, this is a fairly new market. They play under enterprise rights management and enterprise DRM. It is a vibrant field wherein there are some things that we know of and a whole lot of things that we do not know of.” Presently, the focus of vendors is on protecting the source of information.
BYOD is still gaining ground in India but enterprises providing mobile devices face a daunting question with respect to controlling data loss and theft. Ramasubramaniyan Srinivasan, Principal Solutions Consultant, Mobile Technology Solutions, MindTree, commented, “Given the kind of productivity improvements that mobile applications can deliver to enterprises, especially in sales and supply chain management, we have seen Indian companies provide their employees with Android tablets or BlackBerry devices.” For example, one of MindTree’s large FMCG customers wanted to roll out an Android tablet-based integrated communication and collaboration solution for its sales managers. To ensure data security, it implemented a custom method to authenticate the device, encrypt transfer and storage of data as well as the ability to remote lock and wipe data from lost or out of control devices. This ensured that data was secured and fears about loss of devices was minimized. Although, mobile security is a pressing concern among Indian firms that employ mobile applications and devices, most enterprises in the country continue to have a controlled environment as compared to the complex BYOD scenarios that are unfolding in developed economies.
As per a global study on Mobility Risks conducted by Ponemon Institute and Websense, Inc., 53% of respondents from India were of the view that their organizations had experienced a data breach due to insecure mobile devices while 9% were unsure. The study also asked respondents to indicate the consequences of mobile data breaches. 35% said that it was theft, removal, or loss of information and/or other resources while 20% said that it was disclosure of private or confidential information. 17% indicated an interruption of services. As per the study, 68% of respondents said that their organizations did not have a policy that addressed the acceptable or unacceptable use of mobile devices by employees or that they were unsure.
Having put the strategy into action, Ashwani Tikoo, CIO, CSC India, mentioned that, at this point in time, they only permitted employees’ personally owned devices—smartphones and tablets. Once an employee’s request had been approved and he or she had obtained a smartphone device and service plan, they were kept up to date with helpful tips, security features, FAQs etc.
According to B Raghavendra Rao, Vice President – IT, SAP Labs India, “An organization must ensure that its policies are tailored to employees’ specific devices such as the Blackberry, iPhone, iPad, etc. and have a strong access policy to monitor devices at the connection point.” At SAP, internal enterprise mobility is considered significant. It has adopted and deployed a large number of iPad tablets.
Banning smartphones and mobile devices at the workplace is not the answer. Organizations should instead take measures to protect the data stored on such devices so that, even in case of a data breach, data loss is minimized. For any organization, it is important that it has the right security in place.
Srinivasan of MindTree added, “This threat has to be looked into seriously and efforts should be made to implement a cohesive strategy to handle mobile devices within the enterprise, which includes implementing appropriate security products as well as implementing policies and educating mobile device users.”
Enterprises today can follow two methods. It can define an endpoint security model based on the various security services running on the mobile device and its adherence to the BYOD policies defined by the information security team of the enterprise’s IT division. If the device conforms to these policies, significant data access is provided. Else, data access levels are throttled to ensure data security rather than placing restrictions on the employees’ personal use. The second method, which is being pushed by companies such as VMware, is the virtualization of the device. Here, the virtualization platform provides a controlled sandbox for enterprise data and applications to reside upon and a sterilized method to provide access to data and resources.
According to Ajaykumar Biyani, Senior Consultant, Verizon, “Enterprises should have built the mobile security strategy yesterday but, as we all know, we are playing a game of catch up with technology. To start with, companies should consider a five year road map and take all security decisions keeping the mobile infrastructure in mind.”
The Indian scenario differs significantly from the global norm. There is a lot of data that is accessed through mobile devices and a lot that’s generated. IT needs to have multiple policies in place. It needs to protect information right at the source and protect it when it moves among multiple layers (top management, middle management etc).
Understanding the risks involved is crucial in working towards framing a policy that is not only welcomed by employees but also actively accepted. Rao from SAP Labs India said, “While building the right security policy for mobile devices, organizations must remember that focusing too much on risk mitigation can prove expensive and it can severely restrict the user experience. The key is to identify key stakeholders within the company such as legal, HR, finance, IT and corporate communications.”
Watch out
Smartphones have become ubiquitous these days and are used for a variety of tasks. Cyber criminals have also realized the importance of mobile phones for committing cyber crimes and perpetrating financial fraud. Biyani of Verizon said, “The ever evolving mobile malware is increasing the woes of mobile users worldwide. Recently, 50 applications within Google’s official Android Market were found to be contaminated with DroidDream malware.”
The malware stole sensitive information including a phone’s IMEI number and the SIM card’s IMSI number. It then sent this information to a command-and-control server. Similarly, other spyware and bugs are also infecting mobile phones worldwide. Mobile security threats in India are still pretty rare, but the potential is clearly there when it comes to smartphones.
It is time for us to work upon mobile cyber security aspects. Policy decisions in this regard must be taken urgently and implemented as soon as possible.
Rakesh Aerath, Director – Professional Services, Logica India, said, “Using a VPN while employing mobile devices to connect to enterprise data and sandboxing enterprise applications are some measures that can be taken. Eventually, a phone will be compartmentalized into two areas—one for personal applications and the other for business applications.”
Bipin Kumar Amin, Principle Consultant, Borderless Networks – Security, Cisco, said, “Disallowing data storage on the device while providing a Cloud-based storage facility so that IT can control and secure data while users have access through their devices from anywhere at anytime is one way out.”
Kevin LeBlanc, Sr. Director of Product Marketing, McAfee, commented, “Encryption and authentication are key components of securing mobile devices, data and mobile apps, which is why we have incorporated these features into our solution.”
The verdict
With the decentralization of IT becoming commonplace, both the top management and other employees are discovering the benefits of mobility and bringing personal devices to work. As this trend becomes pervasive, cybercriminals will shift their focus to mobile devices and smartphones in order to lure unsuspecting users through sophisticated and multi-layered attacks. When it comes to mobile security policies, Raina of Gartner said, “These policies are almost like religion. You can follow it or not, nobody can be forced. It has to be a mix of human intervention and automation. There has to be a hybrid approach.”
According to Anand Naik, Managing Director, Sales – India & SAARC, Symantec, “As enterprises are forced to embrace different platforms they are realizing that there need not be a security trade-off since the most critical asset, information, is safe provided that security is approached holistically.”
Malware targeting mobile devices will continue to proliferate and enterprises will wrestle with how to protect users. The obvious targets will be smartphones and tablets, with the hardest hit likely to be Android-based devices, given that operating system’s large market share. Having said that, all mobile platforms will experience an increase in mobile attacks. To assure user protection, organizations will want to have their application source code reviewed by third parties. Similarly, organizations will want to ensure that the applications approved for use on workers’ devices meet a certain standard. It is anticipated that the industry will develop a scoring system that helps ensure that users only download appropriate, corporate-sanctioned applications to business devices.
