Mobile workers test security limits

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 15 Mar 2011

The era of mobility completely dismantles the traditional concept of security, and enterprises need to adapt both their security approach and their wireless technology, according to experts from Aruba Networks, Kaspersky Lab and SensePost.

“Apple's iPad is more than just the latest consumer gadget; it is truly disruptive and should be seriously examined by every enterprise,” states a recent Gartner CEO advisory.

With predicted iPad 2 sales of between 500 000 and 600 000 over the weekend in the US alone, the future of the media tablet looks strong.

While employees have traditionally accessed the network via corporate-issue PCs and laptops, there is a growing “bring your own device” (BYOD) mindset that enterprises are being forced to accommodate.

Director of global research and analysis at Kaspersky, Costin Raiu, says that usage of personal devices in an enterprise environment raises a number of problems. Apart from the security threats posed by infected personal gadgets accessing the enterprise network, leakage of enterprise data is also a growing concern.

New threats

“Some users store company confidential documents or e-mails on their personal devices, which can get hacked or lost. Some of these devices run older, insecure versions of operating systems, or have certain known vulnerabilities, which the hackers can use as a point of entrance in the corporate environment,” says Raiu.

According to security and privacy researcher at SensePost, Dominic White, these devices bring a significant set of capabilities that open new ways for a company's networks or data to be compromised.

“For example, the iPhone 4.3 update now allows your iPhone to act as a wireless access point, providing Internet access to those around it. Gone are the days of hunting for unauthorised modems and wireless access points when every user starts carrying one.”

Speaking at a recent seminar on the iPad in the enterprise, Aruba Networks VP for EMEA Duncan Fisken noted: “What we're seeing in the marketplace today with the proliferation of iPads and mobile devices, is what some would call a tornado, some would call a tsunami; we would call it a perfect storm.”

Fisken says he has been surprised by the growth of the local tablet and smartphone market in Africa. “We are seeing the same groundswell of momentum building here that has already been seen abroad.” As such, local enterprises need to rethink their network security, he points out.

Shifting mindsets

“The first part of the puzzle is figuring out how do you provide an environment that is friendly to the BYOD culture, but that doesn't compromise enterprise security and doesn't break the bank,” notes Fisken.

Raiu argues that there are two areas where changes can improve security and reduce the chance of loss. “These include the storage of private data on personal devices and network access from personal devices.

“In general, users should avoid as much as possible the storage of company confidential documents on their personal devices. Personal devices should not be connected to the enterprise network or, if they need to be connected, they should be connected to a private network that allows only Internet access. This way, even if the device has been compromised, the attacker doesn't get access to the corporate network - only to an Internet-enabled private network.”

For White, it is a mindset shift that is required: “The significant mindset shift required by IT and corporate security professionals, not just due to mobile devices, is that we can't assume the bad guys are 'outside', and if we put enough walls around 'inside' we'll be safe. We need to assume that every user's machine and device is already compromised and design our controls accordingly.”

Device 'fingerprinting'

Connecting personal devices to enterprise networks may, however, be viable in some instances. Fisken explains that Aruba Networks has developed an extension to its role-based access control system by introducing device-access control with “device fingerprinting”.

“Many wireless-LAN networks will unwittingly allow other devices to access the network. The network has no way of distinguishing one device from the other - other than knowing that it is me who is accessing the network, it has no control over what it is that I'm doing.

“To deal with this, we have extended our role-based access control to device-based access control.” Fisken explains that someone accessing the corporate network via their iPad will not have the same access to corporate resources as they would when using their corporate-issue laptop.

“Device fingerprinting means we are able to manage the device in terms of what it is allowed to do and how it accesses the network. Wireless has decoupled security from the port. It should no longer be about where you are, but about who you are and how you are connecting to the network.”
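The two ideas above, Raiu's Internet-only segment for personal devices and Fisken's combination of user role with device class, as an added illustration that is not Aruba's or Kaspersky's code. The DHCP option-55 fingerprint table, the managed-asset MAC list and the 10.0.0.0/8 corporate range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed DHCP option-55 parameter request lists mapped to an OS family.
# Real deployments use vendor fingerprint databases; these are samples only.
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "ios",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "android",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "windows",
}
# Constructed asset inventory: MAC addresses of corporate-issue laptops.
MANAGED_MACS = {"00:11:22:33:44:55"}
CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address space


@dataclass(frozen=True)
class Role:
    name: str
    corporate_access: bool


def fingerprint(param_request_list):
    """Coarse device classification. DHCP fingerprints and MACs can be
    spoofed, so this sorts devices into segments; it does not authenticate."""
    return FINGERPRINTS.get(tuple(param_request_list), "unknown")


def assign_role(user, mac, param_request_list):
    """Decide by who is connecting AND what they are connecting from."""
    os_family = fingerprint(param_request_list)
    if user == "guest":
        return Role("guest-internet-only", False)
    if mac.lower() in MANAGED_MACS and os_family == "windows":
        return Role("employee-corporate-laptop", True)
    if os_family in ("ios", "android"):
        # Same employee, personal tablet or phone: Internet-only segment.
        return Role("employee-byod-internet-only", False)
    return Role("quarantine", False)  # unrecognised device class


def allowed(role, dst_ip):
    """Enforce the segment: only corporate roles may reach CORP_NET."""
    if ip_address(dst_ip) in CORP_NET:
        return role.corporate_access
    return True  # Internet destinations are allowed for every role
```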

Device-detecting capabilities can also have other benefits for the enterprise, according to Fisken.

“For example, almost every smartphone today has camera capabilities, but with mobile device management it becomes possible to automatically switch off the camera function on a non-employee's phone when they are on enterprise premises. It gives you a much greater degree of control over the mobile device world.”

While the buzz is currently surrounding the iPad, Fisken says the device management controls and role-based access systems apply to all mobile devices, including the BlackBerry and Android platforms.

The upside?

According to White, there may be a plus side for security with the proliferation of these devices. “Take the iPhone or BlackBerry as an example. These devices enforce what IT departments have so long tried (and taken flak for), or just avoided: limited administrative rights.”

“The chances of these devices getting viruses, for example, are significantly lower than the enterprise-owned laptops or desktops given to their users. Of course, no device is invulnerable, as previous iPhone and recent BlackBerry exploits have shown.”

White argues that a look at the risks suggests that only devices that meet some minimum standard should be connected to corporate networks, but ensuring this is extremely device-dependent.

“BlackBerry devices and, to a degree, Windows Mobile devices are able to accept policies pushed from a central company location, which accounts for their strength in corporate rollouts; however, iOS and Android are much trickier as the onus falls onto the end-user. For example, even if a policy is deployed onto an iPhone, a quick settings reset is all it takes to remove any corporate policy.”

Security options

Fisken says Aruba Networks (which functions locally through its OEM partner Alcatel-Lucent) has seen considerable interest in its network security systems across a broad spectrum of enterprises and services. Microsoft, American Express, Heathrow's new Terminal 5, as well as a number of universities already use the system.

Raiu says Kaspersky Mobile Security is available for Android and BlackBerry, “which solves the problem of securing most popular portable devices besides the iPad”.

“Currently, Kaspersky Lab doesn't offer a solution for iOS due to the limitations of the iOS operating system. We're, however, very interested in getting Apple to implement the necessary APIs (which are currently missing) and hope to release an iOS product in the future.”

SensePost also offers some services around these security issues. “The first, and what we're best known for, is our assessment services. This is where we take on the role of an attacker and see what vulnerabilities could be leveraged by a real attacker. After demonstrating exploits against them, we help organisations fix them,” explains White.