Mobile device security has taken on a new dimension as the number of smartphone platforms proliferate in the enterprise market. Yet, according to analysts and security firms, many enterprises are just beginning to wake up to the challenges of implementing device security policies, and awareness is still below where it needs to be.
The technical challenges of mobile device security have not necessarily grown more complex, but the scope of the problem has changed. As more enterprise users bring devices beyond Research In Motion's (NASDAQ: RIMM [1]) BlackBerry into the workplace--including Apple's (NASDAQ: AAPL [2]) iPhone and a bevy of devices running on Google's Android platform--enterprises have had to adapt. They must figure out security policies for these devices as well as how to separate the business functions of the device from personal uses.
"I'm not sure if the complexity of the problem has gotten greater," said Mort Rosenthal, the CEO of Enterprise Mobile, a mobility outsourcing company. "The scale has gotten greater."
A question of awareness
[3]More and more smartphones are filtering through the larger handset market. According to research firm IDC [3], in the first quarter smartphones accounted for 18.8 percent of total sales, up from 14.4 percent in the first quarter of 2009. Despite the growing adoption, enterprises have been slow to react so far, analysts said.
"There's not enough awareness out there in terms of the need for security on these devices," said Philippe Winthrop, analyst at Strategy Analytics. Enterprises "are less sensitive to the amount of information and content that is residing on or passing though that device on any given time."
According to a January study released by security firm Symantec, which surveyed 174 North American security professionals from enterprise-class organizations, 38 percent of those surveyed said their company had formal device security policies in place, while 28 percent said that device security was managed on an ad-hoc basis. However, another 33 percent said they were moving toward more formal policies.
Khoi Nguyen, the group product manager for mobile security at Symantec--a company better known for its PC antivirus software--said most companies realize they need to take steps to secure confidential data on smartphones, but haven't yet taken a proactive approach. "Since most of them have not been hit with a major virus outbreak, they have not taken the steps to fully address the risks associated with these devices," he said.
However, John Herrema, the CMO of mobile enterprise security firm Good Technology, countered that mobile device security has always been something on the radar of the enterprise market. "I think that just because you don't hear about it, it doesn't mean it doesn't happen," he said. "The new dimension is how do you extend that to these other devices and platforms, and then how to make that work seamlessly in an increasingly individual-liable model," Herrema added. "Users are using these devices for personal reasons."
Challenges remain
There are numerous issues that need to be worked in the mobile security field, according to industry experts and analysts.
Michael Logan, the president of delivery and operations for Axis Technologies, a data management and security firm, said many enterprises have improved their device management and security controls, so that they can get a better sense of when vulnerable data might be exposed. "Pilot error," or the inadvertent sharing of data, is a top concern.
"The malicious hacker scenario, while it makes for good movie plots, is not as common," he said.
Instead, Logan said it's more likely that someone might mistakenly send out sensitive data from their phone. To counteract that, Axis takes a proactive approach and focuses not on data encryption--which can be circumvented by those willing to do so--but on "data masking." As data is sent out, Axis masks all of the sensitive data elements, such as names and Social Security numbers. "The more devices you have, the more places you put data, the bigger challenge it becomes," Logan said. "If you've got that under control, you're in good shape."
Another key issue is what to do when a smartphone is lost or stolen--and how to turn that phone into an un-useful brick. Rosenthal, of Enterprise Mobile, noted that even if a company decides it is not going to pay for their employees' devices, it is still responsible for the data on them. He said that having the ability to remotely wipe a phone is a core requirement of any enterprise's device management and security policies. However, according to Winthrop from Strategy Analytics, only 50 percent of U.S. organizations have "remote kill pills" in smartphones to shut them down, and less than 50 percent have the ability to remotely wipe the phone's data card.
Andrew Jacquith, an analyst at Forrester, noted that if someone has a device provisioned on RIM's Blackberry Enterprise Server, or an iPhone or Android phone working with Exchange ActiveSync, remote wiping of data is not difficult. What has not emerged yet is an industrywide consensus on the right model for phone deactivation and wipe, he said.
"We don't yet have that level of simplicity today for smartphones," he said. "The carriers are the likeliest ‘owners' of the process, although perhaps the handset vendors, like Apple or Nokia, might be too. But regardless of who owns it, it should be dead simple and an industrywide practice."
One other major challenge is the sheer diversity of smartphone platforms entering the workplace, and how to devise device management and security policies across those platforms. Rosenthal noted that in enterprises, there is usually one single standard--Windows for an operating system, Cisco for networking. "Because of diversity, very few companies are capable of maintaining a single standard anymore," he said. "The rate of change is also a challenge. Every month there's something new that makes one platform or another more attractive. And an enterprise's planning horizon is typically longer than a mobile product life cycle."
Herrema said something like the Good for Enterprise Client can navigate these challenges because it is platform agnostic, and enterprises do not have to rely on the security functions built into respective smartphone platforms. Good's client works with iPhone, Android, Windows Mobile, Symbian and might expand to MeeGo. The client provides access to business apps in a self-contained environment, Herrema said, so a business' IT staff doesn't have to research makes and models of phones.
Balancing work and play
A key factor in mobile security is the growing number of workers bringing personal devices into enterprise settings. The question is how to manage this dynamic. "There's going to have to be a world where consumer devices can exist in the enterprise," said John Hering, CEO of Lookout, a mobile security firm focused mainly on consumers. "And there will have to be reasonable boundaries where an enterprise can maintain its own integrity."
Good's Herrema said the company's technology allows enterprises to provide a "reasonably secure" password policy on phones, but still allows users to access things like Facebook. There are subtle tools enterprises can use--such as disabling cut and paste or preventing the backup of data--that are not Draconian in nature.
Symantec's Nguyen said there are sharp cleavages in the industry. Some enterprises are simply not allowing personal devices to come into their network, while others are more progressive and are allowing the devices. He said there is an emerging need for solutions that can distinguish corporate data and wipe that data in the case of a lost or stolen device, but leave the personal data untouched.
Of course, some vertical markets, such as finance or government, have much stricter security requirements than others, and are less likely to be able to bend their rules. Keith Lampron, an associate director of marketing at Verizon Wireless (NYSE:VZ [4]), said the problem is two-fold. "End users are going to be more productive if they're able to bring to the table the tools that they want to bring," he said. And yet, "there [have to be] some very basic fundamental requirements in order to do that. And it must be met in a 100 percent confident way."
Facing the future
Enterprise Mobile's Rosenthal named a main but complex challenge in mobile security: planning horizons. The rate of innovation and change in the wireless world often outstrips the timing and planning it takes to put in place new security features for that evolving landscape.
"Rolling technology out to a culture is hard," Logan said, referring to enterprises. "I think the good news is they may understand the why, but may not understand the technology."
It's clear that enterprises still face many challenges in device security. "It's an uphill battle for them. It's the right thing to do," Winthrop said. "[The vendors] are correct in saying you need solutions to secure your devices. Half the challenge is to convince the organizations of that."
Links:
[1] http://www.fiercewireless.com/tags/rim
[2] http://www.fiercewireless.com/tags/apple
[3] http://www.fiercewireless.com/story/idc-apple-surges-smartphones-while-nokia-rim-stay-stagnant/2010-05-07
[4] http://www.fiercewireless.com/tags/verizon-wireless