Taming the Wild West of Executives' Mobile Devices
When Brian Cornell, VP of IT for Concord Hospitality Enterprises, attended the recent HITEC conference in Austin, he had a list of several ‘must-dos.’ Among them was finding a solution to secure the multiple mobile device platforms now in use by executives at his company. Cornell was far from alone; many hospitality companies, in fact many enterprises of all stripes, are racing to put policies and solutions in place.
Several factors are driving this need. Employees increasingly want to use personal devices for business, known as BYOD (Bring Your Own Device). In addition, the Blackberry, commonly used by executives and considered secure thanks to Blackberry Enterprise Server, is now being joined by iOS and Android devices without those built-in capabilities. Finally, adding any mobile device into the mix brings increased vulnerability, and many enterprises have inadequate mobile device policies and protections in place. According to the Trustwave SpiderLabs 2011 Global Security Report, over the next few years mobile attacks may surpass those against desktops. “We’ve seen more targeted attacks against executives,” says Nicholas Percoco, SVP with Trustwave. “They find the top 10 people at a large hospitality brand, send an e-mail that looks normal, and deposit malware.”
Vendors are rushing to get mobile security applications into the marketplace. But there’s more to securing devices than deploying an app. Here are five commonly held best practices for securing executives’ mobile devices:
1] Assess. What devices are people using and what do they need to do with them? At Concord, executives typically use mobile devices to access e-mail and calendars as well as reports from its Aptech business intelligence platform. Because executives are accessing snapshots of data rather than manipulating it via mobile devices, “I’m not necessarily concerned about data breaches and intrusion,” says Cornell. “It’s the ability to manage and control policies and enforce them,” extending the control they have over Blackberry devices to other platforms. Fortunately, Cornell found a multi-platform solution at HITEC that fits the bill.
2] Create. You need policies, starting with whether or not you permit personal devices; according to Forrester Research, more than 50% of enterprises now do. Other policy questions: Who can enroll devices? What apps can they download? Can they use public WiFi? What steps should they take when they lose their device?
Particularly when employees bring their own devices, operators need policies on privacy, compliance and liability. It’s not clear yet whether corporate liability is reduced on personal devices, according to enterprise mobile device management and security provider MobileIron (www.mobileiron.com), but illegal material such as pornography could in theory make the company culpable.
During 51-property Noble Investment Group’s benefits open enrollment, “we have them re-sign privacy and acceptable use policies every year,” says Nelson Garrido, VP of IT.
3] Plan. With policies in place, you need mobile-specific security layered on top of enterprise security to protect the devices you want, and keep out those you don’t. This includes elements such as: self-service processes for device enrollment, resetting credentials, etc.; identity/access management, such as use of certificates, password management, access provisioning and multi-factor authentication, available through vendors such as Hitachi ID Systems; a way to make e-mail and calendars available to mobile users; encryption for data on the device, such as e-mail; strategies for controlling mobile access when executives are on premise, such as using network access control solutions to divert the device to the guest WLAN; and assigning responsibility for ongoing plan maintenance.
These are early days for mobile versions of apps for things like antivirus, but this category is expected to grow along with the threat.
4] Manage/Monitor. Many enterprises are combining mobile security steps with mobile device management platforms to attain capabilities such as centralized logging, gaining visibility to mobile traffic, keeping mobile operating systems updated with the latest patches, and even building an enterprise approved applications catalog.
Noble Investment Group uses AirWatch mobile device management to manage and control the corporate content on employees’ iOS and Android devices, relying on Blackberry Enterprise Server for Blackberry devices and on encryption for laptops. “AirWatch allows us to control our own pieces” of content, Garrido says, including Noble’s e-mail on phones, and business intelligence and other Web-enabled apps via iPads in a view-only mode, so nothing is saved to the device. Mobile device security also enables features such as lock/wipe and requiring passwords after timeouts. “It gives us a lot of information about devices.”
5] Enforce. Users need to know what will happen in various scenarios: If you access a forbidden app, you’re asked to remove it; if your device is jailbroken, we will wipe corporate data.
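The enforcement scenarios above (forbidden app, jailbroken device), plus the passcode-timeout and OS-patch controls mentioned earlier in the article, expressed as a small posture-evaluation routine. This is an added illustration, not code from the article or from any MDM vendor named in it; the device records, app identifiers and OS baseline are constructed assumptions.

```python
"""Evaluate constructed MDM inventory records against BYOD enforcement rules."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FORBIDDEN_APPS = {"com.example.filesharing"}        # hypothetical bundle id
MIN_OS = {"ios": (15, 7), "android": (12, 0)}        # assumed patch baseline
MAX_PASSCODE_TIMEOUT_MIN = 5                         # assumed policy value


@dataclass
class Device:
    device_id: str
    platform: str                     # "ios" or "android"
    os_version: Tuple[int, int]
    jailbroken: bool
    passcode_timeout_min: Optional[int]   # None = no passcode lock configured
    apps: Set[str] = field(default_factory=set)


def evaluate(dev: Device) -> List[str]:
    """Return the enforcement actions for one device, most severe first."""
    if dev.jailbroken:
        # A compromised OS defeats every other control, so corporate data is
        # wiped and no further (now meaningless) checks are reported.
        return ["wipe_corporate_data"]
    actions = []
    for app in sorted(dev.apps & FORBIDDEN_APPS):
        actions.append(f"request_removal:{app}")       # user is asked to remove it
    if dev.passcode_timeout_min is None or dev.passcode_timeout_min > MAX_PASSCODE_TIMEOUT_MIN:
        actions.append("require_passcode_timeout")
    if dev.os_version < MIN_OS[dev.platform]:
        actions.append("notify_os_update")
    return actions or ["compliant"]


# Constructed sample fleet standing in for what an MDM platform would report.
FLEET = [
    Device("exec-01", "ios", (16, 2), True, 2, {"com.example.filesharing"}),
    Device("exec-02", "android", (11, 0), False, 2,
           {"com.example.filesharing", "com.example.mail"}),
    Device("exec-03", "ios", (16, 0), False, None, {"com.example.mail"}),
    Device("exec-04", "ios", (16, 0), False, 5, set()),
]


def fleet_report(fleet: List[Device] = FLEET) -> Dict[str, List[str]]:
    """Map each device id to its required actions; feeds the central log."""
    return {d.device_id: evaluate(d) for d in fleet}


if __name__ == "__main__":
    for device_id, actions in fleet_report().items():
        print(device_id, ", ".join(actions))
```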
Another important policy to enforce: ensuring future mobile apps are secure. According to enterprise mobility provider FishNet Security, many organizations are developing mobile apps, but too often they are bypassing standard application development software assurance programs; they should undergo forensic review via testing on devices themselves.
“The way we buy technology today is totally different than five years ago,” says Noble’s Garrido. “You’ve got to evolve as an enterprise and the security needed around letting employees use their own devices. Rightly done, they’ll be more productive.”