Network managers are sweating the small stuff — personal mobile devices like Kindles, iPads and Android products — and with good reason. IT consumerization is introducing new security risks to the enterprise network, prompting managers to re-evaluate their organizations’ existing mobile device security best practices.
71% of enterprises believe that the use of personal mobile devices on their networks is leading to increased security incidents, according to a survey of 750 IT and security professionals. Sponsored by Check Point Software Technologies, the survey also revealed that 78% of respondents have seen the number of personal devices connecting to their networks more than double in two years.
Network managers used to just block unwanted devices from accessing the network, but enterprises have begun embracing bring your own device (BYOD) policies, forcing a major shift in the way managers think about consumerization. Instead of first thinking, “Block access,” they are now thinking, “Enable access safely.”
It’s a new mindset for considering a fairly new problem: How do we create and manage a new set of enterprise mobile device security best practices?
Mobile device security best practices: Ask yourself the right questions
In a BYOD environment, mobile device security best practices come with their own set of checklists and procurement plans, particularly as the number and types of mobile devices with access to corporate networks continues to expand. Networking professionals will need to answer three key questions in order to evaluate BYOD security in their own networks, according to Jon Oltsik, senior principal analyst with Enterprise Strategy Group:
- How are these mobile devices used, from a business and personal perspective?
- What limitations do we need to impose on usage through policies and enforcement?
- How can we monitor the network to ensure that these policies are being enforced?
Mobile device security best practices: Assess use
In a BYOD environment, understanding how workers are using their personal devices to conduct business minimizes risk. After all, an employee can unleash malicious code while checking email from an unpatched iPad or compromise a company’s private data by leaving a phone in the wrong place at the wrong time. As a result, risk grows incrementally with each new device granted access to the network.
According to the Check Point survey, many users are accessing corporate email and storing credentials for internal databases and business applications on their smartphones and iPads. Of the IT pros surveyed, 79% report that users access and store email on personal devices, 47% report that users store customer data on devices, and 38% report that users store their login credentials for internal databases or business applications on these devices.
User awareness is a key element of mobile device security best practices. The Check Point survey revealed that 71% of IT pros believe careless employees pose a greater security risk than hackers, while 62% of them said that a lack of employee awareness about mobile device security best practices is a factor in security incidents.
Mobile device security best practices: Creating and enforcing policies
Placing security policies at the gateway of a network represent the “the harder part” of mobile device security policy-setting, according to Oltsik. Network managers must decide who should have access with their personal devices and what type of access they need.
Access policy is important, according to Greg Young, a research vice president and network security analyst at Gartner Group. BYOD security is critical at the device’s connection point, he explained.
“If an enterprise doesn’t own the device with which a user is connecting, monitoring that device for threats is a challenge,” he said. That’s because neither users nor devices are visible to administrators until after they are connected to a network, according to Young.
Scott Emo, head of endpoint product marketing at Check Point, said a top corporate mobile security policy requires employee security awareness training. Companies need to teach employees how to safely store data, Emo said.
A second policy, though unpopular with privacy advocates, would require auditing individuals over time, Emo said. Many network managers are most worried about losing corporate data because a phone or tablet is lost, stolen or destroyed. Making sure employees are aware of their data security responsibilities is by itself a good policy, according to Emo.
Security awareness training “can’t be a one-time shot. You can’t read a memo and you’re done,” Emo said. To be effective, training should occur regularly and should include a module on corporate policy, he added.
Oltsik, of Enterprise Strategy Group, offered several other mobile device security best practices for protecting stored data. He said network managers should:
- Ensure policies are tailored to employees’ specific devices, roles and locations;
- Use devices that are instrumented with digital certificates for authentication; and
- Apply granular network and device policies, based on access rights.
Mobile device security best practices: Monitoring mobile device activity
Oltsik recommended that in addition to installing digital certificates on devices using a device-based authentication tool (perhaps through RADIUS and 802.1X), managers should also inspect network traffic, checking each MAC address to verify if it relates to a PC or a mobile device. “Once you’ve done this, you can enforce network access policies accordingly,” Oltsik said.
Next-generation firewalls can also help with monitoring BYOD security. These devices, which feature application-layer visibility, can enforce usage polices while also giving network managers insight into network activity.
“You can block certain aspects of Facebook — [like] gaming or video uploads — and you can also prevent sensitive data from leaking out through Web channels like Facebook or Dropbox,” Oltsik said.
In a BYOD environment, network managers worry about the users and devices that are not visible to them, according to Gartner’s Young, and while the industry as whole is adapting to BYOD, “we don’t know everything”. “We have to look for vulnerabilities, we have to patch them and we have to find ways to keep up with the bad guys,” he said.