Next

reports
Rep or ts.Informat ionWeek.com

Striking a Security/
Usability Balance
At CES we saw dozens of new tablets and smartphones with
unprecedented capabilities. Employees want to make full use of
their shiny new devices, while IT teams want to maintain security
and control. The principles of secure user access provide a
strategy for CIOs to maintain equilibrium.
By Nadeem Ahmad

Report ID: S4140112

January 2012

Previous

Next

CONTENTS

reports

3
4
5
5
6
7
8
8
9
9
10
10
11

TABLE OF

reports.informationweek.com

12
13
14

Authors Bio
Executive Summary
Challenges IT Faces
Figure 1: Mobile Technology Impact on
Productivity: 2010 vs. 2011
Figure 2: Standardized on a Mobile Device
Platform?
Addressing the Challenges
Build the Security Infrastructure
Figure 3: Increase in Employee-Owned
Mobile Devices?
Adaptive Security
Figure 4: Mobile Device and Data Polices?
Levels of Capability
Figure 5: Importance of Employee Access to
Mobile Technologies
Figure 6: Ability to Selectively Wipe Business
Data From Personal Devices
Examples
A Flexible, Integrated Strategy
Related Reports

Striking a Security/Usability Balance

ABOUT US
InformationWeek Reports analysts arm
business technology decision-makers
with real-world perspective based on
qualitative and quantitative research,
business and technology assessment
and planning tools, and adoption best
practices gleaned from experience. To
contact us, write to managing director
Art Wittmann at awittmann@techweb.com,
content director Lorna Garey at
lgarey@techweb.com, editor-at-large
Andrew Conry-Murray at
acmurray@techweb.com, and research
managing editor Heather Vallis at
hvallis@techweb.com. Find all of our
reports at reports.informationweek.com.

January 2012 2

Previous

Next

Table of Contents

reports

Nadeem Ahmad
Dimension Data

reports.informationweek.com

Striking a Security/Usability Balance

Nadeem Ahmad is global technology director for Dimension Data, a specialist

IT services and solutions provider that helps clients plan, build, support and
manage their IT infrastructures. As part of the global CTO office, Nadeem works
with the business in determining global technology direction and client solution strategy. Within the network integration line of business, Nadeem is responsible for driving the solution development and go-to-market strategy
around wireless and mobility for the company worldwide.
Nadeem studied engineering and computer science at university and has
been in the technology industry for more than 16 years. His experience includes
technical delivery, leading multidisciplinary teams on large system integration
engagements, building and leading technology solution delivery organizations
in Europe, and fostering partnerships and strategic alliances globally in conjunction with solution strategy development and delivery for clients.

2012 InformationWeek, Reproduction Prohibited

January 2012 3

Previous

Next

Table of Contents

SUMMARY

reports

EXECUTIVE

reports.informationweek.com

Striking a Security/Usability Balance

Employees expect IT to support their personal devicesas well they should, because
theres great value in such tools when performing business functions. But the main challenge facing companies that are enabling the use of these devices in business operations
is the security risk of having a variety of mobile platforms accessing enterprise networks:
How do you ensure that sensitive data isnt compromised and that vulnerabilities
brought about by personal devices are mitigated?
Clearly, the answer is not to keep personal devices from accessing corporate resources.
IT can no longer credibly stand in the way of the adoption of mobile technologiesthe
business drivers are too strong. But neither can you fail to enforce policies and slack on
governance. That will lead to an increased number of security exposures. The odds are
that one will be catastrophic to the business.
An additional consideration is the theft or loss of a personal device containing corporate data. Security mechanisms such as remote wipe, PIN-based entry and centralized
management can satisfy many basic security requirements.
For a successful mobile implementation, CIOs must ensure that everyones interests are
represented. That means balancing security requirements with the users device experience. Core areas of a successful and mature mobile information security program include
governance, risk and compliance; mobile policies; and the security infrastructure.
In this report well discuss best practices to securely integrate mobile devices into the
enterprise. Well also cover some security considerations around adaptive security, a critical element of an enterprise mobility framework, in the context of an area called secure
user access, which refers to providing users with access to the network and its resources
without compromising corporate data. Well review the levels of capability in this discipline and discuss in more depth what elements, at each level, you should investigate in
terms of policy, technology and people.
January 2012 4

Previous

Next

Table of Contents

reports

Striking a Security/Usability Balance

Challenges IT Faces
Most of the organizations we work with are
struggling with the onslaught of personal
mobile devices finding their way into the
workplace. In our August InformationWeek
2011 Mobile Device Management and Security Survey of 323 business technology professionals, 79% said that tablets will increase
in importance for business productivity at
their companies over the next 24 months;
82% said the same about smartphones. As
business operations depend increasingly on
a mobile workforce, CIOs worry that the road
to this evolution will be filled with risk and
uncertainty.
Thiss not necessarily so, if you address three
key areas: theft and loss, data leakage, and legal and privacy implications.
> Theft and loss: By their very portable nature, personal devices tend to go missing.
Maybe theyre carelessly left behind in taxis
or restaurants, maybe theyre stolen. However it happens, now that these devices contain sensitive or proprietary company data,
reports.informationweek.com

losses and thefts have deeper ramifications.

In fact, a study conducted by Carnegie Mellon University found that 42% of data

breaches are caused by misplaced or stolen

portable devices, and business travelers, who
are the most likely to misplace a device or

Figure 1

Mobile Technology Impact on Productivity: 2010 vs. 2011

Thinking about the next 24 months, how critical a role will the following mobile technologies play in business
productivity at your company?
2011

2010

Smartphones

82%
89%
Tablets

79%
36%
Laptops

34%
53%
Kiosk-based Web access

24%
21%
Netbooks

22%
38%
Note: Percentages reflect a response of increase significantly in importance or increase somewhat in importance
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals

R3321011/3

January 2012 5

Previous

Next

Table of Contents

reports

have one stolen, lose more than 12,000 laptops per week at airports alone.
The implications of losing a device can be
even more catastrophic when you consider
data protection regulations in place today.
This is a key concern for organizations that deploy mobile devices.
To help protect the personal and professional data on personal mobile devices, manufacturers have implemented some basic
levels of security through either the hardware itself or software implementations. For
instance, PIN-based entry and device-lock
and remote-wipe features are now table
stakes.
> Data leakage: One place to weigh risk vs.
reward is downloading and installing productivity, entertainment and social apps, which
usually require access to the devices data or
file system and may leave you open to attack.
Advanced file or data encryption is usually
necessary to protect against active attacks,
but encryption alone is not effective when
dealing with employee misuse or malicious
insider threats. To adequately protect corporeports.informationweek.com

Striking a Security/Usability Balance

Figure 2

Standardized on a Mobile Device Platform?

Has your organization standardized on a mobile device platform?
2011

2010

Yes, and the IT department is responsible for procuring devices and carriers

58%
73%
Yes, but users purchase the devices themselves and select their own carrier plans

16%
12%
No; employees use their own devices

26%
15%
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals

rate data, you need to control which mobile

apps can handle business data and actively
restrict data manipulation operations like cut
and paste. In some cases, it may be best not
to let the device store and handle any local
copies of data.
Malware represents another way to leak
data, and its now increasingly targeting mobile devices. These malware attacks have the
ability to root the device and bypass all local
security measures. Defending against mobile

R3321011/11

malware will be an increasingly important IT

priority going forward.
> Legal and privacy implications: There
are many questions companies must ask
when deploying a mobile device policy: Do
the controls that you need to employ to improve security violate local privacy laws? Do
you have the legal right to seize the device
under certain circumstances? Is there an expectation of privacy? Many of these questions are clearly beyond the scope of secuJanuary 2012 6

Previous

Next

Table of Contents

Related Report: MDM

The only constant in mobility
nowadays is change. Former
market leaders such as RIM and
Microsoft are now followers
straining to keep pace with consumer-driven operating systems
from Google and Apple. Almost
80% say tablets will grow in importance. No two platforms have
the same security and management hooks, yet your end users
are demanding email, calendaring, VPN access and much
more64% are on board with
custom apps. This is changing the
face of computingand terrifying the IT managers charged
with providing productivity tools
while maintaining control of
sensitive data.

Download
reports.informationweek.com

reports

rity considerations alone. The question of

whether an organization could be liable for
employee misdeeds comes up often. We
know employees use personal devices for a
variety of tasks not related to work, such as
accessing third-party content and media. Its
not uncommon for these devices to contain
content that has questionable copyright status. This poses a legal dilemma: Should your
mobile policy allow such content on your
network? Should you even allow corporate
data to coexist on devices that may contain
questionable content?
Obviously, a close relationship between the
IT and legal departments is critical when formulating a mobile security policy.
Addressing the Challenges
When addressing these security challenges,
focus on how to provide effective governance, mitigate risk and ensure compliance.
GRC begins with information management
deciding what data is indeed sensitive or proprietary, and putting in place policies to protect that data. Will various types of sensitive

Striking a Security/Usability Balance

data even be allowed on personal devices? If

so, must there be separation of corporate data
from personal data on the device? Compliance enforcement must be aligned with these
policies.
Some level of written policy and procedure
that incorporates mobile devices and the handling of mobile data must be in place for effective governance and compliance. Companies often begin with a basic guideline as to
whether employee-owned devices are permitted to access corporate resources or if only
company-provisioned devices are permitted.
These policies may revolve around the right
for IT to manage any mobile device with access to corporate data, even employees personal devices.
The mobile policy needs to indicate which
devices will be fully supported, partially supported or not supported at all. For those devices that are supported, minimum standards
must be outlined around security measures
that can be implemented on the device
think encryption PIN codes or remote wipe.
You may choose to disallow devices that cant

support these baseline security measures.

We mentioned previously the desire for
users to install productivity, entertainment
and social apps on their devices. Your policy
may have guidelines pertaining to permitted applications, the management of those
applications and a category of disallowed
applications. This goes for data handling as
well as applications that may compromise
the device.
Employee acceptance of IT and mobile-usage policies is critical to success. Make people
aware of official governance around the privacy of data and the companys right to monitor data while in the corporate network and
seize devices in case of investigations. Some
organizations require acceptance of the security policy when the device attempts to connect to the corporate network. Further, employees must be aware of their responsibility
to report incidents of loss or theft of their mobile devices.
We discussed earlier how some of these
policies may or may not be aligned with government regulations in various parts of the
January 2012 7

Previous

Next

Table of Contents

reports

world. Review these items with your legal department so it can approve the policy globally
or modify it for certain regions.
Build the Security Infrastructure
Once youve outlined a mobile policy to
align with your GRC drivers, it needs to be enforced via technology deployed to mobile devices. These technologies are usually designed
according to the device platform in use and
the capabilities of such devices when paired
with the deployed management platform. The
key here is to deploy technology that balances the risk profile of the device, the role of
the user, the data that will be accessed and
the minimum acceptable security posture of
the organization.
The security and management infrastructure you need will depend on what types of
policies you employ. For each corporate application or resource that users can access via
mobile device, IT must create a technology security checklist. This is critical so that the IT operations team can ensure that the right infrastructure gear, software and processes are in
reports.informationweek.com

Striking a Security/Usability Balance

Figure 3

Increase in Employee-Owned Mobile Devices?

Do you predict an increase in the percentage of employee-owned (a.k.a. employee liable) smartphones and tablets
accessing business resources? This implies a reduction of business-supplied devices.

Dont know

8%

Yes

65%

27%
No

Data: InformationWeek 2011 Mobile Device Management and Security Survey of 323 business technology
professionals, August 2011

place
R to enforce or support your policies.
While both the IT department and the employee base can agree that mobile policies
and governance are important to overall business success and risk mitigation, overly restrictive policies may alienate users and result in
rampant policy violations. We recommend

R3321011/14

setting up a panel of IT, security and business

users to hash through the policies and strike
a balance between the level of freedom users
value and the level of risk the organization is
willing to accept, which will inform its security
philosophy. A walled-garden approach affects
user experience but provides strong data proJanuary 2012 8

Previous

Next

Table of Contents

reports

tection; a mobile device management approach doesnt change the user experience
but brings only medium data protection; a virtual desktop infrastructure approach affects
user experience but offers strong data protection. At the end of the day, business owners
and business users should see IT as a partner
in their mobility needs.
FAST FACT

27%
have no written policies
or procedures specifically
related to mobile devices
or data.

reports.informationweek.com

Adaptive Security
In the first report of this series, Time to
Move, we talked about using an enterprise
mobility framework as a guide when devising
your mobility strategy. Adaptive security is a
key element of this framework that helps
companies develop a security strategy that
covers policies, technology and people. While
these strategies vary by organization, the remit is the same: security for every mobile requirement, device and application.
Security mechanisms across policy, technology and people need to be in place. Elements
to consider include governance, risk and
compliance. Technology considerations are
also in play as we look at connection and de-

Striking a Security/Usability Balance

Figure 4

Mobile Device and Data Polices?

Does your organization currently have written policies or procedures pertaining specifically to mobile/portable
devices or the handling of mobile data?
2011

2010

Yes; written policies and procedures

49%
52%
Yes; written policies only

18%
19%
Yes; written procedures only

6%
4%
No, but policies are being considered or are under development

21%
22%
No

6%
3%
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals

vice control. With respect to people authenticating and determining the identity of
users, its critical to ensure approved access
to sensitive data and resources on the corporate network.
Its this operational point of view that we

R3321011/19

will explore further and for which we recommend a self-assessment as its a critical reflection point of enterprise mobility. We call this
discipline secure user access.
Secure user access is an operational competency that focuses on providing users with acJanuary 2012 9

Previous

Next

Table of Contents

reports

Striking a Security/Usability Balance

Figure 5
cess to the network and its resources. This access may be based on roles, business needs
and security policies. These security policies
would usually be aligned with the mobility
strategy. For some context, consider if your organization implements a mobile VPN or another means to ensure that the connection for
corporate applications is properly encrypted.

Importance of Employee Access to Mobile Technologies

Using a scale of 1 to 5, where 1 is not important and 5 is very important, how important is it that employees
are provided with the following technologies in support of their jobs?
2011

2010

1 Not important

Very important 5

Wireless network access

4.1
4.0
Remote access (VPN)

4.1

Levels of Capability
In order to help you work out the stages of
your secure user access capability, we will describe the levels: basic, integrated and optimized. With each level of maturity, you can replace reactive mechanisms with more
proactive approaches toward meeting an optimized secure user access competency.
Basic capability here indicates that users
are actually able to securely access the wireless network using their established network
accounts. The use of wireless security protocols like WPA2 will be in place to ensure
proper encryption, as well as integration
with Active Directory for authentication.
Some level of policy education and aware-

4.3
Laptops/netbooks

4.0
N/A
Smartphones with line-of-business applications

3.5
N/A
Tablets with line-of-business applications

3.1
N/A
USB drives/thumb drives/flash drives

2.9
3.0
CD/DVD/Blu-ray burners

2.2
2.3
Note: Mean average ratings
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals

reports.informationweek.com

R3321011/4

January 2012 10

Previous

Next

Table of Contents

FAST FACT

25%
can remotely delete
business data from
devices while leaving
personal data intact.

reports.informationweek.com

reports

ness is present around email, pin lock and remote wipe for mobile devices.
An integrated capability goes a step further.
User credentials also ensure that employees
can access specific (and correct) applications,
systems and data on the network. For example, sales personnel will have access to the
sales pipeline information and Salesforce.com,
but wont have access to human resources reports. Simply put, its about role-based, intelligent access to applications. In addition, as
there are multiple entry points, some type of
WLAN intrusion-prevention system should be
in place, as well as a basic network perimeter
system (i.e., firewall).
You need to balance security concerns with
the user experience of having integrated access to applications, data and systems from
any approved mobile device. For example,
lets say you have a field employee who
needs to engage the supply chain application and check a product inventory from the
field. If he is able to do this, he would then
need to place an order on behalf of the customeralso from a mobile location. Already,

Striking a Security/Usability Balance

Figure 6

Ability to Selectively Wipe Business Data From Personal Devices

If an employee uses a personal device to access business resources, do you have the ability to selectively wipe (delete)
business-related data while leaving personal data intact?

Yes, we can do remote selective wipe

25%

40%
Dont know

No, we must wipe the entire device

10%

25%
We cant do device wipes
Data: InformationWeek 2011 Mobile Device Management and Security Survey of 323 business technology
professionals, August 2011

the positive impact on productivity, timeR deliverables and customer experience

lines,
is evident. Organizations at this level understand that security compliance of mobile
endpoints is essential for a complete security
strategy implementation.
An optimized capability in this competency would manifest itself in a seamless ex-

R3321011/20

perience for the user, with a single sign-on

for all mobile services from any approved device. Users would also be able to move between applications across the organization,
grabbing data from different sources and
carrying out actions that engage various systems. Such access ultimately allows users to
perform their business functions optimally,
January 2012 11

Previous

Next

Table of Contents

reports

regardless of location.
Organizations at this level are consistent in
considering network security a high priority.
They make the commitment to put in place
the necessary tools and technologies to ensure that the fastest possible network is also
the most secure. This is accomplished using a
combination of network perimeter security, a
centralized security policy management system, WLAN sniffer technology used to detect rogue devices and unauthorized use, and
WLAN intrusion-protection systems to enforce
Secure user access is an operational
access policy.

competency that focuses on

providing users with access to the
network and its resources.

Examples
Below are some examples of mechanisms
within a secure user access competency. These are here to help you
ascertain where you are in terms of your capability within this competency.
> Field employees can access transactional
systems (e.g., product inventory and databases) from mobile devices without com-

reports.informationweek.com

Striking a Security/Usability Balance

promising sensitive data

> Guests and partners have appropriate access when working on organizational
premises
> A network perimeter security system is in
place
> A WLAN intrusion-prevention system is in
place
> Rogue-device and unauthorized-user detection are in place
> Mobile subscription access is managed
per role requirements
> Single sign-on is available for all mobile
services from any approved mobile devices
> Security policies and mechanisms are
aligned with mobility strategy
> Mobile VPN or other encryption system
for remote mobile users is in place
Questions you should ask yourself:
> Can your field staff securely access transactional systems from their mobile devices?
> Do you have network perimeter solutions
or WLAN intrusion-prevention systems in
place?
> Do you have security policies and mecha-

nisms to enforce them for mobile devices

and employees?
Some of the examples above can help you
determine where you want to be in the future. Its best to think of this in terms of achievable business objectives. Security is considered a high priority, and a comprehensive
security strategy incorporates all the elements from the previous capability levels
from perimeter and intrusion-prevention systems to security policy enforcement and
mobile VPN encryption.
When youre investigating the systems you
would like to implement to move to a higher
maturity level, consider:
> Is it of business benefit for field employees
to be able to access transactional systems
from mobile devices?
> To improve employee productivity, is it
critical to have single sign-on for systems
and services across the organization?
> Is there a need to ensure that rogue devices and unauthorized users are blocked
from your network via perimeter security
or intrusion prevention systems?
January 2012 12

Previous

Next

Table of Contents

reports

> Is there a benefit to enabling mobile users

to access, securely and safely, your corporate network remotely?
A Flexible, Integrated Strategy
The challenge lies in preserving the user experience while and appropriately minimizing
the risk to the organization. Consumer technologies are proliferating in the workplace because of the undeniable draw of the consumer
experience. Therefore, security and device
management policies must not completely inhibit the flexibility and freedom users value
otherwise they will simply circumvent those
policies, which can make matters worse. When
it comes to personal mobile devices in the corporate network, you need to somehow strike
a balance between mitigating corporate risks
and limiting intrusion in the daily work life of
your employees. Employee education about
safe mobile-use practices is critical to promoting an empowered workforce while maintaining organizational security.
One final thing to keep in mind is that although theres plenty of hype in the media
reports.informationweek.com

Striking a Security/Usability Balance

around the vulnerabilities of mobile devices

and platforms, many of these issues are not
new. Consider Trojan viruses or other malicious applications. Security professionals have
been warning against the dangers of running
untrusted code or opening unknown email
attachments for years. The same issues apply
to mobile platforms. Mobile devices are fairly
similar to laptop PCs. A risk assessment for
laptop PCs will tell you where the most prevalent risks are, and you dont necessarily need
to aim for much higher security assurance for
mobile devices than you do for laptops.
While vulnerabilities affecting mobile
browsers pose a serious threat to businesses,
it could be argued that a greater threat is
posed to traditional PCs and laptops by these
same issues. Its important to integrate your
mobile and traditional endpoint security approaches. Mobile device security and management should be part of your larger endpoint
management strategy. The point is that integrated endpoint security principles are important whether a device is located in an individuals pocket or on top of her desk at the office.
January 2012 13

Previous
Table of Contents

MORE

reports

LIKE THIS

Striking a Security/Usability Balance

Want More Like This?

InformationWeek creates more than 150 reports like this each year, and theyre all free to
registered users. Well help you sort through vendor claims, justify IT projects and implement
new systems by providing analysis and advice from IT professionals. Right now on our site
youll find:
Research: Mobile Device Management: The only constant in mobility nowadays is change.
This is changing the face of computingand terrifying the IT managers charged with providing productivity tools while maintaining control of sensitive data.
Informed CIO: Mobility: In this report, well explain how to harness mobile technologies to
enhance and improve the processes on which your business relies. Plot where you fall in our
Organizational Mobility Matrix, and use that as a starting point for a dialogue on the direction your enterprise mobility initiative will take.
Strategy: Optimize Your Mobile Infrastructure: In this report, well examine the area of IT
services operations with a related discussion of mobile device management. Well review the
levels of capability in this discipline.

Newsletter
Want to stay current on all new
InformationWeek Reports?
Subscribe to our weekly
newsletter and never miss
a beat.

Strategy: Tablet Security: As businesses rely increasingly on tablets for the productivity
benefits they provide, IT must address the security challenges the devices present.
PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek
500 and the annual State of Security report; full issues; and much more.

Subscribe
reports.informationweek.com

January 2012 14