Professional Documents
Culture Documents
reports
Rep or ts.Informat ionWeek.com
Striking a Security/
Usability Balance
At CES we saw dozens of new tablets and smartphones with
unprecedented capabilities. Employees want to make full use of
their shiny new devices, while IT teams want to maintain security
and control. The principles of secure user access provide a
strategy for CIOs to maintain equilibrium.
By Nadeem Ahmad
January 2012
Previous
Next
CONTENTS
reports
3
4
5
5
6
7
8
8
9
9
10
10
11
TABLE OF
reports.informationweek.com
12
13
14
Authors Bio
Executive Summary
Challenges IT Faces
Figure 1: Mobile Technology Impact on
Productivity: 2010 vs. 2011
Figure 2: Standardized on a Mobile Device
Platform?
Addressing the Challenges
Build the Security Infrastructure
Figure 3: Increase in Employee-Owned
Mobile Devices?
Adaptive Security
Figure 4: Mobile Device and Data Polices?
Levels of Capability
Figure 5: Importance of Employee Access to
Mobile Technologies
Figure 6: Ability to Selectively Wipe Business
Data From Personal Devices
Examples
A Flexible, Integrated Strategy
Related Reports
ABOUT US
InformationWeek Reports analysts arm
business technology decision-makers
with real-world perspective based on
qualitative and quantitative research,
business and technology assessment
and planning tools, and adoption best
practices gleaned from experience. To
contact us, write to managing director
Art Wittmann at awittmann@techweb.com,
content director Lorna Garey at
lgarey@techweb.com, editor-at-large
Andrew Conry-Murray at
acmurray@techweb.com, and research
managing editor Heather Vallis at
hvallis@techweb.com. Find all of our
reports at reports.informationweek.com.
January 2012 2
Previous
Next
Table of Contents
reports
Nadeem Ahmad
Dimension Data
reports.informationweek.com
January 2012 3
Previous
Next
Table of Contents
SUMMARY
reports
EXECUTIVE
reports.informationweek.com
Employees expect IT to support their personal devicesas well they should, because
theres great value in such tools when performing business functions. But the main challenge facing companies that are enabling the use of these devices in business operations
is the security risk of having a variety of mobile platforms accessing enterprise networks:
How do you ensure that sensitive data isnt compromised and that vulnerabilities
brought about by personal devices are mitigated?
Clearly, the answer is not to keep personal devices from accessing corporate resources.
IT can no longer credibly stand in the way of the adoption of mobile technologiesthe
business drivers are too strong. But neither can you fail to enforce policies and slack on
governance. That will lead to an increased number of security exposures. The odds are
that one will be catastrophic to the business.
An additional consideration is the theft or loss of a personal device containing corporate data. Security mechanisms such as remote wipe, PIN-based entry and centralized
management can satisfy many basic security requirements.
For a successful mobile implementation, CIOs must ensure that everyones interests are
represented. That means balancing security requirements with the users device experience. Core areas of a successful and mature mobile information security program include
governance, risk and compliance; mobile policies; and the security infrastructure.
In this report well discuss best practices to securely integrate mobile devices into the
enterprise. Well also cover some security considerations around adaptive security, a critical element of an enterprise mobility framework, in the context of an area called secure
user access, which refers to providing users with access to the network and its resources
without compromising corporate data. Well review the levels of capability in this discipline and discuss in more depth what elements, at each level, you should investigate in
terms of policy, technology and people.
January 2012 4
Previous
Next
Table of Contents
reports
Challenges IT Faces
Most of the organizations we work with are
struggling with the onslaught of personal
mobile devices finding their way into the
workplace. In our August InformationWeek
2011 Mobile Device Management and Security Survey of 323 business technology professionals, 79% said that tablets will increase
in importance for business productivity at
their companies over the next 24 months;
82% said the same about smartphones. As
business operations depend increasingly on
a mobile workforce, CIOs worry that the road
to this evolution will be filled with risk and
uncertainty.
Thiss not necessarily so, if you address three
key areas: theft and loss, data leakage, and legal and privacy implications.
> Theft and loss: By their very portable nature, personal devices tend to go missing.
Maybe theyre carelessly left behind in taxis
or restaurants, maybe theyre stolen. However it happens, now that these devices contain sensitive or proprietary company data,
reports.informationweek.com
Figure 1
2010
Smartphones
82%
89%
Tablets
79%
36%
Laptops
34%
53%
Kiosk-based Web access
24%
21%
Netbooks
22%
38%
Note: Percentages reflect a response of increase significantly in importance or increase somewhat in importance
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals
R3321011/3
January 2012 5
Previous
Next
Table of Contents
reports
have one stolen, lose more than 12,000 laptops per week at airports alone.
The implications of losing a device can be
even more catastrophic when you consider
data protection regulations in place today.
This is a key concern for organizations that deploy mobile devices.
To help protect the personal and professional data on personal mobile devices, manufacturers have implemented some basic
levels of security through either the hardware itself or software implementations. For
instance, PIN-based entry and device-lock
and remote-wipe features are now table
stakes.
> Data leakage: One place to weigh risk vs.
reward is downloading and installing productivity, entertainment and social apps, which
usually require access to the devices data or
file system and may leave you open to attack.
Advanced file or data encryption is usually
necessary to protect against active attacks,
but encryption alone is not effective when
dealing with employee misuse or malicious
insider threats. To adequately protect corporeports.informationweek.com
Figure 2
2010
Yes, and the IT department is responsible for procuring devices and carriers
58%
73%
Yes, but users purchase the devices themselves and select their own carrier plans
16%
12%
No; employees use their own devices
26%
15%
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals
R3321011/11
Previous
Next
Table of Contents
Download
reports.informationweek.com
reports
Previous
Next
Table of Contents
reports
world. Review these items with your legal department so it can approve the policy globally
or modify it for certain regions.
Build the Security Infrastructure
Once youve outlined a mobile policy to
align with your GRC drivers, it needs to be enforced via technology deployed to mobile devices. These technologies are usually designed
according to the device platform in use and
the capabilities of such devices when paired
with the deployed management platform. The
key here is to deploy technology that balances the risk profile of the device, the role of
the user, the data that will be accessed and
the minimum acceptable security posture of
the organization.
The security and management infrastructure you need will depend on what types of
policies you employ. For each corporate application or resource that users can access via
mobile device, IT must create a technology security checklist. This is critical so that the IT operations team can ensure that the right infrastructure gear, software and processes are in
reports.informationweek.com
Figure 3
Dont know
8%
Yes
65%
27%
No
Data: InformationWeek 2011 Mobile Device Management and Security Survey of 323 business technology
professionals, August 2011
place
R to enforce or support your policies.
While both the IT department and the employee base can agree that mobile policies
and governance are important to overall business success and risk mitigation, overly restrictive policies may alienate users and result in
rampant policy violations. We recommend
R3321011/14
Previous
Next
Table of Contents
reports
tection; a mobile device management approach doesnt change the user experience
but brings only medium data protection; a virtual desktop infrastructure approach affects
user experience but offers strong data protection. At the end of the day, business owners
and business users should see IT as a partner
in their mobility needs.
FAST FACT
27%
have no written policies
or procedures specifically
related to mobile devices
or data.
reports.informationweek.com
Adaptive Security
In the first report of this series, Time to
Move, we talked about using an enterprise
mobility framework as a guide when devising
your mobility strategy. Adaptive security is a
key element of this framework that helps
companies develop a security strategy that
covers policies, technology and people. While
these strategies vary by organization, the remit is the same: security for every mobile requirement, device and application.
Security mechanisms across policy, technology and people need to be in place. Elements
to consider include governance, risk and
compliance. Technology considerations are
also in play as we look at connection and de-
Figure 4
2010
49%
52%
Yes; written policies only
18%
19%
Yes; written procedures only
6%
4%
No, but policies are being considered or are under development
21%
22%
No
6%
3%
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals
vice control. With respect to people authenticating and determining the identity of
users, its critical to ensure approved access
to sensitive data and resources on the corporate network.
Its this operational point of view that we
R3321011/19
will explore further and for which we recommend a self-assessment as its a critical reflection point of enterprise mobility. We call this
discipline secure user access.
Secure user access is an operational competency that focuses on providing users with acJanuary 2012 9
Previous
Next
Table of Contents
reports
Figure 5
cess to the network and its resources. This access may be based on roles, business needs
and security policies. These security policies
would usually be aligned with the mobility
strategy. For some context, consider if your organization implements a mobile VPN or another means to ensure that the connection for
corporate applications is properly encrypted.
2010
1 Not important
Very important 5
4.1
4.0
Remote access (VPN)
4.1
Levels of Capability
In order to help you work out the stages of
your secure user access capability, we will describe the levels: basic, integrated and optimized. With each level of maturity, you can replace reactive mechanisms with more
proactive approaches toward meeting an optimized secure user access competency.
Basic capability here indicates that users
are actually able to securely access the wireless network using their established network
accounts. The use of wireless security protocols like WPA2 will be in place to ensure
proper encryption, as well as integration
with Active Directory for authentication.
Some level of policy education and aware-
4.3
Laptops/netbooks
4.0
N/A
Smartphones with line-of-business applications
3.5
N/A
Tablets with line-of-business applications
3.1
N/A
USB drives/thumb drives/flash drives
2.9
3.0
CD/DVD/Blu-ray burners
2.2
2.3
Note: Mean average ratings
Base: 323 respondents in August 2011 and 307 in March 2010
Data: InformationWeek Mobile Device Management and Security Survey of business technology professionals
reports.informationweek.com
R3321011/4
January 2012 10
Previous
Next
Table of Contents
FAST FACT
25%
can remotely delete
business data from
devices while leaving
personal data intact.
reports.informationweek.com
reports
ness is present around email, pin lock and remote wipe for mobile devices.
An integrated capability goes a step further.
User credentials also ensure that employees
can access specific (and correct) applications,
systems and data on the network. For example, sales personnel will have access to the
sales pipeline information and Salesforce.com,
but wont have access to human resources reports. Simply put, its about role-based, intelligent access to applications. In addition, as
there are multiple entry points, some type of
WLAN intrusion-prevention system should be
in place, as well as a basic network perimeter
system (i.e., firewall).
You need to balance security concerns with
the user experience of having integrated access to applications, data and systems from
any approved mobile device. For example,
lets say you have a field employee who
needs to engage the supply chain application and check a product inventory from the
field. If he is able to do this, he would then
need to place an order on behalf of the customeralso from a mobile location. Already,
Figure 6
25%
40%
Dont know
10%
25%
We cant do device wipes
Data: InformationWeek 2011 Mobile Device Management and Security Survey of 323 business technology
professionals, August 2011
R3321011/20
Previous
Next
Table of Contents
reports
regardless of location.
Organizations at this level are consistent in
considering network security a high priority.
They make the commitment to put in place
the necessary tools and technologies to ensure that the fastest possible network is also
the most secure. This is accomplished using a
combination of network perimeter security, a
centralized security policy management system, WLAN sniffer technology used to detect rogue devices and unauthorized use, and
WLAN intrusion-protection systems to enforce
Secure user access is an operational
access policy.
Examples
Below are some examples of mechanisms
within a secure user access competency. These are here to help you
ascertain where you are in terms of your capability within this competency.
> Field employees can access transactional
systems (e.g., product inventory and databases) from mobile devices without com-
reports.informationweek.com
Previous
Next
Table of Contents
reports
Previous
Table of Contents
MORE
reports
LIKE THIS
Newsletter
Want to stay current on all new
InformationWeek Reports?
Subscribe to our weekly
newsletter and never miss
a beat.
Strategy: Tablet Security: As businesses rely increasingly on tablets for the productivity
benefits they provide, IT must address the security challenges the devices present.
PLUS: Find signature reports, such as the InformationWeek Salary Survey, InformationWeek
500 and the annual State of Security report; full issues; and much more.
Subscribe
reports.informationweek.com
January 2012 14