Mobile Security: Tougher than It Looks

Mobile Security: Tougher than It Looks

Mobile technology in a corporate setting is here to stay, with 56 percent of U.S. adults owning smartphones according to the Pew Internet & American Life Project. Corporations are interested in location-based marketing, mobile payments, and enabling workforce productivity no matter where employees might be.

But, as people learn while obtaining their information technology degrees or working in the industry, where you have users, you need security. Whether through user accident or direct intervention by criminals, private data can be made public, websites vandalized, and identities or even money stolen. Unfortunately, too many organizations are only now catching up with the degree of security necessary in a mobile world.

For example, look at the Department of Defense, a branch of government that you might think was synonymous with security is only now catching up with mobile. It reportedly bought a mobile security system for 300,000 users without actually testing it, as the site Nextgov explains:

The software was supposed to protect email and Web browsing on consumer-grade smartphones that the military provided to the entire Defense Department, the Coast Guard, the National Guard and military reserves. The devices include iPhones, iPads, devices from Samsung and BlackBerry 10 phones.

The particular solution spread to the Department of Agriculture. The software includes a mobile device management (MDM) system, which typically provides the ability to monitor devices used and remotely wipe or even disable devices, should they be lost or stolen. There would also be an app store for approved software. At least one analyst did give the government high marks for combining MDM and more traditional security products. But the approach is still far from the smooth path most organizations need. Here are some considerations.

Don’t put it off
The DoD is going full steam ahead, but is still behind where it should be. The one-year target has been securing 100,000 smartphones and tablets. Whew that’s a lot of hardware. But it seems highly unlikely that it isn’t being deployed until the end of the year. That means there are likely many thousands of users already with devices that could potentially put classified networks and data at risk. Security shouldn’t be an afterthought.

Don’t rush it
Something notable about the USDA effort is the time table it originally wanted. The winning bidder was supposed to be chosen in November 2012 and, within 30 days, have a “fully functional” pilot deployment that could support 3,000 devices at a minimum. That would mean MDM, security and app store. Just the latter would require identifying what software could be safely run on the devices, which alone could take a significant amount of time. Only 1,370 devices were reportedly connected to the system by the end of July 2013. Proper security is a major undertaking, so don’t allow optimism or executive pressure to set an unrealistic deadline.

Use prudent deployment strategies
Amazingly, neither the DoD nor the USDA tested the products that were part of the ultimate solution before accepting the bid. Even seriously considering software without testing it in the given conditions of an organization is a dangerous practice. What might work well in many settings could cause problems because of some quirk in the architecture of a given IT infrastructure. Security software shouldn’t be treated differently from any other type in terms of evaluation, testing and roll-out.

Tagged as , ,