Among the questions the Gartner analysts sought to answer: How do mobiles stack up against PCs in terms of security threats? How can data be exposed on mobile devices? And, what are best practices to prevent mobile device-related data leaks?
Both analysts agreed that mobile security risks were among the top inquiries they field on a daily basis. As Girard pointed out, most organizations now find themselves with the unenviable task of moving from BlackBerry services – which they considered highly secure – to more questionable types of mobile devices in the form of Apple’s iOS and Google’s Android.
“There’s good news and bad news”, Girard noted, as these newer platforms can’t be fully trusted, and many of the security solutions put in place are what he described as work-arounds or short-term solutions. “At the same time, you don’t hear a lot of stories in the press about phones or tablets causing major data breaches – yet”, he warned. “But we all know people are putting data on these devices as much as they do on laptops…and we know there are lots of easier ways to get into these devices than there are on laptops or workstations that have been properly protected.”
Just because there have been no widespread reports of mobile device-related breaches, Girard continued, that doesn’t mean they can’t or won’t occur. “Even if you are not facing eminent breach disclosure problems over mobile devices”, he acknowledged, security professionals do face compliance requirements that require efforts to manage information on mobile devices.
With smartphone sales set to double by 2015 – coupled with a four-fold increase in tablet sales over the same period – the security implications for enterprises must be addressed. It’s not only a matter of managing two new mobile operating systems, as Girard observed. In the case of Apple’s iOS, the architecture applies to only two commonly used products. But in the case of Android, the operating system can be found on nearly 4000 different devices, making mobile device management a bit of a headache for organizations that take a more liberal approach to adoption.
Girard said it is possible, “with reasonable care”, to keep workstation-class devices such as PCs and laptops updated and patched, as both Apple and Microsoft regularly issue security updates in what are typically considered a timely fashion. This is especially true for organizations that do not permit their employees to carry administrative privileges on these workstations.
In comparison to traditional workstations, Girard said mobile devices can be secure if the same safeguards are employed. “A mobile device, properly configured – such as an Apple device not jailbroken or an Android device not rooted – can actually achieve a level of safety that is easily managed”, he opined. “In the mobile space, RIM [Research In Motion, maker of the BlackBerry] is the best-in-class platform”, Girard added. When compared with PCs, the Gartner analyst said they can be made safer than PCs because they cannot be jailbroken or rooted. “Unfortunately, it’s not the device everyone wants right now”, he admitted, mainly because it does not run the apps that people desire.
With regard to the Apple iOS, Girard noted that data protection on these mobiles is far easier because the vulnerabilities are predictable and the device types are limited – which streamlines policies and the helpdesk process. This means many enterprises are more willing to incorporate Apple’s devices into their mobile strategy, with the added bonus that iOS users tend to refrain from jailbreaking their devices and update their operating systems regularly. Android, on the other hand, is more device-based, and the manufacturer often determines which version of the operating system is on the device and whether it will be updated.
Ironically, Pingree said, “BYOD is never cheap”, and your helpdesk costs will increase as a result – an observation that runs contrary to the rationale many organizations cite for implementing a BYOD program.
No mobile operating system is impervious, however, Pingree continued, and all of them will require regular patches and will be susceptible to a broad spectrum of vulnerabilities.
“Prevent jailbreaking at all costs, and prevent these devices from accessing your environment”, Pingree implored. “Often jailbreaking is done through vulnerabilities, so you have to patch in order to prevent this”, Girard added.
Both analysts agreed that anti-virus/anti-malware solutions are not necessary on mobile devices if you can verify that the device has not been rooted. Other recommendations to prevent data leaks via mobile devices included: avoid, whenever possible, placing sensitive data on them; use devices that have encryption capabilities; employ a company-managed mobile device management (MDM) solution; develop an enterprise-based app store; require the use of passcodes on mobiles; develop a process to securely write your own apps.