Welcome to the 16th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Please join me on January 26th, 2013 at 6pm at Ada’s Technical Books in Seattle’s Capitol Hill neighborhood for a book signing for Cloud Security and Control. We hope to get permission to do a wine tasting as well. Look for more details in January on Ada’s calendar and on my blog.
The Four Pillars of Endpoint Security for BYOD
Two years ago, we introduced the Four Pillars of Endpoint Security model. (For more information, please see our article and video on the topic.) Since that article was published, the bring your own device (BYOD) trend, where employees access enterprise data with their personal PCs, tablets, and phones, has really gained momentum. While the PC will be the primary tool for content creation for the foreseeable future, the dominant interfaces for content consumption are the smart phone and, increasingly, the tablet. What started as a consumer phenomenon is now an enterprise one as well, with adoption being driven from both ends: users want to access work data the same way they access leisure data, and IT managers are eager to cut costs.
The businesses that stay on top of IT trends such as BYOD are the most competitive. However, IT managers are rightly nervous about serving sensitive corporate data to devices that have less sophisticated security controls than PCs and to PCs that are often used in unmanaged environments for much of the day. By applying the Four Pillars of Endpoint Security strategy, you will be able to focus on key areas of investment to enable the business to operate without interruption.
The Four Pillars include endpoint hardening, endpoint reliability, network prioritization, and network reliability.
Endpoint hardening options for mobile devices shipping today are limited but are improving. Exchange ActiveSync is one example of a set of security policies with good cross-platform support. Platform-specific options are also being developed. Several vendors are working on hardened Android solutions for use in national defense roles. In addition, both Windows Phone 8 and Windows RT will include enhanced security features, such as the Trusted Platform Module (TPM), giving devices running those operating systems a strong data security story.
Endpoint reliability for mobile devices is all about detecting the health of the device and initiating remediation when it is out of compliance with the corporate security policy. An important class of products for enabling endpoint reliability is antivirus/antimalware. As above, enterprise-class solutions are still playing catch-up, even on the dominant mobile platforms. But antivirus mobile apps are available from reputable vendors, and we recommend to all of our clients that they use them.
Network prioritization is best captured by this goal: optimize the user experience. An example is the use of flow control to enable real-time delivery of audio and visual content and to enable high bandwidth utilization. The proliferation of a wide variety of screen resolutions, and a diverse set of client operating systems running on highly capable hardware, introduce a new wrinkle here, since part of enabling efficient network utilization is to ensure that content delivery matches the device capabilities. To achieve this, both websites and apps must be designed to be responsive.
Network reliability for mobile devices is often touted as high, but anyone who uses a smart phone and data connection has no doubt experienced the inconvenience of spotty coverage. The best apps are those that can provide value offline in these conditions and then seamlessly return to connectivity once the network is again available.
Call to Action
Our recommendation is simple: embrace mobile computing in the enterprise, but don’t forget security best practices.
- Catalog and review compliance criteria to see if they are jeopardized by mobile devices or network access
- Determine and document the policy for each type of mobile device and app that you will support
- Create a plan to enable and enforce hardware protection of data on mobile devices
- Ensure that data on remote devices will be made inaccessible when a device is reported lost or when an employee leaves the enterprise
- Create a plan for websites to use a single data model with views that are responsive to each device type