A horrible mess of nastiness: Consumer gadgets and IT security
When smartphones invade your office, how do you make sure security doesn't suffer?
Is the iPhone 4 secure enough for corporate use?Photo: James Martin/CNET
Letting staff use their own PCs and smartphones in the workplace might sound like an easy way for CIOs to cut the amount they spend on buying hardware, and bring an end to those nagging emails from execs who want the latest shiny new gadget at the company's expense.
But rather than leading to a nice quiet life for the CIO, the consumerisation of IT can also open up a mess of technical, regulatory and legal issues, security chiefs have warned. Even worse, there's no turning back the clock to the days when the IT department could control every gadget that could access the corporate network.
"It's not a question of whether it's happening, it's here and it's not going away. If I ask if anyone who doesn't have access to a smartphone to put their hands up you will probably find that it's a vanishingly small number of people," said Michael Everall, chief information security officer (CISO) with Lamco LLC - Lehman Brothers Holdings.
"We can't be Dilbert's pointy-headed boss - the great deniers of technology. We have to know what's available out there so we can take the cost proposition to the board level and say 'This is what's happening and this is what you are going to do'," he said, speaking at the Infosecurity Europe 2011 conference in London last week.
"Some companies see it as a saving to the organisation through [paying for] fewer licences and fewer BlackBerrys themselves, but once you drill down through all the needs and requirements…it becomes a horrible mess of nastiness," he added.
All your devices belong to us?
Unsurprisingly the danger of a consumer mobile device loaded with corporate data being left in the back of a taxi ranks high on the list of security chief's concerns. And once companies start getting serious about dealing with the data loss threat, staff might start might start thinking twice about using their personal smartphone or tablet at work.
"We basically will be informing individuals that, if we go down this path, be aware it may be your personal device but any of the contents on there is ours to wipe at will, and that includes your personal data," Everall said.
"If you don't back it up you're going to lose it because we will send a kill command to [wipe] that device when you leave the organisation, or if we have any concern that something may be amiss."
Are BlackBerrys the only fruit?
Not all gadgets are created equal - so security chiefs have to add additional policies for consumer smartphones, which don't come with the device security and management options in place that are available with an enterprise-targeted handset.
For example devices targeted mostly at consumers do not offer companies the...
...same level of centralised control over software updates and how staff use the device, the ability to carry out detailed audits of how devices are used and equivalent tools for securing data.
Louis Gamon, information security officer with the John Lewis Partnership, said: "I don't think that currently that Android and other mobiles are anywhere near secure enough for corporate use."
He said that companies thinking of letting their staff use their own work devices at work will need to put additional policies and software tools in place to manage and secure all of the corporate data held on these devices.
"If you look at all the areas where you need assurance - malware, encryption, secure transmission, device management, access control - you need to have something in place.
"It's not just about security, it's about how do you manage those devices, how do you get them updated, upgraded and patched, and applications onto them securely without using something like iTunes."
And the public sector shares Gamon's concerns about consumer technology, the BlackBerry Enterprise Solution is the only smartphone cleared for use by government ministers and civil servants when handling information up to classified up to restricted level. The decision is based on an assessment of the major smartphone handsets by the CESG, the information assurance arm of British intelligence agency GCHQ.
Andrew Turner, IT security officer and information governance lead with NHS Dumfries and Galloway, said: "You have to go into this with your eyes wide open - these are consumer devices, they are not corporate devices.
"They do not have the tools you would expect that have developed over the years for PCs."
Developing the tools and...
Locking consumer devices down too hard can restrict their usefulnessPhoto: Sean Hobson
...policies to secure consumer devices for use in the workplace is further complicated by staff often not being prepared to wait to start using their new gadgets at work.
Gary Cheetham, chief information security officer with NFU Mutual, said: "Our senior management see their pals with other devices and see the applications for them, and they want those devices and want them very quickly.
"We quite often find ourselves in a situation where we cannot secure these devices as much as we would like to within the timescales that they want to use them."
OS makers and manufacturers of consumer devices also don't have any incentive to spend time developing new software or adding features to secure these machines for company use, Turner said.
He asked why these companies would need to invest in attracting corporate customers that will buy in bulk and expect a 50 per cent discount on the price of the handsets, when the manufacturers can sell the same number of devices direct to the consumer with no discount.
"I don't think the situation is going to change anytime soon," he added.
And while the amount of malware targeted at mobile consumer devices appears to be nowhere near the level of PC-focused code, Nigel Stanley, practice leader for security for Bloor Research, said that he had identified "a lot more interest in malware" aimed at mobiles among the "hacker community".
Is cloud the answer to mobile security?
Of course, a simple way of stopping data from being stolen from lost phones and mobile computers is...
...not to store it on the device.
However if staff are to stream the data from corporate servers over a secure connection they will need an always-on connection to the internet, something that is almost impossible to guarantee.
Lamco's Everall said that these gaps in network coverage would mean that barring local data storage would be unacceptable to users.
"If you have nothing cached locally and you're out of connection you're dead in the water," he said.
"You will get people crying, screaming and giving you gratuitous abuse if they have five seconds of non-activity. Until you get close to ubiquitous access having data only in the cloud is not going to be satisfactory for the user.
"There will, unfortunately, always be some requirement for some degree of replication of data."
The prospect of staff leaving a trove of corporate data on the train is not the only danger that companies need to resolve when it comes to consumerisation: once staff start claiming data usage for work - say if a Skype call for work takes someone over their monthly smartphone data limit - a whole new layer of bureaucracy is introduced in the finance department.
Can security be taken too far?
Setting caveats on how staff can use computing devices at work makes sense from a security perspective, but placing too many restrictions can cripple the device's usefulness.
An example is the way that Whitehall has restricted the use of BlackBerrys by civil servants and government ministers.
Speaking to silicon.com the Earl of Erroll, member of the Parliamentary Information Technology Committee, said that there are limits what apps can be used on a BlackBerry that is used for official government business.
"They lock down the BlackBerry so you can't use it for very useful things - they remove half of the apps from it in order to make it secure, so it ceases to be much use as a general purpose device," he said.
He said that there would always be...
...a "tension" between the security and usefulness of a device, adding "I don't think you can overcome that".
Education, education, education
Alongside the security and management tools and carefully worded acceptable use policies, training staff in how to securely use consumer devices is a crucial step in keeping corporate data safe.
NFU Mutual's Cheetham said: "Awareness if absolutely essential here - for example if you go on the tube and you search for Bluetooth devices, look how many people have left their Bluetooth on.
"You're asking people to take accountability for these devices that have a lot more data on them - it's a cultural change for these users and it's going to take a long time to do that."
Everall said that explaining to staff why they needed to change the way they use their personal devices was the key to getting them to comply: "We need to make sure people are aware what is happening, how it's happening and how it helps them," adding that gifts such as free pizza or an anti-virus package incentivise staff to attend training sessions.
"You have to very carefully document, make very careful policy statements and ensure that people buy into it, and damn well accept that they have personal responsibility and potentially personal liability if they lose this data."