Secure data between multiple mobile OSes

IT professionals need to understand flow of critical data in order to create system capable of safeguarding enterprise networks, advise industry players.
Written by Kevin Kwang, Contributor

As people increasingly use their personal mobile devices such as laptops and smartphones for work, IT administrators have to look into protecting their enterprise networks from the perspective of securing the data, rather than the system.

According to Lawrence Goh, technology consulting lead for Accenture Asean, the process of managing risks from multiple devices, and with it the different operating systems (OSes), is essentially the "same as any enterprise risk management approach".

"The differences come in the implementation, where controls are needed to address the increased number of access points into the corporate world and the move toward the borderless corporate," said Goh in an e-mail interview with ZDNet Asia.

"The result is an approach that encompasses infrastructure, application architecture, identity and access management, endpoint encryption and data leakage prevention, to name just a few, and supported by the skills to assess ongoing risks and adequately respond to incidents," he added.

This view is supported by Ronnie Ng, manager of systems engineering for Symantec Singapore, who added that enterprises need to be able to manage data across multiple OSes, and yet remain platform-agnostic with their security and storage infrastructures.

"The most effective IT infrastructures are those that bring together security, storage and systems management to automate... [This] will enable enterprises to manage the risks and complexity driven by the increased proliferation of devices and operating systems, without increasing time and costs," Ng said.

It is not just network administrators who have to worry about securing enterprise data, though. Mobile OS providers have a part to play, too. For one, Microsoft, which develops the Windows Mobile platform, highlighted that phones using its software have key security elements that can be controlled to ensure the organization's data is protected but [still] accessible.

A Microsoft spokesperson told ZDNet Asia that the Windows Mobile OS is "built around a three-tier security model that prevents malicious software from getting access to device functionality and data". He added in an e-mail interview that phones running this OS meet industry standards such as the Common Criteria Security Ceritification AES 4+, a security certification required by over 25 governments worldwide.

However, despite all the measures deployed to safeguard the information flow between devices and networks, Accenture's Goh said the "main threat will always be the end-user".

He noted that all major incidents related to mobile devices over the last three years can be traced back to "process failure and lack of user diligence and understanding".

Mobile threats becoming sophisticated
There are also other external mobile threats to consider. For Ng, the number of attacks designed to exploit a certain OS or platform is directly related to the platform's market share, as malware authors are "out to make money and always want the biggest bang for their buck".

Citing Apple's products as an example, he said the OSX.Iservice Trojan targeting Mac users was a result of the company's rising popularity, and this is a trend that will continue in 2010.

To this end, cybercriminals have used applications such as Snoopware--a spy software commonly used by parents, spouses or employers to spy on people--as a way to remotely access smartphones for eavesdropping into confidential conversations, said Ng.

Meanwhile, "Pranking4Profit" is a class of attacks intended to steal money rather than data from compromised terminals, Ng highlighted. "This type of crimeware uses what is known as 'RedBrowser' to infect the phone and send premium short messaging service (SMS) messages from the device to a Web site that withdraws money from a bank or credit account, before the user or network becomes wise."

Failure to guard against such threats, he said, will lead to three areas of risks: compliancy, data and privacy, and business and network stability. Ng added that if left unprotected, "mobile devices represent the weakest link in an enterprise's IT infrastructure".

Editorial standards