
Supporting smartphones in your enterprise

If you haven't heard, there is a new smartphone entering the market tomorrow, June 29th. Apple has publicly stated a goal of selling 10 million iPhones in 2008. In the larger world of the smartphone market, 10 million total iPhones is not a huge market share. According to market analysis data shared by Symbian, Gartner says that in 2006, 72.9 million smartphones were shipped. This is a 50% increase over 2005. What you should be concerned about is the expected rapid penetration of all smartphones. Canalys predicts global shipments of smartphones to reach 1 billion by 2012. That's 1 billion handheld devices with gigs of storage, a USB connector, a Bluetooth interface and connectivity to cellular as well as wifi networks. Moore's law aside, nobody could have predicted that those 1980s-era big black box cell phones would morph into a pocket-sized computing platform rivaling most computers of just 10 years ago.

If someone in your organization hasn't already asked your IT team to support one of these devices, then chances are they already exist and you've chosen to ignore it. Here is your two-by-four smack to the behind. If Apple's market penetration of the iPod is any predictor of the iPhone, then you can easily anticipate the thundering herd. You can either choose to embrace the change, fight it or ignore it. As a security professional, I suggest a skeptical embrace of the iPhone. And toward the overall goal of supporting smartphones in your enterprise, I suggest four top-line items for you to consider.

1 Embrace the Need
No matter how much you may want to think that a zero-tolerance policy keeps these devices away from your networks and company intellectual property, you must learn to accept the truth. There are smartphones, iPods and USB drives in your offices. There is employee, vendor and customer information residing on unapproved storage media. Don't ignore the requests for IT to support handheld devices; choose to be proactive. Investigate the options available; speak with your users and vendors to find a palatable solution.

2 Centralized, Supportable, Risk Mitigation
While you are investigating your options, think: centralized, supportable and risk mitigation. Like any good enterprise deployment, you want the biggest win with the least amount of overhead. Consider a solution that can be centrally managed and works within your existing, supported infrastructure. Make sure that you can support the system with an SLA that you, your users and your managers can accept. Furthermore, adding service for smartphones may increase the risk posture for your company or for other business units, customers and vendors. It's important to consider the possible risk side effects. Those who are process oriented may want to include the services in an information risk analysis and the company business impact analysis.

3 Entry and Exit
Networks are no longer the classic cloud protected with a pinprick of an opening and a T1 to the Internet. Not only may we have hundreds of approved ingress and egress points, but there is also an unknown, possibly dynamic, number of other holes. The advent of software VPNs, wireless LANs and now handheld devices aware of multiple network interfaces is turning networks into moldy Swiss cheese. One item to address -- your wifi networks. If you haven't locked down your wireless networks, do so now. Make sure those wireless networks are, first, outside your corporate LAN and, second, require encryption, authentication and authorization before anyone can make use of them.

4 A Policy is Like Poker
Make a policy, stick to your guns, but know when to fold your cards. Not unlike the familiar Windows Active Directory group policies, an enterprise-caliber smartphone solution allows security teams to create and push policies that affect the functionality and security of the devices. You'll want to invest in a solution allowing you to centrally manage these policies, while also allowing reporting, logging and control of smartphone activity. In developing that policy, consider methods to protect confidential data in transit and at rest. Just a few include data encryption, password protection, remote data wiping and over-the-air data backup. Policies do solve a need, but be aware that one must always consider the balance between security and productivity. If your smartphone policy automatically locks the device after 1 minute of idle usage, users will quickly become angered at having to type the unlock password countless times throughout the day.

Even if this isn't your wake-up call, it may be time to readdress your security posture when it comes to smartphones. Hopefully, these 4 items will guide you and your enterprise to a more comfortable place.

Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.
Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP) and a member of FBI InfraGard.

About

This page contains a single entry from the blog posted on June 28, 2007 10:03 AM.