Mobility, Security and the Enterprise: The Equation to Solve
IT departments need to think long and hard before deciding on the right mobile device platform for their business needs.
CONTENTS
The Increasing Impact of Consumerization
The Impact of Mobility on Network Security
Making Smarter Decisions
– Android
– iPhone/iPad
– Microsoft Windows Phone
– RIM
– Symbian
SonicWALL Solutions for Mobile Device Security
Conclusion: Making Smart Choices
Abstract
Smartphones and tablets are everywhere today – equally found in the hands of consumers or the enterprise
community. But for all their apparent user-friendliness, these mobile devices can represent a significant
threat to corporate data. IT departments need to think long and hard before deciding on the right
smartphone platform for their business needs.
The Increasing Impact of Consumerization
The “Consumerization of IT” is an industry-accepted idiom introduced by Gartner® Inc., who reports that the majority of new technologies enterprises currently adopt for their information systems will have roots in consumer applications.i At the same time, because employees now work anywhere at any time and need constant access to key corporate information, they rely upon the same smartphone technology they use in their personal lives to extend their workday and increase efficiency. However, IT can no longer force users to carry one IT-managed smartphone (e.g., RIM® BlackBerry) for work and another consumer device for personal use.
With an ever-increasing percentage of the workforce having grown up using the Internet and mobile phones, more workers feel entitled to greater freedom in selecting their business computing devices, and smartphones are their devices of choice. More than a third of consumers in Western Europe will access the Internet using their mobile phones by 2014.ii Eighty-five percent of Americans age 15-18 own a mobile phone.iii Those now joining the workforce tend to believe that the technology they have at home is better than the one they have at work.iv Among “millennials,” sixty-nine percent will use whatever application, device or technology they want, regardless of source or corporate IT policies. Less than half will stick to company-issued devices. Moreover, a greater percentage compared with older employees will regularly store corporate data on personal smartphones.v This trend will only increase over time.
The power of users now rules the day. IT has effectively lost its ability to constrain the choice of smartphone access in a corporate setting. Further vexing IT administrators is that the scope of the issue continues to expand as new categories of devices are introduced to the corporate network, including devices such as the Apple® iPhone® and iPad®.
A moving target
Face the facts: there will be many rapid changes in smartphone platforms, beyond the control of corporate IT. Administrators must deal with multiple operating system platforms including iOS, Google Android®, Nokia Symbian® and Microsoft® Windows Mobile and Windows Phone 7, with an additional potential for new providers from emerging technology powerhouses such as China. As a result, significant IT investment in securing any particular consumer smartphone platform is practically untenable over time.
IT must take a platform-agnostic approach to smartphones, supporting multiple platforms for their users as well as providing contingency for access continuity. For example, BlackBerry users in certain countries have faced threatened service outages that could have required them to switch to a different platform.vi Consequently, to minimize the risk of regional loss of service, a global business cannot depend solely upon the viability of a single smartphone vendor’s platform, but instead must deploy smartphone solutions that accommodate multiple platforms. The need for platform flexibility could potentially undermine IT controls gained from mandated deployments of single-vendor platforms, such as BlackBerry Enterprise Server (BES).
The burden of juggling support for multiple smartphone platforms can also take IT resources away from
securing other aspects of the network. Ultimately, new business technology should enhance employee
productivity, not overwhelm it. Organizations must bear in mind the impact that individually supporting and
securing multiple smartphone platforms will have upon administrative overhead and total operating costs.
Risk/reward: a complex equation
Perhaps the biggest threat is from users themselves, who increasingly use their mobile devices with scant regard for IT policies; for example, playing games or checking personal webmail while connected to corporate networks. Increasingly, mobile device usage is placing great pressure on corporate network resources, too, especially when users consume high-bandwidth content such as video. According to a study by IDC, people downloaded 10.9 billion mobile apps in 2010 (a figure IDC expects will increase to nearly 76.9 billion by 2014vii), each a potential threat to corporate security.
The combination of these factors presents IT departments with a serious dilemma. On one hand,
smartphones and tablets are simply too powerful and useful for businesses to ignore, empowering users in
completely new ways and enabling them to work far more flexibly and productively. On the other hand, they
are also difficult to deploy securely, adding substantial pressure to technology budgets and resources.
Getting this balance between reward and risk right is a familiar problem for IT managers. Security must be
seen to be enabling the business, rather than holding it back from the rewards many of these new devices
offer. However, mobile devices present them with new challenges. Not least of these is the risk that the IT
department may actually be harming, rather than enabling the business, by imposing overly restrictive
security policies. In order for organizations to obtain maximum benefit from the mobility phenomenon, they
need to think about how much access they can give to the workforce, not how little. That in turn means
making some important decisions about where and how the different mobile platforms really need securing.
The Impact of Mobility on Network Security
Mobile devices are outside of IT control
Smartphones and tablets operate in two worlds: they can connect to the corporate network over wireless, or
bypass the network entirely using mobile cellular connections. This means they might download malware
from the web over 3G/4G, and then disseminate it to the network over the corporate WiFi network.
Transferring data in and out of the corporate network, smartphones are beyond IT control. It is harder for IT
to control what users do with their smartphone devices, and how these devices expose business data to
security threats. Even if IT issues them, any endpoint device that can bypass security measures is insecure.
Data leakage and loss
The proliferation of smartphones in corporate environments creates new and wider potential for data loss and leakage, whether by theft, unauthorized access or unauthorized transmission. Determined professionals can ultimately undermine even “unhackable” smartphone platforms.viii Smartphones may also retain sensitive or proprietary data while connected to the corporate wireless network, then leak it over unsecured cellular to the web—and IT has no recourse. In addition, a growing amount of data loss via smartphones originates within the corporate organization. Whether unintentionally, maliciously or driven by profit, a growing amount of sensitive and proprietary data is lost and leaked via smartphone email attachments and FTP uploads.
Locally resident smartphone data is only as secure as its Subscriber Identity Module (SIM) card. Users lose smartphones more frequently than computers. Smartphone content is more vulnerable to theft by whoever finds the misplaced device, as network access codes, usernames and passwords are often unsecured. Even worse, users often pre-program this sensitive information into the handset for automatic log-on.ix In addition, thieves can thwart attempts by IT to wipe data remotely simply by removing the SIM.
The widespread practice of “jailbreaking,” or opening a phone to customize its features or functionality (such as to overcome restrictions on alternate mobile service carrier networks), also poses a serious security threat. For example, jailbreakers who install Secure Shell (SSH) applications to gain full access to their smartphones often neglect to change the root password, leaving the device open to outside attack. Additionally, jailbroken phones often void smartphone service agreements, and jailbroken systems often go untested in product update development.x Moreover, jailbreakers often resell these compromised devices. A mobile device that can access the network via a corporate wireless access point represents the same kind of threat as any other endpoint. The problem is only different in that a phone or tablet is less likely to be running security software. A somewhat uncommon threat is the possible compromise of a mobile device via its Bluetooth® connection. This requires physical proximity and specific knowledge. However, if the ultimate target is a larger network, this may be worth the effort for a perpetrator.
Malware infection
As their numbers increase, mobile devices become a more lucrative target for criminal attacks. The same threats that plague traditional computer operating systems can affect smartphones and tablets, disseminated in emails, social media sites, games, screen savers, instant messages, slide shows, or in some cases by shady URL-shortening services, which make bogus redirecting links more difficult to identify. One report cites that Android users in mid-2011 were 2.5 times more likely to encounter malware than at the beginning of the year. In particular, DroidDream malware had affected an estimated 250,000 mobile devices.xi
Mobile devices can magnify malware distribution by spam, phishing, pharming and pretexting. Because smartphones and tablets are a more intimate communications channel than a computer, users are more likely to interact with files masquerading as personal communications. Likewise, users cannot as easily detect cues that a website is a false front on a small smartphone screen. Mobile device users have a 30% likelihood of clicking an unsafe link.xii Again, the infection may not be apparent even after perpetration, and may propagate via smartphones across corporate IP networks.
Bandwidth overconsumption
The sheer volume of interactive Web 2.0 and streaming media traffic over smartphones can affect corporate
wireless network throughput. Some of these applications, such as streaming video applications, constantly
evolve to avoid control. In addition, like any web-facing endpoint device running applications over the
network, smartphones present a potential channel for forced denial-of-service attacks.
Making Smarter Decisions
Choosing a mobile device platform that is safe, easy to configure and manage, and that is flexible enough to
meet the needs of employees and senior executives sounds easy on paper. In practice, however, it is one of
the biggest challenges ahead for IT managers.
To be certain that devices are safe, IT departments must design security policies that are invariably a
complex blend of technology and policy. Some aspects of these systems, such as mandatory reporting of
lost or stolen phones, are largely device-independent and are thus relatively straightforward for
organisations to enforce. But others, such as varied access levels depending on device type or control and
optimization of smartphone and tablet traffic across WiFi networks, clearly depend on more-sophisticated
technical insight.
Most analysts agree that enterprises should be able to enforce several basic security features on any mobile
device, including mandatory passwords, over-the-air device wiping capabilities and data encryption on the
device itself. In practice, the choice of the platform itself will determine the effectiveness of the overall policy.
Not all mobile devices are equal, and some vendors make it harder than others to enforce rigorous security protocols and policies.
Android
Google’s Android® operating system has been a huge success with the handset vendor community, attracted by the completely open-source nature of the operating system. Such has been its popularity that Gartner reports that, by the end of 2011, Android will move to become the most popular operating system (OS) worldwide and will build on its strength to account for 49 percent of the smartphone market by 2012.xiii
Although seen initially as a consumer platform (with the added benefit of a less restrictive and more flexible
apps model than the iOS), Google has continually improved security support with successive releases of the
operating system. Google has also added other security features, such as remote wipe and upgraded
password policy enforcement, adding to Android’s appeal to the business community.
iPhone/iPad
Few pieces of technology have garnered as much attention as the Apple® iPhone® and iPad®. The iPhone remains a more popular smartphone choice for discerning consumers in its target markets. Gartner predicts that iOS will remain the second biggest platform worldwide through 2014.xiv While Apple cites the closed, tightly controlled iOS ecosystem as a security benefit, iOS applications can only be distributed, installed and backed up via the Apple App Store℠ and iTunes®. This can affect organizations wishing to maintain control over the way they deploy their own or trusted third-party applications. Apple has become friendlier to enterprise iPhone customers, in particular by supplying VPN capability as standard, enabling access to some features of Microsoft® Exchange and including remote-wipe and automatic device-erasing features.
Microsoft Windows Phone
The latest version of Microsoft’s mobile device operating system, Windows® Phone 7, attracted a great deal of attention following its launch in 2010. Long criticized for the performance and usability of its mobile operating systems, the company’s latest version improves many aspects of the mobile Windows experience, in particular security access features and integration with back-office Microsoft applications that make it a powerful tool for accessing corporate data on the move. Like Apple, however, Microsoft has yet to provide a central console for large-scale management of devices, which limits options for security-conscious IT managers. It is also exclusively dependent on its own version of Apple’s App Store – Windows Phone Marketplace – for installation and distribution of applications, diminishing its appeal to the enterprise customer wishing to deploy apps and data in a carefully controlled manner. Gartner predicts that Nokia will push Windows Phone well into the mid-tier of its portfolio by the end of 2012, driving the platform to be the third largest in the worldwide ranking by 2013. In addition, Windows Phone will account for 19.5% market share by 2015, above Apple’s 17.2%, and account for 215 million worldwide shipments by 2015.xv
RIM
While devices such as the iPhone are trying to make the transformation from consumer to business devices,
RIM is attempting to make exactly the opposite transition. Long favoured by corporate IT departments for its
focus on providing superlative email facilities, RIM’s devices have historically not enjoyed the same degree
of user evangelism as their more glamorous contemporaries. Apps, in particular, were late arrivals. In Q1
2011, there were still approximately 20,000 Blackberry apps in RIM’s app store, a small fraction of the
number offered by iPhone and Android developers. Blackberry’s browser and interface, too, lack the
usability of its main competitors. With 13.4 percent of projected global sales in 2011, however, RIM is clearly
still a force to be reckoned with, especially in corporate markets where its ubiquitous email platform, robust
hardware and excellent battery life all appeal to business users. Perhaps its biggest asset is the Blackberry
Enterprise Server, which gives enterprises advanced central device management and control of security
over the air, a feature unique to date among mobile device vendors. However, as more vendors enter the
email fray, many corporations are now seeing the Blackberry Enterprise Server as one of the more
expensive options in the field.
Symbian
In 2011, 19.2 percent of global smartphone sales (89.9 million units) will be Symbian devices, according to
Gartner. Because of its global distribution, comparatively low-cost hardware and mature software platform,
Symbian has been a hit with many consumers and businesses since its launch. Symbian’s popularity has
occasionally made it a target for malware authors, although the Symbian security model makes it very
difficult for unsigned software to cause damage to phones or data, even if installation is authorized by the
user. Many security features are enabled on Symbian devices (including on-device encryption), while many
others can be capably managed by third-party software both on the device and over the air.
Despite its sales figures and generally reliable performance, Symbian has not captured public imagination in
developed markets in recent years, creating opportunities for other vendors to chip away at its market share.
The most notable of these vendors is Android, whose tremendous growth in 2010 hit Symbian harder than
any other platform. In early 2011, Nokia announced a partnership with Microsoft aimed at reversing this
trend, which will put the Windows Phone 7 operating system (see below) on high-end Nokia smartphones,
offering an additional platform for the IT managers of Nokia customers to support and secure.
SonicWALL Solutions for Mobile Device Security
SonicWALL® Aventail® E-Class Secure Remote Access (SRA) Series, SonicWALL SRA Series for SMB,
and SSL VPN available on all SonicWALL Next-Generation Firewalls deliver easy, policy-driven access to
critical network resources from an extensive range of mobile device platforms, including iOS, Google
Android, Windows Mobile, and Nokia Symbian mobile devices.
The SonicWALL Mobile Connect™ unified client app for iOS provides Apple® iPad®, iPhone and iPod touch users full access to network resources over encrypted SSL VPN connections to ensure confidentiality and data integrity for users outside the network perimeter. Deployed on or with a SonicWALL Next-Generation Firewall, it enables Clean VPN to remove malware from communications relayed through iOS devices. SonicWALL Application Intelligence and Control enables IT to define and enforce how application and bandwidth assets are used whether the user is inside or outside the network. Users can download and install the app easily via the App Store℠, providing secure SSL VPN connections to SonicWALL Aventail E-Class SRA, SRA for SMB or SonicWALL Next-Generation Firewall appliances.
In addition, SonicWALL Aventail Connect Mobile™, when combined with SonicWALL Aventail E-Class SRA
appliances, provides an exceptionally robust remote access solution for Windows Mobile smartphones and
Google Android smartphones and tablets.
Both SonicWALL Mobile Connect and Connect Mobile clients provide an "in-office" access optimized for the
device, combining a seamless network experience for users, along with a single, centrally managed gateway
for mobile access control.
SonicWALL Aventail WorkPlace™ delivers a policy-driven, device-optimized web portal that provides easy access to web-based (including Adobe® Flash® and Oracle® JavaScript) and client/server applications and critical network resources from an extensive range of smartphone platforms, including Windows Mobile, Apple iPhone, Google Android and Nokia Symbian smartphones.
SonicWALL Aventail SSL VPN solutions provide secure ActiveSync® support for access to Microsoft
Exchange email, contact and calendar services from Apple, Android and Symbian mobile platform devices.
SonicWALL Device Identification lets administrators chain a specific smartphone to a specific user, so in the event that phone is lost or stolen, they can quickly revoke corporate access. In addition, SonicWALL Aventail Advanced End Point Control™ (EPC™) offers advanced endpoint detection and data protection for distributed enterprises, by interrogating endpoint devices to confirm the presence of all supported anti-virus, personal firewall and anti-spyware solutions from leading vendors like McAfee®, Symantec®, Computer Associates®, Sophos®, Kaspersky Lab® and many more.
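To make concrete how the baseline controls listed under Making Smarter Decisions (mandatory passcode, on-device encryption, remote wipe) combine with binding a device to a user and revoking its access, here is a gateway-side policy evaluator. It is an added illustration written for this page, not SonicWALL code and not a model of how any SonicWALL product behaves internally; the device attributes, identifiers and decision strings are constructed for the example. It keeps revocation at the gateway on purpose: a device reported lost is cut off immediately, even if its SIM has been pulled and a remote wipe can never be delivered, which is the failure mode the Data leakage and loss section raises.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a gateway can learn from a device at connect time.
    The field names are this example's own, not a real product schema."""
    device_id: str
    passcode_set: bool
    encryption_enabled: bool
    jailbroken: bool


@dataclass
class AccessGateway:
    """Gateway-side state: which device belongs to which user, and which
    devices have been revoked. Revocation lives here, not on the handset,
    so it still takes effect when a lost device cannot receive a wipe."""
    bindings: dict = field(default_factory=dict)    # device_id -> user
    revoked: set = field(default_factory=set)
    wipe_queue: list = field(default_factory=list)  # wipes awaiting delivery

    def bind(self, device_id: str, user: str) -> None:
        """Chain a device to exactly one user; rebinding must be explicit."""
        if device_id in self.bindings and self.bindings[device_id] != user:
            raise ValueError(f"{device_id} is already bound to another user")
        self.bindings[device_id] = user

    def report_lost(self, device_id: str) -> None:
        """Two independent actions: revoke at the gateway now, and queue a
        wipe for whenever the device next reaches the network (if ever)."""
        self.revoked.add(device_id)
        self.wipe_queue.append(device_id)

    def evaluate(self, user: str, posture: DevicePosture) -> tuple:
        """Return (Decision, [reasons]). Every failing control is listed,
        so an administrator sees the whole picture, not just the first miss."""
        reasons = []
        bound_user = self.bindings.get(posture.device_id)
        if bound_user is None:
            reasons.append("unregistered device")
        elif bound_user != user:
            reasons.append("device bound to another user")
        if posture.device_id in self.revoked:
            reasons.append("device revoked (reported lost or stolen)")
        if posture.jailbroken:
            reasons.append("device is jailbroken")
        if not posture.passcode_set:
            reasons.append("no mandatory passcode")
        if not posture.encryption_enabled:
            reasons.append("on-device encryption disabled")
        return (Decision.DENY if reasons else Decision.ALLOW, reasons)


def demo() -> list:
    """Walk one constructed device through its lifecycle; returns the decisions."""
    gw = AccessGateway()
    gw.bind("dev-001", "alice")  # constructed identifiers
    compliant = DevicePosture("dev-001", passcode_set=True,
                              encryption_enabled=True, jailbroken=False)
    outcomes = [gw.evaluate("alice", compliant)[0]]   # ALLOW
    outcomes.append(gw.evaluate("bob", compliant)[0]) # DENY: bound to alice
    gw.report_lost("dev-001")
    outcomes.append(gw.evaluate("alice", compliant)[0])  # DENY: revoked
    return outcomes


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The posture checks are only as trustworthy as the channel that reports them; in practice a gateway would take them from an enrolled management agent or an ActiveSync policy acknowledgement rather than from the connecting client's own say-so, and would log every deny with its reasons so the pattern of non-compliant devices becomes visible.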
SonicWALL is the only provider that solves the challenges of access, security and control with SonicWALL
Clean VPN, Clean Wireless and Application Intelligence and Control. When SonicWALL SRA solutions are
deployed with a SonicWALL Next-Generation Firewall, SonicWALL Clean VPN scans tunnelled traffic to
block malware from using communications as a conduit into the network. SonicWALL Application
Intelligence and Control can allow increased bandwidth for critical applications, while limiting bandwidth for
unimportant or unacceptable traffic.
SonicWALL® Clean VPN™ delivers the critical dual protection of SSL VPN and high-performance Next-Generation Firewall necessary to secure both VPN access and traffic. The multi-layered protection of Clean VPN enables organizations to decrypt and scan for malware on all authorized SSL VPN traffic before it enters the network environment. Clean VPN protects the integrity of VPN access by establishing trust for remote users and their endpoint devices, using enforced authentication, data encryption, and granular access policy. Simultaneously, Clean VPN secures the integrity of VPN traffic by authorizing this traffic, cleaning inbound traffic for malware, and verifying all outbound VPN traffic in real time.
SonicWALL Application Intelligence and Control can maintain granular control over applications, prioritize or throttle bandwidth, and manage website access. Its comprehensive policy capabilities include restricting transfer of specific files and documents, blocking email attachments using user-configurable criteria, customizing application control, and denying internal and external web access based on various user-configurable options. The SonicWALL Application Flow Monitor provides real-time graphs of applications, ingress and egress bandwidth, active website connections and user activity. This visualization capability enables administrators to effectively monitor and revise policy based on critical observations.
In addition, when connecting over WiFi inside the corporate network and scanned by a SonicWALL Next-Generation Firewall, mobile devices adhere to organizational security, app control and content filtering policies.
The SonicWALL Application Traffic Analytics solution is a combination of a SonicWALL Next-Generation
Firewall and one of the software tools in SonicWALL’s suite of traffic flow analysis applications, including
SonicWALL Global Management System (GMS) 7.0, SonicWALL Analyzer or SonicWALL Scrutinizer. The
incorporation of next-generation syslog and IPFIX for application traffic analysis results in granular, flexible
and easy-to-use real-time application level reporting capabilities.