Are Tablets and Smartphones Too Insecure for the Enterprise?

In major businesses today users are asking their IT departments to allow them to use tablets and smartphones, modern computing devices, to make their jobs easier. The advantages of mobile computing seem clear, it is easier to take your work with you on a tablet or smartphone, yet IT departments are resisting. The top concern that IT departments seem to have is "security."

It often seems that "security" is the talisman of IT people. Whenever a new technology is introduce which the IT staff is unsure of they instinctively pull out the sacred word "security" to subdue users and management. The old shamans may not have had to worry about skeptical, young college graduates, but modern IT managers should. IT departments may not be able to placate their user populations with the mystical "security" totem once the number of young people in their organizations reaches a critical mass. So, it may be time to drop the security fetish and put a critical eye toward the problem. Security is a very real concern, but using it as an excuse for inaction is not tenable in the long-run.

Furthermore, IT departments need to drop preconceptions from the PC age and evaluate these new devices on their own merits. The IT departments of major enterprises often mandate the use of firewalls, dedicated security hardware, and antivirus software; this was arguably logical during the reign of PCs, but it may not be a reasonable expectation in the mobile computing era. Critical thinking needs to be applied to the topic.

Let us first look at firewalls. All corporations should have firewalls protecting their network, and most require software firewalls on any device that connects to their network from outside. Instead of simply assuming that firewalls are required on mobile devices, the purpose of software firewalls should be considered. A firewall's primary purpose is to monitor incoming network connections and prevent unauthorized ones. Due to concerns over power consumption, most mobile devices by default do not listen for network connections (aside from cellular connections). If a device does not inherently accept incoming network connections, then there is little purpose to a firewall in this regard. It seems that concerns over unauthorized remote network access to mobile devices could be mitigated by selecting devices which inherently disallow incoming connections, which in means jailbroken iOS (iPhone and iPad) and rooted Android devices should probably not be allowed for enterprise use.

Next, let us consider the enterprise "requirement" of dedicated security hardware such as smart cards. Mobile devices do not allow for the use of smart card readers, but considering reality, this should be less of a detractor from mobile computing. It is common for users to simply leave their smart card in their laptops at all times, users will even cut cards that would otherwise stick out of their laptops. Many corporate devices are useless without the external security devices, users know this and thus like to keep those near their computer. This diminishes the effectiveness of the the security concept. Of course most external security devices also require a password or PIN, but the same effect can be accomplished without the extra hardware. Virtual Private Networking (VPN) capabilities are built in to most mobile computing devices, since they were intended to be used remotely. Digital certificates are also widely supported for mobile devices.

Another concern about mobile computing devices is the lack of antivirus software (or active firewall connection screening). Standard iOS devices (iPhones and iPads) do not have antivirus software available for them, but that is for a very good reason. Apple iOS devices are designed to limit the scope in which an application can operate, they are sandboxed, and background process are generally forbidden. These restrictions make it difficult to create an antivirus program capable of monitoring all aspects of the operating system. But, then again, that is precisely the point. The operating system is designed to prevent applications from leaving their sandbox and doing things that they ought not do. If the operating system is restricting the applications that run on it, then there is less of a reason to insist upon antivirus software to do the same thing. The primary reason to limit background processes is to conserve battery power, but it also has some positive security implications. A jailbroken iOS device would not have this same sort of protection. Android devices allow for the creation of background processes, so they present more opportunities for antivirus vendors as well as malicious code progenitors.

When it comes to physical device security modern mobile devices outperform traditional PC equipment. Like Blackberry devices, Apple iOS devices inherently support remote control features such as provisioning and remote wipe; these features can also be added to Android devices. With PC equipment such as laptops, once a thief has physical control of the device there is little that can be done to prevent them from accessing it's data. Though it is not common, hard drives can be encrypted, but this has to be done before the computer falls into the wrong hands.

This is certainly not an exhaustive list of the security concerns that IT departments have with mobile computing devices, so a decision to allow them on the corporate network should not be based upon this alone. The point of this essay was to encourage critical thinking, paying particular attention to aspects of them which represent a paradigm shift for IT departments.

A dedicated individual can gain access to just about any computing resource, this is true for existing IT infrastructure as well as mobile devices. So, security should always be considered, but only on rare cases should it completely hinder the adoption of new technology. Professional architects and engineers understand that nothing man-made is infallible, the challenge is providing a reasonable amount of safety and security while minimizing costs and inconvenience. Corporate IT departments should strive for a more open and pragmatic approach, lest the next generation of managers grow tired of their obduracy and replace them with people who "get" technology.
Published: 2011-09-20
BloggerCritical ThinkingSecurityTabletSmartphoneAndroidiOS