Securing the mobile workforce


The rising tide of mobile computing, driven by the introduction of consumer devices such as the iPhone and iPad, is crashing against the shores of many an IT shop. Most IT organisations have lived on a diet of corporate policy restrictions and liberal use of the word "No!" unfortunately their time has come.

IT can no longer simply ignore the tsunami of remote intermittently connected computing devices that are used by the masses to access corporate resources, especially those that reside within and provided through a shared service or infrastructure (think *aaS or cloud-computing).

No doubt these devices offer tremendous benefits to productivity, real-time information exchange and increased efficiencies throughout the value chain, but IT has been quite leery of their use as officially supported computing platforms and they have every right to be concerned as these devices are not built for the enterprise, they do not have an eco-system of technologies that support them, and most organisation are still challenged to manage traditional computing devices, such as desktops and servers, that reside within their infrastructure.

As the corporate network now extends beyond the perimeter the risk is clear...

A day in the (Risky) life of an executive’s mobile computing device:

  • 8am – Checks email from home before flight to partner meeting. Prints out boarding pass on airline website then clicks on ad with drive-by-download (THREAT #1)
  • 10am – Views latest football scores on mobile phone. Tries to disable security setting that prevents a Flash plug-in from running – since the website uses Flash. (THREATS #2 and #3)
  • 11:30am – Connects to partner network to provide presentation and product demo. Unfortunately, one of the gaming applications that his kids installed last weekend launched an IRC bot that tries to send IRC packets onto partner network (THREAT #4)
  • 2pm – Leaves mobile phone at restaurant. Contains email addresses for all contacts as well as architectural design plans for the next release of their product. (THREAT #5)
  • 6pm – After checking into his hotel room, tries to download an animated screensaver that he thinks kids will like. It contains a number of dangerous spyware programs including one of which opens up a backdoor on his laptop. (THREAT #6)

Managing security for the mobile workforce requirements:

  • “Macro” and “micro” visibility –What’s on my (extended) network? –How are my (managed, yet roaming) computers configured? –What services are they accessing in the cloud? Should they be?
  • Location-aware, OS-aware policies –Precise, targeted control (take bandwidth into consideration) –Get updates there, now
  • Synch up assessment and remediation – regardless of location –Reduce gaps in coverage –Immediate remediation becomes critical

Bottom Line: Managing mobile computing devices is no longer a discussion or a nice to have it MUST be done.

  • IT organisations need to know what they own and what their users (who have been granted authenticated rights to access corporate resources) own. Visibility is your most effective security tool.
  • You have a distributed workforce, whether you like it or not, make sure your IT organisation can manage these resources
  • Simplify and consolidate your management infrastructure
  • You cannot control your users, but your systems management tools should be able to control their computing devices - anywhere they roam

"Recommended For You"

Road warriors remain a security risk say IT staff RSA Conference 2012: Emerging security operations, compliance and risk management concerns