Editor’s note: This is the third in a three-part series on mobility and the mainframe. It's based on content initially published in the SHARE President's Corner blog. For more, see "Ready, Set, Mobile!" and "Mainframe Goes Mobile."
Are your employees clamoring to access the mainframe via their own devices? It’s certainly doable and might even be a perk for a certain type of employee, but is it wise in terms of security? Sadly, most studies and statistics say no.
A Harris Interactive survey sponsored by ESET, an Internet-security solution provider, found that more than 80 percent of 2,000 surveyed employed adults use some kind of personally owned electronic device for work-related functions.
It also found that:
• Encryption of company data is only happening on about one-third of devices.
• Less than 10 percent of people using their own tablets for work have auto-locking enabled.
• Only 25 percent of smartphone owners using their devices for work have auto-lock.
• Auto-locking with password protection was enabled by less than half of laptop users, less than one-third of smartphone users, and only one in 10 tablet users.
In short, less than half of all devices in the BYOD category are protected by the most basic of security measures. None of this is news to mainframe security administrators. In another survey, Bit9 found that only 26 percent of IT professionals feel the security of their endpoints, including mobile, is effective.
“That number is definitely not surprising,” says Bit9 CTO Harry Sverdlove. “Right now such trends as bring your own device to work and an ever-growing number of new mobile applications have turned security into the Wild West. They are still trying to get their arms around what it all means.”
For the most part, security techniques and practices have not caught up with the way mobile technology is being used in the enterprise and outside of it, by its customers, Sverdlove says. Internal productivity apps are much easier to manage from a security perspective, not surprisingly.
“Simple tasks like using a smartphone to access email are easy to secure. There are companies that essentially build a stovepipe around the data so it is secure and accessible by employees.”
Where the Wild West factor comes in—which also happens to be the point of intersection for the mainframe—is when an enterprise gets fancy with its productivity apps or rolls out a complicated transaction-based application for customers, he says.
Still, it’s important not to oversimplify security issues for even seemingly simple tasks, Sverdlove says. “Each use presents new challenges. For the BYOD issues, you would need, for instance, good data encryption technology to secure documents. Or a company that lets employees access data it has stored in the cloud via their devices will need solid identity access management technology—either dual-factor or multi-factor authentication.”
Audit controls and visibility around login functionality (who is accessing the mainframe via mobile, where and when?) are also important, says Chris Petersen, CTO of LogRhythm. “It is essential to have this information, especially when there is a public app involved,” he says.
But to craft a solid security policy, Sverdlove says, almost every functional area in the company should be involved—IT security, human resources, the legal department, etc. Only with this structure in place will tools like identity access management work best. “There are privacy and legal issues that run straight into BYOD and how corporate data on these devices can be monitored,” he says.
A typical example is a person who uses her own device for work but has also installed medical apps or apps that monitor her financial accounts, Sverdlove notes. A company’s security policy might require it to monitor the device, but if it views data in these apps it could also be setting itself up for a legal challenge. This is one reason companies issue their own devices for employees to use on company time, he adds. If an employee wants to check a bank account from such a device, fine, but he does so knowing there is no expectation of privacy.
Other companies take a more moderate approach, allowing employees to use their own devices but requiring them to sign a waiver that gives IT the right to perform security-related tasks, such as wiping the phone, if necessary, and activating the geo-location function. This approach comes with many nuances. Some policies might specify that if an employee installs a certain type of app, say a gaming app, the controls in place will not allow this employee access to data from his device.
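The baseline controls from the survey above (encryption, auto-lock backed by a password) and the app-category rule described in this paragraph are the kind of device-posture checks an access gateway can evaluate before a personal device reaches back-end data, and the decision is itself the audit record Petersen asks for (who, from where, when, on which device). The following is an added example written for this page, not code from the article, SHARE, Bit9 or LogRhythm; the policy names, device fields, audit-record layout and the device inventory are all constructed for illustration.

```python
"""Posture-based access decision for BYOD devices, with an audit record.

Added example; every field name, policy knob and inventory entry below is
an assumption made for illustration, not a vendor or SHARE artifact.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: app categories a device may not carry while it is allowed
# to reach corporate data (the stricter "no gaming apps" stance in the text).
BLOCKED_APP_CATEGORIES = frozenset({"game", "unknown-source"})


@dataclass
class Device:
    device_id: str
    owner: str
    kind: str                      # "laptop" | "smartphone" | "tablet"
    encrypted: bool                # storage encryption enabled
    auto_lock: bool                # screen auto-lock enabled
    lock_password: bool            # auto-lock backed by a password/PIN
    app_categories: set = field(default_factory=set)


def posture_failures(dev: Device, blocked=BLOCKED_APP_CATEGORIES) -> list:
    """Return the controls the device fails; an empty list means compliant."""
    failures = []
    if not dev.encrypted:
        failures.append("storage not encrypted")
    if not dev.auto_lock:
        failures.append("auto-lock disabled")
    elif not dev.lock_password:
        # Auto-lock without a password is only a screen saver, not a control.
        failures.append("auto-lock not password-protected")
    hits = dev.app_categories & blocked
    if hits:
        failures.append("blocked app categories: " + ", ".join(sorted(hits)))
    return failures


def authorize(dev: Device, source_ip: str, when: datetime,
              blocked=BLOCKED_APP_CATEGORIES) -> dict:
    """Decide allow/deny and emit the audit record: who, when, where, which device."""
    failures = posture_failures(dev, blocked)
    return {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "user": dev.owner,
        "device": dev.device_id,
        "kind": dev.kind,
        "src": source_ip,
        "decision": "deny" if failures else "allow",
        "reasons": failures,
    }


# Constructed inventory mirroring the survey's failure modes (assumed data).
INVENTORY = [
    Device("lap-01", "alice", "laptop", True, True, True, {"email"}),
    Device("ph-02", "bob", "smartphone", True, True, False, {"email", "game"}),
    Device("tab-03", "carol", "tablet", False, False, False, set()),
    Device("ph-04", "dave", "smartphone", True, True, True, {"game"}),
]


def decide_all(blocked=BLOCKED_APP_CATEGORIES) -> dict:
    """Run every inventory device through the gateway; map device_id -> decision."""
    when = datetime(2012, 4, 2, 9, 30, tzinfo=timezone.utc)   # constructed time
    return {
        dev.device_id: authorize(dev, "203.0.113.%d" % (i + 1), when, blocked)["decision"]
        for i, dev in enumerate(INVENTORY)
    }


if __name__ == "__main__":
    for dev in INVENTORY:
        print(authorize(dev, "203.0.113.1",
                        datetime(2012, 4, 2, 9, 30, tzinfo=timezone.utc)))
    # The more permissive policy from the text: games may coexist with data.
    print(decide_all(blocked=frozenset()))
```

Passing `blocked=frozenset()` models the more lenient policy discussed next, where a game can sit beside corporate data; the encryption and password-protected auto-lock checks still apply, so a device such as the unencrypted tablet in the sample inventory is denied under either policy. Keep the returned record even on allow: the deny reasons are useful to the help desk, and the allow records are the "who, where and when" trail the article calls for.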
Other policies may be even less restrictive, allowing, say, Angry Birds to coexist peacefully beside corporate data. The trick, in this case, is to make sure employees have not downloaded malware designed to infiltrate a database to steal customer data or otherwise wreak havoc. Indeed, in April, security firm Sophos reported malware-infected editions of the "Angry Birds Space" game that had been found in unofficial Android app stores. The Trojan horse looks like a fully functional version of the game, but installs malicious code on the device.
This isn’t the only malware aimed at mobile users, but it’s notable given Angry Birds’ popularity. (“I have seen more than one CEO with a version of the game on his mobile device,” Sverdlove says.)
No matter what vector or ruse is used to trick an employee into downloading malware onto a device, the ending is almost always the same. Once it is installed, cybercriminals are just one or two keystrokes away from the mother lode of sensitive corporate data.
In short, the security piece is complicated, as it always is—and never completely failsafe. As a first step, mainframe security administrators can put stringent controls and safeguards in place for mobile devices. They should then participate in discussions and dialogue to help build best practices in conjunction with industry experts.
These risks, of course, are part and parcel of the mobile business case. Allowing employees to use their own devices and rolling out mobile apps to customers both have advantages. An enterprise must ask itself, however, whether those advantages outweigh the possible exposure to attacks. If the answer is “yes,” what are the best practices that can minimize the security exposure while still maximizing freedom of choice in how and where to access information? These are areas of discussion in which SHARE is acting as the facilitator and providing thought leadership.
Erika Morphy has been writing about the business impact of technology for 20 years, covering finance, mobility, transportation, the supply chain, Web 2.0, enterprise software/cloud computing, online privacy issues, identity theft and online security.