Mobile technologies are taking off in the corporate world, but they continue to lack the security needed to adequately protect corporate data.
There is little doubt that mobile technologies will continue to grow in both the personal and business spheres. However, the mobile world has not learned the security lessons that the traditional IT world has, and so it lacks many of the centralized, vendor-driven security initiatives prevalent in the desktop world. Accenture outlines the issues and suggests principles to inform a rethink of mobile security in the enterprise.
Background
The competitive and productivity benefits of mobile technologies have driven widespread adoption. Smart phone sales roughly doubled in the last quarter of 2010—and four out of every 10 iPhones sold during that period went to users who worked for large corporations. It would appear that tablets are beginning a similarly strong growth curve.
In tandem, connection has become near ubiquitous through Wi-Fi, mobile hotspots, Bluetooth and other networks.
For mobile phone manufacturers, however, security features remain a relatively low priority, forcing employers to worry about how to secure these devices and protect their corporate networks. The security challenge will be broadened as other types of mobile technologies bring new functionalities to business operations, particularly in the machine-to-machine space, which will include remote medical diagnosis, sensors in smart electricity grids and mission-critical military field operations.
Analysis
Traditional software vendors are making progress in improving the security of their products, which is forcing cyber criminals to focus more on mobile devices. However, many organizations are lagging when it comes to mobile security. Mobile devices are prone to being lost or stolen, yet very few are encrypted. Organizations need to identify and classify the information they need to protect and apply an appropriate level of encryption.
In addition, mobile networks typically use open standards and allow interoperability between devices—infection can easily spread in such an environment. Mobile phone manufacturers do not manage and deploy patches centrally as computer vendors do. Tablets, meanwhile, access corporate networks in the same way as laptops, yet lack similar security controls.
Other issues include the freewheeling market for mobile applications, which has no central security standards in place; and the geo-tagging embedded in many mobile devices. Finally, it must be remembered that many of the devices accessing corporate networks start as personal devices, further limiting the IT department’s control over their security features.
Recommendations
The traditional IT focus on securing the perimeter is a paradigm that needs to change as mobility takes hold. Accenture’s experience suggests that the following principles should guide a rethink of enterprise mobile security:
• Address four main layers of security: the network, the device, the application and the back-end system.
• Build a hard-nosed “culture of security.” Strong processes and policies are essential.
• Use carrots as well as sticks to motivate behavior. A careful approach will include incentives to promote secure behavior and a willingness to distinguish accidents from malicious intent.