Securing the Mobile Workforce

The rising tide of mobile computing, driven by the introduction of consumer devices such as the iPhone and iPad, is crashing against the shores of many an IT shop. Most IT organizations have lived on a diet of corporate policy restrictions and liberal use of the word “No!”, unfortunately their time has come.

IT can no longer simply ignore the tsunami of remote intermittently connected computing devices that are used by the masses to access corporate resources, especially those that reside within and provided through a shared service or infrastructure (think *aaS or cloud-computing).

No doubt these devices offer tremendous benefits to productivity, real-time information exchange and increased efficiencies throughout the value chain, but IT has been quite leery of their use as officially supported computing platforms and they have every right to be concerned as these devices are not built for the enterprise, they do not have an eco-system of technologies that support them, and most organization are still challenged to manage traditional computing devices, such as desktops and servers, that reside within their infrastructure.

The risk is clear though as organizations must manage and secure a large, complex, and globally distributed, remote, and mobile computing environment all accessing corporate assets in and outside the corporate network; The loss of visibility and control again forces them to look to how they can better maintain the health and security of their mobile computing environment – the endpoints that require access to corporate resources that are housed inside of the corporate network and in the “cloud”

A day in the (Risky) life of an executives mobile computing device:

• 8am – Checks email from home before flight to partner meeting.  Prints out boarding pass on airline website then clicks on ad with drive-by-download (THREAT #1)
• 10am – Views latest football scores on mobile phone.  Tries to disable security setting that prevents a Flash plug-in from running – since the website uses Flash.  (THREATS #2 and #3)
• 11:30am – Connects to partner network to provide presentation and product demo.  Unfortunately, one of the gaming applications that his kids installed last weekend launched an IRC bot that tries to send IRC packets onto partner network (THREAT #4)
• 2pm – Leaves mobile phone at restaurant.  Contains email addresses for all contacts as well as architectural design plans for the next release of their product.  (THREAT #5)
• 6pm – After checking into his hotel room, tries to download an animated screensaver that he thinks kids will like.  It contains a number of dangerous spyware programs including one of which opens up a backdoor on his laptop.  (THREAT #6)

Managing security for the mobile workforce requirements:

• “Macro” and “micro” visibility –What’s on my (extended) network? –How are my (managed, yet roaming) computers configured? –What services are they accessing in the cloud?  Should they be?
• Location-aware, OS-aware policies –Precise, targeted control (take bandwidth into consideration) –Get updates there, now
• Synch up assessment and remediation – regardless of location –Reduce gaps in coverage –Immediate remediation becomes critical

Bottom Line: Managing mobile computing devices is no longer a discussion or a nice to have it MUST be done.

• IT organizations need to know what they own and what their users (who have been granted authenticated rights to access corporate resources) own. Visibility is your most effective security tool.
• You have a distributed workforce, whether you like it or not, make sure your IT organization can manage these resources
• Simplify and consolidate your management infrastructure
• You cannot control your users, but your systems management tools should be able to control their computing devices – anywhere they roam