By any measure, mobility in the enterprise—both how it is used internally and how it is used to reach out to customers—is a major paradigm shift, nothing less than representing the future of computing. The mainframe, often perceived as IT’s “old guard,” is playing a key role in this shift, sometimes in surprising ways. In a three-part blog series, we examine how and where mobility and the mainframe meet, how they complement one another, and occasionally, where they clash.
In this final post, we look at mobile security issues.
Employees clamoring to access the mainframe via their own device? It is certainly doable (see blog post “Many Still at the Starting Gate with BYOD, Mobile Productivity”) and may even be a perk for a certain type of employee, but is it wise in terms of security? Sadly, most studies and statistics say no.
A Harris Interactive survey sponsored by ESET, an Internet security solution provider, found that more than 80 percent of 2,000 surveyed employed adults use some kind of personally owned electronic device for work-related functions.
It also found that:
- Encryption of company data is only happening on about one third of devices.
- Less than 10% of people currently using their own tablets for work have auto-locking enabled.
- Only 25% of smartphone owners using their devices for work have auto-lock.
- Auto-locking with password protection was enabled by less than half of laptop users, less than a third of smartphone users, and only one in ten tablet users.
In short, less than half of all devices in the BYOD category are protected by the most basic of security measures.
None of this is news to mainframe security administrators. In another survey, Bit9 found that only 26 percent of IT professionals feel that the security of their endpoints, including mobile, is effective.
“That number is definitely not surprising,” says Bit9 CTO Harry Sverdlove. “Right now such trends as Bring Your Own Device to Work and an ever-growing number of new mobile applications have turned security into the Wild West. They are still trying to get their arms around what it all means.”
For the most part, he says, security techniques and practices have not caught up with the way mobile technology is being used in the enterprise and outside of it, by its customers.
The former—internal productivity apps—are much easier to manage from a security perspective, not surprisingly, he says.
“Simple tasks like using a smartphone to access email are easy to secure. There are companies that essentially build a stovepipe around the data so it is secure and accessible by employees.”
Where the Wild West factor comes in—which also happens to be the point of intersection for the mainframe—is when the company gets fancy with its productivity apps or rolls out a complicated transaction-based application for customers, he says. (See blog post “Opening the Mainframe to the Customer’s Mobile Device”).
Still, it is important not to oversimplify security issues for even seemingly simple tasks, Sverdlove says. “Each use presents new challenges. For the BYOD issues, you would need, for instance, good data encryption technology to secure documents. Or a company that lets employees access data it has stored in the cloud via their devices will need solid identity access management technology—either dual-factor or multi-factor authentication.”
Audit controls and visibility around login functionality—who is accessing the mainframe via mobile, where and when—are also important, says Chris Petersen, CTO of LogRhythm. “It is essential to have this information, especially when there is a public app involved,” he says.
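The “who, where and when” visibility described above, as an added example that is not part of the original post: a small Python script that parses a constructed login log for a mainframe-facing mobile service, builds a per-user summary, and flags two patterns a security administrator would want surfaced, off-hours logins through the public app and one user appearing in two countries within a short window. The log format, field names, business-hours window and sample events are all assumptions made for the illustration.

```python
"""Added example (not from the original post): a minimal audit view of mobile
logins to a mainframe-facing service, answering "who, where, when".
Log format, field names and sample events are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp | user | channel | source_country | result
SAMPLE_LOG = """\
2012-06-04T08:12:03Z | jdoe | mobile-internal | US | SUCCESS
2012-06-04T08:40:19Z | asmith | mobile-public | US | SUCCESS
2012-06-04T02:55:41Z | asmith | mobile-public | BR | FAILURE
2012-06-04T03:01:10Z | asmith | mobile-public | BR | SUCCESS
2012-06-04T09:15:00Z | bwong | mobile-internal | US | SUCCESS
2012-06-04T22:30:45Z | jdoe | mobile-public | US | SUCCESS
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, an assumed policy window


def parse_log(text):
    """Turn the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, channel, country, result = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "channel": channel, "country": country, "result": result,
        })
    return events


def who_where_when(events):
    """Per-user summary of successful logins: countries seen, channels used, first and last time."""
    summary = defaultdict(lambda: {"countries": set(), "channels": set(), "first": None, "last": None})
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        s = summary[e["user"]]
        s["countries"].add(e["country"])
        s["channels"].add(e["channel"])
        if s["first"] is None or e["ts"] < s["first"]:
            s["first"] = e["ts"]
        if s["last"] is None or e["ts"] > s["last"]:
            s["last"] = e["ts"]
    return dict(summary)


def flag_events(events, window=timedelta(hours=6)):
    """Flag successful logins worth a second look: off-hours access through the
    public app, and the same user logging in from two countries within `window`."""
    flags = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "SUCCESS":
            continue
        if e["channel"] == "mobile-public" and e["ts"].hour not in BUSINESS_HOURS:
            flags.append((e["user"], e["ts"], "off-hours public-app login"))
        for prev in by_user[e["user"]]:
            if prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
                flags.append((e["user"], e["ts"],
                              f"country change {prev['country']}->{e['country']} within {window}"))
                break
        by_user[e["user"]].append(e)
    return flags


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, s in who_where_when(evs).items():
        print(user, sorted(s["countries"]), sorted(s["channels"]), s["first"], s["last"])
    for user, ts, why in flag_events(evs):
        print("FLAG", user, ts, why)
```

Failed logins are kept in the parsed data but excluded from the summary and the flags, so the raw record stays available for a closer look while the administrator's first view shows only what actually got in.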
But to craft a solid security policy, Sverdlove says, almost every functional area in the company should be involved—from IT security to human resources to the legal department. Only with this structure in place will tools like identity access management work best.
“There are privacy and legal issues that run straight into BYOD and how corporate data on these devices can be monitored,” he says.
A typical example, he says, is a person who uses her own device for work but also has uploaded medical apps or apps that monitor her financial accounts. A company’s security policy might require it to monitor the device—but if it views data on these apps it could also be setting itself up for a legal challenge.
This is one reason why companies issue their own devices for employees to use on company time, Sverdlove says. If an employee wants to check on his bank account from the device, fine—but he does so knowing there is no expectation of privacy.
Other companies take a more moderate approach, allowing employees to use their own devices but having them sign a waiver giving IT the right to perform security-related tasks, such as wiping the phone if necessary and activating the geo-location function.
This approach comes with many nuances. Some policies might specify that if an employee installs a certain type of app, say a gaming app, the controls in place will not allow this employee access to data from his device.
Other policies may be even less restrictive, allowing, say, Angry Birds to co-exist peacefully beside corporate data. The trick in this case is to make sure that employees have not downloaded malware designed to infiltrate a database to steal customer data or otherwise wreak havoc.
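The policy spectrum described in the preceding paragraphs, as an added example that is not part of the original post: a Python access check that evaluates a personal device against the controls the post names (encryption of company data, auto-lock with a passcode, a signed waiver, and a rule on installed app categories), with a strict variant that blocks gaming apps and a moderate one that lets them co-exist with corporate data. The device fields, policy settings and sample devices are assumptions made for the illustration.

```python
"""Added example (not from the original post): evaluating a BYOD access policy
against a device's reported posture. Field names, policy settings and sample
devices are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Device:
    owner: str
    encrypted: bool          # company data on the device is encrypted
    auto_lock: bool          # device locks itself after inactivity
    passcode: bool           # unlocking requires a passcode
    waiver_signed: bool      # owner granted IT wipe/locate rights
    app_categories: set = field(default_factory=set)


@dataclass
class Policy:
    require_encryption: bool = True
    require_auto_lock_with_passcode: bool = True
    require_waiver: bool = True
    blocked_categories: set = field(default_factory=set)


def evaluate(device, policy):
    """Return (allowed, reasons). Every failed control is reported, not only the first,
    so the owner can fix all of them in one pass."""
    reasons = []
    if policy.require_encryption and not device.encrypted:
        reasons.append("company data on device is not encrypted")
    if policy.require_auto_lock_with_passcode and not (device.auto_lock and device.passcode):
        reasons.append("auto-lock with passcode not enabled")
    if policy.require_waiver and not device.waiver_signed:
        reasons.append("no signed waiver granting IT wipe/locate rights")
    blocked = device.app_categories & policy.blocked_categories
    if blocked:
        reasons.append("blocked app categories installed: " + ", ".join(sorted(blocked)))
    return (not reasons, reasons)


# Two policy variants from the post: strict (no gaming apps) and moderate (games allowed).
STRICT = Policy(blocked_categories={"games"})
MODERATE = Policy()

# Constructed sample devices.
WELL_MANAGED = Device("jdoe", encrypted=True, auto_lock=True, passcode=True,
                      waiver_signed=True, app_categories={"games", "banking"})
UNPROTECTED = Device("asmith", encrypted=False, auto_lock=True, passcode=False,
                     waiver_signed=True, app_categories=set())


if __name__ == "__main__":
    for dev in (WELL_MANAGED, UNPROTECTED):
        for name, pol in (("strict", STRICT), ("moderate", MODERATE)):
            allowed, why = evaluate(dev, pol)
            print(dev.owner, name, "ALLOW" if allowed else "DENY", why)
```

The same device passes the moderate policy and fails the strict one solely because of its gaming app, which is the nuance the post describes; a device missing the basic protections from the survey fails both regardless of what else is installed.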
Indeed, in April, security firm Sophos told of malware-infected editions of the "Angry Birds Space" game that had been found in unofficial Android app stores.
The Trojan horse looks like a fully-functional version of the game, but installs malicious code on the device.
This is not the only malware aimed at mobile users, but it is notable given Angry Birds’ intense popularity (“I have seen more than one CEO with a version of the game on his mobile device,” Sverdlove says.)
No matter what vector or ruse is used to trick an employee into downloading malware onto a device, the ending is almost always the same. Once it is installed, cybercriminals are just one or two keystrokes away from the mother lode of sensitive corporate data.
In short, the security piece is complicated, as it always is—and never completely failsafe. The best the mainframe security administrator can do is put stringent controls and safeguards in place and participate in crafting the company’s first line of defense, its IT security policy.
These risks, of course, are part and parcel of the mobile business case. Allowing employees to use their own mobile devices has its advantages. Ditto, to an even greater degree, the rollout of a mobile app to customers. The company must ask itself, though, do those advantages outweigh the possible exposure to hack attacks? If the answer is yes, what are the best practices that can minimize security risks as much as possible, while still maximizing mainframe operations? These are areas of discussion in which SHARE is acting as the facilitator, and providing a great deal of thought leadership.
Once those questions are answered, to the extent they can be, mainframe operators and IT security might want to look further afield at the industry and vendor community. Are they doing all they can to help secure the mainframe and its intersection with mobile? Better management tools are always welcome, no more so than now as hack attacks zero in on mobile devices.