Accessing your email from your mobile device is only the beginning. Increasingly, corporations’ mobile operations are moving into the enterprise realm. Hackers and malware writers continue to focus on this vector, in addition to the cloud. Fortunately, mainframe tools, plus related solutions such as mobile device management applications, are well prepared to withstand the onslaught.
When IBM banned certain public cloud-based apps such as the file transfer service site, Dropbox, from its employees’ mobile use, Jerry Irvine, CIO of Prescient Solutions and a member of the National Cyber Security Task Force, was not surprised.
“Those types of sites that provide public access to data warehouses or storage are very vulnerable to hacking,” he said. Not only that, he added, they are seen as low-hanging fruit for hackers because they accumulate data from multiple uses and organizations. “Hackers can get data for hundreds, thousands or even tens of thousands of people.”
Not that the mainframe itself is necessarily at peril even if an employee’s device were to become compromised in such a manner. “Because [the mainframe] has been around so long it has one of the highest security ratings of any systems,” Charles King, principal of Pund-IT, said.
Nevertheless, as the mainframe adapts to include cloud-based and mobile-based technologies and policies, these risks must be taken into account, because new applications and devices connected to the mainframe do not have the same stringent controls. Exposure for any component of the enterprise computing infrastructure creates relative risk for the entire infrastructure – and the organization it supports. Call it the “Weakest Link” principle: a secure mainframe can be rendered moot when its data can be copied to unsecured mobile devices, or when weak authentication protocols on mobile devices allow access to the mainframe backend.
And while mainframe technology itself may be seen as the most secure, human error can create vulnerabilities, too, and put a company at risk for significant financial and reputational damage. According to a recent Aberdeen survey, cited by Mobile Enterprise Strategies, the cost of a single mobile-data compliance lapse is estimated at $140,000 at the low end and more than $1 million at the high end.
In terms of calculating the impact of damage to reputation, insurance companies do have formulas for estimating cost based on the nature of an incident, but Founding Father and businessman Ben Franklin may have summed the issue best: “Glass, china, and reputation are easily cracked, and never well mended.”
That IBM, renowned for its internal oversight of IT, reportedly had issues with employees and Dropbox is a telling sign for other companies and their mainframers, Irvine said. “Mobile and cloud are the genies that left the bottle in most cases. Even smart, IT-savvy employees will make mistakes or do things without thinking – like forwarding a work email to a, say, Gmail home account in order to continue to work on something at home.”
And if those emails forwarded to an unsecured home address contain medical records, credit card information, corporate financial details or some other type of sensitive and proprietary information? The exposure could be damaging to an organization at best and fatal at worst.
Irvine said the first step toward preventing such dangerous slips, as IBM illustrated, is to ban certain sites, especially when BYOD practices are in place. Dropbox has become a favorite productivity tool for many employees despite its vulnerability, as hack attacks against the site have shown.
Step two, said Irvine, is deciding at the corporate level whether employee smartphones, BYOD or not, should be permitted to access such sites. “My recommendation is no. Publicly accessible cloud solutions are too dangerous,” he said. A hybrid cloud environment, by contrast, is a safer alternative, he advised, combining publicly accessible infrastructure with tighter security.
But the unfortunate fact is that such blanket statements are difficult to make because of the wide-ranging nature of BYOD. Simply put, most companies are developing strategies and policies as they go along. A recent survey by research firm Information Technology Intelligence Consulting (ITIC) and KnowBe4.com, a Clearwater, Florida, company that specializes in security awareness training, found that 71% of businesses that allow BYOD have no specific policies and procedures in place to ensure security.
Yet, BYOD is taking off – in many different directions, with no one path identified as “best practice.” For example, the survey also found:
- Organizations are split on who takes responsibility for the security of BYOD devices. Some 37% of respondents indicated the corporation was responsible; 39% said the end users were responsible; 21% said both bear equal responsibility; and, the remaining three percent were “Unsure.”
- Presently, 51% of workers use smartphones as their BYOD devices; another 44% use notebooks and ultrabooks, while 31% of respondents indicated they use tablets (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs.
- A 57% majority of respondents said end users purchased and owned BYOD devices, compared with only 19% who indicated the corporation buys and owns them. Another 22% of survey participants said the company and the employees split the cost. The remaining two percent said they decide on a case-by-case basis.
Technology tools can go far toward mitigating some of this disorganization. “Collaborative environments, such as WebSphere, are key to security,” Irvine said. “That tool alone will provide significant amounts of security that generic cloud storage apps will not.”
Also key are mobile device management applications, or, as the category is also called, enterprise mobility management.
IBM offers a unified platform for managing mobile devices and traditional endpoints – IBM® Endpoint Manager for Mobile Devices. Plus, there are a number of other enterprise-quality applications on the market. Aberdeen, for example, follows Sybase’s Afaria, BoxTone, Zenprise, Good Technology and MobileIron, according to Mobile Enterprise Strategies.
A good security check list was recently developed by the Cloud Security Alliance Mobile Working Group in a white paper called “Mobile Device Management: Key Components, V1.0.” It identifies 17 key elements that are critical for organizations to consider for the full-lifecycle security management of mobile devices.
To support the needs of IT professionals looking to manage mobility for the enterprise, SHARE in San Francisco will offer a two-day Mobility Spotlight. Sessions will address taking your enterprise mobile, mobile computing implications for System z security, managing and accelerating mobile app delivery, and more. The current agenda features nearly 12 hours of sessions focused on mobility in the first two days of the conference, followed by additional mobility sessions later in the week.