My recent work has led me to consider the security (or is that lack of security?) associated with mobile devices. One of the things which led to the early success of the Blackberry was without doubt that it was designed to interface to an enterprise infrastructure in a secure and controlled way. Unfortunately for those responsible for security within an organisation, employees are no longer happy to use the provisioned Blackberry device as their sole means of interacting with the organisation's network infrastructure. That of course is not a great surprise: given the choice of using a highly restrictive and (arguably) boring device or using a sexy new smartphone, most of us will go for the smartphone every time.
In many organisations, smartphones have crept into the business with technically adept employees using them to access email and calendar functions without proper control or authorisation. This creates a potential security nightmare, with all manner of devices attaching to the corporate network without any real control. How then should those responsible for security react?
There are two extreme positions which can be taken. The first is to make it clear that anyone using an unauthorised device to access corporate data is in breach of the organisation's security policy, and to use the full force of that policy against any transgressors. The other end of the spectrum is BYOD (bring your own device), allowing any device to access the network. Whilst this second approach is likely to find favour amongst the workforce, it creates some serious vulnerabilities. As is often the case, the best approach lies somewhere in the middle: create a sensible security policy which permits only devices meeting certain specific requirements to be attached to the corporate network.
This of course is easy to say; the real skill lies in the creation and enforcement of a security policy which both protects the organisation and at the same time allows employees the freedom to use the smartphone of their choice. One of the key elements in this is a solid understanding of the risks posed by mobile devices and the controls which can be put in place to provide protection. Unlike the situation with conventional network security, where there is relative stability and some really solid practices which can be applied, the world of mobiles is still evolving rapidly, leaving some security professionals on the back foot.
Which leads me to a relatively new but rapidly evolving resource for mobile device security: The OWASP Mobile Security Project. The OWASP (Open Web Application Security Project) parent project is a well established resource for the developers of Web applications. The Mobile Security Project extends this work into the world of mobile devices. There are many great resources being built as part of this project but perhaps the two most important are:
Taken together, these provide a phenomenal resource to help in the understanding and prevention of security vulnerabilities created by mobile devices.
The Top Ten Mobile Risks document is still in the release candidate phase, so take a look at the associated presentation from AppSec USA 2011, which does a really excellent job of explaining the details of those top-ten risks.
Once you've fully understood the risks and controls identified by the OWASP Mobile Security Project, you'll be in a good position to begin the task of improving security related to mobile devices.