Alexei Lesnykh, Smartline: The Impact of the Consumerization of IT on IT Security Management
February 2008 by Alexei Lesnykh, Smartline
Driven by the proliferation of high-end consumer technology such as PDAs, MP3 players and Smartphones, we have seen increasing adoption of consumer technology in the corporate environment. The age of consumerization of IT, defined by Douglas Neal, Research Fellow at CSC’s Leading Edge Forum, as the blurring of lines between corporate IT and consumer technology, is well and truly upon us. Thanks to the fundamental growth of endpoint device capabilities and the corresponding changes in security threat profiles, this new era has significant ramifications for the management and enforcement of corporate IT.
Consumerization goes mobile
Today’s personal mobile devices (smartphones and PDAs) have already been proven to increase personal and employeee productivity. Despite a rather limited range of mobile applications and services being used in typical corporate environments – mostly email, IM and, less frequently, Presence Awareness – the use of smartphones is becoming increasingly commonplace in mid to large sized organizations. According to a recent report from Osterman Research, 15 per cent of the corporate workforce used employee-supplied mobile devices in 2007, and a survey from TechTarget forecasts that this figure will exceed 25 per cent in 2008. Recent technology advancements including the chip makers’ continued confirmation of the full validity of Moore’s Law, suggest that IT consumerization is only going to become more widespread.
The world is entering an age of ubiquitous mobile broadband connectivity: a global proliferation of Wi-Fi; the fast-growing commercial deployment of 3G/HSPA networks; and the “injection” of Mobile WiMAX by Intel’s fifth-generation processor platform, Montevina, which promises to enable WiMAX for 750 million people by 2010. With the new generation of SoC platforms, ignited by Intel’s invasion of the mobile SoC market, and the subsequent explosive growth of enterprise-class mobile applications, the world is going ‘ultra mobile.’
The consumobilized threat (consumerized mobile threat )
The consumerization of corporate IT will soon mobilize the entire corporate workforce, with everyone using either company-supplied or individually-owned mobile devices or MIDs. The Yankee Group predicts that this will lead to Zen-like co-operative IT management models being deployed to maximize employees’ productivity.
But from an IT security perspective, the task of managing ‘rogue’ or disgruntled employees in a consumobilized enterprise will become a real art – especially as a high degree of co-operative behavior and self-discipline will be expected and required from all employees including those who are discontented, malicious, negligent, or forgetful. In this way, the very same technology advancements and social trends that drive the progress of consumerization will also cause a sharp increase in information security risks for the enterprise, based on the development of ‘production quality’ mobile malware, and – to an even larger extent - the growth of corporate data leakage from and through employees’ mobile devices.
The typical size of a mobile device’s removable flash memory (currently 4 - 8GB) is already sufficient for storing and running a standard Operating System. The significant increase in mobile internet devices (MIDs) computing ability, together with a tenfold drop in their power consumption, has already triggered rapid mobile OS and application industry growth, making the development of ’commercial’ mobile malware extremely profitable. From its current stage of proof-of-concept prototypes, this mobile malware will very quickly move to a “production-quality” stage, thus increasing the probability of attacks to mobile devices and their infection.
How soon this happens really depends on how quick and dedicated the mobile OS vendors will be in their efforts to control this emerging market. Although, realistically, it is unlikely that we will see any impact before the end of 2009 because the ‘target market’ for commercial malware needs to be mature enough to justify investment in their ‘product’ development.
Conversely, the threat of corporate data leakage through personal mobile devices is unavoidable and immediate. Unavoidable because certain features of human nature will not change: since there is no ultimate cure for accidental errors, negligence or malicious intent, mobile devices will continue to be lost and stolen. Immediate because nothing new is required for exercising the threat and it is happening right now. So what is the scale of this threat, as we enter the early stages of IT consumerization? The figures make for unpleasant reading. In-Stat has estimated that over eight million mobile devices went missing in the US in 2007; and for Smartphone users, the people with the most access to sensitive information, the probability of loosing a device was 40 per cent higher. According to the 2007 CSI Computer Crime and Security Survey, seven per cent of total financial losses incurred by US corporations from IT security incidents were related to the loss of proprietary or confidential data resulting from mobile device theft.
Projecting these figures onto the latest predictions on mobile device market growth made by Tim Bajarin, President of Creative Strategies, one can anticipate an alarming figure of about five and 14 million Smartphones being lost in 2008 and 2010 respectively. This will equate to about 14 per cent of the total financial losses caused by attacks on corporate IT resources in 2008, rising to 21 per cent in 2010.
Mobile encryption is not enough
Every instance of data leakage through a mobile device is a two-step process: firstly, uncontrolled data transfer from a corporate server/host-based resource to the device and, secondly, further unauthorized transfer of this data from the device to the outside. To mitigate this efficiently, existing Data Leakage Prevention (DLP) solutions for mobile devices include two layers of defense. Firstly, DLP components residing at servers, PCs or dedicated network appliances prevent data leaking from the corporate resources to the mobile devices by intercepting and filtering data in all communications channels used by those devices. Secondly, device-resident infosecurity components should prevent data from uncontrollably leaking from the mobile devices. Reviewing the functions of security components running on mobile devices, it appears that there is currently only one truly effective mechanism that directly prevents data leakage – the device-resident encryption. Typically implemented as ‘file/volume encryption’ or ‘whole device encryption’, it blocks access to encrypted files and other objects stored in the memory of stolen or lost devices, as well as removable memory cards.
Security vendors also tout remote data wiping as an additional mechanism for preventing data leakage from missing mobile devices. However, realistically, this should not be considered as a reliable means of protection as any cyber thief will immediately remove the memory card of the stolen device for analysis on a ‘failproof’ device. All other device-resident security components – FW, VPN, device/port control, anti-virus/anti-malware, IDS, application control, NAC, user/device authentication – are not designed for informational data and type filtering and, therefore, cannot be used to determine whether outbound traffic contains any leak to block. As for anti-spam device components, they work in the opposite direction, filtering data coming in rather than preventing the downloading of unsolicited data to the device.
Although cryptographic solutions like “whole device encryption” could completely eliminate data leakage from stolen or lost mobile devices, they are not a DLP panacea for mobile devices. This is because applications use data in RAM rather in plain, decrypted form; so nothing prevents users from deliberately or accidentally sending plain data to an external destination from within an opened network application like email, web-browser, or instant messaging (IM). As a result, a negligent employee could forward an email with order delivery instructions to a subcontractor without noticing that the attachment to the email contains clients’ personal data that should not be revealed to third parties. The only way to achieve truly encryption-based protection against mobile data leaks would be in a physically isolated intranet-type system without any external communications at all. However, this scenario is useless to any business or public sector organization as their operations are inherently based on external communications.
According to Deloitte & Touche and the Ponemon Institute about 45 per cent of US businesses do not use encryption to protect their data. However, in the consumerized corporate future, because of employees’ privacy concerns, the percentage of personal mobile devices without protection by employer-supplied encryption solutions is likely to be much higher.
Without underestimating encryption as the most effective security technology for preventing data leakage from mobile devices today, it should be acknowledged that once the data gets to the device there is, and always will be, a high risk of it being uncontrollably leaked to the outside. This is why, for the foreseeable future, a critically important layer of corporate defense against mobile data leaks needs to be the intelligent control over data delivery channels to the mobile device.
Gone with the sync
Mobile devices can basically import data through three channel types: network applications, removable memory cards, and local connections to PCs. Today, there are numerous products and solutions on the market for preventing data leakage to mobile devices through network applications such as email, web-browsing, file transfer, web-mail and instant messaging. Implemented as server-side components or dedicated network appliances that use well-developed data and file type filtering as well as content-based filtering technologies, these solutions have proven to be highly effective for fighting data leaks and ensuring users’ compliance with applicable security-related legislation and industry standards.
These data filtering technologies have already been integrated with several host-based endpoint device/port control products available today, so the data uploaded from PCs to removable memory cards is intercepted and filtered to block detected leaks. Importantly, these DLP solutions are based on underlying protocol parsing techniques for the most popular network applications, and intercepting file system calls from some office applications.
However, the synchronization of local data between mobile devices and PCs is implemented by very specific applications that do not use network application protocols, and do not interact with office applications. Technically speaking, this means that no existing file type detection or content-based filtering solution can control data flow through local connections from PCs to mobile devices and the only possible method of preventing data leakage through local sync currently is to completely prohibit it at device or local port-type level on the concerned PC. This means that any company concerned with uncontrolled data leakage though mobile devices should prohibit their employees from synchronizing data between corporate PCs and mobile devices. This is obviously unacceptable, even today, since it would completely block the use of mobile devices in the business.
The problem is that if local syncs are allowed – as is the case in most organizations today – then every click on a “Sync” button means that highly valued corporate data may be potentially transferred to a personal mobile device without any way of controlling or tracing it. Weakly protected local sync communications already constitute a serious security issue for organizations. In the future, as consumerization progresses, this issue could grow into a major security problem and business risk. This is why developing a comprehensive DLP solution for local sync connections of mobile devices needs to be urgently addressed by the infosecurity industry.
Developing the solution
So what should the security industry be doing to address the mobile security threats brought about by IT consumerisation? The key part of the architecture for preventing data leakage needs to be local sync parsing. The local sync data leakage prevention architecture should be built as a stack of integrated security mechanisms including bottom-up endpoint device/port control, local sync application parsing, file type filtering, and content-based filtering technologies. In addition, a central policy-based management console integrated with a major systems management platform, comprehensive centralized logging, reporting and evidence enablement components need to be put in place. Every layer of the architecture controls those parameters of a local connection it is designed to deal with by blocking or filtering prohibited elements out, and detecting and marking the types of objects to be controlled by a higher-layer architecture component to which the classified data flow is then passed for further processing.
The device/port control component of the architecture is responsible for detecting and controlling the presence of a locally connected mobile device, the type of connection interface or port type, device type and ideally the device model and its unique ID. The output can then be passed to the local sync parsing component, which parses the sync traffic, detects its objects (e.g. files, pictures, calendars, emails, tasks, notes, etc.) filters out those prohibited, and passes allowed data up to the file type filter. The file type filtering component checks the input flow, deletes those files not allowed, and filters information data to detect and block the pieces of human-understandable data failing to comply with the corporate security policy.
Sync parsing is the most important “piece of cake” to develop because the rest of the required enforcement components are already available on the market just in implementations designed not for the local sync. Not only is local sync parsing key, but its scale (i.e. the range of supported mobile OS platforms) and implementation quality will also be critical for its market adoption. With local sync parsing in place, the other components can be stepwise integrated in the stack by adjusting the existing ones.
Examining the local sync DPL solutions commercially available on the market, the situation is quickly improving with Microsoft ActiveSync® and Windows Mobile Device Center (WDMC) protocol filtering now available. Security administrators can now centrally and granularly define which types of data users are allowed to synchronize between corporate PCs and their mobile personal devices, including files, pictures, calendars, emails, tasks, notes, and other ActiveSync and WDMC protocol objects. Administrators can also centrally block or allow the installation and execution of applications on corporate mobile devices. In addition, it is now possible to detect the presence of mobile devices regardless of which local port or interface it is connected to.
The security threat brought about by the consumerization of IT and the consequent mobilization of the workforce is real and upon us. Organizations need to take immediate steps to ensure that they address this threat before it gets out of control and the infosecurity market needs to continue to develop solutions to mitigate the unavoidable risk brought about by the growth of consumer technology in the corporate environment.