Protecting Users on the Anywhere Network

As a business, how do you secure and control access to applications and data that reside not on your network but out on the Internet? How does the IT department make sure that sensitive data isn’t vulnerable to improper access via unsecure networks, such as public hotspots?

And when it comes to devices like laptops, smartphones and tablets, how does IT manage hardware that it doesn’t own? In the recent Sophos IT Consumerization and Mobile Study, 19% of companies responding were currently supporting employee-owned laptops while 77% of companies have employees with non-company owned mobile devices—and these numbers will only increase.

In this environment, the whole idea of security, and how companies need to protect computing resources, changes. As this new world of business computing evolves, what are the actual difficulties when it comes to providing security for user-owned endpoints and essentially open network perimeters? And what are some of the best practices and tools that organizations can adopt to build and protect a modern anywhere network?

Defending the Mobile Workforce and Their Consumer Devices

So your organization allows workers to use their own devices for work purposes, or you’ve accepted the fact that employees will do this and there’s little you can do to stop it. How does your IT department make sure these mobile devices are as secure as they can be before letting them access company data?

While laptops and PCs can be fairly well secured using traditional security and management tools, the options aren’t quite as robust or mature when it comes to modern smartphones and tablets. In the Sophos IT Consumerization Study, 93% of respondents believed that mobile devices increase the threat to company data. To a large degree, optimal security of these devices means setting best practices to make sure employees are using the available security options on their devices to the best effect.

One of the biggest mobile device risks is data loss or theft. Smartphones and tablets are easily lost or stolen, and if one falls into the wrong hands, company data stored on the device or accessible through its apps can be at risk.

Use of encryption on mobile devices can go a long way toward making sure data on lost devices is harder to access. Security and management agents on these devices can also secure data and offer additional capabilities, such as remote wipe.

However, IT must step carefully. On a company-owned device, these measures can be the best option, but on employee-owned hardware, lots of potential issues come up.

The Risks of Roaming and the Cloud

The growth of Software-as-a-Service (SaaS) and cloud-based applications has made it possible for companies, especially small and medium-sized ones, to deploy powerful business applications without the need for expensive data centers and hardware. The only thing a company’s workers need to use these applications is a web browser.

And these web-based applications will also increase the use of employee-owned devices. If employees don’t need IT to install an application in order to use it, there’s no reason they won’t be able to use their personally owned devices.

But that can create new problems. For example, some applications use SSL security only for the initial login and then send the rest of the data in the open. In these cases, anyone with a simple network sniffer can view information from the app.

Worse, if the employee accesses these applications on a shared network—at a hotel or public WiFi hotspot, for instance—there are tools, such as Firesheep, that make it very simple for someone to hijack that user’s login information and gain full access to the web application.

In the recent Remote and Mobile User Study that Sophos conducted, the biggest concerns that companies had when it came to roaming and off-network access were listed as follows: 75% feared malware would infiltrate the network; 70% were concerned about data loss when users were off the network; 69% believed they wouldn’t be able to provide the same level of security for off-network access; and 51% were concerned that users would access inappropriate sites and applications.

When it comes to protecting roaming users, traditional methods of security often are a good first step, especially for employees using laptops. This means making sure the individual devices themselves are fully patched against known vulnerabilities and security holes. Taking this step can range from using the simple auto-update mechanisms in the operating system to leveraging Windows Server updating services and even to taking advantage of a full patch management system that tracks not just the operating system patches, but also application updates.

It also means taking advantage of strong security tools and protections on the mobile devices’ hardware itself. On the laptop side, there’s a wide range of tools that can detect and prevent viruses, Trojan horses and other forms of malware from infecting a system. System-based firewalls and intrusion prevention products can keep malware from connecting to outside sites and servers that can steal data or load additional malware. Today, these tools are more sophisticated on the traditional PC side, but as mobile devices increase in capability and become more attractive targets, we’re see an increase in smartphone security tools that can prevent downloading of illegal apps, encrypt data to protect it in the case of device loss or theft and remotely track and even wipe a lost or stolen device.

Of course, technology alone isn’t a full solution. Organizations looking to secure roaming users need to pay attention to education and training as well. Mobile users need to be aware of potential risk factors, such as unsecured networks, risky websites and increasingly sophisticated phishing attacks that target corporate users in order to access company networks and web-based enterprise applications. And this education must accompany strong access control and network policies that prevent data loss. Proper policy controls can make sure that only secure connections permit access to company resources, that only individuals with proper rights settings can view sensitive data and that data that shouldn’t leave the company network doesn’t do so.

But as businesses think about securing mobile devices and applications, another area they need to consider is the network itself. Organizations are aware of the risks of public hotspots, but what about employees’ home networks? Do they use WiFi in the home? Are their routers using strong security, such as WPA2, or are they just using WEP—or are their wireless networks completely open to anyone?

Along with setting best practices for devices and applications, businesses should ensure the networks of home workers are as secure as possible. Also, it’s worth investigating new capabilities on offer from networking vendors, such as WiFi routers that can run dual connections, with one for company traffic and the other for personal home traffic.

Best Practices for Defending Data, Mobile and Consumer Devices and Company Resources on the Anywhere Network

As is the case in many areas of technology management, getting a handle on mobile devices, the anywhere network and consumer devices’ ability to touch your networks often breaks down into understanding and measuring usage. Businesses need to understand how employees are using these technologies, then use that knowledge to develop usage policies and build effective control mechanisms to prevent problems and secure company resources.

The Problem of Consumer Devices and Employee-Owned Devices

As a business, you may not want to allow employees to use their own devices to access company resources, but the fact is they will—and this trend will only increase. According to companies in the Remote and Mobile User Study, 30% said that 51% to 100% of mobile devices were employee-owned and 41% expected to see more employee-owned mobile devices in the next two years. If employees can access company applications from their own devices (and odds are they can, given the number of corporate applications that are accessible from a web browser), they’ll do so, since many would rather use their own laptop, smartphone or cool new tablet they just bought. This means every company will need to come up with a way to make sure these devices don’t present a security problem.

Most monitoring and analytics tools will have a tough time providing information on how, and if, consumer- devices are accessing company resources. Still, some data will be available:

  • Look through NAC, network, web logs and analytics to find nonstandard device access.

  • Simply asking employees through a questionnaire or survey is a good way to find out how many have used, or intend to use, their own consumer devices to access company data.

  • Also, IT staff will often have a good sense simply from daily questions and calls they take from users (such as “Hey, the company CRM app doesn’t display correctly on the browser on my new iPad”).

As with mobile devices in general, defining an acceptable usage policy for employee-owned devices can go a long way toward lessening security risks. And this is a step that many companies are taking. In the Sophos Remote and Mobile User Study, 31% of businesses stated they had established an acceptable usage policy for employee-owned mobile devices and 36% for employee-owned laptops. 

  • Company policies can discourage use of such devices by stating, for example, “Accepted policy is for company resources to be accessed only through company-provided devices; if an employee-owned device must be used, please follow these usage procedures,” and then outlining proper usage and security policies, such as being on a secure connection and making sure security on the device is up to date.

  • Consider providing employees with information on potential risks and ways to improve device security in order to encourage self-managing of device security.

Securing employee-owned consumer devices can be a tough task for any IT department. Employees will be hesitant to allow company security software on their personal hardware (which will have personal data and information on it). Here are some ways you can secure employee-owned consumer devices:

  • Making sure employee devices have robust device security in place is a good step toward minimizing risk.
  • Mobile security solutions can assist in preventing downloads and installs of potentially risky applications.
  • Put an extra layer between the employee device and the company applications, including use of VPNs and lightweight network access controls to prevent unsecured access.
  • Cutting-edge methods that aren’t yet in wide use but show a lot of potential include use of virtualization to allow company apps to run separately from apps on the employee device. Other new technologies use web application gateways, which can display company applications through the use of HTML5 and other emerging web technologies and can run via browsers on mobile devices and other consumer devices such as tablets, with no need to install special apps directly on the user device.

Mobile Security

Modern mobile devices such as smartphones and tablets provide unprecedented mobility and productivity for today’s workers, but also bring up new security concerns, especially when it comes to the potential loss of sensitive company data. Also, as noted above, an increasing number of these devices may be employee-owned, making security even tougher. Proper procedures and policies can go a long way toward lowering these risks.

Monitoring of mobile devices can take many forms, including Big Brother–style tools that can track calls and texts. While most businesses probably won’t want to take that route, other analytics solutions can allow them to track how mobile users are accessing company resources and where sensitive data is making its way to mobile devices:

  • Use of some web analytics products will show how and when mobile devices are accessing company applications through browsers and even many native mobile app platforms.
  • Also, NAC tools and firewall, VPN and other access logs can determine whether mobile workers can access company resources from external networks.

One of the best ways to keep mobile devices secure is to make sure workers know which practices aren’t acceptable from a company perspective. An acceptable usage policy for mobile devices should spell out:

  • Use of device security features, such as password locks and encryption
  • Procedures for lost or stolen devices, including situations under which devices will be remotely wiped
  • Some companies may even detail which applications can be used or downloaded

As is the case with traditional computing systems, adding a layer of device security—especially in the case of company-owned mobile devices—makes it possible to protect devices against malware and data loss and also enforce acceptable usage policies. These mobile security solutions can protect against malware and rogue mobile apps, provide encryption to secure sensitive data stored on devices and offer tools to locate lost mobile devices or wipe all data from stolen devices.

Protecting the Anywhere Network

The idea of a traditional company network, accessible only from company offices or a VPN, seems kind of quaint. Today, company resources can be SaaS systems, such as Salesforce.com, that are accessible from anywhere on the web; company applications hosted on cloud-based servers; or even a combination of the two, such as an in-house company application mashed with external web applications. And workers are accessing these resources from homes, remote offices, hotels and coffee shops, and on mobile devices using mobile broadband connections. In this situation, it’s difficult to achieve the same level of security that a business can enforce on an internal network. But it’s possible, through the proper use of policies and enforcement mechanisms, to protect these resources and make sure employees are accessing them securely.

Companies will need to invest in security testing of web applications and ensure SaaS applications meet security requirements, as well as ensure users and infrastructure are protected from attacks that exploit the vulnerabilities of these applications. This will include new security policies as well as security and control assessments of service providers and internally and externally developed apps. Web application firewalls, secure web gateways and endpoint security solutions that can detect and block web-based attacks will provide an additional layer of defense.

For businesses with users on the anywhere network, the key to protection is clearly spelling out acceptable usage policies for roaming and remote workers:

  • This means use of VPN clients whenever a worker is on an untrusted network (at a hotel or a public WiFi hotspot, for instance), whether the employee is accessing company resources or logging into SaaS or other company applications available on the web.

  • If a VPN isn’t available, employees should use HTTPS connections at all times when using browser-based applications such as webmail. Also, policies should state that use of randomly found open hotspots is never permitted.

  • Policies should also forbid use of kiosk, borrowed or other shared systems when accessing company resources and applications.

  • Companies may also want to consider providing mobile broadband service to road warriors in order to remove the need to access untrustworthy networks.

Company applications—whether SaaS, traditional web-based or cloud-based—should use all security and access control mechanisms available:

  • Any web-accessible applications should use HTTPS throughout the entire session, not just login, since applications with only secure login are vulnerable to hijacking afterward.
  • Good password management should be enforced and, for applications that use especially sensitive company data, two-factor authentication should be considered when available. For example, some SaaS applications can use an employee’s known mobile phone number as a second layer of authentication on top of username and password.

  • Comprehensive and up-to-date endpoint security solutions, along with user education and the use of modern browsers’ security features, can prevent users from falling prey to malware programs that steal customer or corporate data and phishing schemes that target corporate users by imitating popular enterprise SaaS applications, such as Salesforce.com.

Conclusion

Mobile devices are becoming tightly entwined into all aspects of our lives, and if you want your company’s business to be well integrated with your employees’ lives, you’ll most likely need to take advantage of these devices and not try to force roaming workers to use a less optimal device. But this doesn’t mean your business can take a pass on the task of securing mobile and roaming workers.

Securing employees’ mobile devices, along with the cloud-based applications and services they’ll be accessing, isn’t easy. But it is possible, and can go a long way toward preventing or limiting the damages that malware or data loss can cause for unprotected workers. The risks that mobile workers face today, both on laptops and on smartphones and tablets, will continue to grow.

As an IT department, you must be able to secure mobile devices and the data they access without putting in restrictive measures that limit the productivity gain that mobile devices can deliver. With the proper mix of security tools and systems, user education and strong policies and best practices, businesses can take advantage of the modern anywhere network while still providing the best security possible.