There seems to be a disconnect between want and need with respect to smartphones and information protection. Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.
If your phone is as powerful as your laptop; meaning the operating system, the peripherals and the applications on your phone are as – or are more - sophisticated than those of your laptop then shouldn’t the security measures that protect the contents be similar? The real question here is, if you’re using your phone to process the same information as your laptop, then we have to ask – how can one justify not securing it to the same degree as your laptop?
My opinion is that the only logical answer is yes. For an increasing number of functions, phones are replacing laptops. I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise. Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform.
Drawbacks to Treating a Smartphone like a “Small Laptop”
Here’s an example of when it may be typical to treat a smartphone as a “small laptop”.
Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites. When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)
It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version. Employees could be told to “VPN into” the corporate network before web surfing on their smartphone.
However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet?
Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works. So perhaps, instead of bringing the traffic to the filter, bring the filter to the traffic! Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can get to it from everywhere. Companies such as WebSense and zScaler advocates and vendors of such solutions.
Speaking of changing the place where the processing happens – how about using another ancient solution? How about moving where the applications run and so, where the information is processed? I am speaking here of just using the phone as a window into the corporate computing environment. This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA. The fact is that this class of “collapsed data center” solution, which once suffered complaints about bandwidth and server capacity issues has become increasingly viable not increasingly outdated. Since the days of the mainframe terminal sessions, the thin client paradigm was always attractive from cost, administrative and data security perspectives. Now the protocols for computing in the data center core and transmitting just the display have become more efficient and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule not the exception. This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information which is also on the core. If the organization wants people to be able to drag and drop files or query results from the core within apps that run on the endpoint – then the endpoint needs heavy securing as described above. But if the thin client is set up so that information cannot be transferred from the core to the endpoint then one has a lot less to worry about in terms of “information leakage.” The “drag and drop” tradeoff being that the information the employee wants to transmit to their smartphone is not directly usable by other apps on their smartphone that make them more productive (e.g., transferring an address to the smartphones contact management system or its GPS app).
So where does this leave us? I think, for now, the choice is between:
a. Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)
b. Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop
The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.
Cost wise, the price of buying and administering standalone smartphones with high performance client software on them is much higher risk and less cost-effective than standing up a big server with desktop OS licenses, a few licenses for each app and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.
Is there is a happy medium? What do you think?
Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile networking.
Some links to others thinking about the same topics:
John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust