BlackBerry is making a comeback. The company debuted an interesting new OS earlier this year along with a slew of new products, and more recently it proudly announced a 1-million-device order from an unnamed client. Suddenly BlackBerry, known for its excellence in security but also for its staid and lackluster approach to everything else mobile, is looking appealing again. Then there is Android, whose security record is poor: in a recent report F-Secure described it as a "malware magnet."
With BYOD a given at many companies, informally if not formally, how much of this should matter to IT, and more specifically to the mainframe side of the house? For IT the answer is obvious: it matters plenty. One option for companies is to adopt a COPE (Corporate Owned, Personally Enabled) approach to mobile computing. Under COPE, employees are issued corporate-owned devices but are allowed, even encouraged, to access personal information and applications from them as well. A COPE strategy returns some measure of control to IT: IT determines which devices can access the corporate network and can more easily configure what those devices can reach, while users still get enough personalization that they don't feel they have to carry two devices to connect their business and personal lives.
In general, this is a smart idea, says Roger Skidmore, CTO of AirDefense at Motorola Solutions. "We've already seen corporations enact policies prohibiting certain types of devices from being used on the basis of security concerns. For example, in May 2012 IBM prohibited iPhones with the voice-activated Siri service on the grounds that the application represented the potential for disclosure of confidential information."
Limiting the types of mobile devices permitted under BYOD policies also lets corporate IT departments concentrate their security efforts, custom corporate software applications, and employee training on a narrower group of devices, he added.
But should this wealth of choices available to employees and company, choices that carry differing degrees of security, matter to the mainframe team as well? To a large extent the security of the mainframe is device-agnostic; it depends instead on strong authentication, encrypted communication and strong access governance.
So should mainframe professionals weigh in? In short, yes, if possible. They have a stake in this issue as well—and it may not just be about which devices to permit to access the system.
"At first blush, the idea of mobile device malware spreading to a mainframe sounds farfetched, but if you expand your idea of malware to include key loggers, network analyzers, or file transfer utilities that might sneak in behind a BYOD employee using 3270 emulation, the threat begins to sound quite plausible," John Thielens, chief security officer at Axway, says.
"Companies have to design risk management strategies for BYOD that do not depend on a particular device or software that might be installed on it." One answer, he said, may be to build virtual walls around corporate assets, allowing BYOD devices in through controlled viewers, digital rights management, or even remote desktops. Mobile application partitioning is also compelling, he continued, but is more challenging (although not impossible) to implement across the major mobile OS choices.
Data-centric Versus Controls-centric
Another solution – or at least a partial one – is for the company to adopt a data-centric approach to security, as opposed to the controls-centric one that focuses on shoring up weak points in the infrastructure. More devices (and device types) mean more potential break points in security. It is difficult if not impossible to account for all of them, especially with new devices being introduced regularly. Focusing protection around the data rather than the infrastructure allows organizations to identify, prioritize and mitigate risks to the information as it flows through the enterprise.
Verizon Enterprise Solutions' Omar Khawaja, Managing Principal, Global Security, provides a simplified business-centric approach to mobile security that exemplifies this:
1. Define business relevance of each data set available in mobile environment
2. Classify each data set based on business impact
3. Inventory data
4. Destroy (or archive offline) any unnecessary data
5. Inventory users
6. Associate data access with business processes, apps, users, roles
7. Determine standard control requirements for each data set
8. Determine feasible controls for each mobile environment
9. For each data set, identify acceptable mobile environments
10. Ensure only users that need access to data have appropriate access to it
11. Identify and implement appropriate controls across each mobile environment
12. Validate and monitor control effectiveness
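The twelve steps above can be expressed as a small policy model that keeps the data set, not the device, at the centre: each impact class demands a set of controls, each mobile environment can enforce some subset of them, an environment is acceptable for a data set only when it covers every required control, and access is denied by default. The following Python is an added example, not code from the article or from Verizon; the data sets, roles, environments and control names are constructed for illustration.

```python
"""Data-centric mobile access policy (added worked example).

Covers steps 2 and 6 to 12 of the list above.  All data sets, roles,
environments and control names are constructed, not real policy.
"""
from dataclasses import dataclass

# Step 7: standard control requirements per business-impact class (constructed).
REQUIRED_CONTROLS = {
    "restricted": {"mdm_enrolled", "device_encryption", "remote_wipe",
                   "mfa", "app_container", "hardware_attestation"},
    "high":   {"mdm_enrolled", "device_encryption", "remote_wipe", "mfa", "app_container"},
    "medium": {"mdm_enrolled", "device_encryption", "mfa"},
    "low":    {"mfa"},
}

# Step 8: controls each mobile environment can actually enforce (constructed).
FEASIBLE_CONTROLS = {
    "cope_managed":    {"mdm_enrolled", "device_encryption", "remote_wipe", "mfa", "app_container"},
    "byod_registered": {"mdm_enrolled", "device_encryption", "mfa"},
    "byod_unmanaged":  {"mfa"},
}


@dataclass(frozen=True)
class DataSet:
    name: str
    impact: str          # step 2: business-impact classification
    roles: frozenset     # step 6: roles whose business processes need this data


# Step 3: inventory of data sets (constructed).
DATA_SETS = {ds.name: ds for ds in (
    DataSet("payroll_ledger", "restricted", frozenset({"finance"})),
    DataSet("customer_accounts", "high", frozenset({"account_manager"})),
    DataSet("inventory_levels", "medium", frozenset({"warehouse", "account_manager"})),
    DataSet("cafeteria_menu", "low", frozenset({"warehouse", "account_manager", "contractor"})),
)}

# Step 5: inventory of users and their roles (constructed).
USER_ROLES = {
    "alice": {"account_manager"},
    "bob":   {"warehouse"},
    "carol": {"contractor"},
    "dave":  {"finance"},
}


def acceptable_environments(data_set_name):
    """Step 9: environments whose feasible controls cover every required control."""
    needed = REQUIRED_CONTROLS[DATA_SETS[data_set_name].impact]
    return {env for env, have in FEASIBLE_CONTROLS.items() if needed <= have}


def missing_controls(data_set_name, env):
    """Required controls the environment cannot enforce (empty when acceptable)."""
    needed = REQUIRED_CONTROLS[DATA_SETS[data_set_name].impact]
    return needed - FEASIBLE_CONTROLS[env]


def access_allowed(user, data_set_name, env):
    """Step 10: grant only if the user holds a role tied to the data set AND the
    requesting environment is acceptable for that data set.  Unknown users,
    data sets or environments are denied rather than raising."""
    ds = DATA_SETS.get(data_set_name)
    if ds is None or env not in FEASIBLE_CONTROLS:
        return False
    has_role = bool(USER_ROLES.get(user, set()) & ds.roles)
    return has_role and env in acceptable_environments(data_set_name)


def unreachable_data_sets():
    """Step 12 check: data sets for which no mobile environment is acceptable.
    These are candidates for step 4 (archive offline) or for access only through
    a controlled viewer or remote desktop rather than directly from the device."""
    return sorted(name for name in DATA_SETS if not acceptable_environments(name))


if __name__ == "__main__":
    for name in DATA_SETS:
        print(f"{name:18} acceptable: {sorted(acceptable_environments(name)) or 'NONE'}")
    print("no acceptable environment:", unreachable_data_sets())
    print("alice/customer_accounts/byod_registered ->",
          access_allowed("alice", "customer_accounts", "byod_registered"),
          "missing", sorted(missing_controls("customer_accounts", "byod_registered")))
```

The point of the shape is that adding a new device type means adding one entry to the feasible-controls table; the data set classifications and the decision logic do not change, and a data set that ends up with no acceptable environment is surfaced as a finding instead of silently becoming reachable.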
"We're starting to see a post-BYOD world emerge," Khawaja concludes, a world where most organizations are effectively BYOD environments regardless of whether BYOD is a corporate-sanctioned policy. "There's not much enterprises can do to prevent this through reasonable means."
Still, all this said, the mobile computing environment will only get more complex and diverse, making BYOD that much harder for IT to manage. With the controls above in place and a corporate push toward COPE, a company just might escape unscathed from the ever-growing universe of malware looking for a home.