Mobile Device Security For Dummies - Rich Campagna - E-Book

Description

The information you need to avoid security threats on corporate mobile devices

Mobile devices have essentially replaced computers for corporate users who are on the go, and there are millions of networks that have little to no security. This essential guide walks you through the steps for securing a network and building a bulletproof framework that will protect and support mobile devices in the enterprise. Featuring real-world case scenarios, this straightforward guide shares invaluable advice for protecting mobile devices from the loss of sensitive and confidential corporate information.

* Provides a practical, fast-track approach to protecting a mobile device from security threats
* Discusses important topics such as specific hacker protection, loss/theft protection, backing up and restoring data, and more
* Offers critical advice for deploying enterprise network protection for mobile devices
* Walks you through the advantages of granular application access control and enforcement with VPN

Business can be mobile without being vulnerable, and Mobile Device Security For Dummies shows you how.

Page count: 434

Year of publication: 2011

Mobile Device Security For Dummies®

Visit www.dummies.com/cheatsheet/mobiledevicesecurity to view this book's cheat sheet.

Table of Contents

Introduction
About This Book
Foolish Assumptions
Conventions Used in This Book
How This Book Is Organized
Part I: Living Securely in the Smart World
Part II: Implementing Enterprise Mobile Security
Part III: Securing Smart Device Access
Part IV: Securing Each Smart Device
Part V: The Part of Tens
Icons Used in This Book
Where to Go from Here
Part I: Living Securely in the Smart World
Chapter 1: What’s So Smart About a Phone, Anyway?
Exploring Different Mobile Devices
Smartphones and tablets
Laptops and netbooks
Other computing devices
Examining Operating Systems for Mobile Devices
Apple iOS
Google Android
RIM BlackBerry OS
RIM BlackBerry Tablet OS
Microsoft Windows Mobile and Windows Phone
Nokia Symbian
HP Palm webOS
MeeGo
Samsung bada
Discovering Data Connections
Applications Galore: Exploring Mobile Device Applications
E-mail and messaging
Web-based applications
Client/server applications
Standalone applications
Allowing Smartphones onto Your Network
Educating yourself on the risks
Scoping your deployment
Creating a mobile device security policy
Determining device configuration policies
Figuring out how you’ll connect devices to your network(s)
Devising an endpoint security strategy
Planning a strategy to deal with loss and theft
Seeking vendor info and requests for proposals
Implementing a pilot
Assessing and reevaluating at regular intervals
Introduction: AcmeGizmo Enterprise Smartphone Deployment Case Study
Exploring legacy smartphone deployment
Enter the smartphone explosion
Chapter 2: Why Do I Care? The Mobile Device Threat
Recognizing the Scope of the Threat
Loss, theft, and replacement
Really off-site data storage
Free (but not necessarily nice) apps
Network access outside of your control
Understanding the Risks
Opening the door to hackers
Compromising your business communications
Endangering corporate data
Infesting enterprise systems by using location-based services
Assessing the Arsenal
To manage or not to manage
Where the need for compliance comes in
Mobile security apps start to emerge
Planning to Sustainably Keep the Threat at Bay
Establish enforceable policies
Evaluate tools without biases
Secure the location
Mobile security 101 classes
Turning mobile devices into allies
Chapter 3: Planning for Mobile Devices in the Enterprise
Managing the New Wave of Mobile Devices
Support the cutting-edge devices
More than just e-mail
Who moved my application?
Updating your mobility policies
Adapting to the New Challenges of Mobile Devices
Protecting mobile devices from malware
Managing device policies remotely
Enforcing granular access control
Part II: Implementing Enterprise Mobile Security
Chapter 4: Creating Mobile Device Security Policies
Recognizing the Importance of Enforceable Security Policies
Understanding Device Policies
Policies for physical device protection
Policies for device backup and restore
Using Provisioning Policies to Manage Devices
Upgrade, downgrade, and software installation policies
Profile settings policies
Decommissioning policies
Creating Effective Monitoring Policies
Protecting Devices with Application Policies
Case Study: AcmeGizmo Mobile Device Security Policy
Chapter 5: Managing and Controlling Devices
Managing Your Mobile Devices
Managing devices over the air
Configuring security policies
Open Mobile Alliance Device Management
Exchange ActiveSync
Controlling Applications
Pros and cons of consumer app stores
Provisioning applications to mobile devices
Blacklisting and removing applications
Case Study: AcmeGizmo Application Control Deployment
Your password, please
Network settings
Other settings
Application provisioning
Chapter 6: Conforming to Corporate Compliance Policies
Which Devices Are Personal, and Which Are Corporate-Owned
Setting Passcodes on Mobile Devices
Encrypting the Contents of the Device
Requiring VPN on the Device
Protecting the Device from Viruses
Protecting the Device from Loss and Theft
Managing Devices at Scale
Backing Up the Contents of the Device
Monitoring and Controlling Contents of the Device
Case Study: AcmeGizmo Compliance Requirements
Operating system compliance
Password compliance
Encryption compliance
VPN and endpoint security compliance
Loss and theft protection
Part III: Securing Smart Device Access
Chapter 7: Securing Data in Transit with VPNs
Comparing IPSec VPNs and SSL VPNs
Validating User Identity for VPN Access
Authenticating VPN users
Determining a user’s role
Discriminating by Device Profile
Profiling devices and applying policies
Providing access based on device profile
Implementing custom policies
Providing Application Access
Enabling access to e-mail
Providing Web application access
Accessing full client/server applications
Providing Users an Appropriate Level of Access
Securely accessing e-mail, calendar, and contacts
Accessing web-based applications
Allowing users to leverage client/server applications
Case Study: AcmeGizmo SSL VPN Rollout for Smartphones
Employee authentication
Accessing the network with SSL VPN
Chapter 8: Connecting to Wi-Fi Networks
What’s Wi-Fi, and Why Bother?
Which Wi-Fi Networks Should Users Connect To?
Open or insecure networks
Encrypted Wi-Fi networks
VPN on a Wi-Fi network
Wi-Fi Connections from Mobile Devices
Apple iPhones, iPads, and iPods
Connecting to Wi-Fi with Android devices
BlackBerry devices
Implementing Wi-Fi Policies
Part IV: Securing Each Smart Device
Chapter 9: Device Security Component Overview
Knowing Smartphone Security Components
Understanding On-Device Anti-X Protection
Antispyware
Antivirus
Antiphishing
Antispam
Using Backup and Restore Capabilities
Adding Loss and Theft Protection
Encryption and authentication techniques
Immobilizing techniques
Recovery techniques
Controlling and Monitoring Applications
Methods to control and monitor applications
Identifying harmful applications
Enterprise Management of Mobile Devices
Device deployment
Device discovery
Device provisioning
Device monitoring
Compliance enforcement
Chapter 10: Hacker Protection and Enforceable Encryption
Getting to Know the On-Device Security Components
Keeping Devices Safe with On-device Firewalls
Small footprint
Efficient battery usage
Dynamic adaptation to changing usage
Protecting Against Viruses
Firewalls and virus-based attacks
Virtual device antivirus solutions
Reducing Spam
Service provider assistance
Choosing an antispam solution
Global operator initiative to combat spam
Preventing Intrusion
Using Enforceable Encryption
Encrypting all outbound and inbound communication
Encrypting only enterprise traffic
Using carrier-provided voice encryption
Case Study: AcmeGizmo Endpoint Security Deployment
Endpoint security
Device encryption
Flash forward
Chapter 11: Protecting Against Loss and Theft
Taking Precautions before Loss or Theft
Educating Users about Securing Data on a Lost Phone
Protecting personal Apple iOS devices
Protecting personal Symbian devices
Protecting personal Android devices
Protecting personal Windows Mobile and Windows Phone 7 Devices
Protecting personal Blackberry devices
Exploring Enterprise-Grade Solutions for Various Platforms
Enterprise-grade solutions for Apple iOS
Enterprise-grade solutions for Symbian
Enterprise-grade solutions for Android
Enterprise-grade solutions for Windows Mobile and Windows Phone 7
Enterprise-grade solutions for Blackberry devices
Deploying Enterprise-Wide Loss and Theft Protection
Case Study: AcmeGizmo’s Lost or Stolen Device Recovery
Chapter 12: Educating Users about Backing Up Data
Backing Up Data from Smartphones
Instructing Users on Backing Up Their Devices
Backing up iPhones and iPads
Backing up Android devices
Backing up BlackBerry devices
Backing up Nokia devices
Backing up Windows Phone 7 devices
Instructing Users on Restoring Data to Their Devices
Restoring data from iPhones and iPads
Restoring data from Android devices
Restoring data from BlackBerry devices
Restoring data from Nokia devices
Restoring data from Windows Phone 7 devices
Instructing Users on Transferring Data to New Devices
Transferring data between iPhones and iPads
Transferring data between Android devices
Transferring data between BlackBerry devices
Transferring data between Nokia Symbian devices
Exploring Corporate Solutions for Backup and Restore
Case Study: AcmeGizmo Backup and Restore Use Cases
Chapter 13: Securing Mobile Applications
Understanding the Importance of a Sandbox
App Security on Various Platforms
App security on BlackBerry devices
App sandboxing on Apple iOS devices
Android operating system security
Exploring Virtualization for Mobile Devices
Accounting for Personal Devices at Work
Sandboxing Combined with On-Device Security
Part V: The Part of Tens
Chapter 14: Top Ten Online Information Sources
Tech SANS
Dark Reading
F-Secure Security Threat Summaries
Infosecurity Network
National Institute of Standards and Technology (Security Research)
Vendors’ Websites
ICSA labs
CERT
US-CERT
GSM Association
Chapter 15: Top Ten Mobile Security Vendors
AirWatch
Good Technology
Juniper Networks
Mobile Active Defense
McAfee
MobileIron
Sybase
Symantec
Tangoe
Zenprise
Cheat Sheet

Mobile Device Security For Dummies®

by Rich Campagna, Subbu Iyer, and Ashwin Krishnan

Foreword by Mark Bauhaus

Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2011 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2011932276

ISBN: 978-0-470-92753-3 (pbk); ISBN 978-1-118-09379-5 (ebk); ISBN 978-1-118-09380-1 (ebk); ISBN 978-1-118-09399-3 (ebk)

Manufactured in the United States of America


About the Authors

Rich Campagna is a Director of Product Management at Juniper Networks. His team is responsible for defining product strategy for Juniper Networks’ Junos Pulse Business Unit, including the Junos Pulse Mobile Security Suite, the SA Series SSL VPN product family, Juniper’s Unified Access Control product family, the Junos Pulse Application Acceleration product family, and the Junos Pulse client software. Rich was a co-author for Network Access Control For Dummies. Prior to joining Juniper Networks, Rich was a Sales Engineer at Sprint Corp. He received an MBA from UCLA Anderson School of Management and a BS in Electrical Engineering from Pennsylvania State University.

Subbu Iyer is a Senior Product Manager at Juniper Networks. He drives the product strategy of the Junos Pulse product line, which provides a variety of integrated network services on desktops and mobile devices, including smartphones and tablets. His prior experience includes over eight years at Cisco where he held various senior architecture and engineering roles focusing on application-aware networking, security, and WAN acceleration. He has extensive experience in software development and marketing of products in the areas of Application and Network Security, including remote and LAN access control. Subbu holds an M.S. in Computer Engineering from the University of Arizona, Tucson and an M.B.A. from the Haas School of Business, UC Berkeley.

Ashwin Krishnan is a Director of Product Management at Juniper Networks, where he runs the product management team that is responsible for the high-end SRX product line (which has the leading market share position according to Infonetics Research) and the SRX service provider business. He also heads up a cross-functional mobile security team that is focused on defining the strategy and solutions for infrastructure and services protection in the mobile network. His prior experience includes over five years at Nokia, where he held various senior product management, architecture, and engineering management roles focusing on core infrastructure, service control, and intelligent subscriber gateway products. Prior to that he held various lead technical roles at 3Com, Octel, Hughes, and Wipro. He is a frequent speaker at security and mobile conferences (NGMN, 4G World, Informa, and so on) and regularly blogs about all aspects of security. He has over 17 years of industry experience with specialization in wireless, security, and IP networking. He attained his Bachelor of Science degree from the National Institute of Technology, Warangal, India in 1991.

Dedication

Rich Campagna: To Brooke — Daddy loves you!

Authors’ Acknowledgments

Subbu Iyer: I would like to thank my wife Manju, and daughter Anoushka, for their constant motivation, encouragement, and support throughout the writing of this book.

Ashwin Krishnan: I would like to thank Radhika, my wife; Ananya, my daughter; and Jackie, our dog for supporting me through the process of creating this book while I was ostensibly doing chores to write it, including walking the dog (sorry Jackie). Thanks for putting up with my vagaries. And to my mom, Indira Ananthakrishnan, who is a renowned author herself, for instilling in me some of your book writing genes.

To the “numero uno” team at Wiley for providing excellent feedback throughout the process and helping get the book into its final finished form.

And finally to our Juniper in-house editor-in-chief, Patrick Ames, who helped instigate the idea of writing the book and cajoled, threatened, and pleaded with us throughout the course — without you this book never would have happened.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development

Project Editor: Kim Darosett

Acquisitions Editor: Katie Mohr

Copy Editor: Heidi Unger

Technical Editor: Rob Cameron

Editorial Manager: Leah Cameron

Editorial Assistant: Amanda Graham

Sr. Editorial Assistant: Cherie Case

Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services

Project Coordinator: Sheree Montgomery

Layout and Graphics: Timothy C. Detrick, Nikki Gately, Corrie Socolovitch

Proofreaders: Context Editorial Services, John Greenough

Indexer: Broccoli Information Management

Special help: Colleen Totz Diamond, Kimberly Holtman

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher

Andy Cummings, Vice President and Publisher

Mary Bednarek, Executive Acquisitions Director

Mary C. Corder, Editorial Director

Publishing for Consumer Dummies

Diane Graves Steele, Vice President and Publisher

Composition Services

Debbie Stailey, Director of Composition Services

Foreword

The sweep of mobile devices into our lives has transformed business IT in only a few short years. If you are holding this book in your hands, then you have no doubt encountered this massive change firsthand, and you are looking for answers. Looking out over the next few years, mobile devices will continue to transform the way that we do business.

New form factors such as tablets and “dockable” smartphones will allow users to replace laptops and desktops, DVRs, radios, DVD players, and many other “fixed” devices — untethering us completely. Ubiquitous network access through Wi-Fi, 3G, 4G/LTE, and beyond will allow us to do work anywhere, and at any time. Advances in peripherals and device-to-device interaction will integrate these devices into our lives much more seamlessly, no longer requiring us to remove them from our pockets.

All of this freedom, however, brings forth a huge challenge for corporate IT. It wasn’t that long ago when our IT departments required that users access corporate data and applications from a specific, corporate-issued device (typically a RIM BlackBerry).

Starting with the release of the Apple iPhone, however, users began to demand choice, ushering in a new era of consumerization that will forever change enterprise IT. Today’s users typically purchase their own mobile device of choice, and they find a way to connect it to the corporate network. Your challenge is to provide the flexibility that your users need, without sacrificing security, and this book, Mobile Device Security For Dummies, provides a complete look at the best practices for allowing you to meet that challenge. The authors are at the forefront of mobile device security strategy and product development, and are particularly well-suited to provide a balanced view of the current state of security concerns, and recommend ways to assuage those concerns. They regularly advise a range of customers across just about every domain and industry vertical, so chances are they have experience dealing with other organizations just like yours, with similar challenges.

The mobile world is evolving quickly — with new devices, operating systems, capabilities, and even threats emerging with every passing day. To meet the inexorable mobile changes, you’ll want best practices on how to manage these challenges while adapting the new truths of mobility in the enterprise. So go ahead: Ride the mobile wave safely with the best tools and practices available in the market.

Mark Bauhaus

Executive Vice President

Device and Network Systems Business Group

Juniper Networks

Introduction

Mobile devices, including smartphones and tablets, rule the marketplace. Regardless of whether these devices are employees’ personal devices or company-issued, you need to adopt best practices in an effort to secure them. It’s an effort, because very little planning and budget are devoted to these powerful little devices; but you have to have a plan for securing your company and its network, people, resources, and information.

This book helps you plan for mobile device security in your business and extend it into the lives and homes of your company’s employees. Having a plan helps you plead your case to management, and this book gives you the background you need to make the best decisions for your own implementation of mobile security, management, and control.

We (the authors) work on mobile security software and hardware and have worked for many years on security software implementation throughout the world. This is not to emphasize our massive intelligence in the matter, but rather to point out that we've seen just about every marketplace and every issue that various IT departments and network administrators face in implementing a mobile strategy. And because we work for Juniper Networks, on the Junos Pulse product team, we know intimately what our customers need. In this book, we give you a view of the mobile security world from a collective viewpoint: beginner, implementer, and successful provider. Regardless of whether you choose Junos Pulse or another solution, or implement your own customized solution, this book helps you understand the threats facing mobile device adoption today and implement the current best practices for securing these devices in the enterprise (the best practices we've learned the hard way).

About This Book

This book isn’t meant to be read from cover to cover. It’s more like a reference than a suspense novel. Each chapter is divided into sections, each of which has self-contained information about a specific task in setting up a mobile device security solution.

You don’t have to memorize anything in this book. The information here is what you need to know to complete the task at hand. Wherever we mention a new term or are possessed by the need to get geeky with the technical descriptions, we’ve been sure to let you know so that you can decide whether to read or ignore them. Aren’t we thoughtful? You’re welcome.

Mobile device security has several players: you, the administrator; the mobile device users; management, who must fund security solutions; vendors, who create and sell their solutions; and a shifting crowd of nefarious hackers, thieves, and competitors who are looking for cracks in your wall. While you might find other books about mobile device security, you won’t find one that makes you aware of all the players all the time. This is a new-school book about new-school technology.

Foolish Assumptions

We make a few assumptions about who you are. For example, we assume you bought this book to learn more about mobile device security in the enterprise, hence we assume your job is as an enterprise IT or network administrator. If you’re not one of those industrious people, we assume you might be in IT management or even sales management. In short, you work for a company whose employees all connect to the network with their mobile devices, and you’re supposed to be, somehow, one of the people who control this.

We have bad news and good news for you. The bad news is that we’re sorry you are in this position. If you haven’t had security problems yet, you will. We’ve seen many customers seeking security solutions in our lifetimes, and the good news is that this book details the threats facing mobile device adoption today and the best practices that you can implement for securing them in the enterprise.

Conventions Used in This Book

We know that doing something the same way over and over again can be boring (like Mr. Rogers always wearing the same kind of sweater), but sometimes consistency is a good thing. In this book, those consistent elements are called conventions. In fact, we use italics to identify and define new terms you might not recognize, just like we’ve done with the word conventions. Additionally, when we type URLs (web addresses) within a paragraph, they look like this: www.wiley.com.

That said, throughout this book we use the terms smartphones and mobile devices interchangeably. Sometimes only smartphones have the capability of over-the-air transmission, but new mobile devices are coming that could far surpass even the smartphone's capabilities. So we use smartphone, mobile device, iPad, iPhone, Android, BlackBerry, and other terms interchangeably, too.

At the end of many chapters, we include a case study based on experience we’ve gained from our customers who have grappled with similar situations. It’s the only way we can justify how many miles we’ve flown during the past five years, but more importantly, we hope you can benefit from this running example of how you might implement some of the policies we discuss throughout the book.

That’s about it. Mobile device security is so new that the only convention you share with everyone else around you is a feeling that your data isn’t secure. At all. But fear not — it will be after you implement the policies discussed in this book.

How This Book Is Organized

This book is organized into five main parts. Don't feel that you need to read these parts in sequential order; you can jump around as much as you like, and each part is meant to stand on its own.

Part I: Living Securely in the Smart World

Sometimes it's comforting for authors to describe the world you live in. Part I of this book describes the world that you're trying to control. You'll be able to find yourself here, in one of the chapters, in one of the scenarios. Misery loves company, and eventually, by Chapter 3, we ask you to stop fighting the hordes of mobile devices in your environment and instead embrace them. Embrace, adapt, protect, and manage are the four stages of living securely in this smart new world.

Part II: Implementing Enterprise Mobile Security

Part II assumes you’ve given up the “no mobile devices permitted onsite” fight and taken down the signs. Implementation starts by creating policies and then managing and monitoring them. It’s not rocket science, and chances are you already do many of them today. This part helps you put your policies together and perform the real trick: Make your mobile device policies conform to existing compliance policies so you don’t have to redo policies for the whole company.

Part III: Securing Smart Device Access

Part III moves from the policy to the real world — your network. How do you build the system of monitoring, accepting/rejecting, or limiting access to the hordes of devices entering your main, branch, and remote offices? Not to reveal the ending too much, but you’re going to leverage technology to provide granular, application access control.

Part IV: Securing Each Smart Device

At some point, you have to touch your customer. It's time to roll out the policy, programs, and technology to encrypt, protect, and back up the device hordes. You don't want to be in upper management, anyway.

Part V: The Part of Tens

Indispensable places and checklists tend to come in lists of tens, and mobile device security is no different. Turn here often as you read the book, and come back when you’re done.

Icons Used in This Book

To make your experience with the book easier, we use various icons in the margins of the book to indicate particular points of interest.

Whenever we give you a hint or a tip that makes an aspect of mobile device security easier to understand or speeds the process along, we mark it with this little Tip thingamabob. It’s our way of sharing what we’ve figured out the hard way so you don’t have to.

This icon is a friendly reminder or a marker for something that you want to make sure that you keep in mind, or remember, as the icon says.

Ouch! This icon is the equivalent of an exclamation point. Warnings give you important directions to prevent you from experiencing any nightmares. (Well, at least where security is concerned. Offering premonitions about your personal life costs extra.)

Sometimes we feel obligated or perhaps obsessed with some technical aspect of mobile security. We are geeky guys, but mark this info thusly so that you know it’s just geeky background information.

Where to Go from Here

Now you’re ready to use this book. The beginning introduces basic security concepts so you’re familiar with both the terminology and the state of affairs in today’s mobile device security marketplace. If you’re new to mobile device security, start here, or depending on your background, you may want to start by jumping straight to the meat of the discussion in Part II. Once you zoom in to what interests you, we highly recommend going to the other parts or chapters because there are key concepts and usage cases in each chapter.

If you have a mobile device on your desk right now, we recommend muting the ringer and alarms and putting it to sleep for awhile. These devices don’t like to be corralled at first, and if they see you reading this book, they’ll start acting strange for an hour or so.

If you ever want to see what we authors really do, and some of the products we actually get paid to work on, check out Junos Pulse at the Juniper Networks website, www.juniper.net/pulse.


Part I

Living Securely in the Smart World

In this part . . .

By the end of reading Chapters 1 and 2, you will recognize that your best option for securing your corporate network is to embrace the hordes of mobile devices on your campus — well, embrace may be going overboard, but at least you should acknowledge their existence. You can’t live with mobile devices, and you can’t live without them. What’s the answer? Embrace, adapt, protect, and manage. Those are the four stages of living securely in this smart new world — and the message of Chapter 3.

Chapter 1

What’s So Smart About a Phone, Anyway?

In This Chapter

Taking a look at different mobile devices

Getting up to speed on mobile operating system platforms

Exploring data connections

Examining the applications that run on mobile devices

Putting the mobile device security deployment in order

Introducing the AcmeGizmo case study

The late 2000s and early 2010s ushered in a new era of mobility in the enterprise. Prior to this time, truly productive mobility required users to have a laptop, a mobile phone, and possibly a personal digital assistant (PDA) in order to be as productive offsite as they would be at the office. The rise of the smartphone, however, has changed all of that. Now users can get as much done with a device that fits in their pocket as they could when three separate devices were required to accomplish the same tasks. With tablets reaching widespread adoption as well, many users and organizations are trading in their laptops and desktops and replacing them with these new devices.

Your enterprise may have worked for years on strategies for the use of Microsoft Windows (on laptops and desktops) and the Research In Motion (RIM) BlackBerry OS (on smartphones). In addition to the tools that Microsoft and RIM provide to manage, update, and secure these operating systems, your enterprise may have invested in a number of third-party components to help secure these systems further.

However, with the overwhelming demand to bring smartphones and tablets into the enterprise, many IT departments are forced to allow these devices into their networks, in many cases without properly adopting security policies and procedures and without rolling out the appropriate solutions to secure these devices. Because you have picked up this book, you are most likely concerned about how to successfully adapt what you know about security to an extremely wide range of mobile devices.

In this chapter, we describe the various mobile device form factors (the physical dimensions of the devices), the operating systems that run on those devices, and the types of data connections you need to be concerned with when planning a mobile device strategy. We also explain how the applications and data running on these devices will impact your mobile device security strategy.

Additionally, this chapter gives you an overview of the many considerations that you need to take into account when you decide to allow mobile devices to connect to your corporate network. We give you an introduction to the components that make up a successful mobile device security deployment, and then the rest of the book goes into the details.

Finally, the chapter ends with an introduction to a case study of AcmeGizmo, a fictional company. At the end of many chapters of the book, you’ll find case study excerpts to show how this example company chose to deploy various security products and solutions to secure its employee smartphone deployment.

Exploring Different Mobile Devices

The many different mobile computing devices available in the market today range in size from small enough to fit in your pocket to large enough to require a backpack or over-the-shoulder bag. In this section, we introduce the major form factors of mobile computing devices.

Smartphones and tablets

Smartphones and tablets fuel today’s mobile device explosion. Tens of millions of these devices have been adopted in the last few years, with forecasts of tens of millions more to hit the market in the near future. These devices have very quickly found their way into the enterprise, and they’re the primary subject of this book. Many of these devices (and their associated operating systems) were designed for the consumer market, and vendors have added more enterprise-friendly functionality over time. Still, their roots as consumer mobile devices have left some enterprises dissatisfied with or unsure of the risk level of these devices.

Typically, these devices run operating systems specifically designed for smartphones: primarily, Apple iOS, Google Android, RIM BlackBerry OS, Microsoft Windows Mobile (up to version 6.5) and Windows Phone (version 7.0+), and Nokia Symbian (which Nokia is in the process of abandoning in favor of Microsoft Windows Phone 7), though there are several other operating systems on the market today.

Smartphones

The line between a smartphone and a traditional feature phone blurs with each new generation of devices on the market. Vendors continually add more and more functionality to traditional feature phones, while at the same time, lower-end smartphones are introduced to the market in an effort to appeal to the more price-conscious consumer.

That said, there are still distinctions between the typical feature phone and a smartphone. Smartphones are frequently described as handheld computers. All have built-in mobile phone functionality, but what differentiates a smartphone from a traditional mobile phone is the ability for the user to install and run advanced applications (in addition to the ability for independent developers to actually build and distribute those applications). It is this ability to add third-party software that makes smartphones an incredible productivity tool for enterprise users, while at the same time making them susceptible to malware and other types of attacks targeted at those systems. This book helps you to balance productivity gains with security as you enable your end users to use these advanced devices.

In recent years, many smartphones have transitioned to the touchscreen interface, as shown in Figure 1-1, though some still feature a stylus as an input device. Some smartphones include a physical keyboard; others do not. Increasingly, smartphones feature large screens and powerful memory and processors.

One of the big appeals of smartphones today is the availability of third-party applications, typically through application stores or marketplaces, such as iTunes (from Apple), Ovi (from Nokia for Symbian devices), or Android Market (from Google). These marketplaces are where users typically go to purchase and download applications.

In recent years, many enterprise applications have started to make their way into these marketplaces, enabling employees to easily acquire software that helps them to be more effective and productive in their jobs. One of the most common examples is the killer application: e-mail or, more generically, messaging. E-mail is almost always the first application used by enterprises on mobile devices. As enterprises have embraced these mobile devices more completely, they have moved on to more comprehensive business applications such as access to online tools, database applications, and sales force applications such as customer relationship management (CRM) software. In fact, you would be hard pressed to find a type of application that hasn’t been ported to mobile devices somewhere.

Figure 1-1: Both the iPhone (left) and Droid (right) sport touchscreen interfaces.

Tablets

Tablets are most commonly identified by their slate shape (see Figure 1-2). They use touchscreens as their primary input device. You’ll find a wide variety of devices in this style, but today’s devices generally run either a version of Microsoft Windows or one of the smartphone operating systems. Tablets running smartphone operating systems such as Apple iOS or Google Android are among the most popular tablets on the market today.

In this book, we focus on tablet devices that run one of the smartphone operating systems. Devices running one of the several Windows variants can be treated very much like a laptop or a netbook from a security perspective, because they are capable of leveraging the endpoint security and desktop management tools available for those other devices running Windows. As a result, devices that run full versions of the Microsoft Windows operating system are outside of the scope of this book. Devices running the Microsoft Windows Phone or Windows Mobile operating systems, by contrast, are covered in detail in this book.

Devices such as Apple’s iPad (which runs iOS), or one of the many Google Android-based tablets on the market, are similar to smartphones in terms of their capabilities and the security issues that the typical enterprise should be concerned about when allowing these types of devices to access corporate networks. Because these devices run the same operating systems as their smartphone brethren, the security implications and the security policies applied to each are exactly the same.

Figure 1-2: The iPad is a type of tablet.

Laptops and netbooks

Notebooks (or laptops) and netbooks are traditionally used as the primary computing devices in many enterprise environments for mobile users (though trends are quickly changing that positioning). Typically, these devices run versions of the major desktop operating systems: Microsoft Windows or one of several popular distributions of Linux (Red Hat, SUSE, Debian, Ubuntu, and so on). Macintosh laptops generally run a version of Mac OS X. Notebook devices are most often based on x86 processors and come in a variety of sizes, with varying hard disk, memory, and other components.

Notebooks have been around in the enterprise for a very long time, and most IT departments have made significant investments in securing and patching these devices. This book does not emphasize or discuss security strategies for these types of devices, and you can easily find a variety of resources and industry knowledge on how to securely deploy these types of devices for enterprise use.

Netbooks are smaller and less powerful than laptops. These devices are specifically built for the low-end consumer market and have not seen widespread adoption in the enterprise, though you may encounter end users who wish to leverage these devices to access the corporate network as personal devices for use when working from home or when traveling. Netbooks typically run scaled-down versions of Microsoft Windows or Linux operating systems, which do not significantly alter the security risk of the devices, and the devices should be secured in a similar fashion to those machines running full versions of the operating system (despite the fact that they have less functionality to exploit).

Aside from notebooks and netbooks, there are other device types on the market, such as the tablet PC, though these devices have never gained widespread popularity and are quickly being phased out in favor of tablets running operating systems designed for smartphones and tablets (such as Apple iOS and Google Android). For this reason, we don’t cover these devices in detail in this section or in this book.

Other computing devices

There are a variety of other computing devices that are probably attached to your corporate network, but as with laptops and netbooks, these devices are outside the scope of this book. Some of these devices include desktop PCs, feature phones, and warehouse and inventory devices.

Examining Operating Systems for Mobile Devices

So many systems, so little time. With so much overlap and so little difference between many of the device types discussed in the preceding section, it can be confusing to tell just by looking at a device what security mechanisms should be applied to it. It’s important to think about the operating system running on the device because that has a big impact on the type and availability of security products that should be applied to the device.

The operating system is the primary interface between the underlying hardware and the applications running on the device. Among other things, the operating system provides a (mostly) generic mechanism for application developers to write a single application and run it on multiple hardware devices running the same operating system. For this reason, the operating system is the primary distinction that we use in this book to differentiate between mobile devices (the primary subject of this book) and everything else.

A large number of mobile operating systems are available on the market today. Only a few of these have really taken off to the point where you are likely to see large numbers of users adopting them for use in the enterprise. Most vendors provide support for, at most, the top five or six operating systems on the market. You will also find that these five or six operating systems represent the overwhelming majority of phones, so that is not likely to become a significant problem. Security vendors also keep a close eye on the market for mobile operating systems, however, and as new operating systems gain or lose market share, you might see coverage change with newer versions of the security software that your organization has adopted.

You have the option of either allowing all devices onto your network or restricting access to a smaller number of devices. We recommend that you restrict access to only those operating systems that you feel comfortable being able to secure, so that you do not put your organization’s sensitive corporate data at risk.

The following sections briefly describe the major operating systems in use on mobile computing hardware and also highlight which operating systems fall under the mobile device security strategies discussed in this book.

Apple iOS

Apple’s iOS runs on a range of devices, including the iPhone, iPad, iPod Touch, and Apple TV. Apple tightly controls the operating system and does not allow it to be used on third-party hardware, so it is found only on Apple hardware devices. iOS (running on iPhone) is commonly known as the operating system that really started the current mobile/smartphone revolution in the enterprise. Prior to the iPhone, RIM’s BlackBerry devices were the de facto standard in the enterprise, but massive consumer adoption and employee demand for corporate access from the iPhone changed that, forcing many enterprises to adopt new mobile device strategies.

iOS is based on Mac OS X, Apple’s desktop and laptop operating system. As with other mobile operating systems, iOS includes a software development kit (SDK) that allows third-party developers to write and distribute applications for iOS devices. Applications for iOS are published through Apple’s App Store, which includes hundreds of thousands of downloadable applications.

Apple’s tight control of both its hardware and the applications installed on the iOS operating system is both a good thing and a bad thing from a security perspective. On the plus side, the tight control of applications allows Apple to screen applications for (among other things) security prior to distribution. The hardware control allows Apple to lock down its operating system software, exposing fewer functions that might potentially be exploited.

On the downside, Apple has prohibited many third-party security applications, such as antivirus software, from being made available on the iOS platform, taking some of the control over security from the hands of the enterprise IT administrator. Thus far, Apple has done a good job of keeping malware and viruses from making their way to the App Store, so that hasn’t become a huge issue.

Key security distinctions: iOS versus Android

Apple iOS and Android are the two most talked about (and adopted) smartphone/tablet operating systems on the market. Both have gained widespread popularity with mobile application developers, with hundreds of thousands of applications available for each platform through various application marketplaces. There are a couple of key distinctions between iOS and Android, however, that are important to point out. These differences are important because they have significant security implications and make it that much more important to carefully plan your security deployment for Android devices.

Here are the main differences between Android and iOS:

Malicious applications. Apple tightly controls and reviews every application before allowing it to be posted to its App Store. This (according to Apple) helps to mitigate the chance that malicious applications can find their way onto devices running iOS. Android, however, is an open source project, and its developer community is self-policing. This means that any application developer can post an application, and it is up to the community to determine whether an application is malicious in any way, and lobby to have it removed. As a result, a number of potentially malicious applications that target Android devices have been found only after end users downloaded and used them.

The Apple App Store. Apple’s iOS offers only the one App Store, from which users can download applications to their devices. (In 2010, Apple began offering new Application Programming Interfaces [APIs] that allow enterprises to develop their own application stores and so publish and distribute their own applications directly to their employees. APIs are a set of specifications and interfaces that allow an application to communicate with the underlying operating system.)

With Android, however, there are a number of places from which end users can download applications. Google’s Android Market is the primary app store for Android devices and comes installed on most devices running Android. There are, however, many other application stores that can be leveraged by Android devices, many of which are less heavily policed, are known for distributing cracked/hacked software, and represent a big security concern for Android devices accessing corporate networks. It might be a good idea to prohibit your Android users from accessing any of these other application stores.

It is a good idea to train your end users to exercise caution when downloading applications, even from the Android Market itself. Users should download only from trusted sources, and should read reviews to ensure that the applications they are downloading aren’t already causing other folks issues. Android developers and users do attempt to police the marketplace, notifying Google as soon as possible if malware is present; thus far, the window of exposure for Android malware has been minimal, though very real nonetheless.

Operating system fragmentation. Operating system fragmentation is an issue to be aware of on Android devices. With Apple iOS, every device is capable of running the same versions of the operating system, and Apple makes it easy for users to upgrade to the latest versions of iOS through its iTunes software. With Android, however, the hardware and the software are created by two separate entities, and hardware vendors frequently make additions and modifications to the operating system before distributing it. At the same time, some device manufacturers limit or prohibit upgrades to newer versions of the operating system, potentially exposing users to security issues that have been resolved in newer versions. Specifying and controlling which versions of Android can access your network might be a prudent step toward mitigating these risks.

Sandboxing applications. Both Android and iOS sandbox applications, prohibiting them from communicating with other applications on the devices. Apple has made strong statements indicating that this sort of security, along with its review of every application before it is posted to the App Store, is sufficient to keep malicious code from being distributed to iOS devices. As a result, Apple prohibits third-party endpoint security vendors from building software such as antivirus and antimalware for iOS. It remains to be seen whether this strategy will continue to scale and succeed, but as this book went to press, Apple’s strategy has been successful.

It is important to note that we are not attempting to sway enterprises away from allowing users to adopt Android devices. This section is merely meant to highlight some of the additional concerns to keep in mind when allowing Android devices onto corporate networks. These issues can be mitigated or eliminated through proper security planning, policy, and the use of third-party security software.
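Two of the controls recommended above (admitting only operating systems you can secure, and limiting which Android versions may connect) can be written down as a simple admission policy. The following is an added example, not code from the book or from any product it mentions; the record shape, policy values and sample devices are all constructed for illustration.

```python
"""Device admission policy check (added example; not from the book).

Evaluates a device record (OS name plus version string) against an
admission policy: allow only operating systems the organization can
secure, and require a minimum version where older releases carry known,
unfixed issues. All policy values below are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    allowed_os: frozenset        # lower-cased OS names that may connect
    min_version: dict            # os name -> minimum version string


def parse_version(version):
    """Turn '2.3.4' into (2, 3, 4) so comparisons are numeric.

    Comparing version strings as text is a classic mistake: '2.10' < '2.9'
    lexically but not as a release number. A non-numeric suffix such as
    '3.0-beta' is truncated to its leading digits rather than failing.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, minimum):
    """True if actual >= minimum, padding short tuples with zeros ('2.2' == '2.2.0')."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate_device(os_name, version, policy):
    """Return (allowed, reason) for one device.

    Unknown operating systems are denied (fail closed), which is the
    behaviour you want from an allow list.
    """
    name = os_name.strip().lower()
    if name not in policy.allowed_os:
        return False, f"operating system '{os_name}' is not on the allow list"
    minimum = policy.min_version.get(name)
    if minimum is not None and not version_at_least(version, minimum):
        return False, f"{os_name} {version} is below the required minimum {minimum}"
    return True, "device meets policy"


# Constructed policy for the example. Windows Phone is deliberately absent,
# mirroring the chapter's note that it lacks VPN and on-device encryption.
EXAMPLE_POLICY = Policy(
    allowed_os=frozenset({"ios", "android", "blackberry os", "windows mobile"}),
    min_version={"android": "2.2", "ios": "4.0", "windows mobile": "6.5"},
)

if __name__ == "__main__":
    # Constructed sample devices; the last one shows why numeric comparison matters.
    samples = [("Android", "2.3.4"), ("Android", "2.1"), ("iOS", "4.2.1"),
               ("Windows Phone", "7.0"), ("Android", "2.10")]
    for os_name, ver in samples:
        allowed, why = evaluate_device(os_name, ver, EXAMPLE_POLICY)
        print(f"{os_name:14} {ver:6} -> {'ALLOW' if allowed else 'DENY '}: {why}")
```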

Google Android

Google’s Android operating system became extremely popular over the 2009–2011 period. While sponsored by and commonly associated with Google, Android is an open source operating system with many contributors. Android is based on Linux, as is common with several of the mobile operating systems described in this section.

As with Apple’s iOS, there are hundreds of thousands of applications available for the Android platform. The Android operating system can be found on smartphones and tablets from a wide variety of handset vendors, including Motorola, Samsung, Dell, HTC, and more. In the second half of 2010, Android became the unit market share leader for smartphone operating systems in the United States.

With the Android operating system, the OS itself is open source, which means that malicious entities might have an easier time finding exploits in various versions of the OS. On the other hand, this open source nature also means that a large community of contributors is keeping an eye on the development of the OS and contributing work. The primary security concern associated with Android systems is the lack of policing on the Android marketplace, as well as the availability of non-Google-sponsored marketplaces. Several well-known malware applications have now found their way onto Android systems, with more expected to come in the future. This strengthens the need for a comprehensive security story on Android devices.

RIM BlackBerry OS

Research In Motion’s (RIM’s) BlackBerry operating system has been wildly popular in the enterprise for a number of years. Until recently, with the newest wave of smartphones on the market, it has been the de facto standard for corporate data and application access from a mobile device. This OS became popular in the enterprise due to its native support for corporate e-mail, as well as the management and security functionality that is native to the operating system.

Key to the management and security features is the BlackBerry Enterprise Server (BES), which sits inside of the corporate network and provides authentication, security of data in transit, and security of the device itself. The built-in security does not cover everything, however, and a number of third-party security products on the market complete the BlackBerry end-to-end security story.

Many IT administrators, including some reading this book, wish they could return to the days where they needed to support only a single mobile device operating system (BlackBerry OS), which can be controlled by a single management platform (BES). Unfortunately, the “consumerization” of IT has led to the adoption of myriad other devices by corporate users, so the task of securing devices has become much more complicated (hence the need for books like this one).

Most BlackBerry phones on the market run RIM’s BlackBerry OS, though it is expected to be replaced by a new OS (currently known as the BlackBerry Tablet OS; see the following section). BlackBerry OS version 7 will actually be this new operating system, rather than a continuation of the prior versions of the BlackBerry operating system.

RIM BlackBerry Tablet OS

BlackBerry Tablet OS is, as of early 2011, a new operating system from RIM that runs on the RIM PlayBook tablet. This operating system represents a major shift for RIM, as until now all of its devices have run some version of the BlackBerry operating system. This new OS is based on a real-time OS, similar to Unix, known as QNX.

RIM has announced plans to transition all of its devices to this new operating system as of BlackBerry 7. Given the tremendous popularity of RIM devices in enterprise environments, it is likely that many mobile device security vendors will adapt their products to support this operating system as BlackBerry 7 devices begin to hit the market. While this operating system may not be a big concern for the corporate IT department in 2011, moving forward, it is something to plan to support.

Microsoft Windows Mobile and Windows Phone

Windows Mobile and Windows Phone are Microsoft’s mobile operating systems. Until version 6.5, Microsoft’s mobile device OS was known as Windows Mobile and was heavily focused toward the enterprise. Version 7 onward is known as Windows Phone, and at least initially, the operating system is built primarily for consumer use. In early 2011, Microsoft’s mobile operating systems continue to fall in market share, making them far less popular than several of the other operating systems described in this section.

Because Windows Mobile (6.5 and prior) was targeted toward the enterprise, it includes many built-in security features and provides the OS capabilities and APIs for third-party security developers to create applications that help secure these platforms. Over time, Microsoft will be phasing out Windows Mobile 6.5 in favor of the newer Windows Phone 7 operating system.

The continuation of release numbering from 6.5 to 7 is a bit of a misnomer, because Windows Phone 7 is an entirely new operating system and is very different from Windows Mobile (6.5 and prior). A number of functions are currently missing from Windows Phone 7, including virtual private network (VPN) support and on-device encryption, which prevents it from being properly secured and connected to enterprise networks.

It is likely (though not confirmed) that over time, Microsoft will add some of these missing enterprise features. For the time being, however, it is important to note that Windows Phone 7 does not necessarily include features that your enterprise might be using on Windows Mobile 6.5, and that your existing security products might not support this newer operating system yet.

Nokia Symbian