However, with the overwhelming demand to bring smartphones and tablets into the enterprise, many IT departments are forced to allow these devices into their networks, in many cases without properly adopting security policies and procedures and without rolling out the appropriate solutions to secure these devices. Because you have picked up this book, you are most likely concerned about how to successfully adapt what you know about security to an extremely wide range of mobile devices.
In this chapter, we describe the various mobile device form factors (the physical dimensions of the devices), the operating systems that run on those devices, and the types of data connections you need to be concerned with when planning a mobile device strategy. We also explain how the applications and data running on these devices will impact your mobile device security strategy.
Additionally, this chapter gives you an overview of the many considerations that you need to take into account when you decide to allow mobile devices to connect to your corporate network. We give you an introduction to the components that make up a successful mobile device security deployment, and then the rest of the book goes into the details.
Finally, the chapter ends with an introduction to a case study of AcmeGizmo, a fictional company. At the end of many chapters of the book, you’ll find case study excerpts to show how this example company chose to deploy various security products and solutions to secure its employee smartphone deployment.
Exploring Different Mobile Devices
The many different mobile computing devices available in the market today range in sizes small enough to fit in your pocket to large enough to require a backpack or over-the-shoulder bag. In this section, we introduce the major form factors of mobile computing devices.
Smartphones and tablets
Smartphones and tablets fuel today’s mobile device explosion. Tens of millions of these devices have been adopted in the last few years, with forecasts of tens of millions more to hit the market in the near future. These devices have very quickly found their way into the enterprise, and they’re the primary subject of this book. Many of these devices (and their associated operating systems) were designed for the consumer market, and vendors have added more enterprise-friendly functionality over time. Still, their roots as consumer mobile devices have left some enterprises dissatisfied with or unsure of the risk level of these devices.
Typically, these devices run operating systems specifically designed for smartphones: primarily, Apple iOS, Google Android, RIM BlackBerry OS, Microsoft Windows Mobile (up to version 6.5) and Windows Phone (version 7.0+), and Nokia Symbian (which Nokia is in the process of abandoning in favor of Microsoft Windows Phone 7), though there are several other operating systems on the market today.
Smartphones
The line between a smartphone and a traditional feature phone blurs with each new generation of devices on the market. Vendors continually add more and more functionality to traditional feature phones, while at the same time, lower-end smartphones are introduced to the market in an effort to appeal to the more price-conscious consumer.
That said, there are still distinctions between the typical feature phone and a smartphone. Smartphones are frequently described as handheld computers. All have built-in mobile phone functionality, but what differentiates a smartphone from a traditional mobile phone is the ability for the user to install and run advanced applications (in addition to the ability for independent developers to actually build and distribute those applications). It is this ability to add third-party software that makes smartphones an incredible productivity tool for enterprise users, while at the same time makes them susceptible to malware and other types of attacks targeted at those systems. This book helps you to balance productivity gains with security as you enable your end users to use these advanced devices.
In recent years, many smartphones have transitioned to the touchscreen interface, as shown in Figure 1-1, though some still feature a stylus as an input device. Some smartphones include a physical keyboard; others do not. Increasingly, smartphones feature large screens and powerful memory and processors.
One of the big appeals of smartphones today is the availability of third-party applications, typically through application stores or marketplaces, such as Apple's App Store (reached through iTunes), Ovi (from Nokia for Symbian devices), or Android Market (from Google). These marketplaces are where users typically go to purchase and download applications.
In recent years, many enterprise applications have started to make their way into these marketplaces, enabling employees to easily acquire software that helps them to be more effective and productive in their jobs. One of the most common examples is the killer application: e-mail or, more generically, messaging. E-mail is almost always the first application used by enterprises on mobile devices. As enterprises have embraced these mobile devices more completely, they have moved on to more comprehensive business applications such as online tools access, database applications, and sales force applications such as Customer Relationship Management Software (CRM). In fact, you would be hard pressed to find a type of application that hasn’t been ported to mobile devices somewhere.
Figure 1-1: Both the iPhone (left) and Droid (right) sport touchscreen interfaces.
Tablets
Tablets are most commonly identified by their slate shape (see Figure 1-2). They use touchscreens as their primary input device. You’ll find a wide variety of devices in this style, but today’s devices generally run either a version of Microsoft Windows or one of the smartphone operating systems. Tablets running smartphone operating systems such as Apple iOS or Google Android are among the most popular tablets on the market today.
In this book, we focus on tablet devices that run one of the smartphone operating systems. Devices running one of the several Windows variants can be treated very much like a laptop or a netbook from a security perspective, because they are capable of leveraging the endpoint security and desktop management tools available for those other devices running Windows. As a result, devices that run full versions of the Microsoft Windows operating system are outside of the scope of this book. Devices running the Microsoft Windows Phone or Windows Mobile operating systems, by contrast, are covered in detail in this book.
Devices such as Apple's iPad (which runs iOS), or one of the many Google Android-based tablets on the market, are similar to smartphones in terms of their capabilities and the security issues that the typical enterprise should be concerned about when allowing these types of devices to access corporate networks. Because these devices run the same operating systems as their smartphone brethren, the security implications are largely the same, and the same security policies can be applied to both (allowing for differences such as a Wi-Fi-only tablet having no cellular data path to control).
Figure 1-2: The iPad is a type of tablet.
Laptops and netbooks
Notebooks (or laptops) and netbooks are traditionally used as the primary computing devices in many enterprise environments for mobile users (though trends are quickly changing that positioning). Typically, these devices run versions of the major desktop operating systems: Microsoft Windows or one of several popular distributions of Linux (Red Hat, SUSE, Debian, Ubuntu, and so on). Macintosh laptops generally run a version of Mac OS X. Notebook devices are most often based on x86 processing and come in a variety of sizes, with varying hard disk, memory, and other components.
Notebooks have been around in the enterprise for a very long time, and most IT departments have made significant investments in securing and patching these devices. This book does not emphasize or discuss security strategies for these types of devices, and you can easily find a variety of resources and industry knowledge on how to securely deploy these types of devices for enterprise use.
Netbooks are smaller and less powerful than laptops. These devices are specifically built for the low-end consumer market and have not seen widespread adoption in the enterprise, though you may encounter end users who wish to leverage these devices to access the corporate network as personal devices for use when working from home or when traveling. Netbooks typically run scaled-down versions of Microsoft Windows or Linux operating systems, which do not significantly alter the security risk of the devices, and the devices should be secured in a similar fashion to those machines running full versions of the operating system (despite the fact that they have less functionality to exploit).
Aside from notebooks and netbooks, there are other device types on the market, such as the tablet PC, though these devices have never gained widespread popularity and are quickly being phased out in favor of tablets running operating systems designed for smartphones and tablets (such as Apple iOS and Google Android). For this reason, we don’t cover these devices in detail in this section or in this book.
Other computing devices
There are a variety of other computing devices that are probably attached to your corporate network, but as with laptops and netbooks, these devices are outside the scope of this book. Some of these devices include desktop PCs, feature phones, and warehouse and inventory devices.
Examining Operating Systems for Mobile Devices
So many systems, so little time. With so much overlap and so little difference between many of the device types discussed in the preceding section, it can be confusing to tell just by looking at a device what security mechanisms should be applied to it. It’s important to think about the operating system running on the device because that has a big impact on the type and availability of security products that should be applied to the device.
The operating system is the primary interface between the underlying hardware and the applications running on the device. Among other things, the operating system provides a (mostly) generic mechanism for application developers to write a single application and run it on multiple hardware devices running the same operating system. For this reason, the operating system is the primary distinction that we use in this book to differentiate between mobile devices (the primary subject of this book) and everything else.
A large number of mobile operating systems are available on the market today. Only a few of these have really taken off to the point where you are likely to see large numbers of users adopting them for use in the enterprise. Most security vendors support, at most, the top five or six operating systems on the market. Because those five or six operating systems also account for the overwhelming majority of phones in use, the gap in vendor coverage is unlikely to be a significant problem. Security vendors also keep a close eye on the market for mobile operating systems, however, and as new operating systems gain or lose market share, you might see coverage change with newer versions of the security software that your organization has adopted.
You have the option of either allowing all devices onto your network or restricting access to a smaller number of devices. We recommend that you restrict access only to those operating systems that you feel comfortable being able to secure, so that you do not put your organization’s sensitive corporate data at risk.
The following sections briefly describe the major operating systems in use on mobile computing hardware and also highlight which operating systems fall under the mobile device security strategies discussed in this book.
Apple iOS
Apple’s iOS runs on a range of devices, including the iPhone, iPad, iPod Touch, and Apple TV. Apple tightly controls the operating system and does not allow it to be used on third-party hardware, so it is found only on Apple hardware devices. iOS (running on iPhone) is commonly known as the operating system that really started the current mobile/smartphone revolution in the enterprise. Prior to the iPhone, RIM’s BlackBerry devices were the de facto standard in the enterprise, but massive consumer adoption and employee demand for corporate access from the iPhone changed that, forcing many enterprises to adopt new mobile device strategies.
iOS is based on Mac OS X, Apple’s desktop and laptop operating system. As with other mobile operating systems, iOS includes a software developer kit (SDK) that allows third-party developers to write and distribute applications for iOS devices. Applications for iOS are published through Apple’s App Store, which includes hundreds of thousands of downloadable applications.
Apple’s tight control of both its hardware and the applications installed on the iOS operating system is both a good thing and a bad thing from a security perspective. On the plus side, the tight control of applications allows Apple to screen applications for (among other things) security prior to distribution. The hardware control allows Apple to lock down its operating system software, exposing fewer functions that might potentially be exploited.
On the downside, Apple has prohibited many third-party security applications, such as antivirus software, from being made available on the iOS platform, taking some of the control over security from the hands of the enterprise IT administrator. Thus far, Apple has done a good job of keeping malware and viruses from making their way to the App Store, so that hasn’t become a huge issue.
Key security distinctions: iOS versus Android
Apple iOS and Android are the two most talked about (and adopted) smartphone/tablet operating systems on the market. Both have gained widespread popularity with mobile application developers, with hundreds of thousands of applications available for each platform through various application marketplaces. There are a couple of key distinctions between iOS and Android, however, that are important to point out. These differences are important because they have significant security implications and make it that much more important to carefully plan your security deployment for Android devices.
Here are the main differences between Android and iOS:
Malicious applications. Apple tightly controls and reviews every application before allowing it to be posted to its App Store. This (according to Apple) helps to mitigate the chance that malicious applications can find their way onto devices running iOS. Android Market, by contrast, has no comparable review before an application is published: any registered developer can post an application, and it is largely up to users, researchers, and Google's after-the-fact removals to determine whether an application is malicious and get it taken down. (Android being an open source project does not by itself make the marketplace any safer or less safe; the difference lies in the publishing model.) As a result, a number of malicious applications that target Android devices have been found only after end users downloaded and used them.
The Apple App Store. Apple's iOS offers only the one App Store, from which users can download applications to their devices. (In 2010, with iOS 4, Apple added the ability for enterprises enrolled in its enterprise developer program to distribute their own in-house applications directly to their employees, outside the public App Store. Those applications are still built against Apple's published Application Programming Interfaces [APIs], a set of specifications and interfaces that allow an application to communicate with the underlying operating system.)
With Android, however, there are a number of places from which end users can download applications. Google’s Android Market is the primary app store for Android devices and comes installed on most devices running Android. There are, however, many other application stores that can be leveraged by Android devices, many of which are less heavily policed, are known for distributing cracked/hacked software, and represent a big security concern for Android devices accessing corporate networks. It might be a good idea to prohibit your Android users from accessing any of these other application stores.
It is a good idea to train your end users to exercise caution when downloading applications, even from the Android Market itself. Users should download only from trusted sources, and should read reviews to ensure that the applications that they are downloading aren’t already causing other folks issues. Android developers and users do attempt to police the marketplace, notifying Google as soon as possible if malware is present; and thus far, the window of exposure for Android malware has been minimal, but still very real nonetheless.
Operating system fragmentation. Operating system fragmentation is an issue to be aware of on Android devices. With Apple iOS, every supported device can run the same current version of the operating system, and Apple makes it easy for users to upgrade to the latest version of iOS through its iTunes software. With Android, however, the hardware and the software are created by two separate entities, and hardware vendors frequently make additions and modifications to the operating system before distributing it. At the same time, some device manufacturers limit or prohibit upgrades to newer versions of the operating system, potentially exposing users to security issues that have been resolved in newer versions. Specifying and controlling which versions of Android can access your network might be a prudent step toward mitigating these risks.
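The two recommendations above (admit only the operating systems you are prepared to secure, and restrict which Android versions and application sources may reach your network) reduce to an admission check that can be run against each device record before it is granted access. The following is an added illustration, not code from the book or from any MDM product. The platform names, minimum versions, and the `unknown_sources` attribute (standing in for Android's "Unknown sources" sideloading setting as an MDM agent might report it) are assumptions chosen for the example; a real deployment would take them from its own inventory and policy store.

```python
"""Device admission policy: allow only platforms/versions the organisation
has decided it can secure, and refuse Android devices configured to
install applications from outside the primary marketplace.

Added example for illustration; the policy table, attribute names and
device records below are constructed for this example, not taken from
any product.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.4', '4.0' or '7.0.7004' into a tuple of ints so versions
    compare numerically rather than as strings ('10.0' > '9.9').
    A non-numeric trailing piece (e.g. '2.3.4-beta') is truncated at the
    first non-digit; an empty or unparsable string yields (), which sorts
    below every real version."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Device:
    platform: str                 # e.g. "ios", "android", "blackberry"
    os_version: str               # as reported by the device or MDM agent
    unknown_sources: bool = False # Android sideloading setting enabled (assumed attribute)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policy: minimum OS version per platform the organisation
# believes it can secure. Platforms absent from the table are denied.
MIN_VERSION: Dict[str, str] = {
    "ios": "4.2",
    "android": "2.2",
    "blackberry": "5.0",
    "windows phone": "7.0",
}


def evaluate(device: Device, policy: Dict[str, str] = MIN_VERSION) -> Decision:
    """Decide whether a device may connect. Fails closed on anything it
    cannot classify: unlisted platforms and unparsable version strings."""
    platform = device.platform.strip().lower()
    if platform not in policy:
        return Decision(False, f"platform '{device.platform}' is not on the approved list")
    required = parse_version(policy[platform])
    reported = parse_version(device.os_version)
    if not reported:
        # An unparsable version is treated as unknown, never as "newer".
        return Decision(False, f"could not parse OS version '{device.os_version}'")
    if reported < required:
        return Decision(False, f"{platform} {device.os_version} is below minimum {policy[platform]}")
    if platform == "android" and device.unknown_sources:
        return Decision(False, "Android device permits installs from unknown sources")
    return Decision(True, f"{platform} {device.os_version} meets policy")


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for d in (Device("iOS", "4.3.3"),
              Device("android", "2.1"),
              Device("android", "2.3.4", unknown_sources=True),
              Device("symbian", "9.4"),
              Device("android", "unknown")):
        result = evaluate(d)
        print(f"{'ALLOW' if result.allowed else 'DENY ':5} {d.platform:10} {d.os_version:8} {result.reason}")
```

Tuple comparison makes `(2, 3)` sort below `(2, 3, 4)`, so a device reporting only a major.minor version is held to the stricter interpretation; combined with the deny-by-default for unlisted platforms and unparsable versions, the check never grants access on the basis of information it could not interpret.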
Sandboxing applications. Both Android and iOS sandbox applications, isolating each application's process and private data from other applications on the device so that one application cannot read another's files or tamper with it directly (applications can still exchange data through the operating system's sanctioned mechanisms). Apple has made strong statements indicating that this sort of isolation, along with its review of every application before it is posted to the App Store, is sufficient to keep malicious code from being distributed to iOS devices. As a result, Apple prohibits third-party endpoint security vendors from building software such as antivirus and antimalware for iOS; the sandbox would in any case prevent such software from inspecting other applications. It remains to be seen whether this strategy will continue to scale and succeed, but as this book went to press, Apple's strategy has been successful.
It is important to note that we are not attempting to sway enterprises away from allowing users to adopt Android devices. This section is merely meant to highlight some of the additional concerns to keep in mind when allowing Android devices onto corporate networks. These issues can be mitigated or eliminated through proper security planning, policy, and the use of third-party security software.
Google Android
Google’s Android operating system became extremely popular over the 2009–2011 period. While sponsored by and commonly associated with Google, Android is an open source operating system with many contributors. Android is based on Linux, as is common with several of the mobile operating systems described in this section.
Mobile Device Security For Dummies Page 3