Smartphones Extend the Network Perimeter and Introduce Risk
By Rick Tracy
Traditionally, the network perimeter has represented the hard, crunchy outside of the network that is intended to protect sensitive assets and data on the inside. However, with the rapid proliferation over the past few years of smartphones and other mobile devices such as iPads/tablets and aircard-enabled laptops, this is no longer the case. That is, your sensitive assets and data are no longer always safely tucked away behind a firewall or in a secure physical location.
Some people argue that the network perimeter is shrinking as companies attempt to consolidate all sensitive data in a centralized location and simply focus on protecting that sensitive data and associated assets.
However, with the proliferation of cloud-based services and particularly smartphones, you could easily argue that the network perimeter 1) has expanded; 2) only exists in a virtual sense; or 3) no longer exists at all.
One way to look at it is that your network perimeter is wherever your sensitive data and assets reside. That said, your network perimeter is elastic and extends to wherever your smartphone-toting employees happen to be. This situation significantly magnifies the risks associated with the typical telecommuting scenario, as many of your employees now have the ability to “telecommute” from anywhere at any time.
Over the past 10 years, smartphones have evolved from cell phones that also allowed you to simply send and receive e-mail to bona fide computers that are by our side 24 hours a day.
Indeed, smartphones today are every bit as powerful as desktops and laptops. For example, in addition to using smartphones to send and receive e-mail we also use them to:
Create and store documents
Surf the web
Participate in video teleconferences
Interface with social media sites
Manage IT systems
Conduct critical business functions including financial transactions
Access network resources via virtual private network connections.
The last example above is interesting in that it demonstrates how the network model has changed. Specifically, we use smartphones, which are a sensitive asset, to remotely access other sensitive assets and data that reside inside the corporate network. Based on this scenario, where is the network perimeter? Is it the VPN concentrator and firewall at the border of the corporate network, or is it the smartphone that is accessing the sensitive resources remotely? To further the point, we are not talking about only one smartphone. For many companies, smartphones are standard issue. Many employees, often hundreds, use them.
So what's the risk?
A lost or stolen smartphone in the wrong hands could be an open portal into your corporate network, giving someone unauthorized access to your sensitive systems and data.
Based on this risk, should companies ban the use of smartphones? In a word, no. Smartphones have become too valuable to businesses and make employees more productive, allowing them to work from anywhere at any time.
Though outright banning of smartphones is not practical, companies might consider controlling who in the company can use them to access company systems and data. This would help limit the threat vector to fewer people.
What can you do to reduce smartphone-related risk?
Since you can't really prohibit the use of smartphones without impacting employee productivity or sacrificing competitive advantage, you must figure out how to make smartphones acceptably secure.
Here are a few things you can do to help reduce the risk associated with smartphones and their extension of the network perimeter:
Require all company smartphone users to read and sign a smartphone appropriate use policy so they understand their responsibilities.
Never allow non-employees to use company smartphones.
Report lost/stolen smartphones to IT immediately.
Manage smartphones as you do other IT assets.
Enable smartphones with company-issued digital certificates to ensure only company-authorized smartphones have access to the corporate network.
Enforce the use of strong passwords.
Enforce the use of encryption on all smartphones (smartphones that do not support encryption should not be used to access, process, or store company data).
Monitor smartphones to ensure OS patches are installed and up to date.
Approve smartphone applications before they are installed.
Ensure smartphones support a remote wipe capability in the event smartphones are lost or stolen.
Activate smartphone locator features when available to locate lost or stolen phones.
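As an added illustration (not part of the original article), the checklist above can be expressed as an access gate that an asset-management process runs before a phone is allowed onto the corporate network. The field names, thresholds, issuer name, app allowlist and sample inventory are all assumptions constructed for this example.

```python
from datetime import date

# Policy values are assumptions; the article names the controls, not thresholds.
MAX_PATCH_AGE_DAYS = 45
MIN_PASSCODE_LENGTH = 8
APPROVED_APPS = {"mail", "vpn", "docs", "calendar"}
COMPANY_CA = "Example Corp Device CA"  # hypothetical issuer name

def evaluate(device, today):
    """Return (decision, reasons, actions) for one inventory record."""
    if device["reported_lost"]:
        # Lost or stolen: cut off network access first, then wipe and locate.
        actions = ["revoke_certificate"]
        if device["remote_wipe_supported"]:
            actions.append("remote_wipe")
        if device["locator_enabled"]:
            actions.append("locate")
        return "block", ["reported lost or stolen"], actions
    reasons = []
    if device["cert_issuer"] != COMPANY_CA:
        reasons.append("no company-issued certificate")
    if not device["encrypted"]:
        reasons.append("storage not encrypted")
    if device["passcode_length"] < MIN_PASSCODE_LENGTH:
        reasons.append("weak passcode")
    if (today - device["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        reasons.append("OS patches out of date")
    unapproved = sorted(set(device["apps"]) - APPROVED_APPS)
    if unapproved:
        reasons.append("unapproved apps: " + ", ".join(unapproved))
    if not device["remote_wipe_supported"]:
        reasons.append("no remote wipe capability")
    return ("block" if reasons else "allow"), reasons, []

TODAY = date(2024, 6, 1)  # constructed evaluation date

def _dev(**overrides):
    # Constructed baseline record for a compliant phone.
    base = dict(cert_issuer=COMPANY_CA, encrypted=True, passcode_length=10,
                last_patch=date(2024, 5, 20), apps=["mail", "vpn"],
                remote_wipe_supported=True, locator_enabled=True,
                reported_lost=False)
    base.update(overrides)
    return base

FLEET = {  # constructed sample inventory
    "phone-01": _dev(),
    "phone-02": _dev(encrypted=False, apps=["mail", "game"],
                     last_patch=date(2024, 1, 5)),
    "phone-03": _dev(reported_lost=True),
}

if __name__ == "__main__":
    for name, dev in FLEET.items():
        print(name, *evaluate(dev, TODAY))
```

Returning every failed control, rather than stopping at the first, gives IT the full remediation list for a device in one pass.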
Smartphones have made traditional definitions of the network boundary and perimeter obsolete. As discussed above, smartphones and other mobile devices serve to extend our network borders, not just to one location, but to many locations. With that comes the need to make sure these potential access points are as secure as possible.
Smartphones and other mobile computing devices are only going to become more powerful and more pervasive in the future. Therefore, companies must recalibrate their thinking as it relates to the network perimeter to account for the fact that smartphones can be anywhere, anytime. As such, it is essential that we manage smartphones like any other asset that accesses, processes and stores sensitive company data.