Never has data, such as corporate data, been so mobile—and so prone to theft, loss or corruption. With more than 2 billion handheld devices (PDAs, Smart Phones, Blackberry's™, thumbdrives, iPods™, other handheld devices, etc) already in use, they are becoming more and more commonplace in the corporate environment. Many of these devices are purchased for personal use, but are finding their way into corporate environments and are being used to access corporate information. This changing IT landscape, sometimes referred to as “shadow” IT, is particularly acute at the “mobile edge” or the “perimeter”—the dynamically changing end points of an enterprise network where the type, platform and use of these devices is continuously changing and evolving.
These mobile devices have quickly become the productivity tools of choice for most knowledge workers. The devices are relied upon because of their immediate access to information, their small form factor and faster collection of information. However, such benefits come with tremendous financial, regulatory and brand risk. These devices, if unsecured, can be a primary source of infections via rogue access, data theft, and unsecured transfer of information and inadvertent release of confidential information. Increasingly they are also causing significant IT challenges and helpdesk headaches.
Effective management of these new risks is as critical as it is complex. The complexities lie in many area's of concern. Some analysts estimate that as many as 30% of these devices are lost per year (SANS Institute). The small form factor of these devices also creates new internal security threats due to their ability to be easily concealed. Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses. Further, Gartner predicts that through 2006, 90 percent of mobile devices containing enterprise data will have insufficient power-on protection and storage encryption to withstand casual to moderate hacker attacks. This risk has led them to recommend that enterprises immediately start addressing their mobile storage risks.
Corporate enterprises are faced with the challenge of managing the balance between end user productivity, an appropriate level of data security while minimizing IT intervention. Organizations are asking if the solution is an extension of current vendors' solutions, or do they require a fresh approach that leverages security best practices empowered by software that can take advantage of knowing and understanding the dynamics at the mobile edge. The liabilities and risks associated with an unsecured mobile edge are growing. While enterprises look to leverage the competitive advantages and productivity gains associated with the introduction of smart phones and other mobile devices, the security risks continue to increase.
Legislation mandating the protection, management, or verification of financial data and personal information is forcing corporate action and accountability. Legislation stipulating the protection of personal data is commonplace, with penalties for failing to comply becoming increasingly severe. HIPAA, PIPEDA, GLBA, The Data Protection Act, SB1386, SOXA, are examples of regulations targeting organizations that deal in maintenance and transfer of sensitive corporate and consumer information.
Further, complicating this challenge is the general openness of the Microsoft Desktop environment. Now more than ever, every port, external disk drive, or memory stick can become a huge regulatory or financial risk. To confront these growing challenges some IT departments have turned to soldering and gluing USB ports to prevent intrusion, or putting titanium “chastity belts” around computers. Others are looking for more elegant ways to manage the risks associated with the inherent access to enterprise data. USB ports, for instance, can be used for a variety functions from input devices such as mice and keyboards to mobile data storage devices (capable of downloading gigabytes of data or uploading unapproved or malicious software). Devices as inconspicuous as iPods and other entertainment devices are now capable of not only downloading more than 30 GBs of data, they can also, unknown to the user and corporate IT, put aware and other potentially malicious software directly onto the users hard disk.
Mobile devices are key competitive tools in today's marketplace and business, as well as government agencies. These organizations should preferably find ways to transparently apply the necessary security policies to them—to minimize knowledge worker productivity. One of the biggest challenges, the protection of sensitive data including client financial information and patient information, has many issues associated with it and requires a comprehensive solution to achieve the intended result.
Prior art security systems for networks commonly employs static, legacy-type and fixed policy-based approaches controlled from within an enterprise system for protecting data and network access to it. However, mobile communications devices having data storage and software applications create new challenges for network security, in particular because the portable mobile communications devices have a range of software, applications, functions and changes to their operating characteristics occur from time to time without authorization from the security system. A mobile device that is compliant with a security policy can be readily changed to present a security risk subsequent to policy compliance checking. For example, various peripherals can be connected to mobile devices, the devices can communicate with various public networks, and application software can be easily added to the devices.
Since mobile communications devices are intended to enhance productivity for mobile knowledge workers, access to the enterprise network and data stored on servers therein is important to ensuring their productivity. Thus, there remains a need for systems and methods that effectively verify that mobile devices attempting to access a network resource is both authorized to access that network resource and in compliance with network security policies.