The mobile ecosystem has undergone seismic changes over the past 10 years as the majority of corporate mobile fleets have migrated from being almost entirely made up of BlackBerry devices to a world containing multiple types of hardware, operating systems, and ownership models. As mobile devices mature from simple call and text devices, organizations need to consider what security controls to migrate from legacy platforms and what needs to be re-evaluated, replaced or introduced.
Historical IT security controls
The security controls set for legacy devices over the past 30 years often had no regard for the borderless network we see today, but they did set the groundwork for good security practice.
Original IT controls were based on physical access and software controls similar to the least privilege principle we know today. As systems matured, complex permissions and role-based access control were implemented across a number of systems.
As the IT footprint grew within organizations, and networks became bridged or connected to the Internet, the complexity of security outgrew the ability to monitor and manage individual user access.
Legacy systems extend least privilege concepts to the end-user device itself, with administrator rights often locked out from end-users. Very few organizations would permit the installation of applications without the explicit approval and intervention of IT administrators.
Legacy IT controls are generally not possible on mobile. App stores are ubiquitous and required for proper functioning of modern mobile devices. File stores are relatively non-existent and user-space is not clearly defined. Transposing existing IT policies across to mobile devices is no simple project.
The challenges of the mobile ecosystem
For a number of years, remote access was a crude affair for workers, often consisting of now defunct protocols and connections (e.g. token-ring and ISDN). Now with mobile being increasingly integrated into the corporate IT infrastructure, there are a number of challenges that come with it.
Unlike the days of BlackBerry, without the physical reminder that the device is intended for work only, the line between business and personal use becomes blurred as the user’s expectations and usage behavior shift towards those of a personal device. This is perhaps because the devices they use for work are sometimes the exact same model they have chosen as their personal device, or at least very similar.
Although many businesses have rules around phone call usage, when you consider the lack of data itemization on phone bills and the lack of visibility into mobile internet usage, the potential for misuse of a corporate mobile device is far greater than a premium rate dialed number. These devices intended for work can quickly become a productivity drain and distraction when they aren’t perceived or treated as a work tool by the end user, especially when there is no way for administrators to hold employees accountable for misuse.
Shorter device lifecycle
While legacy devices like PCs typically have a lifespan of over four years, there are a number of reasons why modern mobile devices’ hardware lifecycle is just short of two years.
- In North America, the majority of mobile contracts last 24 months including a subsidized mobile device purchase
- Apple’s AppleCare purchase program also spreads payments over two years
- Google, Samsung, and Apple generally release a new hardware platform every year
- The latest OS of a mobile device may not run optimally (or at all) on older hardware
- Mobile devices are more susceptible to physical damage, loss, and theft
- Mobile devices generally contain no end-user replaceable parts, making entire device replacement a more feasible option
Planned obsolescence is generally an illegal practice, although Apple has pointed to legitimate battery drain concerns to justify the slowing of older devices on newer OS versions. Mobile administrators need to work closely with suppliers and procurement to accurately forecast and plan for a more condensed device lifecycle.
Lack of traditional threat remediation controls
Security on legacy devices is focused on stopping threats from getting onto a device and quarantining files and executables that exhibit malicious behavior. If malicious files are caught after installation, a policy will immediately delete the infected files from the device or, at the very least, strip the malicious content from them.
Mobile ecosystems generally do not have mature APIs and integration into other business platforms that would enable administrators to delete applications or services from a device. Some IT policies may dictate that systems cannot be used unless they directly integrate with Active Directory or ServiceNow – this isn’t possible for mobile devices unless you use an enterprise mobility management (EMM) platform.
Additional network exposure
Mobile devices are designed to be always on and always connected. Employees with mobile devices, especially those that work away from their desks, can be more productive and available during work hours, and even outside of traditional work hours. But this means devices are exposed to more networks and therefore more threats, particularly where features allow devices to connect automatically to open Wi-Fi networks.
Complicated lifecycle management
Asset management and lifecycle management might also miss users whose access should be terminated. This is even more complicated with BYOD models, where admins can’t simply reclaim the device.
Security policies that involve the removal of floppy disk drives and the bolting of devices to desks do not apply to the mobile ecosystem. Mobile devices generally have a single port for charging and data connectivity, so the only controls to limit unauthorized access reside in software.
Applying policy to mobile
Legacy IT security controls matured over decades and were able to adapt over time as IT usage penetration within organizations approached 100%. The mobile ecosystem, on the other hand, has had less than 10 years to develop, which is likely why today the majority of businesses are more likely to have a policy on desk phone usage than one on mobile data controls.
Whilst it’s preferable to borrow from existing security control precedents on legacy devices, it is not a simple task to transpose those policies across to mobile. Existing acceptable use policy documents for end-users may be too prescriptive, and hence either exclude mobile devices entirely or include no adaptations for BYOD or personal usage.
Organizations might find themselves in a situation where mobile devices are procured by end-users and managed by the mobility team, but the ultimate responsibility for security still lies with the IT security department. For this reason, policies, provisioning, and platform decisions may have already been made with little regard to security and not all security control mechanisms will be available. For more information read our guide to incorporating mobile into your legacy IT security systems.