A few months ago, I posted a blog on Consumerization of IT (here) where I explored some of the causes and impacts of this important trend (wow....has it really been that long since I last blogged? What have you been doing all this time, Sumner?). I mentioned in that blog that there would be a follow-up blog on some of the security implications relating to CoIT. Well, here is that blog.
It seems to me that the use of mobile devices to access enterprise resources has one important difference from the normal case of access through standard work laptop devices. Namely, you need some form of controls on the device itself to protect your information and to help prevent fraud. This is driven from two obvious facts relating to mobile users. First, you (the IT organization) can't always dictate the configuration of the device. Second, once your user accesses corporate information, it physically resides on their personal device. There is clearly a similar risk even when a work-issued laptop is used, but at least you have much more control over the configuration and ultimate disposition of that device.
Controls on the device are often hard to enforce simply because these may have been purchased by the employee for their own personal use. But, most consumer devices now come with some reasonably standard controls related to the security of the device and its contents. Common controls include:
- Encryption of the data on the device
- User authentication (strong passwords, inactivity time-outs, maximum failed login attempts, etc.)
- Device wipe
- Device management to configure device security, and to push policy to the device
- Application certification - most device vendors require formalized testing and certification of applications to minimize malware potential
- Anti-malware products
These controls help to require more than mere physical possession of the device in order to gain access to sensitive data. This is why attackers generally don't target the individual device: in most cases it won't provide access to information that could be used for financial gain. They are more likely to attempt to attack central IT systems and information, since this is where the true financial benefit resides.
In short, security of the device is a tractable problem because today's devices come with some security controls already on the device, and additional security is available from a large number of vendors eager for your business.
But, the more important and difficult challenge is securing access (by the user of the device) to critical applications and information, as well as the use of information after it has been accessed. Protection of your information from mobile users requires a layered approach to security: controls on your user identities (and their access rights), enforcement of your access policies, and controls over how information is used once it has been accessed. The following graphic illustrates conceptually how these controls help protect your resources, regardless of the type of user, or the method they use to access your resources.
This model says, in effect, that other than controls on the device itself (described above), access from mobile devices requires essentially the same controls as any access method requires. I believe that some areas of controls are particularly important for mobile users - for example, strong authentication and fraud detection. But, a strong security infrastructure of controls relating to identities, access, and information use should also be sufficient to help ensure security from your mobile users.
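As an added illustration (not code from the original post or from CA), here is a hypothetical access-decision routine that layers the device controls listed above under the identity and access-policy checks described in this model. The posture thresholds in POLICY and the "step-up" outcome are assumed values chosen for the example.

```python
from dataclasses import dataclass
from typing import List

# Assumed minimum device posture; thresholds are illustrative, not a vendor baseline.
POLICY = {
    "min_passcode_length": 6,
    "max_inactivity_timeout_s": 300,   # lock after at most 5 minutes idle
    "max_failed_attempts": 10,         # lock/wipe after at most 10 bad passcodes
}

@dataclass
class DevicePosture:
    """Controls a consumer device reports about itself (the list above)."""
    encrypted: bool
    passcode_length: int
    inactivity_timeout_s: int
    max_failed_attempts: int
    remote_wipe_enabled: bool
    mdm_enrolled: bool
    anti_malware_present: bool

@dataclass
class AccessRequest:
    authenticated: bool          # identity established (e.g. password)
    strong_auth: bool            # second factor satisfied
    resource_sensitivity: str    # "low" or "high"
    posture: DevicePosture

def posture_violations(p: DevicePosture) -> List[str]:
    """Return the device controls that fall short of POLICY."""
    v = []
    if not p.encrypted: v.append("storage not encrypted")
    if p.passcode_length < POLICY["min_passcode_length"]: v.append("passcode too short")
    if p.inactivity_timeout_s > POLICY["max_inactivity_timeout_s"]: v.append("inactivity timeout too long")
    if p.max_failed_attempts > POLICY["max_failed_attempts"]: v.append("failed-attempt limit too high")
    if not p.remote_wipe_enabled: v.append("remote wipe disabled")
    if not p.mdm_enrolled: v.append("not enrolled in device management")
    if not p.anti_malware_present: v.append("no anti-malware")
    return v

def decide(req: AccessRequest) -> str:
    """Layered decision: identity first, then device posture, then access policy."""
    if not req.authenticated:
        return "deny"
    if posture_violations(req.posture):
        return "deny"           # possession of the device alone must not be enough
    if req.resource_sensitivity == "high" and not req.strong_auth:
        return "step-up"        # require strong authentication from the mobile user
    return "allow"
```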
I will reserve Part 3 of this topic for a short discussion of some issues relating to authentication of mobile users, and hopefully, it won't take as long as Part 2 did.
Do you agree with this model? Would you argue that security of mobile users poses vastly different challenges than does security for all users?
For more information on consumer driven IT, please see www.ca.com/cdit.