roger_grimes
Columnist

Androids and iPads: Network security’s last stand?

Analysis
Nov 02, 2010 | 6 mins
Android | Data and Information Security | Endpoint Protection

You're damned if you allow consumer devices, and damned if you don't; either way, establish security policies now

More and more companies are allowing their employees to use any computing device they like and no longer mandating which computer and devices the company will support. This consumerization of corporate computers is embraced by end-users, who love the idea of bringing their iPads to work, but it should be disturbing for most IT security shops.

Bring-your-own-computer has been on the rise for many years, but new, feature-rich devices are pushing the envelope even faster. Certainly Apple’s iMacs and iPads have a lot to do with it these days. In the past, most corporations would not consider supporting Apple computers (or only in limited pockets, like marketing) because Macs didn’t support the majority of the corporation’s applications and couldn’t be easily secured and controlled. But over the last few years, the Macs have breached the gates. In fact, the CEO and IT technicians are the ones most likely to be running Apple computers in their environments, often directly against corporate policies, and even risking disciplinary action in doing so.


Apple’s iPads are popping up all over the place these days. I’m seeing iPads in almost every corporate environment I visit, and I expect this is just the trickle before the flood. It seems that every software vendor pitching a new product shows how their application also runs on an iPad. Companies may mandate that their employees only use BlackBerry phones for corporate business, but it’s hard to keep iPhones and Droids from appearing at work or to prevent corporate email from finding its way to these phones. The same goes for the iPad and other tablets. Portable consumer devices of every description are invading the corporate network.

The slippery slope of mobile device support

Many early adopters of the bring-your-own-device paradigm have simply changed their support policies to recommend certain devices and brands, but allow outliers to use nonstandard hardware as long as they understand it is not officially supported. Those policies have often morphed into official direct support, outsourcing support to third parties, or making a “best effort” at support but with no guarantees.

Over the coming months, there is likely to be a stronger and stronger push to support multiple platforms and brands in your environment. First, it’s getting harder to tell users that their preferred device can’t do the job. Never before have so many mobile platforms supported such a high level of functionality — capable Web browsers, enterprise email and calendar integration, large numbers of compelling native apps, and (slowly but surely) even viable management tools.

Second, virtualization allows one platform or product to run on another. Many Mac owners are happy with running Windows virtualized, allowing them to get the best of both worlds, while conforming to the demands of the business. Of course, IT and security admins know that running two platforms, whether virtualized or not, incurs higher support costs and challenges. A virtualized system needs to be maintained just like a physical system, and it has to run every security program a real system does. On top of that, it introduces additional, guest-to-host and guest-to-guest security issues.

Third, cloud computing and Web 2.0 functionality make it increasingly likely that your future applications and services will run in a browser. Gradually, what used to run on only one platform will run on several.

I’m a big believer in using whatever tools do the job best, and if the job can most efficiently be done with multiple devices and brands, I support that decision. Many companies find lower costs in supporting one brand or platform, but that isn’t always the best policy. Some companies may be better served by supporting heterogeneous devices. But even a highly mixed environment must have security and control, and the consumerization of IT is quickly challenging the traditional security paradigm.

New directions in endpoint security

Is your company headed in this new direction? If so, how can you ensure the proper level of security for all devices? How can you ensure that connecting computers are securely configured, running up-to-date versions of operating systems and applications, and running up-to-date versions of antimalware software? Is device and platform security still your department’s responsibility or is the new requirement one of simply protecting the core assets and networks against all untrusted assets?

Many security administrators believe in a strong endpoint defense. They are eschewing the hard outer shell and chewy inside for harder insides. How can you enforce a stronger, more secure endpoint if you don’t control it? Maybe a network access control (NAC) product is in your future.

What about data? Will your company allow valuable data to be copied to unmanaged devices? Unless you’ve been extraordinarily proactive, it’s already happening.

This is not to say that support for consumer devices is a purely binary decision. An alternative path, which is probably more palatable in most environments, is to support what you can secure. For example, allow email access if it can be secured. Allow document creation and editing only if the third-party application used is 100 percent compatible with the corporate standard. Don’t allow blatantly risky or insecure applications to be connected to your network. Here’s where a NAC solution could give the business what it wants and the IT department what it needs.
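The "support what you can secure" approach above can be expressed as a posture check of the kind a NAC product evaluates when a device connects: verify the platform and patch level, verify antimalware where the platform has it, then grant only the services the device's posture justifies. The following is an added example written for this page, not code from the column or from any NAC vendor; the minimum OS versions, the signature-age limit, the approved-application list and the sample device records are all constructed assumptions chosen to illustrate the tiers (quarantine, limited, full).

```python
"""Posture-based access tiers for consumer devices (illustrative, constructed policy)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed policy thresholds (assumptions, not any vendor's defaults).
MIN_OS_VERSION = {"ios": (4, 1), "android": (2, 2), "windows": (6, 1), "macos": (10, 6)}
AV_REQUIRED = {"android", "windows", "macos"}   # platforms where we expect antimalware
MAX_SIGNATURE_AGE_DAYS = 7
APPROVED_OFFICE_APPS = {"corp-office-suite"}     # editors deemed fully compatible


@dataclass
class Posture:
    """What the device reports (or a NAC agent collects) at connection time."""
    device_id: str
    os_name: str
    os_version: str                      # e.g. "4.2.1", "2.1-update1"
    av_installed: bool
    av_signature_date: Optional[date]
    office_app: Optional[str]            # document editor the user wants to use
    managed: bool                        # enrolled in corporate management?


def parse_version(s: str) -> Tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1); stops at the first non-numeric suffix ('2.1-update1' -> (2, 1))."""
    parts: List[int] = []
    for piece in s.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def evaluate(p: Posture, today: date) -> Tuple[str, List[str], List[str]]:
    """Return (tier, granted services, reasons). Any hard failure quarantines the device."""
    reasons: List[str] = []
    os_key = p.os_name.lower()
    floor = MIN_OS_VERSION.get(os_key)
    if floor is None:
        reasons.append(f"unknown platform {p.os_name!r}")
    elif parse_version(p.os_version) < floor:
        reasons.append(f"{p.os_name} {p.os_version} below minimum {'.'.join(map(str, floor))}")
    if os_key in AV_REQUIRED:
        if not p.av_installed:
            reasons.append("no antimalware installed")
        elif p.av_signature_date is None or (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
            reasons.append("antimalware signatures stale")
    if reasons:
        # Hard failures: only a remediation portal, nothing on the corporate network.
        return "quarantine", ["captive-portal remediation"], reasons

    # Healthy device: email is the baseline; other services depend on posture.
    granted = ["email"]
    if p.managed:
        granted.append("intranet")
    if p.office_app in APPROVED_OFFICE_APPS:
        granted.append("documents")
    elif p.office_app:
        reasons.append(f"office app {p.office_app!r} not on approved list; documents denied")
    tier = "full" if p.managed and "documents" in granted else "limited"
    return tier, granted, reasons


# Constructed sample fleet evaluated against a fixed date so results are reproducible.
TODAY = date(2010, 11, 2)
SAMPLE_DEVICES = [
    Posture("ipad-1", "iOS", "4.2.1", False, None, "corp-office-suite", managed=False),
    Posture("droid-2", "Android", "2.1-update1", True, TODAY - timedelta(days=2), None, managed=False),
    Posture("mac-3", "macOS", "10.6.4", True, TODAY - timedelta(days=30), None, managed=True),
    Posture("win-4", "Windows", "6.1", True, TODAY - timedelta(days=1), "corp-office-suite", managed=True),
    Posture("droid-5", "Android", "2.2", True, TODAY, "random-editor", managed=False),
]


def run_demo() -> Dict[str, Tuple[str, List[str], List[str]]]:
    """Evaluate every sample device; returns {device_id: (tier, granted, reasons)}."""
    return {d.device_id: evaluate(d, TODAY) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for dev_id, (tier, granted, reasons) in run_demo().items():
        print(f"{dev_id:8} {tier:10} {', '.join(granted):40} {'; '.join(reasons)}")
```

The point of the tiers is that an unmanaged but healthy iPad still gets email, a managed and patched laptop gets everything, and an out-of-date Android or a Mac with month-old signatures gets only a remediation page. In a real deployment the posture record would come from a NAC agent or the device's management enrollment rather than from the device's own claims, and the thresholds would be reviewed as platforms ship fixes.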

Deja vu all over again

This new challenge reminds me of the dawn of instant messaging. When instant messaging first appeared, IT shops refused to support it. When a few employees were discovered using it, the app was removed from their desktops. Despite the prohibitions, instant messaging started showing up with more regularity, and it was used for legitimate business transactions. By the time the security problems began to crop up (mostly malicious file transfers), IT did not have the tools to combat them. Eventually the tools to help manage and secure instant messaging were created, and today instant messaging is typically a part of the legitimate environment and supported by IT.

Will your company fight consumerization or embrace it? From a security standpoint, if you can’t control the endpoint, then you shouldn’t allow it in the environment. But security is often an afterthought, secondary to operations and business needs. End-users love their iPads and Droids, and they — and likely their managers — see no reason they can’t bring them to work.

If your IT management hasn’t wrestled with this issue, perhaps this is the time to start the discussion, make decisions, and push out policies. Seize the chance to be slightly ahead of the curve on this one, or it will get ahead of you.

This story, “Androids and iPads: Network security’s last stand?,” was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
