Thursday, August 26, 2010

Employees carry smart phones; a data security threat silently entering into enterprises

Memories of old days of my employment are still afresh when I used to work for a big multi-national software company. The most uneasy moment that i still remember was crossing the physical security of the company. As per company policy, we were not allowed to bring in or take back any type of electronic media (CD, floppy etc.), self owned or company owned laptop. All bags entering office premises were cross examined by security personals. In this regard, the day when I went office without any handbag, gave me the most peaceful entry and probably virtually to the company as well. Only device that never bothered me was my less smart mobile phone hanging right-side in the belt.

Over years a lot have been changed. Those dummy mobile devices have evolved and became much smarter than ever and it would be not wrong if we call it mini personal computer. These smart phones are capable of storing gigabytes of data and can do personal laptop/desktop like computation in a fraction of time. Hundreds of such devices are brought inside enterprises daily and remain inside for several hours unmonitored.

Though these devices are trusted to be taken inside office premises to serve the personal need of calling by employees to their friends and relatives, it can also be misused to carry company’s confidential data. This tiny device come fully equipped to make network connectivity and can be connected to company’s private LAN without network administrator knowledge.

Most enterprise wireless LANs are secured using WPA2/802.1x security protocol which requires knowledge of domain name and password (certificate is optional for clients in PEAP). So employees can also configure their smart phones to make a connection with corporate LAN. Once the connection is done, user can access resources present on the network and siphon off confidential data.

In a large network enterprise, it’s very difficult for network admin to manage updated list of allowed MAC addresses of networking devices and hence white listing is hard to achieve. It’s difficult to monitor and contain employee carried mobile phones connecting to corporate network. NAC (Network access control) is also not going to help as user can bypass it by successfully authenticating with authenticating server.

Monitoring activity of smart phones inside office premises is increasingly becoming serious security problem. Lack of a reliable solution to contain the problem makes the situation even more alarming. This also opens opportunity for network monitoring system provider to develop innovative solution to manage tiny computers brought inside enterprises by their trusted employees.

Until then, be aware to be secure...

No comments:

Post a Comment