Mobile security, BYOD policy issues to trend at RSA 2012, analysts say

If industry analysts are correct, enterprises facing the challenge of building a bring-your-own-device (BYOD) policy to achieve control of Google Android and Apple iOS smartphones and tablets and secure the company data flowing to these devices tend to get an earful at RSA Conference 2012.

There are individuals with three or four devices attempting to get at the network and that is one of many big issues.

John Kindervag, principal analyst, Forrester Research Inc.

For the primary time at RSA Conference, mobile device security this year has its own session track, meaning an entire state of sessions and speakers may be excited by the subject. While lots of sensational, headline-grabbing mobile malware attacks and malicious applications are areas of shock, enterprises are fighting the sensible challenges of extending corporate security policies to the hordes or personally owned devices accessing the network, said Andrew Hay, a senior security analyst at Ny-based analyst firm The 451 Group.

IT security teams want the facility to trace down and wipe lost or stolen devices, ensure secure access to corporate resources, and address mobile application security issues, said Hay, who's participating in a panel discussion on whether enterprises are “up for the challenge.”

“There are a number of organizations which can be happy with their perimeter demarcation and beginning to examine other sources of knowledge exfiltration. Mobile is actually a type of things,” Hay said in a conference call previewing RSA 2012.  “It goes beyond standard mobile device management.”

The BYOD phenomenon has also created a myriad of legal and technical challenges for enterprises, Hay said. How does an enterprise ensure standard security best practices are enforced without putting severe restrictions on an employee's personally owned device?  RSA 2012 offers at least six sessions addressing BYOD issues.  A Thursday panel discussion, “BYOD: Securing Mobile Devices You do not Own,” will explore ways security pros can address the challenges posed by personally owned devices. Meanwhile, another session, “Mobile Devices: A Privacy & Security Check-In,” will provide insight on BYOD from the perspective of a gaggle of legal and policy experts.   

While some organizations are either restricting mobile access to corporate data to just those users with BlackBerrys or not addressing policy enforcement on iPhone or Android devices in any respect, at some point compliance and governance issues should be addressed, said John Kindervag, principal analyst at Cambridge, Mass.-based Forrester Research Inc.

“We're going to should live with it and treat it,” Kindervag said. “There are individuals with three or four devices attempting to get at the network and that is one of the most big issues.”

RSA Conference 2012 attendees also are more likely to be inundated with new security products designed to deal with mobile concerns. Some enterprises are testing out mobile security software with a limited subset of users; others are expecting technologies to conform, said Jason Clark, CSO of Los Gatos, Calif.-based security vendor Websense Inc. Clark said loads of enterprise CISOs appear to be searching for peace of mind in relation to mobile.

“I view a laptop as being significantly more risky than I do an iPhone or an iPad, but people view the mobile devices as riskier because there may be zero visibility and no endpoint security on them,” Clark said. “The truth is that there is a lot more malware targeted against the laptop, while with the iPhone and iPad you've gotten a way more hardened environment with less data contained in it.”

In an RSA Conference 2012 session about information security within the year 2020, attendees might be asked to foretell future threats and information security challenges to the enterprise. Mobile challenges is usually part of the discussion, said Pete Lindstrom, research director at Pennsylvania-based Spire Security, who's leading the session on Tuesday.

Lindstrom said the present defense-in-depth or zero-trust models may change attributable to increased mobility. He said people may search for methods to obfuscate themselves while at the network and only spend a limited time connected. In place of concerned about tips on how to secure themselves at the network, Lindstrom said people sooner or later might consider the notion of defending themselves as a result of disconnecting.

“I've seen some cool stuff regarding network security in accordance with the proximity of mobile devices,” Lindstrom said. “We're already seeing some innovation with mobility, but i am hoping to spur some more discussion and innovation.”

View all of our RSA 2012 Conference coverage. 

Dig Deeper

• Those who read this also read...