Enterprise IT security in the “mobile age” is not what it used to be. The differences we see today stem primarily from the shift from personal computers to truly personal devices, such as the iPhone, iPad and Android devices, which users expect to purchase with their own money (or corporate allowances) and bring to the workplace as either auxiliary computers or even their primary work platform. The velocity of hardware and software development has increased remarkably in the past decade, and users are increasingly unwilling to wait for corporate IT departments to catch up with the latest gadgets. These days, users want to purchase the device themselves, often within days or even hours of its release, and bring it to work immediately.
This scenario carries with it a large number of risks. First, users think of the device as their personal property, rather than something used to access sensitive corporate systems and information. This generally means that they are more cavalier towards security issues than they might be with company equipment. Second, the user is likely to install various personal apps and games, and is much more likely to visit questionable web sites that may attack the device. Finally, because the device accompanies the user everywhere he or she goes, it is much more likely to be lost or stolen.
It is critically important to understand the scope of the problem before proceeding to remediation strategies. In the first section of this paper, we will explore the entire ecosystem of the mobile enterprise. Then, we will move on to discover some of the vulnerabilities this ecosystem presents, followed by the risks created by those vulnerabilities. In the final section, we will explore some mitigation and defense strategies that will help fix the vulnerabilities and reduce the impact of the risks.