Securing the Next Wave of BYOD: Intel CISO Assesses Risks, Opportunities
With the release of the iPhone 5, and other new mobile devices and upgrades on the way, security leaders need to start preparing for the mobile security challenges of 2013 and beyond, says Intel CISO Malcolm Harkins.
"To be honest, this is a journey with no finish line," says Harkins in an interview with Information Security Media Group's Tom Field [transcript below].
Heading into 2013, Harkins sees a continued proliferation of multiple device types, operating systems and models. And with more employees bringing their own devices into work, "you'll start seeing more data put on them," he says.
"The resolution we have is a continued focus on sensing the risks, interpreting them and then making decisions to act on them," Harkins says.
Harkins sees mobile's continued proliferation as a chance to add security, an area his team at Intel is focusing on for 2013. "We've got pilots that will be starting to happen, being able to use the mobile device as a mechanism in our authentication," he says. "You can get a one-time password sent to your mobile device that you can then use with a laptop or another device to log in to maybe a more sensitive application."
For organizations still assessing their mobile risks, Harkins says they can't shy away from the BYOD challenge any longer. "If they don't adequately stay in front of it, they're going to have more risks for their enterprises and they're going to miss opportunities for business benefit," he says.
In this interview, Harkins discusses:
- Intel's approach to enhancing security awareness;
- How to deal with regional regulatory and privacy nuances;
- Opportunities to use mobility to enhance your security program.
Don't miss Harkins' webinar, "BYOD, Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices."
Harkins is vice president of Intel's Information Technology Group and CISO and general manager of information risk and security. The group is responsible for managing the risk, controls, privacy, security and other related compliance activities for all of Intel's information assets.
Before becoming Intel's first CISO, Harkins held roles in finance, procurement and operations. He has managed efforts encompassing IT benchmarking and Sarbanes-Oxley systems compliance. Since joining Intel in 1992, Harkins has held positions as the profit and loss manager for the Flash Products Group; general manager of Enterprise Capabilities, responsible for the delivery and support of Intel's finance and HR systems; and in an Intel business venture focusing on e-commerce hosting.
Preparing for New Mobile Devices
TOM FIELD: Apple just released the iPhone 5. We see a whole slew of new mobile devices and upgrades coming up in time for the holidays. How do you expect these announcements to impact your own legion of employees who bring their own devices to work?
MALCOLM HARKINS: I think a number of things. I think we will continue to see growth in the number of mobile devices in our environment. We've been growing 700-plus a month, now well over 30,000 small form-factor smartphone devices in the environment. A vast majority of that growth has come from bring-your-own, and I expect that the trend in volume will continue.
In addition, I expect we'll see a lot of upgrades in devices from the ones that people currently have or have had for the past couple of years since we opened the floodgates to BYO in early 2010.
FIELD: When you hear news like the release of the iPhone 5 or the new Kindle and other mobile upgrades, what's your reaction as a CISO?
HARKINS: My reaction is two-fold. There are two aspects of it. When I see the new releases, particularly as I look back with our BYO, and it's about two-and-a-half years old give or take, if you assume some people have been waiting on upgrades, you might see this mass churn of devices. My first thought is that with the existing devices, as they get retired and because if it's a BYO device they might give the old phone to their kid, go make sure that our controls are in place to handle the potential volume of that change and what happens to the old phone and making sure the footprint from the corporate perspective is adequately removed.
Intel: Mobile Breakdown
FIELD: You talked about the number of mobile devices within Intel today. What's the percentage of those that Intel has issued versus the ones the employees bring to work, and what's the breakdown of i-devices versus the non-Apple products by percentage?
HARKINS: In terms of the percentage of BYO versus Intel-provided, when we started this in early 2010 we had 11,000-12,000 small form-factor devices. Virtually all of those, 99 percent give or take, were Intel-provided. We paid the service contract. We paid for the device. Most of the 20,000-unit growth we've had has been from bring-your-own. The split today is you've got 20,000-plus bring-your-own, 11,000-12,000 that our company paid for. Company-paid will continue to stay flat or go down. As we continue to add 700-1000 a month with 90-percent or more being BYO, the shift is going to be there, but right now you've got two-thirds of the environment that is BYO.
FIELD: And what would you say are i-products versus non-i-products?
HARKINS: Essentially we support all the major operating systems within the environment. The iOS-based products are probably 50 percent of that total, give or take a little bit. But it's a healthy percentage and you still have Android, Windows and BlackBerry as well. But I think the thing that will be interesting is how that mix will shift over time, and I do expect that we'll see growth in both the Windows OS systems as well as the Android ones.
Biggest Mobile Security Challenges
FIELD: As you mentioned, you've been dealing with mobility for over two years now, and in many ways you're well ahead of many organizations that are dealing with BYO. What do you find to be your biggest mobile security challenges today?
HARKINS: There's always concern about data protection and the containers and does the device have encryption? Do we have a footprint on it that we can adequately manage to reasonably protect the data as well as overall manage it for other reasons?
The second one becomes the growth in mobile malware, and malware targeted at the mobile devices has been growing. The amount of potentially malicious applications on various app stores has continued to grow. That's a growing concern around how you would not only potentially mitigate the malicious malware that could get onto the small form-factor device, but if it was widespread, how would you handle that event, because these are not on your network like PCs and laptops. How do you manage the remediation and the incident response process if something was very widespread? Making sure you're prepared for that is certainly something that we've been trying to do and is top-of-mind for me.
The third angle of it is the legal and regulatory side. You've got obviously privacy concerns when it's BYO. As a multi-national, you've got idiosyncrasies in different locations that you have to work through in terms of complying with local laws. As this expands and looking at potentially local laws and what we can do, what we can't do, how does that limit the potential BYO in certain locations? Those things all need to get thought through as we continue to expand it.
FIELD: Two of the biggest issues we have with mobility are lost and stolen devices when they're in the hands of the users, and, as you mentioned, malware and the users on the frontline when it comes to detecting or enabling that malware. How have you helped to make your users smarter individuals when handling their mobile devices?
HARKINS: Because we've been historically mobile from the significant population of laptops in our environment, dating back now almost 15 years since we flipped from a desktop model towards one of mobile computing for the traditional computing side of things, that has prepared us well for the next expansion of mobile computing into the small form-factor and tablet areas, but we continue to drive awareness.
With BYO there's a service agreement, there's education for the user and there are things that they need to acknowledge in terms of our expectations of them and the expectations they can have on us, like some of the things we're going to do on the device. But we continue to do awareness articles, whether they're phishing-type items, spam, malicious text messages that people might get. Those types of things can make our users aware that the things that they've seen in the PC environment that they've helped be a part of our perimeter defenses for by alerting us to unusual things or trying to mitigate those things with us, they also need to think about them in the small form-factor setting. The vector of attack or approach might be different, because again it might be a text versus an IM versus an e-mail, but they need to think similarly and that the device and what they're getting could contain malicious capabilities.
Top Mobile Questions
FIELD: I know in the past year or so you've done a number of speaking engagements and entertained a number of questions about mobile security. What are the questions you get most frequently these days from organizations that are dealing with their own issues?
HARKINS: Most of the time it really does involve worry about data protection, which again should be primarily the core focus. If you're going to allow potentially corporate data on the device, how do you go about protecting that? How do you go about mitigating lost and stolen devices? It usually revolves around data protection.
For folks that have a multi-national footprint, the next thing that most people start talking about is the local laws and the idiosyncrasies with that. It really becomes the data protection and privacy for the user and how to respect that as you're enterprising the consumer by putting an enterprise layer on that device, and then, like I said, the localization issues in certain countries.
Looking Ahead: 2013's Challenges
FIELD: Because you've resolved many of these issues, you've got the opportunity to look ahead and look at possibilities. What do you see as the mobile security challenges, as well as opportunities, in 2013?
HARKINS: Let's go back to resolving it. To be honest, this is a journey with no finish line. The resolution we have is a continued focus on sensing the risks, interpreting them and then making decisions to act on them, and that will not stop. I wouldn't say that we're done and I think that's the resolution I have on it, so that we don't take our eye off the ball, whether it's the legal and regulatory changes, the security threat vectors or the privacy things.
Going forward in terms of 2013, I think it's going to be a continued proliferation of multiple device types with multiple operating systems and multiple usage models. Definitely in our environment and in others, the folks that have put in place and expanded their footprint on mobile devices, in particular BYO, you'll start seeing more data put on them. Instead of just e-mailing, calendar, contacts, instant messaging and enterprise applications, your ERP data is now a mobile enterprise application. We're going to start driving that.
The other thing that's, honestly, quite exciting for 2013 is how the mobile device can add to my security. We've got pilots that will be starting to happen in the next quarter here, being able to use the mobile device as a mechanism in our authentication. You can get a one-time password sent to your mobile device that you can then use with a laptop or another device to log in to maybe a more sensitive application. The connection of near-field communications between the phone and the laptop can again be used to try and help establish, from a multi-factor perspective, whether Malcolm is proximal to his laptop, and with a one-time password, I think there are things like that you can envision starting to come into play in 2013 and beyond: this ability to cross-connect your devices and have your devices recognize that they're around each other and then recognize you. Then with things like one-time passwords, you can enhance the user experience and tighten the security, and I think we're going to start seeing the emergence of that in 2013.
Supporting Mobile's Next Generation
FIELD: We've got a CISO community that's seeing the iPhone upgrade as well as a slew of other upgrades in mobile devices. What advice do you have for this group about supporting this next generation of mobile? What are the areas they should focus on most?
HARKINS: First, I think those that are not supporting it need to start supporting it because it's happening around them. And if they don't adequately stay in front of it or at least even with this, they're going to have more risks for their enterprises and they're going to miss opportunities for business benefit. If you're supporting it, figure out how to. I think that would be my first message.
In terms of other support, I think it varies based upon the institutions. If you're a multi-national, figure out and look through the local issues that you might encounter in terms of the roll-out and don't just assume that what you do, say, in the U.S. can apply worldwide.
My key message is that the enablement factor is probably the best thing for everybody to do, and recognize you're going to have more than just one operating system and more than one device. Be prepared to support the multiple device-types as well as the multiple operating systems, and if you're not ready for that, it will also constrain your possibilities of benefit. It will also increase your risk if you're not ready to support all the operating systems.