BYOD policies are spreading across Canadian businesses, but according to IDC Canada research, not as fast in the public sector.
That is slowly changing, which is one reason why the Ontario branch of the Municipal Information Systems Association (MISA) asked IT World Canada to organize a panel on mobile operating system security last week at their annual conference in Chatham, Ont.
The trio included Anthony Bartolo, technology evangelist at Microsoft Canada, who talked about Windows Phone; Steven Cull, manager of alliances at Samsung Electronics Canada, who spoke on Android and Samsung’s Knox enterprise security features that are built into select Samsung handsets; and IT World Canada CIO Jim Love, who compared security features in Apple iOS and BlackBerry. I was the moderator.
Combined, these speakers should have given attendees a fair idea of the strengths and weaknesses of the most popular mobile operating systems.
I’ll give a brief outline here of what each had to say:
–Bartolo noted that through the just-launched Windows Server R2, WinPhone 8 allows secure access to data not only for Windows Phone devices, but also for iOS and Android. Access can be federated through Active Directory for BYOD policies.
WinPhone 8 devices can be set to any of 13 levels of security policies, he said. Also, the OS controls the core kernel and up. If malware gets on a device and tries to manipulate the core, the handset immediately locks up.
All applications that come with a WinPhone are signed, which makes it “the most secure platform out there from the core up.”
App sandboxing also ensures that applications can only access certain data.
–Samsung’s Knox security capabilities are handset-based features that strengthen Android 4.3 for enterprises.
Presently Knox is only available here through Bell Mobility on the Galaxy Note 3 phablet, but sometime before the end of the year will be added to the Galaxy S4, Galaxy SIII and Galaxy Note 2 devices.
Cull said a special chipset secures the Android kernel, there’s a container for separating corporate and personal applications and data, and AES 256-bit encryption for data on the device and SD card to limit the odds the device can be compromised.
Knox also incorporates SE for Android in the kernel, which makes it impossible to run applications on Android 4.3 at the root level. The kernel is also monitored for unauthorized changes.
At the application level the container for enterprise — which needs a Knox-capable mobile device management suite for implementation — includes email, contacts and business apps.
Knox also allows individual virtual private networks (VPNs) to be set up for up to five applications.
–In comparing BlackBerry and iOS, Love concluded that “Apple gets it”: there are many features the latest versions of both operating systems now share, including remote wipe, encryption over the air and the ability to use VPNs per app.
On the other hand, BlackBerry has the ability to segregate personal and corporate data. And while Apple says root access can be denied, Love said one security firm pointed out that “once you have the keys to the store with Apple, you’ve got it all.”
More broadly, Love said there’s a danger IT managers will be lulled into a false sense of confidence through “feature-itis” — I have approved a device with lots of security features, therefore it must be secure.
“One of the best ways you can keep an application secure is keep your patches up to date, keep your operating systems up to date,” he pointed out. The way Apple pushes out its updates is commendable, he said. In a short time 52 per cent of iOS users have updated to version 7.
He made two other points worth considering: Organizations are so preoccupied with application security they forget that the biggest mobile threat is the employee who doesn’t password-protect their device, followed by malware delivered through email.
I’m indebted to Love, Cull and Bartolo for taking the time to go to Chatham, and hope those who were there got a lot out of our session.
I also thank three people who had to put up with me: conference co-organizers Fred Rouse, network security analyst at the municipality of Chatham Kent, Helen McLaren, the municipality’s director of IT services, and John Millar of Digital Boundary Group of London, Ont.
Next year’s conference is in Peterborough.