VPN Haus talks to Peter Brockmann, tech analyst and president of Brockmann & Company. In the second post in this two-part series, Brockmann weighs in on the security of mobile devices. See Part 1 of the Q&A here.
VPN Haus: The Blackberry is no longer the default mobile device for organizations. Now that different people within a single organization could be using a Blackberry, iPhone, an Android device and more, how can organizations manage mobile security with so much variety? Are there any security advantages of having employees on different kinds of devices?
Peter Brockmann: Despite the noise surrounding Android, our research shows that this is mostly hype so far. North American enterprises are more likely BlackBerry with iPhone. We believe it is this state of affairs because Android has potential, but has yet to make a sizable dent in the business user market with the right combination of network, devices and software.
Mobile security professionals have begun to realize that it is a diverse, user-driven world we live in. Historically, they have always validated policies regardless of the device or device vendors. They typically recommended technologies and implemented policies that address the very real concerns about eavesdropping and theft of mobile devices, the access they enable and the data they have onboard. For them, it was supposed to be a simple method of validating a device’s compliance with these standard policies and accepting or rejecting the device. However, real life isn’t always so simple.
Today, users have enormous power over their IT environment and user convenience is now a major factor in determining device support. The old axiom that “complexity kills” has to be set aside from infrastructure decisions so that users can extract the productivity benefits they seek. One of the downsides to a multi-device, multi-vendor world is that the administrator needs to access different tools to perform the same service for different users. IT might need to have the same app developed for multiple devices. The firm might need different client software to perform the same function on different devices. All of this complexity introduces costs and the potential for error by administrators, but if it simplifies the users’ life and increases their productivity so they can win more business faster, so be it.
VPN Haus: How would you rate Mac’s built-in VPN? Would you suggest corporate networks use external VPNs, rather than relying on the Mac’s built-in function? Or In what cases would you suggest using an external VPN rather than Mac’s built-in feature?
Brockmann: I’ve used the Mac’s (and iPhone’s) built-in VPN to access my corporate network when traveling. It can be a reliable, simple-to-use and unobtrusive security feature. However, there are places, such as my mother’s home, some hotels and a few airport lounges, where the locally provided Internet service supports only a few TCP/IP ports such as port 80 (http) or port 443 (https) which causes a timeout on connection attempts, leaving me frustrated and my Mac stranded.
An external VPN client is better to enable useful features not supported by the ‘built-in’ client. For example, the NCP Secure Entry Client for Mac can overcome the port-limiting challenge with its unique PathFinder technology. It uses the appropriate ports to attempt a service connection and should that fail, it can attempt a connection over port 80 or 443 and thereby increase the possibilities of doing business in these places. Something mother may not appreciate, but my boss will.
Also, if my enterprise supports a number of OS’ on devices expected to be mobile—Windows, Linux, Mac, iPhone, Symbian, BlackBerry, WebOS, Windows Mobile—it might be more appropriate to implement a common client and common remote access server across all these devices. That way, we can enable a unified support service, common features such as PathFinder or a non-RSA two-factor authentication service and a consistent experience (or nearly so) on a users’ mobile or on a users’ laptop.
[tweetmeme source=”vpnhaus” only_single=false]