Wearables are becoming a daily conversation with visuals such as Google Glass, smartwatches like Samsung Galaxy Gear and Apple’s recently announced Apple Watch or fitness wearables like the Fitbit. Businesses are still getting their arms around smartphones and tablets, so what do wearables mean for business security, manageability, and productivity? Let’s explore some areas to consider.
There are many wearables, but the impact to businesses will come primarily from smartwatches and visuals. As a way to think of wearables and their network connectivity, I like to consider them as tethered – devices that use a smartphone or PC to connect to the Internet; and independent – devices that connect directly to the Internet. In some cases a phone or PC is needed to configure the network connection, and then the devices are on their own.
The security question
The first questions around wearables are: what is the security risk, and how can organizations handle it? Risk comes in the form of data loss and device exploitation.
For wearables with cameras, data could be taken through pictures. For smartwatches, it could be caching of sensitive information that gets stored on the device. Any sophisticated software can and will eventually be hacked. Go to Black Hat or DEF CON in Las Vegas and some researcher will demonstrate hacking the latest cool device. Having the device hacked can open it up to data loss, or the intrusion could allow a hacker to use the compromised wearable to proceed to other devices on the network.
While many wearables are running Linux or Android, they have great limitations and oftentimes no management APIs. If you look at the modern smartphone operating systems, it was years before management APIs were introduced, and there is still a way to go when compared to desktop and server operating systems.
With the security question comes the ability to patch. Often the network-independent devices are self-updating, as is the case with Google Glass. Tethered devices often require manual steps on the PC or phone that is managing the device. In either case, there are no management APIs, so patch management is out of the question for now.
As to configuration management, good luck. Expect devices with an enterprise orientation to add management APIs, but it could be a while. No consumer-oriented device is going to care to invest in management APIs, so businesses may have limited to no solutions for these powerful devices.
With the risks outlined above, consider the following two security mitigations:
Network segmentation – Consider wearables as unknown, untrusted devices. If smartphones and tablets didn’t lead you to create a separate wireless network, wearables should cause you to consider it. This network should not be connected to corporate assets and data, and should go straight to the Internet. Let devices connect here or you may have rogue access points popping up on the corporate network.
User education – It’s important to let employees help you keep the business safe. Remind people to not take pictures of sensitive information, whether it’s using Google Glass, a smartphone, a digital camera, or an old Polaroid camera. Common sense goes a long way.
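The segmentation mitigation can be checked mechanically against a firewall rule list. The Python sketch below is an added example, not part of the original article; the subnets, the rule format and the first-match, default-deny semantics are assumptions, and both rule sets are constructed samples.

```python
import ipaddress

# Constructed sample values: every subnet and rule below is an assumption.
WEARABLE_NET = ipaddress.ip_network("10.50.0.0/24")
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "192.168.10.0/24")]

# Ordered (action, source, destination) rules; first match wins, default deny.
RULES_GOOD = [
    ("deny", "10.50.0.0/24", "10.0.0.0/8"),
    ("deny", "10.50.0.0/24", "192.168.0.0/16"),
    ("allow", "10.50.0.0/24", "0.0.0.0/0"),      # straight to the Internet
]
RULES_BAD = [
    ("allow", "10.50.0.0/24", "10.0.20.0/24"),   # exception placed above the deny
    ("deny", "10.50.0.0/24", "10.0.0.0/8"),
    ("allow", "10.50.0.0/24", "0.0.0.0/0"),      # 192.168.10.0/24 is never denied
]

def leaks(rules, src=WEARABLE_NET, protected=CORPORATE_NETS):
    """Return the corporate ranges reachable from the wearable network."""
    found = []
    for corp in protected:
        remaining = [corp]                       # parts of corp no rule has matched yet
        for action, rule_src, rule_dst in rules:
            # Conservative: a rule applies if its source overlaps the wearable net.
            if not ipaddress.ip_network(rule_src).overlaps(src):
                continue
            dst = ipaddress.ip_network(rule_dst)
            still_unmatched = []
            for r in remaining:
                if not r.overlaps(dst):
                    still_unmatched.append(r)
                    continue
                # CIDR blocks that overlap are nested, so the hit is the smaller one.
                hit = r if r.subnet_of(dst) else dst
                if action == "allow":
                    found.append(hit)
                if hit != r:
                    still_unmatched.extend(r.address_exclude(hit))
            remaining = still_unmatched
    return found

if __name__ == "__main__":
    for name, rules in (("good", RULES_GOOD), ("bad", RULES_BAD)):
        print(name, [str(n) for n in leaks(rules)] or "isolated")
```

The second rule set fails in two ways that are easy to miss in review: an allow exception sitting above the deny, and a corporate range that falls through to the Internet-bound allow.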
Productivity: learn from early adopters
The individual with the latest gadgets may be the best person to identify productivity gains from wearables. IT doesn’t have the time to tinker, but there will be employees that do. It is a fine line: IT needs to stay enough out of the way to encourage early adopters to do their jobs, but also needs to be there to secure the devices they are using. Have a policy that allows wearables with the necessary mitigations and then learn how these devices can help the business.
For example, the healthcare industry is interested in the use of Google Glass for surgery. The devices can be extremely useful; however, any touch point in hospital networks has to be locked down to protect patient data. It would be negligent for hospital IT departments to prevent doctors from improving their patient outcomes due to an inflexible IT policy, but equally negligent to compromise patient information by improperly securing the data that wearables access.
If a business sees value in wearables, it should talk to the vendor, ask about management APIs and see how the devices can be better managed and secured.
If you are open and have an ongoing dialogue with users, you can crowdsource IT and let them investigate wearable productivity and adhere to security best practices. It’s not time to panic about wearables, but don’t turn a blind eye, as they are already in your office.
Stephen Brown, Director of Product Management- Mobility for LANDESK