While the current generation of "smartphones" is emerging with amazing capabilities, many of these capabilities can also have serious security implications. Take, as an example, the feature available on phones like the Droid X that lets you use your cell phone as a router.
The process is simplicity itself. Once the phone has 802.11 capabilities, it can both transmit and receive data. So enabling the phone to be accessed by other 802.11 devices (thereby becoming a "hot spot") and then connecting to the Internet via a cellular connection involves relatively "simple" software, plus, of course, paying a monthly fee to the service provider.
A little over a year ago, we wrote rather extensively about how using "MiFi" type services could be quite cost-effective for the Small Office/Home Office (SOHO) and even in some cases in the Remote Office/Branch Office (ROBO) environment. While super-fast response is not promised, basic connectivity – enough to keep many critical processes running – is quite sufficient.
Steve has been testing this capability, and it works pretty darn well. In fact, it may work too well. Once the smartphone is authorized by the cellular provider, there's an app that allows you to set up and activate the Wi-Fi service, becoming an instant access point. You set up your SSID, your type of encryption (as desired), and your password. Within seconds, you've become a private (or public) hot spot.
And while we're all for instant connectivity and the ability to operate pretty much continuously, we have a quite serious concern from a security perspective. For instance, assume that the primary owner/user of the mobile hot spot is a fully authorized employee. It's also quite possible that there may be a family member with a relatively unsecured computer. It's a reasonable assumption that the primary corporate user is appropriately authorized and protected within the corporate network. However, it's also quite possible that this user's computer could be used as an unintended "back door" into the corporate network via another device that's connected to the same phone/router/access point.
Our bottom-line take on this is that we now have yet another layer of physical devices that must be considered carefully as a part of your overall network security strategy. We're already seeing the need for an integrated wired and wireless security strategy on the corporate network. (Watch for more on this topic in the near future.) However, the security needs have now expanded from wired and wireless (in the sense of Wi-Fi-based nets) to include mobile devices, especially considering that your users could be essentially walking around with corporate-connected routers in their pockets.
This security starts by carefully addressing the "shalts" and "shalt nots" from a policy perspective. But ultimately, we believe that this will require a systems-based approach as well to ensure that the policies are enforceable and enforced.
(Endnote: We're aware of the issues that surround the possible use of Windows 7-based PCs as access points. However, we are not sure that this is as deep an issue as it is with mobile devices in general.)