Channel: Blog | Dell

Enterprise Mobile Security Challenges


Mobility in the enterprise is a rising challenge for information security and risk leaders. The risks don’t simply stop with confidential data loss, viruses, and malware. The risks also span legal issues, privacy, and regulatory non-compliance. Users are consuming information in new ways and at volumes never seen before in business. With users able to pop on and off the company network, oscillating between endless Wi-Fi nodes, carrier networks, and hotspots, security teams don’t have the normal visibility and controls that allow traditional monitoring of network traffic. Cloud services are a nightmare for records management and legal professionals because users can upload anything they want when connected to the carrier network or a host of other out-of-band network options.

There is no way for security and risk leaders to ignore the increasing demand and proliferation of mobile into the enterprise at this point. The demand isn’t just being driven by the mass adoption and use of consumer devices; businesses are also leveraging the power of mobile computing to strengthen their value to their clients and customers, making them more agile, relevant, and able to respond to the needs of their customers. Business applications like salesforce.com and Google business apps are prime examples of cloud-based mobile apps that are changing how businesses operate. Who could say no to keeping their sales force plugged in 24x7x365? In this article I will summarize the challenges and risks enterprise leaders should be considering when formulating a mobile security strategy and offer a beginning checklist of possible controls.

There are a variety of security options for mobile security; some of the more popular include MDM (mobile device management), enterprise authentication, malware detection, and application containerization. In my opinion, MDM is not the answer, and an overreliance on it as a silver bullet will lead to undesirable consequences. I consider MDM components, such as device provisioning, locking, and the ability to wipe a mobile device, elementary and largely operational. Those things are a given in my mind if you are using mobile in the enterprise environment. It does little to address the real challenges and threats to the enterprise via mobile computing.

The devices we carry in our hands are effectively full-blown computers with the advantage of being instantly available, and because of social networking trends and people moving away from home and office phones, users tend to carry them everywhere. Mobile security companies are offering new solutions at blazing speeds, with the trends extending beyond device management into application and data management. I suggest that enterprise security leaders think through a clear strategy and not be lured into the next “whiz-bang” piece of software from a security vendor. If security and risk leadership limited their strategies and programs based on vendor solutions, they would be in real trouble.

Mobility Challenges for the Enterprise

There is no way for the enterprise to fight the mobile trend.  In the end, we need to have solid controls and solutions for securing the data, visibility into relevant threats, and we need to secure the identities of our users.

I have listed some of the most common challenges that enterprise security leaders are facing today:

  • Information is being consumed in a new way and the demand is increasing exponentially across the enterprise without meaningful controls and solutions being implemented.
  • The enterprise has effectively lost control of the endpoint.
  • Business Week reports that over 30 million mobile phones out of 285 million go missing every year.  Loss of confidential data is a valid concern.
  • Unique authentication and identity challenges based on web technologies.
  • No real solution for keeping security patches up to date.
  • Anti-virus and malware agents are largely unrealistic at this point.
  • Multiple entry-points for malware (texting, web browser, social networking, email, etc.)
  • Inability to adequately monitor mobile devices and relevant threats.
  • Lack of clarity for revising technical security policies involving personal device use.
  • MDM comes up short because of the blurred line between corporate and personal use of mobile devices and users’ ability to go out of band.
  • The majority of user activity is via carrier networks, which are out of band of the enterprise network tools.
  • Cloud applications and services create blind spots for enterprise security teams.
  • Jail-breaking of devices is common, resulting in serious vulnerabilities.
  • Users are constantly shifting between personal use and business use, often bypassing enterprise networks and tools.
  • Forwarding or saving of confidential data to personal storage and cloud services is common.
  • Enterprise authentication and identity management crisis because of cloud services (Google Apps, Salesforce, Box, Office 365, etc.).
  • Virtualization for mobile is not mature enough at this time to be an enterprise solution.

A Beginning Checklist

The items below are largely common sense, and in some cases it is more than many enterprises have in place today.  Even if an organization were to apply all of the items below, they would still fall short of having an effective set of controls.

  • A clear policy on mobile equipment and use must be documented and socialized across the enterprise. A cross-functional group involving all relevant stakeholders (e.g., legal, HR, records management, etc.) is an absolute must.
  • Be clear on policy statements involving BYOD equipment (ability to wipe, access termination, jail-breaking, black apps, personal use, social media, approved apps, etc.)
  • Review total costs of BYOD and security implications versus providing enterprise devices.
  • Review mobility issues across the business to include HR, Legal, records management, etc.
  • Enforce basic controls (strong password, automatic logoff, encryption of confidential data on phone and storage card, disable interfaces such as Bluetooth, remote wiping of device, forbid jail-breaking).
  • Mobile threats are on the rise, including phishing attacks, because users can’t see the full URL and have a tendency to “click on everything.” Have a solid user awareness program.
  • Produce clear policies on the type of data allowed to be stored on mobile devices.
  • Stay close to the solutions for VDI (virtual desktop infrastructure) as a model for virtual mobile desktop infrastructure (VMDI).
  • A relevant and persistent awareness and education campaign targeting mobile users on the risks, policies, and procedures.

The mass adoption of mobile technology will continue to challenge the IT, information security, and risk teams within your organization over time. I think we will see a significant rise in mobile-targeted attacks over the next few years because this is where many users are spending most of their time today. Authentication and fraud are major challenges for organizations, as is their ability to apply security patches holistically. Simply requiring anti-virus and malware agents is not as simple as it might seem in large-scale environments. With the proliferation of web-based apps, cloud services, and browsers on mobile devices being capable of doing everything a desktop can do, the mobile revolution introduces a host of new challenges for security and risk teams that will continue to evolve as we move further down the road. A business landscape driven by virtual cloud environments and a highly mobile workforce looks unlike anything we have had to protect in the past.

Read More: Tim’s Security Blog
