Enterprise security for mobile has quickly become a top concern for IT management. Mobile devices—whether corporate or employee owned—are taking over the workplace at an ever-increasing rate. Organizations faced with enabling these devices must also address a myriad of security, privacy, and confidentiality concerns. Security issues are nothing new for industries that rely on sensitive data, but these days, an additional array of configurations, user-selected hardware, and software must also be addressed.
In a recent Infonetics Research survey, only 15% of companies believe remote wipe, device location capability, or disk/file/SD card encryption are key technologies for their mobile security solutions.
While enterprises become more concerned about mobile security, employees appear to be doing the opposite. According to a recent survey by Vision Critical on behalf of Absolute Security, 25% of enterprise workers feel data security is not their responsibility and any punishment for losing sensitive corporate data would be inappropriate.
Types of Mobile Security Risks
Insider – Employees who transfer information by use of portable media or the cloud and wind up inadvertently posing a threat to the company. The most common method of data exfiltration involves network transfer by email, remote access channel or file transfer.
Malware – Designed to steal user information. Examples include keystroke loggers that record passwords and mobile activity, and remote-access Trojans that give attackers access to the phone by masquerading as a credible program or file. These programs reach smartphones via website links or as a text message crafted to look like a system update.
Spear Phishing – Malicious attachments sent via email or links targeted at management, administrators and other key personnel, bypassing email filters and antivirus software in attempts to penetrate a network.
Equipment Loss – As more and more sensitive data is stored directly on the device, theft and loss of devices lead to data breaches because of poor physical security mechanisms and weak or absent hardware encryption.
Layers of Security
With the use of both personal and corporate-owned devices come security issues around device use, data exchange and storage, connectivity, and more. These risks raise the need for standardized IT policies and best practices for mitigating them as far as possible. Establishing full visibility of all devices and users connecting to the network is the starting point for understanding the diversity of devices and the first step in creating an effective mobile security approach. Once devices and users are visible, continuous monitoring together with vulnerability and risk assessment will help mitigate future corporate data loss.
Defining a mobile policy is one of the first steps an organization should take. What types of devices will you allow? Bring Your Own Device (BYOD) or Corporate Owned Personally Enabled (COPE)? Regardless, many controls and knobs exist to enable an enterprise to achieve granular control over its mobile devices.
Device layer security is the first line of defense and acts as a perimeter for companies wishing to utilize the native capabilities of a mobile device. Enforcing a password policy or encryption are prime examples of device security.
Protecting and isolating corporate information is often referred to as the container-based approach. These methods ensure that enterprise data is isolated in a secure environment separate from personal information. This can include anything from corporate email to packaged and even external applications. App-wrapping is another approach that makes it possible to add layers of security above and beyond the native capabilities of a mobile OS.
The question “what is on my network?” is still relevant regardless of application and data controls. First, organizations must determine what devices are connecting, then must put controls in place to mitigate risk and enforce corporate policy compliance. Network access controls or a mobile gateway can act as a gatekeeper regardless of whether or not a device contains an agent.