Mobile Security Should Focus on Data, Not Devices

In previous posts I focused on cross-platform development using HTML5 to assure rich mobile user experience and holistic unified security analytics as a big data project. Between development and analysis, mobile security should focus on data not devices.

A recent report by McAfee Labs cited banking malware and “backdoor” Trojans, which steal data from a device without the user's knowledge, as the most common threats during the second quarter of 2013. There were over 17,000 new strains of malware targeting Android devices during the three-month period, up 35% year-on-year. This was the highest growth rate since 2010. Meanwhile, mobile cloud traffic growth continues unabated. Cisco Systems projects this traffic will account for over 70% of total mobile traffic globally by 2016, up from 45% in 2011.

Companies in every sector are experiencing the explosion in mobile, social and cloud adoption. The conundrum for IT departments is that employees need seamless and remote access to enterprise information to enhance productivity and speed decision-making while resources, applications and data need to be safeguarded.

Employees are increasingly downloading third-party apps and accessing cloud services over the corporate network. In addition, an array of new cloud-based mobile software offerings has cropped up aimed at non-technical users. These solutions provide easy-to-use tools that let users build and manage their own apps in the cloud without IT involvement. By circumventing IT, users can introduce myriad problems into the enterprise – from security breaches to unmanaged data flowing into and out of the organization, compromising GRC (governance, regulatory, compliance) mandates. CIOs are at risk of losing mobile application and content controls to business users.

Yet at the same time, more companies are implementing BYOD (bring your own device) programs. This puts pressure on CIOs to monitor, manage and govern the explosion of devices running on different operating systems with multiple versions and specifically developed mobile apps. BYOD brings its own risks, including security, data leakage and privacy concerns. The same tablet accessing the corporate network today may have been infected with malware as it accessed a website from an airport terminal yesterday. Or, while accessing corporate data from the road, the same user may have moved enterprise files to a cloud storage service such as iCloud or Dropbox.

Many firms have deployed Mobile Device Management (MDM). However, MDM is useful for company-owned devices only, because employees are reluctant to allow their personal devices to be managed by their employer's MDM solution. Moreover, as easy as it is to jailbreak devices, relying solely on device-level controls is fruitless.

Secure apps and data first

A successful enterprise mobility strategy places applications first, mapping their mission to the variety of use cases in the field. But mobile apps require greater management, control and security. Unlike a browser-based application, where the enterprise's application logic and data are stored in the data center, with mobile apps this intelligence is stored by the app on the device itself. Regardless of whether an organization's approach to mobility is company-issued devices or BYOD, the focus should be more on isolating and securing enterprise apps and data and less on locking down devices.

The objective is to manage mobile apps at a granular level to address deployment, security, analytics, data synchronization, storage, version control, and the ability to remotely debug a problem on a mobile device, or wipe the enterprise's data clean if a device is lost or stolen or if the employee leaves the company.

To mitigate mobile security risks, enterprises should have their mobile traffic secured, not only to detect and block malicious transactions but also to manage sensitive corporate data. First, IT needs visibility into the mobile traffic traversing the enterprise network, especially as it pertains to data residing in or moving between users and corporate resources. Once visibility is established, IT must secure and control potentially malicious traffic. This includes detecting and blocking advanced threats delivered through mobile browsers, as well as application-specific threats such as malware, to prevent sensitive data leaks.

These steps can be achieved through technologies most organizations have already deployed: application delivery controllers (ADCs) and application performance monitoring (APM) software for end-to-end visibility, secure web gateways (SWGs) with built-in data leak prevention (DLP), and next-generation security information and event management (SIEM) to detect and block malicious traffic. These can be deployed physically or virtually on-premises, or as cloud-based solutions.

Mobile Application Management for better security and control

Complementing these technologies is Mobile Application Management (MAM), which provides for the security of corporate data alone – independent of the personal settings and apps on the device. MAM solutions can be used to provision and control access to both internally-developed and approved third-party mobile apps.

With the prevalence of cross-platform development, apps are no longer created using a container model, where functionality is configured up front, leaving no room to address security or data management issues. Today, mobile apps are “wrapped”, meaning that additional functionality is layered over the app's native capabilities as needed.

IT defines a set of business apps for users to access through the corporate app store via their personal device. The package includes an encrypted data container in which these approved apps and their data reside, user authentication, selective wipe of locally-cached business data from the device, and app-level VPN capabilities to provide comprehensive protection for different users and contexts. If a device is used for business, company policy should allow app downloads from a corporate app store only, instead of public cloud app stores like iTunes or Google Play (formerly Android Market). This should be complemented by cloud access gateways that ensure transparent encryption of enterprise data stored in the cloud via sanctioned SaaS apps.

MAM provides IT with the insights and analysis to determine which apps are being downloaded, which employee groups are installing and using apps, how the apps are being used, and what devices employees have, all without additional coding.

Conclusion

There is no silver bullet, and organizations will need to use a combination of solutions to address enterprise mobile security. IT should collaborate with functional and business unit heads to define policies, procedures and processes. This encompasses everything from who is eligible, how users will be authenticated, what policy and network access applies to them, whether the company will issue devices or support BYOD, which devices and operating systems will be supported, who is responsible for managing wireless costs and network operators, and what the consequences of non-compliance are. Painstaking as this may be, it will result in lower costs and higher productivity while minimizing security and GRC risks.