Securing mobile enteprise assets by embracing the app
Horacio Zambrano, senior director of products, Mocana
There are a number of trends driving the need for mobile app protection in the workplace today. Foremost is the increasing consumerization of IT, also known as the bring-your-own-device (BYOD) movement.
With all these new employee-owned devices coming onto enterprise networks, there is great anxiety among enterprise IT staff about how to harness and enforce corporate policy on them. Specifically, how to balance the requirement for security to ensure that the corporation's intellectual property is protected with the need for the privacy of the employees – all while maintaining the inherent usability of the device.
Enterprise BYOD strategies can boost worker productivity, score employee satisfaction points, and greatly reduce the cost of purchasing and maintaining a wide variety of diverse hardware platforms. At the same time, the thought of provisioning and protecting thousands of mobile devices, sensitive enterprise data, and access privileges can give nightmares to even the most seasoned CIO.
In the traditional PC paradigm, countless vendor solutions exist to give enterprise IT the tools they need to protect company data. But the nature of enterprise data usage and communications has dramatically changed with the proliferation of mobile devices. Employees, customers, and partners are now accessing sensitive data on their smartphones and tablets, and increasingly the vehicle for delivering enterprise data is in the form of the mobile app.
Since the mobile device management market (MDM) started to take off nearly five years ago, enterprises have grappled with the question of how to separate the personal and the professional on BYOD devices. The ability for IT to govern or manage the device within the enterprise, while important, is simply no longer sufficient.The corporate boundary is becoming increasingly fuzzy, as affiliates, partners, contractors and even end customers are all potential recipients of the enterprise's data.
The problem is further exasperated by the fact that due to BYOD, the enterprise cannot claim control over the end-user's device on which the enterprise app will find itself installed.
What happens to the data when the employee's phone has malware? Or what happens when that employee quits? How does the enterprise protect its data when it is accessed from outside its managed device community? And, what if any are the compliance concerns?
With BYOD, one must assume the worst-case scenario, that the end-user device is compromised in some way, and it's time to plan accordingly. If you can't trust the device, then the logical question becomes, how do you provide assurance that the enterprise data, in the form of mobile apps, is protected?
Even if the device is managed by an MDM within the enterprise, current technologies for identifying jailbroken devices or those with rogue apps and malware are not foolproof.
The solution, then, is to consider the app as the endpoint, not the device.
With the app as the endpoint, CIOs can apply policies specific to the use of that app, and even specific to the particular user of that app. These policies should be granular, encrypting any data-in-motion or data-at-rest for that app, restricting cut-and-paste to insecure apps, and providing backup and recovery for data produced by that app. Ideally, the user experience should be unchanged. The employee simply downloads the protected app from the enterprise app store, except in this case the IT department controls the policies behind it.
App-specific policies can also access features of the mobile device to enforce geo-fencing (where the app only works within certain geographical coordinates), time fencing (where the app works only within a specific timeframe), and velocity (where the app does not work when the device user is speeding down a highway, thus reducing liability for the enterprise as well).
Viewing the mobile app, not the device, as the endpoint is a major paradigm shift, and is one that needs to occur within enterprise IT security if BYOD is to be successful within the enterprise.