Use of mobile devices in the enterprise has forced those in charge of maintaining the integrity of business networks to consider new security strategies and new tools. All the old assumptions about how to protect endpoints have been under challenge.
For one thing, IT often has little or no say over the type of device connecting to the network – let alone what applications are being deployed or what other resources users are connecting with. Plus, workers are ever more resistant to rules and regulations. Consequently, the threat picture only continues to grow.
Of course, organizations aren't standing still. Device makers are recognizing – belatedly perhaps – that they need to do more. Vendors of all stripes are offering a spectrum of technology solutions. And, rather like parents watching teenagers getting behind the wheel, IT and security organizations are adjusting to a different style of management and control.
Not so long ago there were plenty of reasonably secure mobile devices. BlackBerry, in particular, was a staple for a decade, notes Andrew Braunberg, research director at NSS Labs, an Austin, Texas-based analyst firm. However, when the new wave of technology with increased usability and functionality – epitomized by the iPhone – hit the market and the price points came down, making it a mass phenomenon, everything changed. The early adopters of many of these tools were C-level people, so IT's ability to enforce security practices quickly eroded. “You can't say to someone at that level that they can't access the network with an iPad or iPhone,” says Braunberg.
The trend has been happening in parallel with personal cloud adoption, where almost everyone has a Dropbox account. Both are waves we still haven't recovered from, Braunberg says. “IT has lost those fights,” he adds. Still, although Braunberg admits there is “no cure yet,” technology and the market are evolving rapidly.
Initially, the main focus for mobile security was on securing the device itself. Mobile device management (MDM) players offered a range of solutions, Braunberg says.
Jon Oltsik, an analyst with Milford, Mass.-based Enterprise Strategy Group, agrees: Everyone looked first at device security and that's where the MDM players grew up, he says. “In general, this was about establishing secure device configurations, device authentication, application controls, etc.”
However, after this basic housekeeping, most companies increase focus on protecting the local data on mobile devices, usually with MDM providing encryption and remote wiping in case devices are lost or stolen, he says.
Today, notes Braunberg, while MDM offerings typically include a good selection of cool features, “many of those capabilities are rapidly moving to the mobile operating system, making MDM a less critical play.” For instance, he notes, “Apple is being fairly aggressive in moving security features into its operating system.” Android devices will likely follow. As those features get built in, the focus will switch away from securing the device because it will inherently be a lot more secure, he says.
“With MDM, it is becoming more of a commodity in price, but there is a complexity and usability side,” he says. “How do you talk end-users into using it and how do you make sure they don't do an end-run around it,” notes Braunberg.
Other efforts to further secure the endpoint, often through MDM, include security lockers or containers, Braunberg notes. For app security, in fact, enterprises are focusing on two main paths: app wrapping or app containers, says Michael Sutton, vice president of security research at Zscaler, a San Jose, Calif.-based secure cloud provider.
Sutton explains that app wrapping takes the approach of adding layers of security on top of an existing app to enforce an enterprise policy – such as requiring certain authentication mechanisms or restricting app functionality. However, he notes, not all apps can be wrapped, especially in an iOS environment.
Containerization is another approach, either at an app or operating system level. “Containers restrict the apps that can be used to only those permitted within the container,” he says. And, while this increases enterprise control over corporate apps, it decreases choice for the employee. If you want to use your favorite app to view the PDF you just received, you're restricted to the PDF viewer provided by the container, he explains.
According to Sutton, Samsung and Google are introducing containerization at the OS level to effectively split the phone into two distinct halves – personal and corporate. However, this approach is relatively new and has yet to gain traction (Google is introducing its iteration in the upcoming version of Android). “It remains to be seen if employees will be comfortable flipping back and forth between virtual environments throughout the day,” says Sutton.
However, containerization is an option that works. According to Dan Ford, chief security officer at SGP Technologies SA, a Switzerland-based provider of privacy-oriented devices, research he's conducted shows that from a quantitative risk analysis perspective, containerization significantly reduces the risks of compromise to enterprise data when compared to MDM. “This research was specifically limited to iOS 6.x and only to the APIs provided by Apple. However, the results from that study indicate a similar conclusion would be likely when testing against other versions of iOS and Android,” says Ford.
Another concept that has surfaced and could be relevant for some is setting up a virtual mobile infrastructure (VMI), a concept that is similar to the familiar virtual desktop.
At least for highly regulated industries, such as health care or government, when employees bring their own technology, it raises a lot of legal issues and makes policies more complex. VMI could be the ideal solution, argues Ashok Sankar, vice president of product strategy and management at Raytheon Cyber Products, a Herndon, Va.-based provider of cybersecurity solutions. “Although encryption and other techniques can help, it is important to recognize that mobile devices represent an entirely new surface,” he says. “It's really a new vector for attacks for anyone who wants to steal data.”
If one were to look at industry reports from the last few years, far more than Windows or any other vector, mobile devices have been targeted and to a greater degree than any other endpoint device, Sankar says. What people started to do is to simply secure the device in the belief that if they could do that and understand its state they could also keep the applications and data secure on the device. “That was the essential focus of MDM, along with helping to manage and provision or, in a worst-case scenario, actually wiping the device selectively or completely,” says Sankar.
Some MDM solutions also provided whitelisting or blacklisting for applications. But that didn't solve the fundamental problem of data theft and leakage, because one could still compromise the operating system and MDM would never know, says Sankar. Secure containers and sandboxes also provided some protection, but they were still application-level solutions, he notes.
On the other hand, with VMI, one is simply redisplaying corporate information so when someone walks away from the office, the admin can be sure there is no corporate data with them. “With VMI, individuals keep their personal data and they only access corporate data when they need it,” he explains.
As with a virtual desktop, with VMI, one is taking native applications and virtualizing them in a backend and then securely redisplaying them to the device. “The advantage is that there is much more security because the data is at rest and there is neither data nor applications on the device itself, so theft is not a big concern nor is ownership of the device,” says Sankar.
However, the drawback of a virtual desktop is usability, warns Braunberg. “A service worker who doesn't have to modify a lot of things might work successfully with VMI, or someone in a location with good pipes,” he says. “But outside of that, for workers operating remotely, that is where you would see the drawbacks.”
There are also a number of players just looking at access control from more of a cloud perspective, which provides some ability to handle mobile device security as well, Braunberg adds.
That's where size matters. According to Chris Lyttle, managing principal consultant at Accuvant, a Denver-based provider of information security services, smaller organizations tend to primarily address access policies and use MDM for device management. By contrast, nonprofits and educational institutions tend to lean heavily on putting BYOD users into isolated networks and are less concerned with stronger control measures, he says. But, especially for smaller organizations, cloud and mobile are key to reducing costs, he says.
Similarly, many IT organizations are still getting a handle on device security and aren't ready to think about creating a more secure ecosystem, says Troy Fulton, director of product marketing at Tangoe, an Orange, Conn.-based provider of on-demand lifecycle management technology. Thus, he says, a managed service team can help IT staff to scale and to take their concerns and transfer them into an actionable strategy.
“What we recommend is thinking about security in terms of monitoring, defending and having some contextual awareness,” says Fulton. “It is a tiered approach to achieving outcomes with respect to your business model and external governing bodies.”
In practice, Fulton says, this means recognizing that people need access and that a lot of data is not critical. “In other words, you need a baseline of trust. Monitoring of key corporate data and controlling access to it is critical,” he says.
Others advocate implementing a holistic approach to address these needs in a cohesive way. “Organizations that have adapted BYOD, especially larger organizations, face a stronger need for mobile security solutions that support a heterogeneous mix of devices, networks and mobile operating systems,” says Kayvan Alikhani, senior director of technology at Bedford, Mass.-based RSA, the security division of EMC. In addition, such companies have a bigger need for solutions that offer strong authentication and broad authorization features. “Organizations that provide their users with a mix of on-premise and cloud-based apps and services need to adapt hybrid security solutions that provide the best of both worlds: leverage their investment in on-premise identity and security solutions, while taking advantage of cloud-based mobile access services.”
“In the end, none of these approaches represent a silver bullet and most enterprises will want to look at a combined approach depending on their needs and the devices they wish to protect,” notes Sutton.
For all organizations, “developing good security and privacy policies is key to clarifying the use of mobile devices for end-users,” adds Lyttle.