In a relatively brief period, we have begun to see a stability that suggests maturity in the security products intended for the mobile market. With bring-your-own-device (BYOD) being the latest market-hype buzzword, one would think that venders would be scrambling for new tools and techniques to handle the onslaught of users insisting on adding their smartphones and tablets to the corporate infrastructure. That, it turns out, does not seem to be the case.
And, it is not for the reasons we might expect - such as the technology not being ready for mobile device security, or mobile devices don't need anything special or, more likely, there isn't a market. None of those things are the case. The real truth seems to be that the venders are looking at evolving requirements, yawning and saying, "Yep... been there, done that." The state of the art in the products we looked at this month is remarkably mature and effective. These are, simply put, a batch of really fine tools, and selecting among them was a difficult task. When one of our products missed a tie for Best Buy because of some nearly trivial improvements to be made to some documentation, you know that the market is the real winner.
Mobile device security addresses several important issues. For example, being able to control the disposition of sensitive information that resides within the enterprise, but can be accessed by a mobile device is very important. This addresses privacy, intellectual property and other confidentiality issues.
Too, mobile devices are prone to theft. It is important to be able to control access to sensitive information if the device is lost or stolen. Having a capability available to remotely wipe the device - either completely or selectively - is critically important. The most complete systems can do a selective wipe based on what is stored on the device as corporate and what is personal data. Most people balk at a forced wipe of personal data, such as music and photos, given that the device is theirs and not the organization's.
Anti-malware and hacking safeguards are important as well. For Android devices, especially, there is a serious potential problem with malware. Because the Google Play Store contains a plethora of applications that are minimally vetted before being allowed to be sold or given away through this channel, the possibility of malware containing backdoors and trojans is potentially high. Not all of this malware is intended for the device itself, of course. Much of it is intended simply to be spread to the enterprise - making the Android device a sort of "Typhoid Mary" [the first person in the United States identified as an asymptomatic carrier of the disease].
Access controls, too, are important, since if the device is in use by an unauthorized person, it would be a bad thing for that individual - with embedded credentials - to be able to access the enterprise with an automated login. Along with this is access to the data on the device itself. Today, open source forensic tools are available that can extract data from many types of popular mobile devices. That means that even if a thief cannot gain access to the device, there is a possibility that access to the data may be gained forensically. Encrypting the data on the device is important to protect against this unauthorized bypass of access controls.
All of this goes together to make a world-class mobile device security tool. So, when one is looking at this type of tool, what should be required? While features may seem to be the hot button, before one starts thinking about functionality, ask what the environment looks like. In simple terms, what types of devices are you willing to support? Apple iOS, for example, is a big one. But there are Androids gaining market share rapidly, and BlackBerry is starting to come on strong again. Though nobody yet is sure how far that will evolve, it still must be a consideration. There also are a few dark horses, such as Kindle and Nook. One probably won't want to support everything, but implementations should support the leaders.
