Enterprise mobile security is no longer as simple as protecting an employee's device.
IT experts foresee a shift in the enterprise from protecting hardware and devices to protecting applications and data in 2014.
Bring your own device has made it more difficult for IT to control what happens with devices, thus the need to protect data more than the devices themselves, said Andreas Baumhof, chief technology officer at San Jose, Calif.-based ThreatMetrix Inc., an online security vendor.
After trying to lock down employee devices, Baumhof said his company realized the approach doesn't work. "People want to use their device and I can't force them to lock it down," he said.
The enterprise has just scratched the surface when it comes to mobile applications, and in turn what the proliferation for those apps will mean for mobile security, said Chris Hazelton, research director for mobile and wireless for 451 Research, a New York-based consulting firm.
Hazelton sees a significant challenge for IT in how applications are provisioned for end users within an enterprise. Some could get apps from their enterprise while others get theirs from public app stores such as the iOS App Store and Google Play.
Andreas BaumhofCTO, ThreatMetrix Inc.
There are so many ways to get applications that IT managers are rightly concerned about whether corporate data will be secure, Hazelton said. He added that he's heard from more companies who want to conduct app wrapping for added management and protection.
Despite the new emphasis on app and data protection, IT must strike a balance between giving end users what they want for their devices and protecting what's important to that particular enterprise, ThreatMetrix's Baumhof said.
"People are used to devices that are really easy to use," he said. "But from an enterprise point of view, you really want to make sure you have the most stringent policies around it."
Mobile security technology in focus
One company that recently took advantage of the growing mobile security market is San Francisco-based Lookout Inc., which released an enterprise security suite after years catering to the consumer market.
Original equipment manufacturers, however, will also try to add native changes to their products to improve security, said Eric Klein, senior mobility analyst for VDC Research, a consulting firm in Natick, Mass. Klein cited Apple's increased use of biometrics on its devices.
"There's definitely a renewed push for the ability to incorporate native, really robust consumer-feel but enterprise-grade security into these platforms," Klein said.
Apple introduced the Touch ID for iPhone 5s last year, but its security features weren't considered enterprise-grade by experts.
Some smaller companies are doing interesting work in mobile security technology, according to Klein and Hazelton.
Klein mentioned Delfigo Security, a multifactor authentication company in Boston that is building security features that detect users based on the pressure they apply to a device when it is swiped.
Hazelton said MobileSpaces, in Silver Spring, Md., and Better, in New York, which both specialize in securing mobile applications, could thrive with what Hazelton said he sees as a desire for more app wrapping in the enterprise.
This may be better served for enterprises that use Android devices as opposed to iOS, he said.
"I've talked to very large banks interested in wrapping even the native email client for iOS," Hazelton said. "Apple's not going to let that happen. But on Android, you really can do quite a bit because once it goes it out, Google has a lot less control than Apple."
IBM introduces mobile security patent
IBM recently introduced a patent aimed to prevent mobile devices from accessing maliciously or inadvertently altered software code in an enterprise's cloud.
The patent was born out of problems with network printers, where Andrew Cornwell, a mobile patent engineer at IBM, said parties would inject malicious code. It was found that if the code could be encrypted, it could have a wider application, including with smartphones and tablets.
Cornwell said the invention would recognize altered software code in something like a company's enterprise mobile application and prevent a mobile device from accessing that application if the alterations happened without proper decryption and re-encryption.
"It gives more control to an organization, and it's not just for protecting a device," Cornwell said. "It modifies the [virtual machine] so that only it allows classes that have been encrypted to be loaded."
IBM did not comment on when the patent would be available for commercial use.