When it comes to mobile application security, IT should focus on data, not devices.
Extensive mobile device management is often a poor fit for corporate IT. For example, when an employee quits, should IT invoke a full-device wipe on his personal device? Enterprise mobility management (EMM) suites sometimes allow businesses to inventory and block potentially malicious mobile apps, but is doing so an invasion of employees' privacy? EMM-enforced native data protection is a good start, but companies must find more effective ways to manage business risk without hampering usability or personal privacy.
In fact, the cost of a lost or stolen mobile device is not hardware replacement. Rather, it's the value placed on the lost or stolen data. It therefore makes sense for businesses to manage, monitor and secure only business assets and minimize device restrictions. This shift in focus from device to data is a win-win: Enterprise IT gets to avoid the burden of backing up or restoring personal data and apps, and employees find comfort in knowing that their employers have no control over or visibility into their personal activities and data.
Fortunately, technologies such as mobile application management (MAM), containerization, mobile content management (MCM), reputation analysis and identity awareness can help IT more selectively and effectively safeguard business data.
MAM helps IT regain control over apps
MAM can stop users from sideloading public apps from unofficial app stores, and it can silently push enterprise apps onto enrolled devices. MAM plays an important role in mobile application security because it deters users from installing bad apps. Instead, it promotes and properly configures good apps, and it makes it possible for IT to install third-party containerized apps, MCM software and more. For example, enterprise IT can use MAM to enforce policies that allow business data to flow freely between managed apps while preventing that data from leaking into unmanaged apps.
Containerization bolsters mobile application security
Containerization refers to technologies that create authenticated, encrypted, trustworthy environments in which to store, use and share business data. The container can be a secure application, such as a secure web browser or email app, or it can be an MCM application. Both approaches help IT carve out a safe, managed space on any device and apply secondary authentication and encryption policies that shore up native data protection.
If a device cannot support two-factor authentication, the container may do so, which helps keep the data within the container safe. If a device is lost, IT can delete the container instead of wiping the entire device. If a device is jailbroken or running a bad app, IT can disable access to the container. Because the container belongs to the employer, rights and responsibilities are clearer and adverse effects on the user's data, apps or privacy are minimized.
Most EMM suites include several container options for different use cases. Increasingly, mobile platforms use containerization to enhance native data protection. For example, Android for Work creates containerized apps that can share business data but remain isolated from personal apps and data.
MCM uses containerization to create a safe workspace
MCM insulates corporate data from personal data and any threats that might be present on the device. MCM is data-centric; it provides an authenticated encrypted lockbox where users can store business documents, images, email attachments, messages and more.
Using MCM, IT can silently push documents over the air to the lockbox, keep them current and enforce policies that prevent copying and pasting, printing, forwarding and unauthorized file sharing. IT can also isolate business data and prevent common user mistakes that often lead to data leaks. MCM can also help ensure consistent compliance with data protection laws across diverse mobile platforms.
Finally, IT can often integrate MCM with enterprise or cloud data stores. This delivers secure mobile access to shared business data in a controlled and monitored fashion. MCM tools are available today both within EMM suites and as standalone products.
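The data-flow rules described above for MAM (business data may move between managed apps but not into unmanaged ones) and for MCM (no copy/paste, printing or forwarding of lockbox content) amount to a small policy engine that the on-device agent consults before releasing data. The following is an added example of such an engine written for this article; it is not code from any EMM product. The app identifiers, the managed-app set and the sample requests are all constructed, and the decision that personal data is left unexamined reflects the article's data-not-device stance.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Action(Enum):
    OPEN_IN = "open_in"        # hand a document or attachment to another app
    COPY_PASTE = "copy_paste"  # clipboard transfer between apps
    PRINT = "print"            # send to a printer; there is no receiving app
    FORWARD = "forward"        # forward a message or share it outside the source app


@dataclass(frozen=True)
class Request:
    user: str
    source_app: str
    action: Action
    destination_app: Optional[str]  # None for actions with no receiving app
    business_data: bool             # payload originated in a managed app or the MCM lockbox


@dataclass
class DataPolicy:
    managed_apps: frozenset     # the set of managed apps business data may move between
    blocked_actions: frozenset  # actions forbidden on business data outright
    audit: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> bool:
        """Return True if the transfer may proceed. Business-data decisions are audited;
        personal data is out of scope and is neither inspected nor logged."""
        if not req.business_data:
            return True
        if req.action in self.blocked_actions:
            return self._deny(req, f"{req.action.value} is blocked for business data")
        if req.destination_app is None:
            # Fail closed: business data with no identifiable receiver is not released.
            return self._deny(req, "no destination app")
        if req.destination_app not in self.managed_apps:
            return self._deny(req, f"{req.destination_app} is unmanaged")
        self.audit.append(f"ALLOW {self._describe(req)}")
        return True

    def _deny(self, req: Request, reason: str) -> bool:
        self.audit.append(f"DENY {self._describe(req)}: {reason}")
        return False

    @staticmethod
    def _describe(req: Request) -> str:
        return f"{req.user} {req.source_app} -> {req.destination_app} [{req.action.value}]"


def make_policy() -> DataPolicy:
    # Hypothetical app identifiers; the managed set is what MAM enrolment establishes.
    return DataPolicy(
        managed_apps=frozenset({"com.example.mail", "com.example.docs", "com.example.lockbox"}),
        blocked_actions=frozenset({Action.PRINT, Action.FORWARD}),
    )


# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("alice", "com.example.mail", Action.OPEN_IN, "com.example.docs", True),        # managed -> managed
    Request("alice", "com.example.docs", Action.OPEN_IN, "com.social.photos", True),       # managed -> unmanaged
    Request("alice", "com.example.lockbox", Action.COPY_PASTE, "com.personal.notes", True),  # lockbox -> unmanaged
    Request("alice", "com.example.docs", Action.PRINT, None, True),                         # blocked action
    Request("alice", "com.personal.notes", Action.COPY_PASTE, "com.social.photos", False),  # personal data
]


def run_samples():
    """Evaluate the constructed requests against a fresh policy; returns (decisions, audit)."""
    policy = make_policy()
    decisions = [policy.evaluate(r) for r in SAMPLE_REQUESTS]
    return decisions, policy.audit


if __name__ == "__main__":
    decisions, audit = run_samples()
    for line in audit:
        print(line)
```

The audit trail only ever contains business-data decisions, so the employer gets the visibility it needs for compliance without recording anything about personal apps; the one unusual choice, denying business data that has no destination app, is deliberate fail-closed behaviour rather than something the article prescribes.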
Risk-averse companies use application reputation analysis to assess and respond to mobile app vulnerabilities and threats that could endanger business data. Despite Apple's App Store curation and improvements to the Google Play store, IT must still be concerned about snoopy and malicious mobile apps. Businesses can use EMM to blacklist bad apps, but static lists are time-consuming to maintain, and they are ineffective against zero-day attacks.
For this reason, some EMM suites integrate with app reputation services to enable a more timely response. For example, when an app reputation service spots a mobile app that's known for tracking users' locations or harvesting their contact and calendar information, it may alert the EMM software, which then temporarily quarantines all mobile devices running that app.
This kind of mobile data risk management technology may be more surgical and effective than traditional blacklist and antimalware approaches.
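The container responses listed earlier (delete the container when a device is lost, cut off container access when a device is jailbroken or runs a bad app) and the reputation-driven quarantine described just above are both decisions an EMM takes from device posture plus an app verdict feed. The following added example, written for this article and not taken from any EMM or reputation product, puts both in one decision function and shows a reputation alert being folded in; the inventory, the verdict feed and every identifier in it are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    CLEAN = "clean"
    RISKY = "risky"          # e.g. tracks location or harvests contacts and calendar
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str                # the authenticated identity the device is enrolled to
    reported_lost: bool
    jailbroken: bool
    installed_apps: Tuple[str, ...]


@dataclass(frozen=True)
class Decision:
    device_id: str
    action: str              # wipe_container | disable_container | quarantine | none
    reasons: Tuple[str, ...]


def decide(device: Device, reputation: Dict[str, Verdict]) -> Decision:
    """Map device posture plus app reputation onto a container-scoped response."""
    if device.reported_lost:
        # The container, not the whole device, is what IT deletes.
        return Decision(device.device_id, "wipe_container", ("device reported lost",))
    reasons = []
    disable = False
    if device.jailbroken:
        reasons.append("device is jailbroken")
        disable = True
    for app in device.installed_apps:
        verdict = reputation.get(app, Verdict.CLEAN)
        if verdict is Verdict.MALICIOUS:
            reasons.append(f"{app} rated malicious")
            disable = True
        elif verdict is Verdict.RISKY:
            reasons.append(f"{app} rated risky")
    if disable:
        return Decision(device.device_id, "disable_container", tuple(reasons))
    if reasons:
        # Privacy-invasive but not outright malicious: quarantine pending review.
        return Decision(device.device_id, "quarantine", tuple(reasons))
    return Decision(device.device_id, "none", ())


def on_reputation_alert(inventory: List[Device], app_id: str, verdict: Verdict,
                        reputation: Dict[str, Verdict]) -> Dict[str, Decision]:
    """The reputation feed flags app_id: record the verdict and re-evaluate every device running it."""
    reputation[app_id] = verdict
    return {d.device_id: decide(d, reputation) for d in inventory if app_id in d.installed_apps}


# Constructed inventory and reputation feed; all identifiers are hypothetical.
INVENTORY = [
    Device("d1", "alice", False, False, ("com.example.mail",)),
    Device("d2", "alice", True, False, ("com.example.mail",)),                          # lost, same user as d1
    Device("d3", "bob", False, True, ("com.example.mail",)),                            # jailbroken
    Device("d4", "carol", False, False, ("com.example.mail", "com.sample.flashlight")),
    Device("d5", "dave", False, False, ("com.sample.freegames",)),
]
REPUTATION = {"com.sample.freegames": Verdict.MALICIOUS}


def evaluate_inventory(inventory=INVENTORY, reputation=None) -> Dict[str, Decision]:
    """Decide for every enrolled device against a copy of the feed, so callers can diff before/after."""
    feed = dict(REPUTATION if reputation is None else reputation)
    return {d.device_id: decide(d, feed) for d in inventory}


if __name__ == "__main__":
    for dec in evaluate_inventory().values():
        print(dec.device_id, dec.action, dec.reasons)
    feed = dict(REPUTATION)
    for dec in on_reputation_alert(INVENTORY, "com.sample.flashlight", Verdict.RISKY, feed).values():
        print("after alert:", dec.device_id, dec.action, dec.reasons)
```

Two things are worth noticing: device d4 is clean until the feed rates its flashlight app as risky, at which point only d4 is re-evaluated and quarantined, exactly the surgical response the article contrasts with static blacklists; and alice's lost device d2 loses its container while her other device d1 is untouched, because the unit of response is the container and the enrolled identity, not the hardware.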
Finally, a growing number of EMM suites are identity aware. Mobile data security policies have been based on device or application parameters, but what companies really want are consistent data access policies, regardless of device type or data location.
Ultimately, companies need business data to remain secure, whether users retrieve it from an enterprise file store, save it on a smartphone or synchronize it with a public cloud service.
Integrating EMM suites with enterprise identity management systems allows IT to apply mobile application security policies based on authenticated user identity. This spans all the mobile devices that one person might use throughout his workday.
Identity awareness can also extend to single sign-on, which helps companies deliver frictionless mobile access.