igor - Fotolia
Keeping enemy attackers from storming the gates of the corporate IT castle used to be pretty simple. But mobility changed all that.
With the great power of mobile comes the great responsibility of mobile security, and IT can't rely on old tactics to keep sensitive information out of the wrong hands. The biggest change is in how workers access corporate data. Years ago, business users did all their work on a company-issued desktop hooked into a corporate network. The typical approach to security was to build a castle wall to keep the data inside, said Matt Kosht, an IT director at a utility company in Alaska.
"Most corporations bought all their own equipment, and they weren't having people come in and out," Kosht said. "If [users] were inside your network, you were pretty confident it was safe."
Today, IT has to contend with users accessing corporate data on smartphones, tablets and wearables from a variety of locations. The reliability and security of outside networks present their own data security challenges. Building a wall isn't enough anymore. Nor is it feasible in many cases. Users can easily find ways to get around IT and use unsanctioned personal devices, apps and networks to get their work done.
"Security is broken," said Ajay Arora, CEO of Vera, a startup that offers file-level security. "The perimeter-based approach is not sufficient."
Mobile security requires an approach that protects apps themselves, secures data wherever it resides and better monitors access to sensitive information. The switch to a more mobile world now informs how organizations implement security overall. IT departments should not treat the two differently, said Craig Mathias, founder of the Farpoint Group, a wireless technology advisory firm in Ashland, Mass.
"All the principles need to be the same anywhere you can get connectivity," Mathias said.
A new approach to mobile security
With the advent of the bring your own device trend came new approaches to management and security, each with its own benefits and challenges for IT and users.
Shortly after the introduction of Apple's iPhone in 2007, tools arrived to help organizations prevent corporate data leakage. Mobile device management (MDM) was the rage at first, but that only goes so far, said Alisdair Faulkner, chief products officer with ThreatMetrix, a user authentication software provider in San Jose, Calif.
"You can't forever be chasing and patching every single device," Faulkner said. "You can't forever hope to roll out an MDM solution that's going to fully satisfy all your use cases."
Matt KoshtIT director at a utility company
Mobile application management (MAM) and mobile content management (MCM) are two newer approaches that allow workers the freedom to use the tools they want while keeping corporate data within IT's grasp. For example, a sandboxed email app is specifically designed to keep data within that specific app and other authorized apps. If a device is lost, MAM allows IT to wipe only the sandboxed email app and its data.
The unique nature of mobile operating systems themselves has also provided new security opportunities. For example, mobile devices have managed to avoid many of the antivirus concerns that threaten Windows PCs, thanks to more closed operating systems such as Apple iOS, said Chris Hazelton, research director for enterprise mobility at 451 Research. OS vendors can still do more to help, including allowing IT to turn off specific app permissions and ensuring third-party apps can't collect employee data, he said.
"A developer can sell and monetize your information if they can track your location," he added.
Identity access management (IAM) is one security technology that's become even more important in the mobile era. With IAM, IT can set application permissions for users, capture and record user behavior and more easily authorize and audit apps. Without strong IAM in place, IT could miss abnormal behavior, like an employee based in one location logging on from a different location—a potential sign of a breach.
"If I can assume your identity, or assume your device profile and look like your device, then I can get access to the corporate crown jewels," Faulkner said.
In the desktop era, an employee typically used just one device to do work and didn't take it out of the office. IAM is more difficult nowadays in part because of barriers put up by mobile OS vendors, Hazelton said. For example, iOS devices are designed as consumer products, and Apple discourages any kind of management agent running on the device from disrupting user experience, he said.
Not location, location, location
Mobility changed the paradigm that where a user accesses information is the most important aspect of enterprise security. New IT security threats have affected all of modern enterprise security.
"It's not about keeping bad people out of your device," Kosht said. "It's about keeping bad people out of your data. You have to design systems around the fact that people are going to breach them."
The ubiquity of mobile devices, cellular networks and Wi-Fi hotspots means there are more chances than ever for sensitive data to find itself in the wrong place at the wrong time. And the rise of high-speed Internet access gives attackers more bandwidth over which to steal reams of data. Organizations must change to deal with these new IT security threats.
"Mobile has brought a Cambrian explosion, in both the level of commerce that it enables and the degree of sophistication of cyber-attacks," Faulkner said.
This article originally appeared in the June issue of the Modern Mobility e-zine.
Security revolution means more than just malware
Do you need antimalware protection for mobile?
Security and usability can coexist for mobile apps