Three steps to better mobile data protection

To best protect mobile data, IT must know the ins and outs of each mobile operating system, determine which devices to accept in the workplace and understand native data protection.

Protecting corporate data from loss or theft is a top priority. Data breaches are painful and pricey, and their effects can range from brand damage to regulatory sanctions.

Fortunately, the mobile industry has evolved to address enterprise security concerns, especially when it comes to mobile data protection. Smartphones that once lacked even basic data encryption capabilities have matured into better-sandboxed platforms than their laptop and desktop counterparts.

At the same time, enterprise mobility management (EMM) suites have improved over-the-air monitoring and control, which gives IT administrators a plethora of mobile data protection tools as data moves from home to office to public hotspot.

Mobile OSes set the stage

A foolish man builds his house upon sand; a wise man builds upon solid rock. In the world of mobile devices, hardware and operating system capabilities can provide firm footing for mobile data security -- or not.

Most enterprise desktops and laptops run one of two operating systems: Microsoft Windows or Apple Mac OS. This creates a relatively consistent IT-procured and managed environment. But mobile devices run more diverse and rapidly evolving operating systems that can vary by device make, model and carrier. When users bring their personal devices and mobile applications downloaded directly from public app stores to work, they increase diversity even more, and they bypass IT in the process. As a result, IT cannot protect mobile data by standardizing devices and locking down applications.

Securing mobile data requires that IT administrators understand what each mobile OS can and cannot do. They must then make the most of supported security technologies, applications and settings. For example, nearly every contemporary mobile OS provides native application isolation -- known as sandboxing -- and kernel security.

Support for native device-level encryption and secure device wipe varies, however. Because of this, it is common for IT shops to apply a two-pronged approach to securing mobile data. First, they establish and enforce minimum acceptance criteria, then they backfill platform weaknesses with third-party mobile security technologies.

Determine which devices to accept

To establish mobile device acceptance criteria, examine each platform's security architecture. Consider the extent to which user, carrier and manufacturer applications are isolated from each other and the OS kernel.

Also look at whether applications can read or modify each other's data, and at any services and data that lie outside the OS sandbox, such as shared files and messaging. Consider which permissions are granted -- by default or explicitly -- to applications, as well as the level of control that IT can exert to detect and block potentially harmful applications.

Like their desktop counterparts, all mobile operating systems have security vulnerabilities that can put mobile data at risk. OS and application update methods, as well as time-to-patch, vary and are particularly problematic within the fragmented ecosystem.

A similar concern applies to mobile application provenance; Apple's tight-fisted application vetting is credited for minimizing, but not eliminating, iOS malware. Consider these factors when establishing minimum acceptance criteria. For example, some companies prohibit Android devices, or allow workers to use only devices running certain Android versions.

For many companies, non-negotiable table-stakes criteria include a minimum OS version, hardware support for full-device encryption and interfaces for over-the-air mobile device management. Those management interfaces must enable passcode policy enforcement, remote data wipe for part or all of the device, mobile activity logging, jailbreak or rooting detection and some degree of mobile application management for monitoring and control over third-party mobile security technologies. Mobile devices that cannot meet these minimums may be denied access to enterprise networks and services, or permitted in limited ways that do not endanger data.

Native data protection establishes a foundation

Smartphones and tablets will inevitably go missing, along with the business data they carry. Insisting upon full-device encryption, supported by logged proof of encryption, can often stop a lost device from causing a breach.

Still, it's important to understand the limitations of full-device encryption on each platform. For example, remote wipe support is ubiquitous, but its effectiveness varies. On Apple and BlackBerry devices, crypto keys are removed, which renders encrypted data unrecoverable. On older Android devices without hardware encryption, wipe is just a reset to factory default, which leaves data at risk if the device is lost, stolen or resold.

Similarly, an encrypted file system cannot fully secure mobile data on a compromised device, nor can it prevent users from leaking data to unencrypted locations beyond IT's reach. When business and personal applications coexist on the same device, there's a greater chance that a snoopy or malicious app installed by the user will compromise business data in the same encrypted file system. Unless IT takes preventative steps, an employee with authorized access to an encrypted mobile device can easily leak data by emailing it, sending files to a cloud service, such as Dropbox, or synchronizing data with a personal Apple iCloud or Google account.

Native mobile data protection is best viewed as an essential starting point, but it's far from foolproof. To take full advantage of supported capabilities, use EMM to enroll acceptable devices and provision their settings, starting with device-level authentication policies such as passcode length and complexity, fingerprint or smart card unlock, timeout and acceptable retries. Robust authentication is critical because an easy-to-guess passcode can neutralize even strong encryption. Enable remote wipe and get explicit user consent during enrollment to invoke this fallback option sparingly, under tightly specified conditions.
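The acceptance criteria described under "Determine which devices to accept" and the device-level authentication settings in the paragraph above are easiest to enforce consistently when they are written down as a policy check that runs over an EMM inventory export. The following Python is an added example for this article, not code from the original page or from any EMM product; the threshold values, the DeviceRecord fields and the sample devices are all constructed assumptions, chosen only to show how a minimum-criteria check is evaluated and how the reasons for a denial are surfaced.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed minimum acceptance criteria. These are hypothetical policy
# choices for the example, not values stated in the article.
MIN_OS_VERSION: Dict[str, Tuple[int, int, int]] = {
    "ios": (12, 0, 0),
    "android": (9, 0, 0),
}
MIN_PASSCODE_LENGTH = 6
MAX_INACTIVITY_TIMEOUT_MIN = 5
MAX_FAILED_ATTEMPTS = 10


@dataclass
class DeviceRecord:
    """One row of an EMM inventory export (constructed field set)."""
    device_id: str
    platform: str                # "ios" or "android"
    os_version: str              # e.g. "13.3.1"
    hardware_encryption: bool    # storage can be encrypted in hardware
    encrypted: bool              # full-device encryption currently active
    compromised: bool            # jailbreak or rooting detected by the agent
    mdm_enrolled: bool           # over-the-air management interface available
    passcode_length: int         # 0 when no passcode is set
    passcode_complex: bool       # complexity policy satisfied
    inactivity_timeout_min: int  # 0 means the device never auto-locks
    max_failed_attempts: int     # 0 means unlimited unlock retries


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '13.3.1', '10' or '9.0.0-beta' to a 3-tuple so comparison is
    safe: a plain tuple compare would rank (12,) below (12, 0)."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = (parts + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def evaluate(device: DeviceRecord) -> List[str]:
    """Return the acceptance criteria the device fails; empty means acceptable."""
    failures: List[str] = []
    platform = device.platform.lower()
    if platform not in MIN_OS_VERSION:
        return [f"platform '{device.platform}' is not on the accepted list"]

    if parse_version(device.os_version) < MIN_OS_VERSION[platform]:
        wanted = ".".join(map(str, MIN_OS_VERSION[platform]))
        failures.append(f"OS version {device.os_version} below minimum {wanted}")
    if not device.hardware_encryption:
        failures.append("no hardware support for full-device encryption")
    if not device.encrypted:
        failures.append("full-device encryption not active")
    if device.compromised:
        failures.append("jailbreak or root detected")
    if not device.mdm_enrolled:
        failures.append("not enrolled in over-the-air device management")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if not device.passcode_complex:
        failures.append("passcode complexity requirement not met")
    if not 0 < device.inactivity_timeout_min <= MAX_INACTIVITY_TIMEOUT_MIN:
        failures.append(f"inactivity timeout must be 1-{MAX_INACTIVITY_TIMEOUT_MIN} minutes")
    if not 0 < device.max_failed_attempts <= MAX_FAILED_ATTEMPTS:
        failures.append(f"failed-attempt limit must be 1-{MAX_FAILED_ATTEMPTS}")
    return failures


def is_acceptable(device: DeviceRecord) -> bool:
    return not evaluate(device)


def triage(inventory: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Map each device id to its failures, ready for an access-control decision."""
    return {d.device_id: evaluate(d) for d in inventory}


# Constructed sample inventory; no device or value here comes from the article.
INVENTORY = [
    DeviceRecord("ipad-01", "ios", "13.3.1", True, True, False, True, 6, True, 5, 10),
    DeviceRecord("droid-02", "android", "8.1.0", False, False, False, True, 4, True, 5, 10),
    DeviceRecord("droid-03", "android", "10", True, True, True, False, 6, True, 5, 10),
]

if __name__ == "__main__":
    for device_id, failures in triage(INVENTORY).items():
        verdict = "ACCEPT" if not failures else "DENY - " + "; ".join(failures)
        print(f"{device_id}: {verdict}")
```

Running the block denies droid-02 on four counts (old OS, no hardware encryption, encryption not active, short passcode) and droid-03 on two (compromised, not enrolled), while ipad-01 passes. Returning the full list of failed criteria rather than a single boolean is deliberate: it lets the same check drive both a network-access decision and a remediation message to the user, and it makes an audit of why a device was denied straightforward.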
