- Eric Klein, VDC Research
Businesses need to protect themselves from different types of mobile threats -- not just the portability and connectivity of smartphones and tablets.
Mobile devices have blown away the notion of a corporate network perimeter, but threats now extend much further than devices' boundaries. Vulnerabilities such as malware, direct attacks, data interception, exploitation and social engineering are evolving -- on endpoints in our hands, at our desks, on our networks and in our service providers' data centers. This reality is precisely why the concept of defense-in-depth -- the practice of implementing multiple security countermeasures, or layers, to protect data -- resonates.
Defense in depth requires advanced security tools, particularly as organizations become more reliant on modern operating systems, applications and even Internet of Things devices. Implementing the best layered security model is no easy task, however.
Device manufacturers such as Apple and Samsung have made tons of progress by adding important embedded security features. Those include the ability to prevent modified OSes from booting, kernel integrity monitoring, more robust sandboxing mechanisms and most recently, co-processors that can provide isolated execution, secure storage and even trusted network connections to device-side features such as near-field communications and Bluetooth. Consortiums such as the Trusted Computing Group also continue to develop technical standards for authentication, cloud security, data protection and mobile security. These measures help address today's security concerns, but they only solve part of the problem.
Push past the perimeter with layered security
One of the biggest problems mobile users cause happens when they connect their laptops to public Wi-Fi networks, running the risk of exposure to malware or viruses that can later infect the corporate network. A firewall can stop attacks at the network perimeter, but it may not be able to stop an attack that comes from a trusted source. IT departments should complement existing security investments with network access control tools to help minimize the risks of device exposure to malicious software.
Email-based threats have also grown in sophistication, making strong email protection a critical component of security. It has gotten easier to protect against spam and nuisance emails; attackers don't pose as princes trying to claim their inheritances anymore, but they craft and target their intrusions more deliberately. Spear phishing attacks -- emails that succeed in convincing recipients that they are from a trusted source -- are extremely dangerous and can allow hackers to export data and steal account credentials. Quarantining suspected email-based attacks and re-routing them to spam folders definitely works, but it's a manual process that costs IT time.
To combat these issues, IT can layer these emerging authentication and other security technologies into their existing mechanisms:
Enhanced biometric authentication: Modern devices feature fingerprint sensors for user authentication -- a step in the right direction -- but they are not yet proven to be secure enough for certain deployments. More robust mechanisms are emerging that attackers cannot spoof. These can provide military-grade authentication and even tie identity to specific applications.
Next-generation firewalls and web gateways: These security systems offer analysis capabilities with near real-time visibility into emerging threats. They include features such as URL filtering to help mitigate phishing, and advanced malware mitigation to prevent denial-of-service attacks.
Micro-segmentation: Micro-segmentation technologies partition data centers into zones, rather than having a single security perimeter that allows free traffic flow. They reduce the attack surface by containing any breach to a smaller fault domain. That setup will logically extend to segmenting traffic on mobile endpoints going forward. Enterprise mobility management (EMM) vendors are even beginning to integrate identity management and per-app VPN controls with micro-segmentation, to offer the ability to dynamically set network policies from a single console.
Enhanced email gateways: New hardware-based tools that offer these gateways can strengthen the defenses of a layered security model against spam, phishing and malware. EMM vendors have offerings that can manage and secure email traffic through encryption between users' mobile devices and corporate data stores and back-end systems.
This article originally appeared in the July/August issue of the Modern Mobility e-zine.