Top techniques for mobile data loss prevention

To protect data on mobile devices, you need data loss prevention methods like dual persona technology to keep corporate information secure.

Protecting the data on mobile devices is the first step to security in a consumerized enterprise environment. But even with the proper encryption and password protection in place, IT needs to face the fact that sometimes devices get lost or employees unknowingly download something malicious.

So what do you do in that case? In part two of this series about mobile information management, learn how to protect devices from external threats.

Protecting against lost or stolen devices

If a phone storing corporate information is lost or stolen, that creates a serious exposure. The data should be encrypted and the password activated, but administrators typically want to stem the threat by wiping the corporate data from the phone. This can be accomplished in a couple of different ways.

First, tools such as Microsoft's Exchange ActiveSync and IBM's Notes Traveler provide a remote-wipe capability. It is, however, a "blunt instrument" approach. When the wipe command is sent, all of the phone's content is wiped, including any personal photos, music, apps, ringtones and other items.

Given that this device is now in unknown hands, the user might want the phone's contents wiped. With luck, the user will have followed IT's guidance and backed up the contents on a regular basis.

Another scenario that mobile security plans must address is when an employee leaves the organization. In that case, a mobile device management (MDM) system has the advantage of being able to wipe just the corporate content while leaving the user's personal information intact. It may also offer a total wipe capability if the user requests it.

It is important to note that remote wiping is not 100% effective. If the phone is turned off, set to airplane mode or simply put in an area where it cannot connect to a network, it won't be able to receive the wipe command.

Also, if the MDM client is uninstalled, or the Exchange or Notes Traveler account is deactivated, the device won't respond to a wipe command. In most cases, however, uninstalling the MDM client or canceling the email account will itself cause the corporate data associated with that client or account to be erased from the device.
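Because a wipe only takes effect when the device next checks in, administrators typically want a routine report of wipes that are still outstanding. The following is an added example, not code from the article or from any MDM or Exchange product: it parses a constructed CSV export of wipe request and acknowledgement times and flags requests that remain unacknowledged; the column names, mailboxes, device IDs and timestamps are all assumptions.

```python
"""Reconcile remote-wipe requests against device sync activity. Constructed
example: the CSV is a simplified export (mailbox, device id, wipe request time,
wipe ack time, last sync), not any MDM or Exchange tool's output; '' = never."""
import csv
from datetime import datetime, timedelta

SAMPLE_REPORT = """\
mailbox,device_id,wipe_requested,wipe_acked,last_sync
alice@example.com,ANDROID-0001,2013-09-01T08:00:00,2013-09-01T08:04:00,2013-09-01T08:04:00
bob@example.com,IOS-0002,2013-09-01T09:00:00,,2013-08-31T22:10:00
carol@example.com,IOS-0003,2013-09-02T10:30:00,,2013-09-02T10:45:00
dave@example.com,ANDROID-0004,,,2013-09-02T11:00:00
"""

def _ts(field):
    """Parse an ISO-8601 timestamp, or return None for an empty field."""
    return datetime.fromisoformat(field) if field else None

def parse_report(text):
    """Yield report rows with the three timestamp columns parsed to datetime."""
    for row in csv.DictReader(text.splitlines()):
        for key in ("wipe_requested", "wipe_acked", "last_sync"):
            row[key] = _ts(row[key])
        yield row

def wipe_status(row, now, stale_after):
    """'none', 'acked', 'pending', or 'stale' (unacknowledged longer than stale_after)."""
    if row["wipe_requested"] is None:
        return "none"
    if row["wipe_acked"] is not None:
        return "acked"
    return "stale" if now - row["wipe_requested"] > stale_after else "pending"

def unacknowledged_wipes(text, now, stale_after=timedelta(hours=24)):
    """Devices whose wipe is unacknowledged, stale first, as tuples of (mailbox,
    device_id, status, hours outstanding, synced since request). A False last
    field means the device has not contacted the server since the request."""
    out = []
    for row in parse_report(text):
        status = wipe_status(row, now, stale_after)
        if status in ("pending", "stale"):
            hours = round((now - row["wipe_requested"]).total_seconds() / 3600, 1)
            seen = row["last_sync"] is not None and row["last_sync"] > row["wipe_requested"]
            out.append((row["mailbox"], row["device_id"], status, hours, seen))
    return sorted(out, key=lambda r: r[2] != "stale")

def demo(now_iso="2013-09-02T12:00:00"):
    """Run the check over the constructed report at the given clock time."""
    return unacknowledged_wipes(SAMPLE_REPORT, datetime.fromisoformat(now_iso))
```

A device that shows up as stale with no sync since the request is the airplane-mode or powered-off case from the text; one that has synced but not acknowledged deserves a closer look at whether the MDM client or account is still present.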

Data loss prevention

Losing a mobile device is one way to lose control of corporate information, but it's not the only concern in MIM. Users have been known to forward business email to their personal accounts or to upload corporate files to consumer cloud storage services like Dropbox. If all else fails, an employee can simply use the copy and paste functions to move information from corporate email or attachments anywhere they want.

Fortunately, MDM providers are aware of this threat and have developed methods to protect against it. The basic tool is a "secure container" or "sandbox," which is essentially a password-protected, software-defined region on the device that stores corporate information independent of the user's personal files. If the device is lost or stolen, or if the user leaves the company, the secure container can be wiped remotely.

The other key feature of the secure container is that any corporate data that is sent to it is tagged and cannot be forwarded out of the container. Email or attachments cannot be forwarded, nor can their contents be copied and pasted.

The secure region can also store other applications, and their contents also cannot be forwarded. An MDM product can incorporate a secure cloud storage capability to eliminate the need for open services like Dropbox.
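The container's behaviour reduces to three rules: data arriving through the container is tagged, tagged data cannot flow to an untagged destination (forward, copy and paste, share), and a selective wipe removes only tagged items. This toy model is an added illustration, not any MDM vendor's implementation; the item names, zone labels and scenarios are constructed.

```python
"""Toy model of a secure-container ("dual persona") policy. Constructed example,
not any MDM vendor's implementation: data arriving via the container is tagged
CORPORATE, tagged data cannot flow to an untagged zone, the tag follows copies
made inside the container, and a selective wipe removes only tagged items."""
from dataclasses import dataclass, field

CORPORATE, PERSONAL = "corporate", "personal"

@dataclass
class Item:
    label: str      # CORPORATE items live inside the container
    content: str

@dataclass
class Device:
    items: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # policy decisions, for the admin

    def receive(self, name, content, via_container):
        """Store incoming data; anything delivered through the container is tagged."""
        self.items[name] = Item(CORPORATE if via_container else PERSONAL, content)

    def move(self, action, src, dst, dst_label):
        """Forward / copy-paste / share `src` into a new item `dst` in zone `dst_label`.
        A CORPORATE item may only be copied within the CORPORATE zone, and the copy
        keeps the tag so a later selective wipe still finds it. Returns True if allowed."""
        item = self.items[src]
        if item.label == CORPORATE and dst_label != CORPORATE:
            self.audit.append(f"DENY  {action}: {src} -> {dst_label}")
            return False
        self.items[dst] = Item(item.label, item.content)
        self.audit.append(f"ALLOW {action}: {src} -> {dst_label}")
        return True

    def selective_wipe(self):
        """Employee leaves: remove every CORPORATE item and keep personal data."""
        gone = sorted(n for n, i in self.items.items() if i.label == CORPORATE)
        for n in gone:
            del self.items[n]
        return gone

def demo():
    """Run the article's scenarios; returns (denied flows, wiped items, items left)."""
    d = Device()
    d.receive("q3_forecast.xlsx", "revenue ...", via_container=True)
    d.receive("holiday.jpg", "<jpeg bytes>", via_container=False)
    d.move("copy-paste", "q3_forecast.xlsx", "notes.txt", CORPORATE)        # allowed
    d.move("forward", "q3_forecast.xlsx", "personal_mail_draft", PERSONAL)  # denied
    d.move("share-to", "notes.txt", "cloud_upload", PERSONAL)               # denied: tag propagated
    d.move("share-to", "holiday.jpg", "cloud_upload", PERSONAL)             # allowed
    denied = [a for a in d.audit if a.startswith("DENY")]
    return denied, d.selective_wipe(), sorted(d.items)
```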

"Dual persona" is the catchy term MDM vendors have coined to describe this approach. BlackBerry Ltd. had one of the first capabilities of this sort with its BlackBerry Balance, and other vendors now offer it for virtually all mobile operating systems.

Samsung recently introduced its own secure container technology as part of Knox for the Android platform. Knox works with a number of MDM solutions and also provides a secure boot function.

Application security

The irony is that all these security measures can come crashing down if a device becomes infected by malware. Mobile apps are available from any number of sources, and vendors take vastly different approaches to how -- or if -- they test apps for malware before distributing them.

The exposure is compounded if the device is "jailbroken" (an iOS term) or "rooted" (the Android term), a process in which the basic security mechanisms built into the device are disabled, allowing applications from any source to be installed. Jailbreaking or rooting software is freely available on the Internet.


Virtually all MDM products provide jailbreaking/rooting detection, and a device can be blocked from accessing corporate email or other systems until it is brought back into compliance. Given the nature of their design, there have been no reported instances of jailbreaking or rooting BlackBerry or Windows Phone devices, so this is a problem confined to Apple's iOS and Google's Android.

With regard to the apps themselves, so long as a user is downloading applications from Apple's iTunes store, they are fairly well protected. Apple does extensive testing on apps to detect malware prior to their distribution. Of course, if a device is jailbroken, the user can download iOS applications from anywhere, and all bets are off.

Up until this point, Android has been the target for most mobile malware. In its Consumer Mobile Trends Report from June 2013, security firm McAfee reported that Android malware had grown by one-third in a single quarter, registering more than 680,000 samples.

Most instances appeared to be targeting simple theft, primarily causing the device to send premium Short Message Service texts. Note that there are versions that can allow a hacker to monitor communications or snatch virtually any data file off a phone.

To protect against this form of attack, jailbreaking/rooting detection is the first step. If no MDM system is in place, the organization's mobility policy should explicitly prohibit jailbreaking/rooting.

MDM systems can also allow administrators to blacklist applications, and there are Android antivirus products available from companies such as Avast, Bitdefender and Kaspersky Lab. According to independent IT security firm AV-Test, many of the better products are as much as 95% effective.

For even tighter control of mobile applications, some companies are taking the step of implementing their own internal app stores. Most MDM suppliers, as well as specialists like Apperian or App47, provide these capabilities. Besides controlling app distribution and updates, these internal app stores can also manage any corporate-licensed software.

About the author:
Michael Finneran is principal at dBrn Associates, an advisory firm specializing in wireless, mobile security and unified communications. Along with providing consulting assistance to carriers, equipment manufacturers and end-user organizations, Finneran is a frequent speaker at industry conferences including InterOp, Enterprise Connect and the UC Summit. He has published over 300 articles, as well as numerous white papers and market reports. Finneran is a member of the Society of Communications Technology Consultants International, and he has a master's degree from the J.L. Kellogg Graduate School of Management at Northwestern University.
