Holistic Mobile Security: Protection on Every Side
Imagine for a moment an enterprise. The specific industry it operates in is not important, but envision a large firm, perhaps 10,000 employees. Overall, this organization is well managed, profitable, and generally thought of as a leader in its market.
Like most companies, this imaginary business deals with confidential information: everything from trade secrets and sensitive competitive details to private customer data. However, under the mandate of the CIO, the company does have IT security policies in place to protect this information.
If this business were real, the general perception of it would likely be very positive.
Now imagine that the IT department does not enforce the security policies referenced above. Nearly all employees are allowed to bring in their own laptops—whether in compliance with the company’s security policies or not—and connect to the corporate network. To make matters worse, the IT department is lax regarding the security and management of company-owned laptops and desktops. Password enforcement and other security settings, along with system and application updates, are often an afterthought.
How would this change the perception of this company? Would it still be positive? In all likelihood, general observers would see such a company as a ticking IT security time bomb on the verge of detonating.
Believe it or not, many real-world enterprises actually fall into this category, but instead of unsecured and mismanaged laptops and desktops creating the problem, it is mobile devices, such as smartphones and tablets, that are often neglected.
Today’s smartphones and other mobile devices—along with the service provider networks they operate on—are incredibly sophisticated, and tomorrow’s will be even more so. Increasingly, these devices and subsequently the related service provider networks are being brought into the enterprise by end users. Furthermore, the devices are being used for an ever-increasing list of both personal and business connectivity purposes. This consumerization of IT offers tremendous productivity increases but also creates new security and management challenges for IT—challenges that should not be ignored any longer.
To overcome these challenges, the mobile industry as a whole must begin shifting towards a holistic approach to mobile security and management in order to keep sensitive enterprise data secure. This complete approach should focus on shoring up the security of both the visible and not-so-visible—from the enterprise perspective—sides of the mobile ecosystem. The endpoints where the data is created, used, and stored form the visible ecosystem, and the networks through which the devices connect and communicate with corporate backends make up the not-so-visible ecosystem.
Protecting the visible mobile ecosystem: devices and data
As mobile devices become more sophisticated, provide greater corporate access, and store more data, they become an increasingly popular target for attackers. They also become a bigger target for theft, and their size makes them much easier to misplace. Their computing power also makes them a convenient alternative to the traditional laptop. As a result, companies need to manage these devices and make sure they are secure. To do this effectively, companies need to stop making exceptions for mobile devices and treat them as they would any other endpoint, and using security and management software directly on the device is the first step.
By implementing solutions focused on protecting and managing the devices themselves—much like those used to secure and manage the data on PCs—organizations can ensure that mobile devices are not the weak link in their IT security armor. This includes mobile security, device management, information protection, and authentication technologies:
Security: Though mobile threats are still in their infancy and are nowhere near the level we see targeting traditional computing platforms, some creative cybercriminals have found ways to exploit smart mobile devices through viruses, Trojan horses, SMS or e-mail phishing, rogue applications, and snoopware—mobile spyware that activates features on a device without the user’s knowledge, such as the microphone or camera. It is therefore growing increasingly important to employ the mobile security solutions that provide a barrier against these attacks— similar to their laptop and desktop counterparts.
Security solutions that feature network access control capabilities can also help to enforce compliance with security policies and ensure that only secure, policy-compliant devices can access business networks and e-mail servers.
Device Management: A well-managed device is a secure device. It is important that mobile devices remain properly configured and managed at all times. Mobile device management, or MDM, solutions enable this. By increasing IT efficiency with over-the-air deployment of configurations, applications, and updates, management solutions help ensure devices have the required policies and applications and that they are configured correctly and kept up-to-date. This not only improves end-user productivity by managing mobile device health but also ensures security vulnerabilities are not present on the devices.
Information Protection: The biggest threat to mobile devices remains the risk of loss or theft. As more companies use these devices simply as additional endpoints, data stored and accessible through them is put at even greater risk. Corporate e-mail and data from line-of-business applications on smartphones often contain intellectual property or information subject to government regulation.
The loss or theft of the device exposes sensitive data and may result in financial loss, legal ramifications, and brand damage. Strong password/PIN policies prevent unauthorized access to the mobile device and its data. Mobile encryption technologies provide protection for data communicated and stored on end users’ mobile devices. Remote wipe and lock capabilities enable an enterprise to remotely delete all of the corporate data on the device to ensure that the data cannot be breached.
As individual-liable mobile devices permeate enterprise networks, organizations need granular control over these endpoints, such as remote wipe capabilities enabling only the corporate-owned data to be removed. And finally, enterprises need to make sure that the appropriate data leakage prevention policies are in place to reduce the flow of sensitive data out of the mobile devices.
Authentication: Most enterprise networks require a username and password to identify users, but usernames and passwords can be compromised. Using two-factor authentication technology provides a higher level of security when users log in to the corporate network. Quality authentication technologies extend the same safety measures for when users log in from a mobile device. As enterprises develop custom applications, they need to look at extending the authentication to these apps as well.
Protecting the not-so-visible ecosystem: service provider networks
As more and more enterprise endpoints access the service provider networks directly (via mobile devices), organizations need to feel comfortable that the vital service provider networks their mobile devices connect to are also free of attacks and threats that could proliferate into their own systems. Superior mobile security and comprehensive network protection allows the service providers to provide that confidence to enterprises.
Network Protection: As malicious threats designed to be propagated via mobile networks increase, so too must the measures implemented by providers to block these threats. Service provider networks should be protected at their edge, never allowing these threats from getting in. By building a network-wide policy control and enforcement system, these networks are guarded against malware.
This network-wide solution must include an application-level security policy that protects against the predominant types of traffic entering the network, including the Web, SMS, MMS, and so on. By putting this application-level policy in place, service providers can identify and evaluate new threats from devices as soon as they appear and prevent them from reaching other enterprises and end users.
Services Revenue: Improving overall security with a network-wide policy control and enforcement solution has additional benefits. It empowers providers to offer revenue-generating protection services for both enterprises and consumers. These include enterprise-level control capabilities over where users may browse the Web or by controlling devices connecting to the enterprise infrastructure. These capabilities can be sold as security-as-a-service to corporate customers to drive enterprise customer retention and acquisition. They can also be offered as consumer-level control capabilities; providing individual subscribers control over their mobile presence across all services is also a possibility.
Security Insight: In order to protect network stability, performance, and subscriber trust, it is critical that service providers have real-time insight into what types of activity is happening within their network. Additionally, service providers must comply with increasing regulatory requirements being placed on them. An intelligent security solution designed to identify, manage and report suspicious activity, in real time, enables a proactive approach to improving network efficiency by only valid traffic traverses the network. Additionally, operators must ensure they properly store and make retrievable application-level traffic requested by enterprises, helping to meet regulatory requirements for data retention and recovery.
As we continue to plunge head-first into this new era of computing, one where smart mobile devices are becoming more common than laptops and desktops, completely securing them and the networks in which they communicate can seem like a daunting challenge. However, it is not an impossible task. The key is an industry-wide holistic approach that stops making exceptions for mobile devices and treats them as true endpoints. Ideally, this would include integrated protection solutions for end users, enterprises, and telecommunication service providers.
Jon Kuhn is the director of product management, Enterprise Mobile Group at Symantec.