Mobility is now one of the top strategic priorities for organizations. In fact, supporting mobility is seen as so important that some organizations are offering employees the option of using their own personal devices. This “bring your own device” concept is seen as a way for companies to reduce costs, but the proliferation of smartphones and tablets in the enterprise means that IT needs to somehow practically manage these devices. And, when most IT people talk about “managing mobile devices,” they primarily mean ensuring that they are used correctly (i.e., according to company policies regarding data access, storage, and transmission) and do not become a “black hole” that poses a security threat to the company.
Mobile device management is an ongoing process that requires configuring devices so that they comply with the organization’s usage and security policies and then monitoring them to ensure compliance over time and to protect them from malware and other threats. In short, managing and ensuring security for mobile devices involves:
- Enabling secure connectivity to avoid unauthorized access to enterprise systems
- Securing the mobile device itself in order to avoid a breach of sensitive data if it is lost or stolen
- Preventing end users from inadvertently or intentionally entering company data into unsecured applications
- Protecting against malware (e.g., spyware and viruses)
General Mobile Device Management and Security Considerations
Organizations should opt for a mobile device management solution that features a Web-based console that will allow IT administrators to access configuration and control capabilities and provide “over the air” updating, regardless of where they (or the mobile device) are located. It should provide basic device management and configuration capabilities, as well as the ability to set user access rights at the granular level, based on company policies and users’ profiles. Only authorized users should have access to certain enterprise functionality and specified company information. For example, HR users would be allowed to access and view only information pertaining to their department, while account managers would see only information related to their customers and such details as the aggregated figures for overall sales.
With stories of companies getting hacked frequently making the news, IT is very conscious of avoiding any unauthorized access to enterprise systems via mobile devices. And mobile devices — especially those for dual use (i.e., business and personal) — are seen as an increased threat to security because they are easily lost or stolen. (There is the additional risk as well that these devices may pick up malware if end users use them to readily download apps and access consumer social networks and other sites on their own time.)
The mobile platform, security, and enterprise software vendors have gone to considerable lengths to provide mobile application developers with tools to ensure the security of smartphone and tablet devices. This includes providing the ability to leverage the security capabilities of their mobile platforms and enterprise applications (e.g., SAP authentication, Lightweight Directory Access Protocol (LDAP) authentication), as well as data encryption techniques to help ensure the security of mobile applications. Enhanced public key infrastructure (PKI) capabilities are also utilized, thus offering strong authentication for devices accessing the corporate network. As a result, it has become practical for smartphones and tablets to connect securely to the corporate network using client certificates (much in the same way as laptops routinely do so today).
Whenever possible, organizations should seek to utilize mobile platforms that support over-the-air security with encrypted messages used between the client and server, applying symmetric key algorithms employing limited validity periods and a cryptographic checksum at the end of each message. Such capabilities mean that you can transmit most content over the wireless network securely and efficiently and be reasonably assured that it is safe. With such functionality, traffic is first compressed and then encrypted using standards-based cryptography as well as any platform-specific encryption that’s already in place (e.g., in BlackBerry Enterprise Server). This helps ensure a strong, uniform security implementation across client platforms while also leveraging platform-specific functionality.
Security on Mobile Devices
Mobile enterprise applications can take advantage of the built-in security capabilities of today’s mobile devices. In addition to not allowing onboard storage of passwords, smartphones and tablets also support the encryption of log-in credentials before transmission. Offline security features include encrypted local storage on mobile devices and leveraging lease key technology to protect data access within a configurable validity period.
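The over-the-air message format described earlier (compress, then encrypt with a symmetric key of limited validity, then append a cryptographic checksum) and the lease-key validity window mentioned above, worked through as an added example that is not code from the original article or from any vendor platform. The `LeaseKey` class, the 12-byte header layout, and the use of HMAC-SHA256 as a stand-in PRF for the cipher are assumptions made so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct
import zlib


class LeaseKey:
    """Symmetric key that is only usable inside a configurable validity window."""

    def __init__(self, key_id, secret, not_before, not_after):
        self.key_id, self.secret = key_id, secret
        self.not_before, self.not_after = not_before, not_after

    def valid_at(self, now):
        return self.not_before <= now <= self.not_after


def _keystream(secret, nonce, length):
    # CTR-style keystream using HMAC-SHA256 as the PRF (assumption: it stands in
    # for a block cipher so that the example needs no third-party library).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(secret, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext, nonce=None):
    """Compress, then encrypt, then append a cryptographic checksum (MAC)."""
    nonce = nonce or os.urandom(12)
    body = zlib.compress(plaintext)                          # compress first
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key.secret, nonce, len(body))))
    header = struct.pack(">IQ", key.key_id, key.not_after)   # key id + expiry, in clear
    tag = hmac.new(key.secret, header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag                         # checksum at the end


def open_message(keys, msg, now):
    """Verify the checksum and the key's validity before decrypting; raise on failure."""
    header, nonce, ct, tag = msg[:12], msg[12:24], msg[24:-32], msg[-32:]
    key_id, _ = struct.unpack(">IQ", header)
    key = keys.get(key_id)
    if key is None:
        raise ValueError("unknown key id")
    expected = hmac.new(key.secret, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("checksum mismatch: message altered or wrong key")
    if not key.valid_at(now):
        raise ValueError("key outside its validity period")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(key.secret, nonce, len(ct))))
    return zlib.decompress(body)
```

The receiver checks the checksum and the key's validity window before it decrypts anything, so an altered message or an expired lease key is rejected without exposing plaintext. Compressing before encryption, as the article describes, does leave the ciphertext length dependent on how compressible the plaintext is, which a deployment may need to account for.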
Most mobile devices now support “data wiping” that can automatically clean all of an application’s data stored on a mobile device immediately once the application is closed or the device is turned off. This feature ensures that if an employee leaves his or her smartphone or tablet at the bar or on the subway and someone finds it, this person won’t be able to see what the employee had been examining; nor will that person be able to log on to the organization’s systems. Any mobile device management platform used should allow IT or management to be able to delete organizational (i.e., company) data while leaving personal data intact on the device. (The ability to clearly separate personal information from company information is obviously important for dual-use mobile devices.) Administrators should be able to accomplish this remotely via a management console.
Organizations should also design mobile apps with the intention of preventing an end user from inadvertently (or intentionally, for that matter) distributing company data or sensitive information. This should include not allowing users to be able to forward company data to a personal email account. In addition, users should be prevented from cutting and pasting data from a company application into a personal (i.e., nonsecured) application (social network, blog, etc.) that is not protected by the enterprise’s mobile management/security systems.
Protecting Against Malware on Mobile Devices
Mobile devices currently are not as heavily targeted by hackers with malware and other malicious programs as are traditional computing platforms. These threats are expected to increase considerably, however, due to the rapid adoption of mobile devices by both consumers and businesses. Thus, protecting mobile devices against malware includes monitoring for spyware and viruses and detecting and removing malicious and unapproved apps.
As I alluded to previously, over the past year or so, the enterprise security vendors have increased their efforts to enable their software to better support mobile devices. As a result, security software today can scan and clean files, emails, Internet downloads, text and MMS messages, and attachments. Such software typically resides on the mobile device client and can interact with the organization’s enterprise security and policy management systems to provide active and ongoing monitoring for threat detection and removal of malware and unauthorized apps.
In addition, in order to reduce the threat posed by employees possibly downloading malicious apps to their phones and tablets, some vendors’ solutions (for example, McAfee’s Enterprise Mobility Management platform) even provide the ability for organizations to be able to recommend applications to their users via an enterprise app store.
Smartphones and tablets have changed the way people work, but mobile adoption does bring increased security risks to the enterprise. However, mobile device management and security have advanced to the point where organizations now have a number of tools available that they can use to implement comprehensive security capabilities for mobile applications. Not only are the mobile devices themselves more capable, but the mobile platform, security, and enterprise applications providers have all taken considerable steps to ensure the security of mobile applications and devices.
The market for mobile management/security is also expected to accelerate as the use of mobile devices in the enterprise continues to pick up. In addition to more advanced software offerings, we’re also seeing hosted services designed to help organizations secure mobile devices that provide access to corporate data. These solutions include security applications for smartphones and tablets, along with managed services for policy management and compliance monitoring.