Mobile devices are rapidly becoming the primary end-user computing platform at area companies. The broad user experience, computing capabilities and always-on connectivity together make mobile devices very compelling PC replacements. However, this shift to mobile computing represents a challenge to existing secure IT environments: IT management must consider new approaches to securing corporate data and minimizing risk when so many new variables are introduced. “How do these mobile devices expose our company?” is a common question. Because organizations want to take a mobile-first approach, many employees and managers are enjoying the resulting benefits, which include efficiency, competitive differentiation and heightened innovation. Every new approach, though, needs to be evaluated for new risks as well as benefits, so let’s take a minute to survey this new landscape of risk and benefit.
Consider the two key reasons why IT needs to adopt new strategies for securing corporate data on mobile, as compared to PCs, when pursuing a strategy to heighten user productivity.
Reduced IT control over mobile devices: The mobile era is all about the end user. They get to pick the mobile platform that best meets their personal preferences, with the expectation that the device should also work in a business context for the full range of apps and content needed to stay productive. This is in stark contrast to the PC era, where IT offered end users an approved PC with a set of pre-selected apps. End users had very limited say in what the PC was able to access, and IT could control every aspect of the corporate-owned device, from physical ports to software and application versions. For mobile, end users decide many of these variables and IT can only recommend devices and applications. IT has no way to enforce a standard OS, device or app across the organization. In fact, the more IT tries to lock down devices, the more end users will try to bypass policies, increasing risk to the organization.
Old security models must adapt to stay relevant: In the PC operating system scenario, the agent-based security method worked well. This involved a piece of software residing on the PC that controlled the processes and data belonging to other applications. Unfortunately, this agent-based security model cannot be used to secure mobile because of differences in the way these operating systems are designed. Mobile operating systems use a sandboxed architecture that isolates apps and their associated data, which can interact and share data only through well-defined mechanisms. This allows for greater security than the open file system used by a PC OS, but it requires new tools that leverage the specific security capabilities made available by the device vendor itself.
Threats to Mobility
As trends such as the use of mobile devices to enhance enterprise productivity take hold, organizations are being exposed to a variety of information security risks and threats. Threats introduced by mobile can be grouped into three categories:
Device based threat vectors
Mobile devices enable end-users to perform a variety of business-related tasks such as receiving email and accessing, editing and sharing corporate content via a variety of productivity apps. As a result, mobile devices store a significant amount of sensitive data. This data can be compromised in a variety of ways due to:
- Always-on connectivity which could allow unauthorized parties to access business data.
- Software that allows “jailbreak” or “rooting” of devices, compromising data security.
- Portability making the devices susceptible to theft and misplacement.
Network based threat vectors
The always-on model requires mobile devices to be constantly connected to the internet. As a result, end users might rely on untrusted public networks, enabling malicious parties to access and intercept transmitted data using:
- Rogue access points
- Wi-Fi sniffing tools
- Sophisticated Man-in-the-Middle attacks
User based threat vectors
Mobile empowers end users. While this is great for user choice, well-meaning end users often indulge in risky behaviors that could compromise business data. Examples of risky behaviors include:
- Using un-approved cloud-based apps to share and sync data
- Using un-approved productivity apps that maintain copies of corporate data
- Jailbreaking/rooting devices to bypass security controls
- Using malicious apps from un-approved app-stores
- Exposing business data with malicious intent
While one may argue that the list of threat vectors introduced by mobile devices is similar to that introduced by laptops and similar portable PC-based devices, the fundamental differences between mobile and PC operating systems require IT to adopt purpose-built enterprise mobility platforms to mitigate the risks introduced by mobile.
Countermeasures for New Risks
Implementing data loss prevention on mobile devices requires a layered security approach. This layered security approach can be implemented using the controls listed below:
1) Secure operating system
2) Strong Authentication
3) Remote wipe
4) Device Encryption
5) Data sharing
6) Network security
7) Application lifecycle management
8) Secure browsing
Below are descriptions of the data loss prevention requirements and specific controls. Each class of controls can include basic controls, which directly address the requirements, supplemental controls, which strengthen the basic controls, and compensating controls, which apply when no basic control is available. These layered security controls, together, establish a data loss prevention model for Mobile.
Secure operating system
Secure applications to prevent malware from accessing application data – Configure apps to access data only when essential.
Provide a safe application ecosystem – Stores such as Google Play and the Apple App Store are tightly curated to minimize the likelihood of malware in posted apps. Apple prohibits certain backdoors, such as the download of new executable code into an already approved app. Apps can also be immediately revoked from app stores if they are later found to violate policies. Add additional tools to ensure malware is minimized.
Patch OS vulnerabilities quickly – Ensure devices are configured to automatically update as patches are released.
Strong authentication
Remotely configure password policy
Auto-wipe device after a certain number of failed authentication attempts
Enforce identity for enterprise services
Remote wipe
For company-owned devices, remotely wipe all the data on the device
For employee-owned devices, remotely wipe ONLY the enterprise data on the device
Device encryption
Encrypt all enterprise data-at-rest on the device
Encrypt all enterprise data-in-motion to and from the device
Encrypt all enterprise data in secure apps
Data sharing
For corporate email in the native email app:
- Do not allow attachments to be opened in an unauthorized app
- Do not allow forwarding through a personal email account
- Do not allow copy/paste, printing, or screenshots of email text
- Do not allow backup of email outside IT control
For corporate apps:
- Do not allow app data to be accessed by unauthorized apps
- Do not allow copy/paste, printing, or screenshots of app data
- Do not allow backup of app data outside IT control
Network security
Prevent data loss as enterprise data traffic travels through public cellular and Wi-Fi networks outside IT control.
VPN: For companies that have standardized on device-wide VPN technology from vendors such as Cisco and Juniper, the VPN service should be configured to provide a secure channel for enterprise data.
Application lifecycle management
Prevent rogue apps from being downloaded to device
Blacklist unauthorized apps
Whitelist authorized apps
Publish and distribute enterprise apps
Update enterprise apps
Secure browsing
Allow secure access to enterprise web apps located behind the firewall
Prevent data loss of downloaded documents and cached web content
Protect against “drive by” malware browser attacks
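The layered controls above only help if each device is actually measured against them. The following Python is an added example, not code from the original page or from any EMM vendor: it turns the controls into a posture check over constructed device records and applies the remote-wipe rule as the text states it (full wipe for corporate-owned devices, enterprise-only wipe for employee-owned ones). The OS baselines, failed-attempt threshold and app identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Assumed baselines; a real EMM keeps these in policy, not in code.
MIN_OS = {"ios": (17, 0), "android": (14, 0)}   # "patch OS vulnerabilities quickly"
BLOCKED_APPS = {"com.example.cloudsync"}         # constructed id of an unapproved sync app
MAX_FAILED = 10                                  # auto-wipe threshold (assumed)

@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: tuple        # (major, minor) as reported by the EMM agent
    corporate_owned: bool    # decides full wipe vs. enterprise-only wipe
    jailbroken: bool
    encrypted: bool
    passcode_set: bool
    failed_attempts: int
    installed_apps: set = field(default_factory=set)

def evaluate(dev: Device):
    """Map one device record onto the layered controls; return (findings, action)."""
    findings = []
    if dev.jailbroken:
        findings.append("secure-os: device is jailbroken/rooted")
    if dev.os_version < MIN_OS[dev.platform]:
        findings.append("secure-os: OS older than patch baseline")
    if not dev.passcode_set:
        findings.append("authentication: no passcode policy applied")
    if dev.failed_attempts >= MAX_FAILED:
        findings.append("authentication: failed-attempt limit reached")
    if not dev.encrypted:
        findings.append("encryption: data-at-rest not encrypted")
    for app in sorted(dev.installed_apps & BLOCKED_APPS):
        findings.append(f"app-lifecycle: blocked app installed: {app}")
    # Severe findings trigger the wipe rule; lesser ones block enterprise
    # access (quarantine) until the user remediates.
    severe = dev.jailbroken or dev.failed_attempts >= MAX_FAILED
    if severe:
        action = "full-wipe" if dev.corporate_owned else "enterprise-wipe"
    elif findings:
        action = "quarantine"
    else:
        action = "compliant"
    return findings, action

# Constructed sample fleet: one compliant, one rooted BYOD, one corporate lockout
FLEET = [
    Device("d1", "ios", (17, 4), True, False, True, True, 0),
    Device("d2", "android", (13, 0), False, True, True, True, 2, {"com.example.cloudsync"}),
    Device("d3", "ios", (17, 0), True, False, False, True, 10),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.device_id, *evaluate(d))
```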
The pressure to support new mobile operating systems will be a constant challenge for IT departments, because operating system and device choice are now determined by the consumer, not by the enterprise, and can change frequently. Mobile operating systems such as Android and iOS, combined with an enterprise mobility management (EMM) platform, have matured to provide the layered security controls the enterprise requires to mitigate the risk of data loss on both corporate-owned and personally-owned devices. As a result of these controls, organizations can now support the new generation of mobile operating systems and devices that their user communities demand.
Feel free to contact Jeff Sheets or Bill Long with your questions about mobile device security.