Most discussions about mobile security in the enterprise focus on Mobile Device Management (MDM) these days. Some vendors may call it Enterprise Mobility Management (EMM) instead, but the point is the same: invest in an expensive, multi-featured, centralized security suite, and you’ll be able to manage and secure a Bring Your Own Device (BYOD) environment.
(Those acronyms sure are stacking up, aren’t they?)
The trouble is that this is not true. MDM tools are indeed necessary, but they are tools, not a complete solution. MDM is a good place to start, and for MDM buying tips, refer to this story, but it is not a be-all-and-end-all solution.
A complete solution, as with any other real network security, requires layers. Moreover, this challenge is new enough that it’s probably not wise to trust any one vendor for the entire solution. Some will be better at application management. Others will be good at partitioning enterprise data from personal data. Still others will excel at enforcing policies.
As you start to piece together the mobile endpoint security strategy that makes the most sense for your organization, here are five important considerations:
1. Determine how you will protect sensitive data once it leaves the network perimeter.
Intellectual property, customer credit card information, sales leads – none of this should be shared freely to personal mobile devices. In the old BlackBerry model (corporate-owned, tightly managed), the enterprise had more control because it owned the device and because of the robust policy features in BlackBerry Enterprise Server (BES).
Completely wiping a device wasn’t a problem. It was the enterprise’s device, after all.
Today, even if you make employees sign waivers allowing you to wipe data, don’t be surprised if they push back when you actually wipe their data. Better to avoid this trap altogether.
“We wanted to share content internally and externally, but be able to maintain complete control over it so it couldn’t be saved, forwarded, or otherwise misused,” said Jeff Fotta, CEO of Gryphon Networks, which provides cloud-based consumer contact preference solutions for the financial services industry.
“We deal with a lot of sensitive information such as pipeline, deals, revenue and strategic directions, and we definitely do not want our competitors to see any of it,” he said. “We also wanted to be able to deliver this information to mobile devices of employees in the field, while retaining the ability to terminate access to it at any time, in case it fell into the wrong hands.”
To accomplish this, Gryphon began investigating document and content protection solutions from Brainloop, WatchDox and Content Raven.
“Content Raven was really the only one on the market that fit all our criteria. They deploy through the cloud, so it was really easy to get started, and they allowed us to keep our content in our own infrastructure,” he said. Fotta placed a premium on the fact that Content Raven did not make him move content into their cloud. “Instead, we can point their solution to our content where it currently resides. That’s huge for us.”
Other factors that helped tip the scales to Content Raven included the ability to handle mobile content and support of rich media and video, as well as analytics and tracking capabilities.
2. Figure out which BYOD model to embrace.
Which BYOD model you choose can be just as important as the technologies you adopt to support it. Even if you embrace the individually liable (IL) BYOD model rather than the corporate-liable (CL) one, there will be plenty of times when your employees will expect you to pay for mobile activities.
If they’re traveling overseas, for instance, and need to download a critical presentation to a smartphone or tablet, they’ll expect, rightly, that the company will reimburse them for those expensive data roaming minutes.
In fact, trying to push mobile expenses onto employees may backfire. Companies that just provide subsidies and allow employees to pick whatever device they want will face support problems and will lose out on volume discounts for both devices and plans.
This doesn’t mean, though, that one model has to blanket the whole company. For instance, a sales team has very valid reasons to not have to worry about expensing every single mobile cost. And if they do, you’ll probably spend more money processing expense reports than paying for the devices and services outright.
On the other hand, employees who do little work on the go may not even need to be granted mobile access, let alone given devices.
3. Figure out how to manage mobile expenses.
Skyrocketing mobile costs can quickly sink BYOD’s expected efficiency and productivity gains. As you embrace BYOD, figure out how you will keep costs in check. Canada’s CTV, a division of Bell Media, wanted to deal with handheld mobile security and expense management with one tool.
Their IT and telecom staff was struggling to manage 3,000 mobile devices – a mix of BlackBerry, iPad, iPhone, Android and others. CTV produces a number of TV shows in remote locations such as Haiti and Japan, so traveling employees need their mobile devices in order to stay connected and to send real-time updates – and often video – while on location.
Whenever a company device was lost or stolen, confidential information was at risk, since they were unable to remotely wipe devices or track them down. At the same time, while abroad, employees were often going over their monthly data plans, which would cost tens of thousands of dollars without them even knowing it.
To get a handle on both problems, CTV turned to a combined MDM and TEM (Telecom Expense Management) solution from Tangoe. CTV chose Tangoe over other solutions because of its “real-time telecom expense management” capabilities. Tangoe’s system allows the IT department to monitor all devices and track usage.
The IT department now has the ability to shut down a device if it is not being used according to the company’s policy, if it’s lost or stolen, or even if it goes over its allotted data plan.
4. Don’t forget about mobile AV.
Fortunately, free mobile AV solutions are available from the likes of Lookout Mobile Security. This is what I use on my own Android and it’s worked well.
However, IT probably wants to strive for AV unity across devices and platforms. Check to see what your existing endpoint protection provider has in the works for mobile AV. If they offer Android support but don’t protect iPhones yet, find out what their roadmap is. If support for additional platforms is too far out, you might want to reevaluate them as your desktop AV provider too.
However, vendors that have a PC-protection mindset may not adapt well to mobile.
This is purely anecdotal, but after checking out a Webroot demo at RSA 2012, I’m seriously considering switching to it for all of my endpoint protection for my own content-creation firm, Sandstorm Media.
The suite is powered by the cloud, so it has a tiny device-side footprint, as opposed to traditional resource-hogging security suites, and mobile support for Android and iOS has recently been added.
It’s not that I dislike Lookout, but I prefer simplicity when possible, and my legacy endpoint security suite, CA, is not satisfactory and a resource hog to boot. Thus, I have two AV solutions. I have no idea whether CA has a mobile solution and won’t bother looking. My licenses are almost up, so I want to unify device protection for my small organization – which even for about seven or so devices is complicated.
Besides protecting against malware, Webroot Mobile allows IT to locate, lock and wipe devices, while adding additional features like SMS spam filtering and app inspection.
5. Realize strong authentication is a must.
Many organizations feel a false sense of security once they are able to enforce screen locks and passwords on devices. For mobile, weak authentication isn’t good enough. For instance, Android phones allow you to unlock the device by drawing a pattern.
I’m no criminal genius, but it took me all of ten seconds to realize that the oil on people’s fingers would leave a distinct enough smudge that figuring out the pattern would be easy. Weak user names and passwords are nearly as bad. BKD, an accounting and advisory firm, needed to boost authentication standards for mobile devices and first investigated tokens as a two-factor authentication solution.
“We quickly determined the traditional token approach would require significant internal resources at a time when internal resources were stretched thin on multiple projects,” said Bill Melgren, BKD Director of Information Services. Managing, configuring, troubleshooting and repairing or replacing broken hardware tokens would add significant overhead.
Instead, BKD turned its attention to software-based authentication and selected the solution from PhoneFactor.
PhoneFactor relies on the mobile device itself as a second authentication factor. “PhoneFactor got us up and running in a fraction of the time that would have been required by a traditional token approach,” said Melgren. “Internal resource utilization has been kept to a minimum throughout.”
With PhoneFactor, each time a user tries to authenticate, the user’s phone is called after the password has been validated. The user simply answers the phone and is prompted to enter an assigned PIN. Because of this secondary authentication call, an attacker needs both to know the user’s password and to have physical possession of the user’s phone. This second factor – possession of the phone itself – adds a further layer of security.
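A minimal simulation of the flow just described, written as an added example and not PhoneFactor’s own code: the password is checked first, only then is the registered phone “called”, and the holder of the phone completes login by keying in the PIN against a single-use call id. The user record, phone number and PIN are constructed for the demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000
SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice


def _hash(secret: str) -> bytes:
    """Slow hash used for both the password and the PIN."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, PBKDF2_ROUNDS)


# Constructed user record: password hash, registered phone, PIN hash.
USERS = {
    "alice": {"pw": _hash("correct horse"), "phone": "+1-555-0100", "pin": _hash("4321")},
}
DUMMY_HASH = _hash("dummy")  # compared against for unknown users so timing does not reveal them

CALL_LOG = []   # simulated carrier: (user, phone, call_id) for every call placed
PENDING = {}    # call_id -> user, one entry per outstanding call


def place_call(user: str) -> str:
    """Out-of-band step: ring the phone registered for this user and return the call id."""
    call_id = secrets.token_hex(8)
    PENDING[call_id] = user
    CALL_LOG.append((user, USERS[user]["phone"], call_id))
    return call_id


def begin_login(user: str, password: str):
    """First factor. Returns a call id only when the password is right, so a wrong
    password never triggers a call (and never tells the caller whether the user exists)."""
    rec = USERS.get(user)
    expected = rec["pw"] if rec else DUMMY_HASH
    if not hmac.compare_digest(expected, _hash(password)) or rec is None:
        return None
    return place_call(user)


def answer_call(call_id: str, pin: str) -> bool:
    """Second factor: the person holding the phone answers and enters the PIN.
    The call id is consumed on first use, so a captured PIN cannot be replayed later."""
    user = PENDING.pop(call_id, None)
    if user is None:
        return False
    return hmac.compare_digest(USERS[user]["pin"], _hash(pin))
```

Note that a wrong PIN ends that call: the user must start over and receive a fresh call, which is the behaviour a possession factor should have.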