The enterprise mobility industry is going through a methodology shift in how it approaches and thinks about mobile security. When Mobile Device Management (MDM) initially launched, the industry assumed having the ability to lock down features and functions on a particular device also helped secure the device. However, this configuration management type of approach was deemed unsatisfactory when it comes to providing actual security on top of what the underlying operating system provides.
As the industry shifted from MDM to Enterprise Mobility Management (EMM), the focal point also shifted and honed in on securing applications and data to ensure corporate and government data residing on the device remains secure at all times. According to Gartner, in the next three years, 75% of mobile security breaches will result from mobile application misconfiguration. This risk factor, along with the increase in corporate mobile use, presents IT with a tricky challenge.
BYOD-enabled businesses of all sizes are looking for broader EMM solutions to both address end-to-end data security, while providing an elegant user experience that enables stakeholders to work remotely on mobile devices. In order to turn BYOD from an IT nightmare into a business asset, IT managers can look to secure collaboration tools with built-in authentication, authorization and access control, and a strong, supporting ecosystem, as their security lifelines.
Secure collaboration tools
In today’s BYOD environment, it’s essential for employees to access the right information at the right time, from any device and in any location. According to Forrester, employees are beginning to purchase whatever devices and collaboration tools they need, whether company-sanctioned or not. In fact, approximately 32% of employees are willing to purchase collaboration tools to be as productive as possible. To not hinder this new way of working, IT teams must be the guardians that walk the fine line between enablement and control.
Expanding further, IT managers must ensure employees are accessing corporate data in a secure manner at any given time, regardless of whether it’s from personal or corporate devices. The combination of unsecured devices and leaky collaboration tools put sensitive data and the company at risk. With Forrester estimating that 15% of employees are accessing sensitive corporate data, such as customer information, nonpublic financial data and intellectual property, from personal devices, this is a wake up call and warning for IT managers.
Unsecured collaboration tools that allow employees to move data around applications and various cloud services present dangers in the corporate environment. To avoid corporate liabilities, collaboration applications must have security (i.e. data-at-rest and data-in-transit encryption), policy management and compliance capabilities built in as a set of core capabilities from the beginning. IT managers will rest better knowing the collaboration tools are embedded with critical security and management capabilities at the application level.
One common way IT managers can ensure high levels of security within collaboration applications is by using a mobile platform that has security as a foundational layer. Security is an enabler. Understanding security and thinking about it early will allow a CISO to say yes to a CIO’s request to enable employee access on mobile devices because the company now has the proper risk mitigation controls in place.
Strong authentication and multi-layer security
It’s highly recommended to have at multi-layered security approach that starts with strong authentication, especially given that passwords have become an antiquated approach that are easily getting compromised. Today, organizations can leverage password alternatives such as one-time password (OTP), smart cards, and biometric authentication, which include facial, voice and fingerprint. All are typically referred to as two-factor authentication; since it’s something we know (i.e. a password or PIN) and something we have, which could be the token, smart card or biometric template. Going one step further, organizations can integrate into their existing identity and access management (IAM) strategy instead of trying to create something completely different for their mobile deployment.
Strong authentication is just one layer in what should be a defense in depth approach. Additional risk mitigation techniques should include verification of the underlying operating system where these collaboration tools are installed on. In addition, there should be a verification of the actual applications themselves to ensure that these applications are providing the necessary security, policy management, and compliance controls as advertised.
Open ecosystems
Having flexibility around what authentication method to use or what mobile application to deploy to solve a particular use case is a major benefit and piece of mind to IA personnel and IT managers running the mobile deployment. It also provides a sense of agility in this fast-moving space where mobile deployments provide significant ROI when it comes to increased productivity. An open ecosystem should not only include a plethora of authentication providers and the ability to seamlessly migrate from one to another if the time comes, but also a variety of collaboration and productivity applications. Equally important are abstracted app-independent services that can solve various and often times specific needs for a particular enterprise.
For an open ecosystem to succeed, independent software vendors (ISV’s) need to be able to quickly jump on to a particular platform so they can take advantages of all that it offers instead of trying to figure it out themselves. This applies to things like encryption, overall security, authentication, and many other platform capabilities/offerings. The key to a broad open ecosystem is the underlying platform which should create a “If you build it they will come” phenomenon. By leveraging a robust mobile security platform, enterprises can truly crowd-source to solve their needs, whether they build something from scratch or more likely leverage a popular ISV and just have them integrate the underlying platform. As a result of leveraging an open ecosystem, with partners at every turn to help for any category of things a company might want to do, business gets further enabled by increasing productivity and user satisfaction all while reducing overall costs.
An ecosystem, where every application shares the same underlying security methodologies, enables interoperability and unified enterprise policy management, helping meet compliance needs. The ecosystem of ISV’s can focus on making user experience terrific, resulting in a happy end user community. In the past, companies were burdened with incomplete capabilities from one vendor’s offerings, or from non-integrated components sourced from multiple vendors. This was a management nightmare for IT, a laundry list of potential risks for IA and a horrible user experience.
Today, we have the luxury of open ecosystems, which give more choice, flexibility and streamlined and simplified methods to protect data. With 70% of enterprises claiming mobile support to employees will take high priority over the next 12 months, IT managers should be exploring new ways to leverage collaboration tools, strong authentication methods and open ecosystems.
The enterprise mobility industry is refocusing its attention on applications and the mobile data that resides within them. As a result, information assurance personnel in partnership with IT managers must decide how best to protect sensitive corporate data and applications regardless of device type.
- Eugene Liderman is director of public sector technology at Good Technology
