Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but maintain some editorial control so as to keep it free of commercials or attacks. Please send along submissions for this section to our editors at:dmeyer@rcrwireless.com or tford@rcrwireless.com.
The rapid proliferation of user-owned iPhones, iPads and literally hundreds of different Android smartphone and tablet devices is making mobile security a top priority for IT departments. According to the InformationWeek 2011 Strategic Security Survey, 70% of companies see these new mobile devices as a threat to their companies’ security right now and an additional 20% foresee problems down the road.
What are companies worried about when employees use their own mobile devices to access corporate networks and apps? According to the InformationWeek survey, 64% of companies are most concerned that devices containing sensitive info will be lost or stolen. Other worries include infected personal devices connecting to the corporate network (59%), followed by user download of malicious apps (37%) and data loss stemming from the uploading of corporate data to personal devices (36%).
Today, about a third of these companies said they’re using mobile device management (MDM) solutions to increase mobile security. Organizations use MDM solutions to better secure, monitor, manage and support the myriad mobile devices used by their employees. This is especially important in the bring-your-own-device (BYOD) era we now live in; if you aren’t proactively defining your company’s BYOD policies and security controls, then your end users are doing it for you. And if you don’t have a MDM solution in place to consistently implement, manage and enforce your policies, then you may as well not have them.
But the truth is MDM on its own is not enough to ensure security and prevent data loss in an increasingly BYOD world. This is for three simple reasons:
1. MDM doesn’t add security and data loss controls where they don’t already exist. The simplest example of this is data encryption. Many devices lack built-in encryption. A MDM solution on its own, no matter how slick, can’t add encryption to a device or application that doesn’t already support it.
2. Encryption, “whole device” passwords, and “device wipe” are only effective if passwords are strong, are changed regularly and timeouts are short. Users simply don’t want to enter complex passwords every time they want to make a phone call, send a text message, or change their Facebook status. This is true for company-owned devices, and it’s an even more acute challenge with personally-owned devices. In the face of this challenge, we see too often that IT departments cave to user pressure and compromise corporate security by allowing weak, numeric-only passcodes and/or long passcode timeouts. But that should never happen – if the password policy you apply to iPads isn’t every bit as strong as the policy you apply to laptops, then you have a security and compliance problem, period. MDM doesn’t solve the password problem. In many cases, MDM can even exacerbate it by forcing corporate policies and related administrative actions like “wipe” to be applied to the “whole device” and not just to the specific apps where sensitive corporate data is actually stored and accessed.
3. Apps and APIs are the new security risk. Even if a device does have some form of built-in encryption and a strong password, if that same device also allows user-installed apps to access corporate data through open APIs, document exchange interfaces, or other similar frameworks, then it may not matter whether your corporate data is encrypted, or how strong your password and related policies may be. Facebook, Box.net, Dropbox and Evernote are just a few examples of apps that can directly or indirectly access and share corporate data with other third-party apps and cloud services, even if the device itself supports data encryption and is protected with a strong password. This is possible because fully-authenticated end users, not faceless hackers, who install these apps and enable them to access your corporate data. MDM vendors will often cite some combination of app store disablement or app “blacklisting” as the answer to this kind app-driven data loss. However, app store disablement is not a realistic option for BYOD devices, and “blacklisting” simply doesn’t work – not when there are well over 500,000 apps available between the Apple Inc. App Store and Android Marketplace alone, and thousands more showing up every day.
To address today’s security risks, companies need to go beyond basic MDM and adopt solutions that allow IT departments to set policies, control access and prevent data loss at both the application and device level. By focusing first on security and control at the application level, IT can more readily embrace BYOD and not compromise either the user’s experience or its policies. For example, when policy and controls are applied at the application-level, IT can implement and enforce strong, enterprise-grade policies for passwords, timeouts and other security controls without impacting the user’s overall personal experience. This approach also allows IT to prevent corporate data loss by enabling more control over how and how much corporate data is shared across and between apps and without having to limit the user’s ability to install and use personals.
While the visibility, management and policy enforcement enabled by MDM platforms is one part of the mobile security puzzle, it’s rarely enough on its own to secure corporate data and prevent data loss, especially in a BYOD world. Today, the primary mobile security threat arguably isn’t the faceless hacker trying to intercept communications or extract data from a lost or stolen device. Rather, it’s the well-intentioned, fully-authenticated end user who is simply trying to be more productive by installing and using apps that appeal to the user, but rarely comply with IT security policy and compliance rules.
This relatively new category of risk will define how mobile security evolves from its traditional and relatively narrow focus on encryption and lost device scenarios, toward a much more comprehensive and holistic approach to data loss prevention. To stay ahead of the curve, companies need to think beyond “device management” and focus instead on corporate “application and data management.” Because in a BYOD and app-centric world, managing the former no longer ensures security and control over the latter.
Reader Forum: In a BYOD world, MDM is not enough
ABOUT AUTHOR