By Bill Hicks
Gartner expects that by 2016, there will be more than 300 billion app downloads annually from mobile app stores [Source: Managing Enterprise Mobility, a Gartner presentation by Monica Basso and Rob Smith, 2013], and that by 2017, 25% of enterprises will have enterprise app stores for managing corporate-sanctioned apps on mobile devices and PCs [Source: “Gartner Says that by 2017, 25 Percent of Enterprises will have an Enterprise App Store,” Gartner press release, Feb. 12, 2013. http://www.gartner.com/newsroom/id/2334015]. This is hardly surprising given the benefits mobility offers organisations: mobility removes many barriers inherent in traditional business, enabling companies to reshape their organisations and processes for the digital data economy.
However, the move to mobile is not without its challenges. Gartner recently revealed that biggest challenge companies are facing is not in creating mobile applications. Instead, 85% of the cost and time enterprises spend deploying mobile solutions is on the integration of the application into the back end of the business and on security.
In particular, mobility challenges the traditional security perimeter of a company. Historically, the corporate perimeter was the firewall at the network edge. Today, mobile applications are moving data in and out of the firewall-protected data centre and transmitting data to and from hybrid computing infrastructures that are accessible by the company, partners and customers on any mobile devices that these entities and individuals might use. This pushes the perimeter out to the device; to the end point where data consumption occurs.
Businesses need to understand this change, the new risks involved, and protect the evolving and increasingly complicated perimeter that mobility creates.
What makes this new ‘edge’ perimeter so complex is that it is influenced by all the people, devices, and data – structured corporate information as well as unstructured data such as access credentials, documents, and local copies of intranet websites – that access the network. In addition, the device market is constantly changing with new devices, form factors, operating system upgrades, and software updates that influence how company data is accessed or viewed. The prolific app ecosystem is also populated with products that are vulnerable to malware and other attacks. Finally, the devices themselves can be lost or stolen.
In addition to managing these risks, companies need to pay close attention to two additional and very important concerns: who owns the data and where is the data?
Data ownership questions arise when corporate data is delivered on devices or infrastructure that is not owned by the corporation and when an employee’s identity-based corporate credentials facilitate access to corporate data yet the data is still controlled by IT. This can lead to corporations losing the ability to know precisely where their data is and who is using it. This is an increasingly challenging problem for companies today because smart phones, tablets and mobile apps make it extremely easy for employees to use and share data on their devices and the devices can store any type of data, from emails to proprietary materials to large graphics and video files.
So what is required? First, the corporate perimeter needs to be extended to the end point where data consumption occurs. Second, companies must have the ability to connect an identity to every piece of data that is stored, used and transmitted, regardless of department, company, system and geography.
One way of doing that is attaching an identity to all data, which will benefit companies because it puts identity at the heart of all solutions. In its most basic implementation, a company could use the identity associated with a device to assign a policy to data used by the device. This would give the company the ability to control the data as it is stored and transmitted and the capability to allow or prevent access to the data. Many types of business processes and proprietary information could be protected by this capability.
Corporations also need the ability to securely shred any data that belongs to the company.
To do this, companies have used a variety of methods, such as virtual desktop infrastructure (VDI) and dual-boot or dual-persona access tools, to manage BYOD as well as corporate-owned, personally enabled (COPE) devices. However, first-generation approaches have not been able to effectively satisfy both IT and employee priorities. In particular, preventing the comingling of corporate and personal data on these devices has become a fundamental issue. Companies have tried simply limiting the use of personal features on devices, but this strategy is not friendly to employees who want to use their devices for personal email, applications and features during non-work hours.
Indeed, such strategies can actually become counterproductive for companies if the security methods present a barrier to use and dissuade employees from taking full advantage of mobile enterprise applications and tools.
Instead companies have turned to mobile device management (MDM), mobile application management (MAM), and other more specific techniques such as identity management, secure containers, secure-access and Single Sign-on tools. These are all gaining traction among corporations, but crafting a coherent security strategy with a variety of discrete products can be problematic for many companies and often is not viable for the long term.
A piecemeal solution adds cost and complexity for enterprises as they seek to support, manage and maintain multiple management tools. Fragmentation also produces mobile security data silos, which generate fragmented views of data and services to the enterprise and create associated challenges for security auditing and compliance activities.
Rather, security needs to become a business enabler. Because mobile security minimises risks, it gives corporations the confidence they need to exploit the many benefits mobility offers to their businesses. Analyst firms are noting the correlation between mobile security and business improvements and the impact can be substantial. PricewaterhouseCoopers, for example, asserts that companies can realise 25% improvements in business performance if they carefully prepare their businesses to address mobile security vulnerabilities. [Source: Managing Security in a Mobile World, report published by PricewaterhouseCoopers, 2012, page 5. http://www.pwc.com/en_us/us/it-risk-security/assets/managing-security-in-a-mobile-world.pdf ]
The next generation of mobile security strategies now emerging should enable enterprises to provide a comprehensive framework while minimising the fragmentation challenges associated with earlier technologies. Gartner, for example, is emphasising this shift and is advocating that enterprises focus instead on integrated enterprise mobility management solutions. [Source: Managing Enterprise Mobility, a Gartner presentation by Monica Basso and Rob Smith, 2013]
As industry innovates new architectures to address emerging security concerns, enterprises can take fundamentally important steps today to reduce the security risks associated with the evolving perimeter.
Step 1: Associate an identity with anything that connects to data that is owned or curated by the corporation
Many companies overlook the importance of identity and as a result identity is often a gap in business IT security practices. But identity is a powerful tool. It can be applied to people, devices as well as data and therefore plays a vital role in securing the new perimeter.
Step 2: Create a clean boundary between corporate and personal data
Companies must isolate corporate applications and data from within personal devices and they must maintain a secure separation between the two in order to prevent the comingling of corporate and personal data. The most effective approach for creating and managing this boundary is to implement mobile application management in conjunction with secure containers. MAM separates personal and corporate apps, allowing personal and corporate information to coexist independently on the same device while preventing the intermingling of data. It achieves this by facilitating and managing a secure container for corporate apps and data.
The container itself is a highly specialised app that runs on a device. It is not dependent on the device OS and also is both convenient for companies and employee-friendly, enabling employees to keep their personal apps and data when they leave a company even though the corporate workspace is deleted.
Step 3: Make sure your security controls do not distract from the user experience.
Companies should make sure the security solutions they adopt are frictionless to the end user and that all application policies and entitlements are clear to users. Companies must also recognise that today’s employees, and especially younger generations who will make up the future workforce, will not tolerate cumbersome processes that adversely affect the user experience.
Step 4: Make sure the hardware accessing your network complies with your security policies
Corporations need to know which devices their employees are using and make sure they comply with company security policies and that IT can secure each supported device as well as the applications and services that will operate on the device. IT should also make sure it has capability to block access from any device that is vulnerable, compromised or not supported by the IT organisation.
More and more corporations are using mobility solutions, cloud services and mobile applications to succeed in the digital data economy. As these companies look for improved security solutions, they will need next-generation, unified approaches that can effectively secure the corporate perimeter by managing all people, devices and data that interact with the network.
A flexible, integrated platform that puts identity at the heart of its solutions will give companies powerful new capabilities to address near-term mobile security challenges while positioning their organisations to confidently address future mobile security needs. In particular, an identity-based security model that incorporates mobile application management and containerisation tools will provide the rigorous, comprehensive framework needed to address key vulnerabilities while alleviating many of the challenges and fragmentation issues associated with traditional, device-centric strategies.
