CHICAGO -- According to The Economist, there will be more than 3 billion smartphones and tablets in use worldwide by the end of 2015. According to two experts at the 2013 (ISC)2 Security Congress, end users will continue to flood enterprises with risk-laden mobile technology, but a mobile risk management program built on a data-centric approach can stem the tide.
A pair of speakers from the IT Risk & Security group at PricewaterhouseCoopers (PwC) LLP -- director Dan Fitzgerald and manager Nikita Reva -- kicked off their Wednesday session on mobile security by highlighting statistics from PwC's most recent global security survey.
One key data point stood out: Only 40% of responding enterprise security pros currently have a mobile security strategy. When Fitzgerald asked attendees, "How many of you would say you have a mobile security strategy?" only about 20% of audience members raised their hands.
The two experts proceeded to lay out the elements needed to implement a successful mobile risk management program, with emphasis on a data-centric approach that favors protecting mobile device data over the devices themselves.
To highlight the need for this approach, the duo painted a scenario where a U.S.-based enterprise buys a company based within the European Union, which is subject to a uniquely intense regulatory regime regarding consumers' data privacy. Before such a purchase is completed, Fitzgerald and Reva said, the American organization needs to plan how to manage the risk associated with meeting that data privacy mandate.
Reva emphasized the importance of selecting and implementing the right mobile device security controls, based on a variety of factors, and that utilizing threat modeling can help enterprises define those factors. For example, mobile threats can come in many forms and target data in different ways, but by looking at the threats most likely to target an organization's industry vertical, a company can gain a much better understanding of the threats it is likely to face and can subsequently build in the appropriate mobile security controls.
Fitzgerald believes encryption represents one of the best controls to fit the data-centric approach being preached. To underline the point, he turned to the highly problematic issue of collecting and storing personally identifiable information (PII). Though Fitzgerald advised against ever collecting PII on mobile devices, he said organizations that "make sure [PII] is encrypted" when sending such sensitive information should be safe, assuming the encryption was implemented at the right points.
Even after an effective mobile security program has been implemented, Fitzgerald and Reva reminded enterprises to remain flexible enough to reassess controls based on changes to their environments. A prime example of such a change is the recent release of Apple's iPhone 5S, which notably includes fingerprint technology that can be used to unlock the device and certain apps. Reva said enterprises should consider how they will manage the potential risks that such a technology can introduce, such as whether the organization may be responsible for the biometric data stored on a user's phone.
Some enterprises with large security budgets might be tempted to throw money at mobile security problems, but according to the two experts, simply buying "new and shiny objects" in the form of myriad mobile security products won't provide the desired results. Instead, enterprises should look toward existing mobile control frameworks such as the final revision of NIST Special Publication 800-124, along with formulating an easily understandable acceptable use policy to achieve buy-in from end users.
"What's not important is running out and buying the best technology you can get," Reva emphasized.
Audience discussion highlights different approaches, confusion
At the tail end of the session, Fitzgerald and Reva invited attendees to share their thoughts and experiences on implementing mobile security controls and evaluating mobile device management (MDM) products. The result was a scattershot conversation that underscored the need for more standardized approaches to mobile security.
A number of attendees mentioned they had implemented the MDM product suite from Good Technology Inc., with one saying his company included it as part of an acceptable use policy so mobile devices could be wiped without concern for end users. Another attendee noted that her company had been using the Good Technology product for personal devices for about a year, but pushback from users led to the adoption of an MDM product from vendor AirWatch LLC.
An attendee who works on securing approximately 7,000 devices globally also had mostly positive experiences using AirWatch products, but her experience using MDM technology across national borders stressed the need to involve legal teams when implementing such products.
"You have to work with your legal teams and those countries to figure out what you are allowed to put on these devices and track," she said, with Russia and South Korea standing out as particularly tricky environments to navigate.
Speaking with SearchSecurity after the session, Reva agreed with attendees who had logged their concerns around various regulations, particularly around data storage. Data classification, in alignment with security controls, could represent an answer to such issues, he noted.
For Fitzgerald, the conversation with attendees showed why enterprises should ideally have "mature security capability" already in place when dealing with mobile device risk management. Though the efforts mentioned by the duo can serve as a catalyst for existing security programs, he said many organizations can get in trouble if they don't already have such a capability.
"We're preaching to the choir here a little bit," Fitzgerald said about attendees, before adding, "I have a client that is definitely on the less mature end of the spectrum and his CEO says, 'I'm going to carry whatever device I want.'"