This tip is part of SearchSecurity.com's Security School lesson, Mobile device defense fundamentals. For more information, visit the lesson page; for additional learning resources, visit the Security School Course Catalog page.
From personal contact information to sensitive corporate documents to sensitive customer information, mobile devices are increasingly used to carry high-value personal and company information. When the norm was to have personal devices disconnected from company networks, the security risks were relatively low. However, the evolution of smartphones and tablets combined with ubiquitous connectivity has significantly increased the risk profile of mobile devices.
To date, deliberate attacks involving mobile devices have been limited in both scope and impact. However, indications are that things are about to change for the worse. Jailbroken iPhones have been the subject of attacks, rogue applications have targeted US banks and hackers have targeted the Android marketplace. These and other impending threats make improved mobile security controls an imperative for any organization looking to leverage mobility for competitive advantage.
A key challenge for improving mobile security is to understand what tools are available and how they can be leveraged. The following is a list of must-have mobile device security controls to protect workers and organizations:
- Device security. Remote lock, wipe and backup/recovery can help reduce the risk associated with lost or stolen devices. As noted in SearchSecurity.com's 2012 mobile device security survey, lost and stolen devices rank among organizations' top mobile security concerns, and for good reason: the easiest way to lose data via a mobile device is to lose the device itself. Every enterprise that sanctions (or doesn't prohibit) BYOD must ensure that any supported device can be locked and erased remotely, and that valuable data is backed up to a location under the organization's control.
- Network security. The growing number of smartphones and other devices such as tablets that end users carry into the enterprise increases the threat to corporate networks. Attackers have started seeking ways to use unsecured mobile devices as a means to leapfrog into otherwise protected areas of the network, including databases. Connectivity-oriented security tools such as IPsec and SSL VPN, multifactor authentication and logging reduce the threat of a network compromise. Applying these controls to mobile devices can be challenging but is ultimately necessary to protect the enterprise as a whole.
- Malware defense. The oncoming wave of mobile malware requires protection such as antivirus, personal firewalls, Web filtering and antispam. While the iOS platform has proven to be relatively resilient, Android-based devices have repeatedly fallen prey to malware, and malicious mobile apps represent an increasing threat to all platforms. For these reasons, it's becoming necessary to invest in mobile add-ons from traditional antimalware vendors, or consider a mobile device management (MDM) product that can, among other things, facilitate the extension of antimalware to a variety of mobile devices.
- Threat intelligence. Mobile threats are continually evolving. Large enterprises should invest in threat monitoring tools and research teams, and train them on how to not only identify mobile threats, but enable rapid response. These functions can be closely tied to existing log analysis and security information and event management (SIEM) processes. The most important tactic here is to develop a baseline of "normal" mobile device activity and use analytics and real-time monitoring to spot deviations that may be a sign of an attack.
- Multi-operating system support. There is no de facto standard for mobile device platforms today, nor will there be for the foreseeable future. Android and iOS are currently the dominant platforms, but BlackBerry remains popular in many enterprises, and other platforms like Windows Mobile and Symbian aren't uncommon. The variety of mobile platforms in use today, however, hasn't discouraged malware authors, as malware volume on virtually all mobile platforms continues to increase. Companies must either decide now which platforms they will support and secure, or plan on having to protect all mobile operating systems. The former strategy may be the most cost-effective but may limit user productivity and satisfaction, while the latter will likely require new technology and hence be more expensive.
- Centralized management. Alluded to in several previous points, central management tools provide a "single pane of glass" to set and enforce policies and perform many other security-related functions across all mobile devices. This is becoming an increasingly important capability in organizations where multi-platform support is essential. Many major systems management vendors are moving into the mobile space, integrating traditional products with new mobile management capabilities.
- Network access control. Network access control (NAC) has long been a solution looking for a problem. The influx of consumer devices and transient users makes NAC a must-have technology to ensure that mobile devices meet company security policies before connecting to the corporate network.
- Data encryption. Files, contacts and email need to be encrypted on mobile devices in the event of loss or theft. Each platform comes with different encryption challenges, some requiring an additional encryption application for the data that lives on the device. While the market for mobile encryption for data in motion is immature, new options are emerging all the time.
- Over-the-air capabilities. Mobile security requires over-the-air provisioning and configuration to ensure that workers always have the latest security capabilities without burdening IT by forcing staff to physically touch each device. As demand grows for an increasingly diverse landscape of mobile devices, this feature is crucial for enterprises that need to scale their mobile security provisioning efforts.
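The threat intelligence item above recommends building a baseline of "normal" mobile device activity and watching for deviations. The following sketch is an added example, not part of the original article: it builds a per-device baseline (median and median absolute deviation) and flags outliers. The record layout, device names, spread floors and threshold are all assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample data (not real telemetry): one row per device per day,
# e.g. exported from VPN/NAC logs: (device, internal hosts contacted, MB uploaded).
HISTORY = [
    ("tablet-07", 3, 12.0), ("tablet-07", 4, 15.5), ("tablet-07", 3, 11.2),
    ("tablet-07", 5, 14.1), ("tablet-07", 4, 13.3), ("tablet-07", 3, 12.8),
    ("phone-21", 1, 2.0), ("phone-21", 2, 2.4), ("phone-21", 1, 1.9),
    ("phone-21", 1, 2.2), ("phone-21", 2, 2.1), ("phone-21", 1, 2.3),
]
TODAY = [("tablet-07", 4, 13.9), ("phone-21", 19, 250.0), ("phone-99", 2, 3.0)]
METRICS = ("hosts", "mb_up")
MIN_SPREAD = {"hosts": 1.0, "mb_up": 1.0}  # assumed floors so flat histories stay usable

def build_baseline(rows, min_days=5):
    """Per-device (median, MAD) for each metric; devices with thin history are skipped."""
    per_device = defaultdict(list)
    for device, hosts, mb_up in rows:
        per_device[device].append((hosts, mb_up))
    baseline = {}
    for device, obs in per_device.items():
        if len(obs) < min_days:
            continue
        baseline[device] = {}
        for i, name in enumerate(METRICS):
            values = [o[i] for o in obs]
            med = statistics.median(values)
            mad = statistics.median([abs(v - med) for v in values])
            baseline[device][name] = (med, mad)
    return baseline

def find_deviations(baseline, rows, threshold=6.0):
    """Flag devices with no baseline and metrics far above the device's own norm."""
    alerts = []
    for device, hosts, mb_up in rows:
        if device not in baseline:
            alerts.append((device, "no_baseline", None))
            continue
        for name, value in zip(METRICS, (hosts, mb_up)):
            med, mad = baseline[device][name]
            score = (value - med) / max(mad, MIN_SPREAD[name])
            if score > threshold:
                alerts.append((device, name, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(build_baseline(HISTORY), TODAY):
        print(alert)
```

Comparing each device against its own history rather than a fleet-wide average keeps a heavily used tablet from masking a phone that suddenly contacts many more internal hosts; devices with no baseline are surfaced separately so they can be reviewed rather than silently ignored.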
Unfortunately, there is no single vendor that a company can turn to for mobile security. Mobile security products span a wide variety of technology areas. M&A activity will eventually rationalize this list down, but in the short term, it's likely that companies will need to deploy mobile security technology from at least three different vendors or technology providers.
Mobile security is still in its infancy, but the trends around connectivity, device evolution and worker mobility mean organizations must start planning their mobile security strategy now. That process begins with assessing what mobile security controls are needed and developing a plan to put those controls into action.
About the author:
Zeus Kerravala is principal analyst for ZK Research. He provides a mix of tactical and long-term strategic advice to help his clients succeed. Prior to ZK Research, Kerravala spent 10 years as an analyst at Yankee Group. Before Yankee Group, Kerravala held a number of technical roles, including senior technical positions at Greenwich Technology Partners, Ferris, Baker Watts and Alex Brown and Sons, Inc.