As workforce mobility increases, so do the opportunities for costly data leaks. Information security officers are in uncharted territory, seeking better ways to embrace the benefits of mobility while effectively managing business risks associated with mobile security threats.
Attempts to safeguard enterprise data by banning mobile data access or locking down smartphones have largely failed, and that failure demonstrates a pressing need for more effective strategies. In a 2014 Ponemon survey of IT and IT security practitioners, 63% reported that their organizations had experienced data breaches as the result of mobile security issues. The average organization had roughly 23,000 employees with mobile devices, and 37% of those devices were estimated to contain sensitive information.
"With mobile devices, you have data at the user's disposal -- literally," says Tom Sivo, CISO and CTO at Interpublic Group, a global advertising holding company. "They can delete or lose it or deploy it anywhere, and that's a danger. We have to make [users] aware of the data wallet or purse that they're carrying and their responsibility to care for it properly."
Many enterprises and midmarket companies are now pursuing mobility initiatives to increase employee productivity, improve customer service and grow revenue, according to 1,400 respondents polled in Cisco's Enterprise Mobility Landscape Survey 2015. The top obstacle, however, remains mobile security risk, trumping even budget constraints.
"Just to stay secure, to keep current and protect against the latest attacks, you need to invest," says Sivo, whose agencies have close to 50,000 employees worldwide. "It can be hard to convince a business lead or CFO, but finding those resources -- which can mean re-balancing other projects -- is now almost a daily activity."
Before he can deploy enterprise mobility management (EMM) tools -- to manage devices, apps and mobile content across an organization -- Sivo must convince business, finance and IT leads at office, regional and global levels. He is leveraging insights from IPG's internal audit team and third-party attack and penetration testers to help make his case. "Getting a 360 perspective helps me convince them of the urgency," he says.
Top mobile security threats
Sivo is not alone. More CISOs are focusing on accidental data exposure as a serious mobile security threat, according to Michael Raggo, director of security research at MobileIron and co-author of Data Hiding, a look at advanced concealment techniques, including steganography (hiding data inside other files or media so that its presence is not apparent). "Every time a new OS version comes out, users can end up accidentally sharing data in new ways, from AirDrop or Open-In to screenshots and cloud backup," he says. "In addition to direct exposure, these leaks have regulatory compliance implications."
Many enterprises are also concerned about device compromise -- specifically iOS jailbreaking and Android rooting. "Malware such as iOS WireLurker, Masque, XcodeGhost and Android Stagefright all impact apps at the device level, presenting a huge risk to data," says Raggo. "Our research shows that even legitimate apps can expose PII [personally identifiable information] or PHI [protected health information] by embedding libraries that have some sort of adware or data harvesting capability."
Security teams aren't the only ones focused on mobile security threats. "Increasingly, CISOs need to prove to their board that they've taken action to protect against and remediate mobile malware," says Neil Florio, vice president of marketing at Fiberlink, an IBM company that offers the cloud-based MaaS360 platform, which in August was the first EMM to receive provisional authorization to operate from FedRAMP.
To improve controls over mobile downloads, EMM vendors such as Fiberlink and MobileIron are now integrating with mobile-app reputation specialists such as IBM's Trusteer and Veracode to deliver real-time information about apps that pose mobile security threats.
Containers to prevent leaks
While traditional risk management focused on who owned and administered the device, those strategies proved far too broad and inflexible once employees began bringing their own devices (BYOD). "CISOs need to control mobile data risk uniformly and consistently -- but also with flexibility," says Florio. Many enterprises are moving to containerized approaches and more granular data loss protection policies, according to Florio, with growing emphasis on securing data in transit and preventing breaches of the corporate network from compromised devices.
Napa County CISO Gary Coverdale is tasked with protecting 26 different departments, from health and human services to law enforcement. To reduce opportunities for data leakage, including data stored on lost devices, data leaked through cloud services, and mobile malware, county workers use Good Technology's Good for Enterprise Suite on both corporate and bring your own devices.
"We have a high bar to meet when it comes to protecting data," says Coverdale. "Because I consider people and policy to be the weakest link, I prefer a truly containerized, sandboxed approach to give us safe harbor when we lose a device. We can wipe those devices -- but with a container, we don't have to, so we're not infringing on personal use of BYODs."
County-owned devices are locked down, says Coverdale, but BYOD users can do anything they want to their devices. For this reason, Good's containers are used to protect county data, coupled with anti-leak policies to stop containerized data from being copied into personal areas of the device. "Containers allow me to sleep better at night," he says.
With data containerization, if a user opens an attachment, it can be automatically dumped into a container, requiring no extra user action. "Mobile operating systems support a more proactive defense-in-depth approach, combining OS sandboxing with native encryption, containerization and MDM APIs to control how data is shared," MobileIron's Raggo says. If an enterprise employee needs to share data or collaborate, IT can provide the means to do so -- for example, using enterprise cloud apps.
Classification and flow control
IPG also uses classification policies to provide data loss protection. "Our clients tell us how they classify and prioritize their data, and we use contract language to attest to proper controls around PII," says Sivo. "This year, we introduced InfoSec controls, based on the SOX model. Asking, for example, do you have a data inventory process? Are you abiding by our policies and practices for data management? We'll then institute InfoSec controls to address any gaps we may find."
The company backs classification with audit and risk management processes that examine data flows. "We look at outbound emails to personal accounts. We look at spikes in activity. We look at what's going to external sites like Dropbox," explains Sivo. "We do this with internal audits and then talk about it openly at leadership and governance meetings so that everyone knows where data goes. This keeps everyone on their toes and accountable."
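The audit Sivo describes -- outbound mail to personal accounts, uploads to external sharing sites, and spikes in a user's activity -- can be expressed as a small set of detection rules run over mail and web proxy logs. The following is an added example, not IPG's tooling or code from this article: it parses a constructed log (the `from=`, `to=`, `host=`, `bytes=` field names, the personal-domain list, the per-user daily baselines and the 10x spike factor are all assumptions) and reports findings per user so they can be discussed at the governance meetings mentioned above.

```python
"""Flag risky outbound data flows in a constructed mail/web proxy log (added example)."""
import re
from collections import defaultdict

# Constructed sample log. The line layout and field names are assumptions for
# this example, not any vendor's log format.
SAMPLE_LOG = """\
2015-10-05T09:01:10 mail from=alice@example.com to=bob@example.com size=20480
2015-10-05T09:15:44 mail from=alice@example.com to=alice.home@gmail.com size=5242880
2015-10-05T10:02:03 web user=carol@example.com host=drive.google.com method=PUT bytes=104857600
2015-10-05T10:05:12 web user=dave@example.com host=intranet.example.com method=GET bytes=3100
2015-10-05T11:30:00 web user=carol@example.com host=www.dropbox.com method=POST bytes=734003200
2015-10-05T12:00:00 mail from=dave@example.com to=partner@customer.example size=1024
"""

# Assumed policy inputs: consumer mail domains, external sharing hosts, and each
# user's normal daily outbound volume (bytes) learned from earlier audits.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
CLOUD_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "drive.google.com", "wetransfer.com"}
UPLOAD_METHODS = {"PUT", "POST"}
BASELINE_BYTES = {"alice@example.com": 1_000_000, "carol@example.com": 50_000_000}
SPIKE_FACTOR = 10  # flag a user whose outbound volume exceeds 10x their baseline

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp kind key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(" ", 2)
        event = {"ts": ts, "kind": kind}
        event.update(KV.findall(rest))
        events.append(event)
    return events


def mail_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def audit(events, baseline_bytes):
    """Apply the three rules and return a list of findings (user, rule, detail)."""
    findings = []
    outbound = defaultdict(int)  # bytes leaving the organization, per user
    for ev in events:
        if ev["kind"] == "mail":
            user, recipient, size = ev["from"], ev["to"], int(ev["size"])
            if mail_domain(recipient) in PERSONAL_MAIL_DOMAINS:
                findings.append({"user": user, "rule": "mail_to_personal_account",
                                 "detail": recipient})
            if mail_domain(recipient) != mail_domain(user):
                outbound[user] += size  # only mail leaving the corporate domain counts
        elif ev["kind"] == "web" and ev["method"] in UPLOAD_METHODS:
            user, host, size = ev["user"], ev["host"], int(ev["bytes"])
            if host in CLOUD_SHARE_HOSTS:
                findings.append({"user": user, "rule": "upload_to_cloud_share",
                                 "detail": f"{host} ({size} bytes)"})
            outbound[user] += size
    # Spike rule: compare today's outbound total with the user's learned baseline.
    for user, total in outbound.items():
        base = baseline_bytes.get(user)
        if base and total > SPIKE_FACTOR * base:
            findings.append({"user": user, "rule": "outbound_spike",
                             "detail": f"{total} bytes vs baseline {base}"})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), BASELINE_BYTES):
        print(f"{finding['user']:20} {finding['rule']:26} {finding['detail']}")
```

The spike rule deliberately counts only traffic that leaves the organization (external-domain mail and uploads), so internal collaboration does not trigger it; the baselines would in practice be derived from the audit history rather than hard-coded as here.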
Mobile data flows can be controlled at many levels. On the device itself, flows between apps can be controlled using OS capabilities like iOS Managed Open-In and more granular policies offered by containerized systems. But when it comes to leak prevention, data in motion is a whole different ballgame.
As more business data goes to the cloud, IT teams need to get out in front of any shadow IT and other risks. "IT must engage with business and financial leadership to raise awareness and insist upon best-in-class data management practices," says Sivo. "Encryption everywhere must be the standard," he adds. "We're also looking at tagging and audit trail solutions to tell you where data goes, because we can't stop it. But if we can start showing them their data outflows, we can have relevant discussions."
Strategies to narrow gaps
To minimize release of data into the wrong hands, Napa County is developing a strong awareness program and policy that's not confusing, and backing up those efforts with data loss protection technologies. "We are now looking at data leak prevention solutions -- including Good's -- to prevent and track PII and PHI from being released, or at least notifying us that data is being moved out of the container," says Coverdale.
While virtual private networks (VPNs) protect mobile data in transit, a device-wide VPN also extends the corporate network to every app on the device, including any malicious one, which increases the risk of a corporate network breach. The per-app VPNs added to iOS and Android provide finer-grained control, more efficiency and better security. "By whitelisting with per-app VPN, you can control which apps can reach the enterprise cloud," says Raggo. "If a malicious app does make it onto the device, it doesn't have access to the corporate network."
Integration between EMMs and third-party app reputation and mobile security threat technologies is also enabling more holistic defense strategies. "Registering devices with an EMM makes it possible to create app inventories. Combining this visibility with reputation allows detection of known and zero-day malicious apps," Raggo says.
Device-resident EMM agents are commonly used to detect malware and jailbreaking or rooting, notifying IT to take actions such as quarantining the device or performing a full or selective data wipe. "It's not a matter of if you're going to get breached but when," says Fiberlink's Florio. "You want to detect breach activity, share it with your SIEM, look for anomalies and then be able to act on threats."
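The two preceding paragraphs describe a pipeline: the EMM's device registration yields an app inventory, a reputation feed classifies each app, the agent reports jailbreak or root status, and IT maps the result to an action (notify, quarantine, selective wipe of the container, or full wipe). The following is an added example, not code from Fiberlink, MobileIron or any EMM product: it runs that decision over a constructed inventory and reputation feed (device records, bundle IDs, verdict labels and the severity-to-action mapping are all assumptions). It also encodes the BYOD constraint from Coverdale's comments above, wiping only the container on an employee-owned device rather than the whole device.

```python
"""Map EMM device posture plus app reputation to a compliance action (added example)."""

# Constructed reputation feed keyed by bundle ID. Verdict labels are assumptions.
APP_REPUTATION = {
    "com.example.mail": {"verdict": "trusted"},
    "com.example.flashlight": {"verdict": "malicious",
                               "reason": "harvests contacts and posts them to a third-party host"},
    "com.example.game": {"verdict": "adware",
                         "reason": "embedded ad SDK collects device identifiers"},
}

# Constructed device inventory as an EMM might export it after registration.
DEVICES = [
    {"id": "D1", "owner": "alice", "ownership": "corporate", "jailbroken": False,
     "apps": ["com.example.mail"]},
    {"id": "D2", "owner": "bob", "ownership": "byod", "jailbroken": True,
     "apps": ["com.example.mail"]},
    {"id": "D3", "owner": "carol", "ownership": "byod", "jailbroken": False,
     "apps": ["com.example.mail", "com.example.flashlight"]},
    {"id": "D4", "owner": "dave", "ownership": "corporate", "jailbroken": False,
     "apps": ["com.example.game", "com.example.newapp"]},
]

# Severity levels (assumed): 0 clean, 1 notify, 2 quarantine, 3 wipe.
SEV_CLEAN, SEV_NOTIFY, SEV_QUARANTINE, SEV_WIPE = 0, 1, 2, 3


def evaluate(device, reputation):
    """Return (action, reasons) for one device; the highest severity wins."""
    severity = SEV_CLEAN
    reasons = []
    if device["jailbroken"]:
        # A jailbroken or rooted device undermines the OS sandbox the container relies on.
        severity = max(severity, SEV_WIPE)
        reasons.append("jailbroken/rooted: OS sandbox and container assurances no longer hold")
    for bundle in device["apps"]:
        rep = reputation.get(bundle)
        if rep is None:
            # Unknown app: not proof of compromise, but worth an analyst's look.
            severity = max(severity, SEV_NOTIFY)
            reasons.append(f"{bundle}: no reputation data (unknown app)")
        elif rep["verdict"] == "malicious":
            severity = max(severity, SEV_QUARANTINE)
            reasons.append(f"{bundle}: {rep['reason']}")
        elif rep["verdict"] == "adware":
            severity = max(severity, SEV_NOTIFY)
            reasons.append(f"{bundle}: {rep['reason']}")
    if severity == SEV_WIPE:
        # Full wipe only on corporate-owned hardware; on BYOD wipe the container only.
        action = "full_wipe" if device["ownership"] == "corporate" else "selective_wipe"
    else:
        action = {SEV_CLEAN: "allow", SEV_NOTIFY: "notify", SEV_QUARANTINE: "quarantine"}[severity]
    return action, reasons


def evaluate_all(devices, reputation):
    """Return {device_id: action} for a whole inventory."""
    return {d["id"]: evaluate(d, reputation)[0] for d in devices}


if __name__ == "__main__":
    for device in DEVICES:
        action, reasons = evaluate(device, APP_REPUTATION)
        print(f"{device['id']} ({device['owner']}, {device['ownership']}): {action}")
        for reason in reasons:
            print(f"    - {reason}")
```

Quarantine here means revoking the device's access to corporate resources while leaving the container in place, so that a user whose only offence is an installed adware app is notified rather than wiped; the mapping is policy and should be tuned to the organization's risk tolerance.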
"But what about stolen devices that fall off the network?" asks Raggo. Some of these tools are being refined to provide offline protection as well, using locally resident policies to perform a data wipe in real time.
Looking ahead, Florio sees growing demand for integrated systems that provide visibility and control end-to-end, from the corporate network through the carrier's network and into the cloud. "If enterprises don't have complete visibility, they can't protect the flow of data," he says. However, ensuring QoS and security end-to-end will require collaboration between EMM vendors and carriers.
Finally, many experts see growing integration between EMM and identity management systems. As Workday, Salesforce1, Office365 and other cloud apps become more pervasive, integrated identity management becomes more valuable. "CISOs want to know whether a person has the right to access data, whether it's inside the organization or on the cloud," says Florio. "From IT's perspective, single sign-on is about ease of use, but from the CISO's perspective, SSO is also about how to protect data more effectively."
About the author:
Lisa Phifer owns Core Competence Inc., a consultancy specializing in safe business use of emerging Internet technologies. In 1994, Lisa received a Bellcore President's Award for her work on the South Carolina Information Highway. Since joining Core Competence in 1995, she has focused on secure mobility. Lisa is a recognized industry expert on wireless, mobile, and cyber security. She has conducted cyber threat research and written extensively about safe networking needs, technologies and best practices.