- Michael Heller, Senior Reporter
As mobility increases workforce productivity, CISOs need to develop a mobile security strategy that strikes a balance between a great user experience and effective information security. The key to scaling the mobile maturity ladder is in how well you know your users and the devices they bring to your organization.
Jim Routh, CSO at Aetna, says there are minimum levels of security he requires regardless of device ownership.
"Aetna has approximately 6,000 enterprise users who either bring their own mobile device or use a mobile device issued by the company," Routh says. "Each of them uses mandatory protection that provides an encrypted channel to use in compromised Wi-Fi networks and alerts the user and enterprise before any malicious mobile app is being installed on the device. This same capability is provided to all top executives for their personal mobile device."
Colin Minihan, director of security and best practices at VMware AirWatch, says understanding users and their needs will help a mobile security strategy progress from stage zero, having no plan; to having a one-size-fits-all plan (stage one); to a flexible plan that "fits ownership and is unique to the culture of the company" (stage two); to integrating "industry-specific, vertical or use-case specific capabilities," including regulatory compliance concerns (stage three); to a mature mobile security strategy, with the right tools and processes in place.
"Getting all the way to the other end would be not just having a strategy that fits uniquely where I am as a company and where I do business, but also taking into account what the future would hold and where I may be in a year," Minihan says. "How my employees may use mobile devices next year, the year after, the year after that -- and taking that into account with the security strategy today so that the company is ready for it when that change does arise."
Big Brother and other privacy concerns
Employees think that IT has a lot more visibility into their private information on mobile devices than what's actually possible.
In order to combat this, many security vendors include transparency notifications explaining what exactly the enterprise can and cannot do on a mobile device. But Sean Ginevan, senior director of strategy at MobileIron, says it is still best that the IT staff maintain clear communication with users.
"We certainly see that communication is key. And, whether you're doing BYOD or not, we see that because they're on us 24 hours a day; these are very personal devices, and they end up being mixed-use regardless of ownership," Ginevan says.
"Enterprises need to communicate proactively, not just about what they're doing when the program gets launched, but also as the mobile world changes." -- M.H.
VMware AirWatch and Check Point Software Technologies outline the pathway to mobile maturity in terms of categorizing data or users into similar groups, devising particular plans of action for each group, and choosing the right tools for the job. Other EMM providers, such as MobileIron, describe their mobile maturity philosophy as data-centric, meaning email is secured first before moving on to SharePoint, ISV or workflow-based apps, and ultimately a fully "mobile-first" view of productivity.
On the surface, these approaches make it sound as though the base level of a mobile security strategy requires a choice between prioritizing access controls or data security. But according to Patrick Hevesi, a former senior director of information security at Nordstrom and current research director at Gartner, it's impossible to have one without the other.
"Knowing what type of data they're asking for and who are 'they' are the basics, so most organizations will start there," Hevesi says. "The more mature organizations will care about other things, but you need to give the end user the ability to choose. So if they need access to higher classified levels of data, you're going to probably want them to be fully managed, fully controlled, on approved types of devices. If they just want some email or contacts, you can do bring your own device and [Exchange ActiveSync] or some form of access to that. And then in between, if they need to VPN in or if they need to get into SharePoint or any other kind of business application, you might have some flavor between that based upon the data classification."
This approach is commonly known as the three w's: Who needs access? What do they need access to? What is the posture of the device? Another important consideration: Where is the user or the data in case of issues with data sovereignty?
Mobile encryption times three
As far as CISOs are concerned, according to Gartner research, three levels of encryption matter on a mobile device. The first is device-level encryption, which is primarily used to protect devices when they are lost or stolen.
"Device encryption is really targeting people who steal your phone and try to access the data off your phone. If it's not encrypted, I can just plug it into a USB and then start to try to do stuff," says Patrick Hevesi, Gartner research director.
"The bigger issue is that vendors aren't enforcing passcodes. If I skip out and put no authentication at all on that, that device encryption is useless. Not having device encryption is about the same as having device encryption with no passcode."
The second layer is the encryption of the data stored in a secure container on a device. But, Hevesi says, there is a third layer that enterprises often overlook, which is that not all apps transmit data securely.
"There's no segregation of network traffic," Hevesi says. "So if an app developer doesn't encrypt something, that's where these unwanted applications really thrive; they're looking for that network channel that's outside of the container to try to find something." -- M.H.
Salespeople, employees who travel a lot, and those "in corner offices" are more likely to need anytime-anywhere access to sensitive data. These groups are either provided a tablet, smartphone or both by the organization, or they have more stringent security measures installed on their devices.
Ownership of the device is a governance and cost question, notes Sean Ginevan, senior director of strategy at MobileIron, and it doesn't affect security. "What's going to change the security model is the types of data that these mobile devices are going to be accessing and the risk profile that that access provides," he says. "I honestly think that the security architecture that's put in place is all driven around the use cases you're going to use for mobile and far less so by who owns the device."
BYOD and device management
In addition to mapping out use cases, it is important to have an inventory of the devices and different versions of mobile OSes that connect to your network, according to Rick Holland, a former analyst at Forrester Research and current vice president of strategy for Digital Shadows. Mobile device management includes "knowing where the exploits in the wild are, and then adjusting your security program [and] having more rigor when you start to see an uptick in a particular type of attack vector from an adversary group."
Steven Lentz, CSO for Samsung Research America, says mobile device management (MDM) software combined with a secure container option is the standard protection for every device in his organization.
"If you take a look at a normal company's infrastructure, everything is behind firewalls, data loss prevention stuff, advanced persistent threat stuff, everything. You have all this infrastructure built in for your laptops and PCs, but then if you look at mobile devices, there's really nothing that's protecting mobile devices," Lentz says. "[MDM] is the closest thing to zero-day malware protection you can get on mobile."
Enterprise MDM should not be considered impenetrable, however, according to Gartner. "As a CISO, if you're going to let a device into your network, you want to be sure," Hevesi says. "So you want to see that device from the beginning. And that's why administrators look at things like the Apple Device Enrollment Program or the Samsung [KNOX Mobile Enrollment], where they're actually controlling the device all the way and locking things down," he says. "Just because you have MDM on the device doesn't mean it's going to be 100% foolproof."
Rooted and jailbroken devices
One of the more complex device risks facing anyone setting up an enterprise mobile security strategy is that of tablets and smartphones that may be rooted or jailbroken, or more broadly, that allow admin-level access.
Lentz says that when he first rolled out MDM at Samsung Research, he found three Android devices that were rooted and one jailbroken iPhone, and just last year he needed to quarantine eight devices because they had been rooted or jailbroken.
According to Kurt Roemer, chief security strategist for Citrix, this issue is what really separates traditional PCs from mobile devices.
"Really, the baseline is to have a known security configuration. And so for, say, a Windows laptop, you want to make sure you're patched and up to date, running antivirus, have a personal firewall configured, you're doing all the right things," Roemer says. "On a mobile device, primarily it's making sure that it's not jailbroken or rooted and then to make sure that there's a passcode enabled so device-level encryption is turned on."
Gartner says this kind of admin-level access can allow for stolen data, or it can lead to more advanced attacks.
"What some of the hackers will try and do is, once they get device admin, they have enough elevation of privilege that they'll hide their application or their malware in the system," Hevesi says. "When you then take that BYO device and bring it into your organization to be managed, the MDM will try to detect if something is wrong, but if the malware is already on there and it has been hidden through some of these more advanced techniques, the device will show as fine."
The best option, Hevesi says, would be for enterprises to manage and control a device from the start, but that is increasingly difficult with BYOD because an organization can't simply wipe an employee device and start everything from scratch. This is why, Hevesi says, most security vendors are working toward monitoring network traffic for communication with known command and control servers, behavior anomaly detection -- including USB debugging and other admin-level settings being toggled -- vulnerability management, and application scanning and risk.
Risky apps and malware
Enterprises ultimately want to allow users to blend work and personal activities when it comes to apps, which means there are two types of risky apps that need to be considered -- those that are outright problematic, like apps that include malware and apps that handle corporate data poorly, and personal-use apps that might ask for far-reaching permissions.
"By integrating their systems with ours, a customer can use that data to say, 'Oh, this particular application is less trustworthy. Let me go ahead and blacklist that, so the user can't access enterprise data with that risky app installed,' " MobileIron's Ginevan says. "We're seeing a lot of third-party apps go and access platforms like Salesforce and they download all the data. And, unless that app is managed, you as an enterprise have no control over it. You can't delete that data without wiping out the entire device."
For apps that enterprises may want to blacklist, many mobile security providers maintain partnerships with companies like Veracode, FireEye and Appthority that track app stores and judge the relative risk of mobile apps. App reputation services often rely on proprietary methodologies for tracking and rating apps and do not share data.
While security experts have noted the rising amount of mobile malware, many couch those concerns as long as software is installed through the official Google Play or iTunes app stores, because the likelihood of malware being found in these apps is extremely low.
Gartner's Hevesi says there are still attack vectors, however; and some, although unlikely, can be quite scary.
"The best example right now -- and the worst vulnerability, in my opinion -- are the malicious profiles on iOS. On iOS, there is the concept of profiles, so your MDM agent will install a management profile and that's how they manage the device. … An attacker will try to phish you to a site with a configuration profile and, within that profile, they'll embed a root certificate," Hevesi says. "So they get the end user to accept the profile, [and] then to accept the root certificate.
"Then … I control the entire device. I can decrypt traffic; I can man-in-the-middle; I can install applications; I can watch what you're typing; I can intercept your phone calls; I can do it all and the device is not jailbroken."
No matter what the device risks or security controls, CISOs should work toward a mobile security strategy that balances ease of deployment and transparency of whatever the technology control is alongside the risk profile of a particular group of users, according to Digital Shadows' Holland.
"Validating user experience [is] really, really key if we want to avoid giving ourselves our own black eye versus an adversary doing it," Holland says. "We can shoot ourselves in the foot when we roll out a new web proxy and, all of a sudden, web pages are getting clocked. Same thing with containerization, so you need to understand the use cases where it makes sense, where the risk level is commensurate with that control, and then take a very deliberate [approach to] deployment."
About the author:
Michael Heller is a senior reporter for SearchSecurity covering breaking information security news, industry analysis and product strategy.
Why data loss tops mobility risks in the enterprise
Should you invest in antimalware protection for mobile security?
Readers' Top Picks for enterprise mobility management