Checking the box: That's an unfortunate, yet common, approach to addressing security in the enterprise, including...
mobile security issues. It's happened for decades with traditional network and computer systems along with the applications and databases involved. This box-checking mindset is also extending to the cloud. Perhaps the most obvious -- and concerning -- area where people are simply going through the motions is with mobile security management. Unknowns, oversights and gaping holes make up a large portion of any enterprise computing environment. Yet time keeps passing and, eventually, something bad will happen.
Where the gaps are
Key mobile security issues include security gaps caused by a variety of factors. In some cases, it's a lack of visibility and access controls. It could be rogue apps being utilized for business purposes that are unnecessarily exposing corporate information assets. It could be oversights in terms of endpoint security standards and system hardening. Whatever the case, if you don't have a solid mobile security management strategy and, just as important, don't use the right tools to enforce your policies, then you're just going through the motions. Inevitably, an incident or confirmed data breach will happen to you.
How does an enterprise security professional ensure proper oversight, compliance and address myriad security challenges while at the same time minimizing mobile complexities and maximizing the user experience? Enterprise mobility management (EMM) and its successor unified endpoint management (UEM) address these challenges in modern mobile computing environments. They go well beyond mobile device management (MDM) controls. And, of course, they're light-years ahead of doing nothing at all -- an all too common approach.
A big focus of these new mobile security management technologies is controlling and overseeing mobile enterprise apps. In the past, the typical approach was to let users not only bring their own device but also let them choose which mobile apps to use to get their work done. Risky business. EMM and UEM can offer much more granular control to limit this risk. By guiding users' app choices, IT can control which business content those apps can access, process and store, and can even perform threat analysis and oversight on the apps, raising mobile security to a new level.
Such an approach to app and content management resolves the recent challenges we've had involving BYOD and the seemingly unenforceable acceptable usage policies that users either ignore or know nothing about.
Are you taking the 'ostrich' approach?
It's natural to want to stick your head in the sand and hope for the best. But if you don't have EMM, UEM or even MDM controls in place -- and in certain cases, even when you do -- you need to consider the following:
- Are you really aware of your mobile risks? Says who? Has an outside expert been involved? Have others -- e.g., management, legal or business unit leaders -- been involved to help decide what's important and what's risky?
- Knowing what you know based on your risk assessment -- that's the only way to find out where things stand -- do you believe your business is where it really needs to be in terms of dealing with mobile security issues and endpoint management? What about apps and business content? Are they completely locked down? What exposures remain?
- How are your mobile security efforts helping or hindering your other enterprise IT and security initiatives?
- How will the internet of things affect mobile oversight? Are you prepared to take on an entirely new set of converged systems that create tangible risks beyond laptops, phones and tablets?
- Have you thought about how big data analysis and related threat intelligence -- some of which you may already be using in other areas of security -- can impact mobile deployments and access?
It's easy to not know what you don't know. Just ask any of the big companies that have suffered enormous losses because they overlooked what would be considered pretty basic weaknesses and breakdowns in security operations. If it can happen to them from a general security perspective, it can certainly happen to you in the context of mobile, especially given its growing complexity and the increased business dependence on mobile devices, apps and content.
'Good enough' never is
But the best of intentions and the best of mobile management and security deployments can lead to a false sense of security. "Good enough" products rarely are. In all but the most basic of enterprise configurations, mobile security issues simply cannot be effectively managed without EMM and UEM controls. Perhaps you could start out by addressing identity access and management, a common mobile challenge. Then you could expand by locking down apps and endpoints. Integrating with existing network security controls may be just what you need to bring things full circle and have a more holistic security environment that actually works for your business.
Acknowledge the complexities and risks, and do something about them. For current mobile deployments, and whatever it is that comes next, the only way is to see the bigger picture. Step back, take it all in and make the right decisions today that will set you up for success down the road.
To paraphrase American motivational speaker Jim Rohn, lack of direction, not lack of time (or money for that matter), is the problem. Do what you can to address this issue now on your terms before you're forced too once your mobile environment becomes even more complex.