Safely Enabling Mobile Devices - Planning for Network Security Part 3
The topic of mobile security (and BYOD) is probably one of the most divisive security topics, and at the same time, one of the most critical challenges security organizations face worldwide. Why? According to IDC and Gartner data (PDF) on mobile devices, annual revenue generated by smartphone and tablet sales has exceeded that of PCs by 4x. Mobile device use cases are vast, and the conditions for securing devices on a user or enterprise basis can be so diverse that architecting the right enterprise mobile security solution can be very challenging.
Organizations have explored various options, none of them ideal. Very security-conscious organizations have chosen to block all mobile devices. While this may be an acceptable option for some employees, others will find a way to use mobile devices despite such policies. In addition, it prevents the organization from tapping into mobile productivity benefits that could improve revenue.
Other organizations have attempted to address mobile security challenges by extending the same products and technologies used to secure laptops, like IPS, anti-malware and VPN, to mobile devices. This approach has its limitations, as existing security technologies may not provide coverage for mobile threats and are not suitable to run on mobile devices with limited computing power and battery life. The ephemeral quality of VPN also means that when a user disconnects, they are no longer subject to network security controls and may therefore inadvertently download malware or share files inappropriately.
Requirements for Securing Mobile Devices
So, what are the right requirements for securing mobile traffic? Three critical elements are:
• Managing the device – The challenge with mobile devices is that there are so many settings and knobs to personalize that a user can easily put the device in a state that is ripe for compromise. Therefore, to secure a mobile device, you first need to manage it. But think of this less as typical MDM device onboarding or asset management and more as management from a security angle. Information about the state of the device can be used in making decisions to protect the device and control the data. For example, a device that has malware can be blocked from accessing corporate data.
• Protecting the device - In his article in Network World on VMware's acquisition of AirWatch, Zeus Kerravala correctly pointed out that it is impossible to remove security threats solely by managing mobile devices. We also established earlier in this article that protection of the device cannot be done at the endpoint. Therefore, protection of the device needs to occur on a network device that sees all mobile traffic and can implement protection against a spectrum of threats, including exploits and new, unknown forms of malware. Protection of the device must include always-on secure IPsec and SSL VPN connectivity to ensure that protection extends to insecure locations like hotel Wi-Fi or public hotspots.
• Controlling the data - The network is also the right place for IT to see all mobile traffic and enforce control between applications and mobile users, and that’s true regardless of what device is being used. Controlling the data means establishing access to corporate applications and the data associated with them, in addition to controlling data that may traverse laterally between applications on the same mobile device. In BYOD use cases, the organization can’t control what users do with their own devices, but it can control access to applications once the users touch the network.
These requirements need to be evaluated as a solution or system, because they are interdependent and must operate as a comprehensive framework. For example, when a new form of mobile malware is discovered (protect the device), the endpoint may be wiped (manage the device), or access limited (control the data).
Planning for Mobile Security in 2014
So how do you start planning for mobile security in 2014?
Here’s a 3-step plan:
• Start with your objectives – Identify what your goals are, which includes identifying the types of mobile devices you will support on your network and the types of critical applications and data that can be accessed from mobile devices. You need to find the right balance to deliver a mobile security environment that meets productivity and flexibility needs without putting your devices, apps, or data at risk. Consider the following:
> Will BYOD be part of your mobile security strategy? Does it make sense to support BYOD as part of your mobile security strategy, or do you limit access for users on BYOD devices?
> Regulatory and industry concerns – How do your regulatory compliance requirements apply to mobile devices and the data on them?
• Building your infrastructure - Your mobile security strategy should focus on vendor solutions that can deliver the requirements above in a comprehensive, integrated solution. Take your time to look at mobile security from a completely different perspective than traditional remote access or traditional MDM solutions. Instead, the focus should be on vendors that already have a strong security and threats focus, and that understand how to implement the right safe enablement policies.
• Institute mobile device policies and standards - Finally, develop mobile device policies and standards for your organization, making sure to institute them hand-in-hand with an education and training program for end-users.