
Why Mobile Security Is Like Jell-O

Blog post by Joanie Wexler, Community Manager, Jan 28 2013

Understandably, enterprises embracing mobility usually worry most about security. After all, mobility eradicates traditional network borders. Doors into the network now can be opened nearly anywhere. 

For instance, no longer does identifying a device mean you’re also identifying an employee. Employees use multiple access devices with different addresses. And some might lend their devices – and credentials – to someone else. Mobile devices don’t match up with traceable physical switch ports, the way good old wired computers and IP phones do; rather, they can connect via any access point over the air.

It’s all like trying to get a firm grasp on a pile of Jell-O. 

So security gets the scrutiny, as well it should. But “security” has many facets. It’s not a simple function that’s just “on” or “off.” There’s lots to do. Ultimately, your arsenal of security tools needs to let you take the following actions, all automated by policies you set in software:

  • Identify every device, by make and model, that tries to connect to your network. Based on your policy, allow this device type and OS onto the network or block it.
  • Check whether the device’s OS versions and security patches are current, and block or quarantine the device if they are not.
  • Scan for malware; if found, block or quarantine the device.
  • Authenticate both the device and the user.
  • Match authentication credentials with network and application access policies stored in back-end AAA servers.
  • Encrypt confidential corporate data on the device.
  • Encrypt confidential data traversing the airwaves.
  • Remotely wipe corporate data on devices that go missing.
  • If you’re supporting BYOD, partition corporate data from users’ personal data so that confidential data doesn’t leak out via consumer apps, email attachments and social media.
  • Figure out how to do all of the above even if the employee, not the company, purchased the device.

This list makes it clear why security is a slippery struggle. Enterprises are trying to balance the benefits of multi-OS mobility with compliance with internal and industry policies. The two goals are inherently at odds. But, fortunately, tools are emerging to help you beat this situation into submission.

What tools or best practices have you discovered that help you tame the mobile security beast?


Discussion
jchutchian
Joyce Chutchian | Jan 30 2013

Don't forget the most important best practice, which is educating your users on what security features are built in, what the business offers and what they need to do to adhere to security policies. It may seem obvious, but sometimes we can be so concerned with tools and policies that we neglect the fact that if the user doesn't know the basics (or more), they can break rules and not even be aware of doing so. Take the time to educate the users - not just via email or a website link. Have a conversation.

Joanie Wexler
Joanie Wexler | Jan 30 2013

Agreed! Knowing what you want employees to do and not to do and documenting it in a policy that you distribute and/or discuss frequently with users helps prevent the security holes created by lack of user awareness. That should be the low-hanging fruit!

pcalento
Paul Calento | Jan 31 2013

Education is helpful, but infosec follow-through requires addressing the selfish interests of the users themselves. One approach may be to reposition/explain some of the info sec requirements in a way that emphasizes user privacy.