We are seeing a fundamental shift in the way IT is consumed, and consequently in the way it is secured, and that shift is mostly driven by mobile. The recent SBIC report, “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices,” highlights these shifts.
“A huge benefit of mobile devices is the user interface… This is simply how people want to interact with IT systems nowadays…” –Dr. Martijn Dekker (SVP, CISO, ABN Amro)
A number of trends around mobility make it a distinctly different and new security challenge:
BYOD: The fact that devices are personally owned, or treated as such, has serious implications. Many enterprises are struggling to get users to install Mobile Device Management (MDM) software on their devices, let alone deeper agents such as anti-virus or malware forensics. Beyond the lost endpoint control, BYOD also raises the question of when and how enterprise policy should be applied. The fact that I carry my phone all day, every day means that a large percentage of the time it is used for personal reasons. This forces enterprises to think about applying security policy sparingly.
Off Network: Network visibility is a drug to security teams. It’s needed more than anything else to understand what users are doing and when they are doing it. Unfortunately, in the mobile world, enterprise networks don’t have to be touched all that often. As soon as the data reaches the device, you’ve lost visibility from a network perspective (picture a sensitive piece of content being uploaded to Dropbox from a mobile device).
“Chatty” Interaction Model: Mobile users shift context between work and play very frequently. The BlackBerry changed the way email is consumed: it gave quick access to email and calendar without the need for a VPN. Android brought more play to these devices, and what we are left with is a constant flip between work and play throughout the day. Constant switching offers few natural points for strong authentication and blurs the line as to when enterprise security policy should be applied.
Web/Federated Access Model: More and more cloud services are being used for enterprise purposes (Google Apps, Salesforce, Box, Office 365, etc.), and each of them makes use of web-based authentication standards such as SAML and OAuth. As enterprise app development evolves, more and more things will be developed with a “mobile first” mindset. This will push more traditional enterprise authentication and identity management into a web standards world.
Fundamentally, you still need to secure data and identities and get threat visibility, but you need to do it while working within these trends. The SBIC report calls out the need for MDM, but cautions against over-reliance on it as a security solution. The overall mobile market is maturing beyond MDM into application and data management. Strong authentication methods, especially those that rely on risk-based methods, as well as data security and threat forensics will be layered on top of these infrastructure components to create a true mobile security stack that can take much of the mystery out of BYOD.
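To make the “apply policy sparingly, step up only when risk warrants it” idea concrete, here is an added illustration of a risk-based step-up decision for a mobile access request. It is not code from the SBIC report or from any vendor product. The signals (MDM enrollment, on/off corporate network, time since last strong authentication, change of country, jailbreak status), the sensitivity labels, the weights and the thresholds are all assumptions chosen to show the shape of such a policy, not recommended values.

```python
"""Risk-based step-up authentication for a mobile access request.

Added example; signals, weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # existing session is enough
    STEP_UP = "step_up"    # demand a second factor before releasing data
    DENY = "deny"          # refuse outright


@dataclass(frozen=True)
class AccessContext:
    # Assumed sensitivity labels: 0 personal/none, 1 internal, 2 regulated
    sensitivity: int
    mdm_enrolled: bool
    on_corporate_network: bool
    minutes_since_strong_auth: float
    country_changed: bool
    # None = no agent on the device, so posture is unknown (typical unmanaged BYOD)
    jailbroken: Optional[bool]


def risk_score(ctx: AccessContext) -> int:
    """Weighted sum of signals. Weights are illustrative, not from the report."""
    score = 0
    if not ctx.mdm_enrolled:
        score += 20                      # no endpoint control
    if not ctx.on_corporate_network:
        score += 10                      # no network visibility
    if ctx.country_changed:
        score += 30                      # session moved between countries
    if ctx.jailbroken is None:
        score += 5                       # unknown posture is itself a (small) risk
    elif ctx.jailbroken:
        score += 50
    # Trust in the last strong authentication decays: +5 per full hour
    score += 5 * int(ctx.minutes_since_strong_auth // 60)
    return score


def decide(ctx: AccessContext) -> Decision:
    """Map score and data sensitivity to a decision; thresholds are assumed."""
    if ctx.sensitivity == 0:
        # Personal use: enterprise policy stays out of the way entirely
        return Decision.ALLOW
    if ctx.jailbroken and ctx.sensitivity == 2:
        # Compromised device plus regulated data: no second factor fixes this
        return Decision.DENY
    threshold = {1: 40, 2: 20}[ctx.sensitivity]
    return Decision.STEP_UP if risk_score(ctx) >= threshold else Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample requests, not real telemetry
    samples = {
        "personal app on unmanaged phone": AccessContext(0, False, False, 600, True, None),
        "managed phone on corporate Wi-Fi": AccessContext(1, True, True, 10, False, False),
        "unmanaged BYOD, internal app":     AccessContext(1, False, False, 10, False, None),
        "unmanaged BYOD, regulated app":    AccessContext(2, False, False, 10, False, None),
        "managed phone, country changed":   AccessContext(1, True, False, 10, True, False),
        "jailbroken, regulated app":        AccessContext(2, True, True, 0, False, True),
    }
    for label, ctx in samples.items():
        print(f"{label:36s} score={risk_score(ctx):3d} -> {decide(ctx).value}")
```

Note what the policy does with the unmanaged BYOD case: opening an internal app off the corporate network is allowed on the existing session, while opening a regulated app from the same device triggers a step-up. That is the “sparingly” point in practice: the enterprise only interrupts the user when the data at stake justifies it, and it treats a missing agent as unknown posture rather than pretending it has visibility it does not have.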