1. A 3-step plan is proposed for mobile security that starts with mobile device management (MDM), adds supplemental security measures like secure access and threat protection, and considers emerging technologies.
2. MDM provides capabilities for application management, device configuration, and data protection on lost devices. Supplemental measures address access control, malware, and data loss prevention beyond email.
3. Emerging technologies involve app/desktop virtualization, self-defending apps, and always-on VPNs, but device diversity and ownership models complicate a single security strategy. Consolidating products minimizes costs and complexity.
A 3-STEP PLAN FOR MOBILE SECURITY

A complex problem that requires a holistic approach

Mobility is here. Mobility is now. Mobility (along with cloud and social media) is one of the three new technologies that bring new productivity opportunities—and associated security risks. Add in the consumerization of IT, an explosion of corporate and personal mobile devices, and the fact that there are no simple mobile security solutions, and you have one of the major IT security strategy challenges of 2012.

The challenge is how to enable productivity and mitigate the threats, vulnerabilities, and risks in a way that strikes the best balance and lowest total cost.

This paper identifies specific countermeasures and management controls that you can use to establish a mobile security strategy that encompasses both corporate and personal devices. It also covers the threat scenarios, risks, complications, and solutions that IT security professionals should use to guide their decisions in this critical area of enterprise vulnerability.

Organizations that narrowly focus on one aspect of the problem and fail to holistically address the security challenges posed by mobility, as well as consumerization and device proliferation, run the risk of much lower user satisfaction, productivity, and business gains, along with higher costs and even exposure of sensitive data.

Start with your goals

Regardless of the devices involved and who owns them, what are you trying to accomplish? Is the goal to provide mobile access to useful corporate resources such as email, file services, and intranet apps? If so, highly limited, isolated mobile devices provide little value. In order to provide secure mobile access to these valuable resources (which is the goal of most organizations), you must:

1. Protect accessed data that is now local to the client device, and
2. Protect the client device itself, which serves as a conduit to both local and remotely accessible resources.

As you clarify your objectives, you begin to reveal the security tools and technologies that you will need. Some examples:

• Communication over unsecured networks requires an authenticated and encrypted tunnel.
• Protecting data that is both stored and in use on mobile devices requires encryption and data loss prevention (DLP).
• Device protection requires configuration management and anti-malware software.

Identify and understand the threats

It is easy to see why data loss is such a high priority for mobile security. Regulatory requirements and the low cost of mobile devices contribute to the problem. As the table below illustrates, most organizations should start with a focus on tools and techniques that help protect mobile data.

Threat                                        Risk
Lost or stolen device                         Unauthorized access to local or network-based data; data loss
Lost or stolen media card                     Local data loss
Misuse of local comms (e.g., Bluetooth, IR)   Compromised/infected device, and data loss and potentially degraded operation
Compromised apps                              Data loss and potentially degraded operation
Malware                                       Data loss and potentially degraded operation
Web/network-based attacks                     Data loss and potentially degraded operation
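The two goals above and the threat table imply a device-side check before any mobile access is granted, and the tiers that follow spell out what that check contains: configuration control, no jailbreak or root, encrypted storage, and, for resources beyond email, strong authentication plus an encrypted tunnel. The Python policy evaluator below is an added example rather than code from the paper or from any product it names; the posture fields, the two resource classes, and the sample devices are assumptions made for illustration, and it goes beyond the table by also encoding the later tiers' requirements.

```python
"""Posture-based mobile access check (added example, not from the paper).

Models the paper's requirements as a policy: baseline MDM-style controls
(enrolment, passcode, storage encryption, no jailbreak/root) for any access,
plus strong authentication and an encrypted tunnel once access goes beyond
email. Field names, resource classes and sample devices are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

EMAIL, INTRANET = "email", "intranet"   # resource classes (assumed)


@dataclass(frozen=True)
class DevicePosture:
    mdm_enrolled: bool          # Tier 1: device under configuration management
    jailbroken_or_rooted: bool  # Tier 1: device-integrity check
    passcode_set: bool          # Tier 1: password requirement enforced
    storage_encrypted: bool     # Tier 1: encryption control
    strong_auth: bool           # Tier 2: token-based authentication completed
    encrypted_tunnel: bool      # Tier 2: request arrives over an SSL VPN tunnel


def evaluate_access(p: DevicePosture, resource: str) -> tuple[bool, list[str]]:
    """Return (allowed, failed_requirements).

    Every unmet requirement is reported rather than stopping at the first one,
    so the decision can be logged and the user told what to fix. A jailbroken
    or rooted device is the one exception: the paper notes that all other
    defenses are undermined in that state, so nothing else is evaluated.
    """
    if p.jailbroken_or_rooted:
        return False, ["device integrity: jailbroken or rooted"]
    failures: list[str] = []
    if not p.mdm_enrolled:
        failures.append("not enrolled in MDM")
    if not p.passcode_set:
        failures.append("no device passcode")
    if not p.storage_encrypted:
        failures.append("local storage not encrypted")
    if resource != EMAIL:   # file services / intranet apps: "beyond email"
        if not p.strong_auth:
            failures.append("strong authentication not completed")
        if not p.encrypted_tunnel:
            failures.append("no encrypted tunnel to the network")
    return not failures, failures


def demo() -> dict[str, bool]:
    """Constructed sample devices; returns case -> allowed."""
    email_only = DevicePosture(True, False, True, True, False, False)
    full_access = DevicePosture(True, False, True, True, True, True)
    rooted = DevicePosture(True, True, True, True, True, True)
    return {
        "email_only->email": evaluate_access(email_only, EMAIL)[0],
        "email_only->intranet": evaluate_access(email_only, INTRANET)[0],
        "full_access->intranet": evaluate_access(full_access, INTRANET)[0],
        "rooted->email": evaluate_access(rooted, EMAIL)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```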
Countermeasures and other related controls

Given the objectives, threats, and risks discussed above, we present below three tiers of countermeasures and controls to help you establish and maintain a mobile security strategy. Because of the scope of the problem, we recommend that you start with the first set. Then adopt items from the other two, with your schedule based on such things as your organization's tolerance for risk, the nature of the business you are in, regulatory requirements, and the level of mobile maturity in your organization.

Some of the security controls listed below—such as mobile DLP, enterprise sandboxing, and self-defending apps—are newly emerging solutions. Unless your need is critical, delay adoption of these. More mature solutions are on the horizon that will be easier to implement and manage.

Tier 1: Mobile Device Management (MDM)

The term mobile device management is an artifact of convenience in this context. It's the capabilities that matter most, not the specific product category they come from. Some organizations get everything they need from Exchange ActiveSync® or BlackBerry® Enterprise Server, while others require a full-blown enterprise-class MDM solution. No matter which MDM solution makes sense, most organizations will eventually find it necessary to also implement some of the supplemental security measures described below.

Because current MDM offerings are light on security, we can expect the industry to evolve. Specifically:

1. MDM vendors may add more security capabilities to their solutions.
2. Mobile security vendors will add MDM capabilities to their solutions (this is more likely, because it is easier to add the simple to the complex, that is, MDM to security, than vice versa).
3. MDM and advanced mobile security could remain independent solutions.

All of these scenarios can deliver good solutions to the market, but the best integration and lowest overall costs are most likely if mobile security vendors add MDM.

While the primary objective of MDM is centralized life cycle management of mobile devices such as smartphones and tablets, many of the so-called device management features are also relevant from a security perspective. For example, if you can configure Wi-Fi settings and update applications, you can use these same features to reduce a device's attack surface. And other features such as remote wipe and encryption control provide added layers of data protection.

Robust MDM solutions should include the following:

• Application management - Includes the ability to inventory a device's applications, distribute/update software, and restrict the use (if not installation) of individual applications. It also often includes support for a self-service portal and/or enterprise app store.
• Configuration management and resource control - This entails having control over a wide range of device-level capabilities and parameters, including password requirements, camera functionality, SD card usage, and VPN, Wi-Fi, Bluetooth, and encryption settings.
• Device integrity - All of your defenses are effectively undermined when a mobile device is jailbroken or rooted. Being able to detect this condition is, therefore, a critical capability.
• Device recovery and loss mitigation - This includes device tracking, manual and automatic lock-out, manual/automatic wiping of all or selected data, and support for device-level backup and restore.
• Support and service management - Remote control is useful for technical support, while expense control is intended to moderate usage, particularly when costs are high (e.g., roaming abroad).

What about policies, agreements, and user awareness? Policies are a key tool for any mobile security strategy, and the policies you choose determine the specific technical controls you need. Getting users to sign mobile-use agreements that document their rights, their responsibilities, and the company's rights is also crucial (e.g., this is where you would include a clause that allows the enterprise to wipe the device in exchange for providing the user with access to corporate resources). Signed agreements are especially important when bring-your-own-device (BYOD) and subsidized-usage models are supported, primarily due to legal uncertainties around liability and rights to data. And even though ongoing user awareness training on mobile security is probably a good idea, history shows that such efforts are often not very effective.

Tier 2: Supplemental Security

MDM-oriented security capabilities are an excellent starting point for a mobile security strategy. However, as mobile access scenarios continue to expand and the development of mobile malware continues to accelerate (in other words, as vulnerabilities, threats, and risks continue to grow), the effectiveness of MDM as a security measure steadily declines. IT needs to implement measures that pick up where MDM leaves off in order to bolster secure access, threat protection, and data protection.

Secure access - ActiveSync and/or MDM-based security may be sufficient when mobile users are only using email. Once you provide access beyond email, three additional, access-oriented countermeasures become increasingly relevant: (1) strong authentication to the network, e.g., with tokens; (2) an encrypted tunneling capability that supports access to all types of apps, e.g., an SSL VPN; and (3) a host-integrity-checking capability that restricts access based on the security state of the user's device (available standalone or as an integral component of leading SSL VPNs).

Threat protection - Mobile malware has not historically been a major concern, but that started changing in 2011 and is expected to grow even faster in 2012. As a result, anti-malware for mobile platforms is becoming increasingly important—especially because the highly dynamic nature of today's web and the threats it harbors means that conventional technologies and mechanisms in this area (e.g., signatures) are glaringly insufficient. What organizations need instead is a robust web security "cocktail" that examines content from every possible angle to detect new threats. This requires real-time threat intelligence using multiple, complementary inspection engines capable of delivering real-time threat analysis and content classification. Equally valuable will be the ability to filter mobile applications based on reputation. Still emerging, this capability is analogous to reputation filtering for email, URLs, and downloaded files, but focuses instead on preventing users from downloading malware-infected mobile apps, a growing problem, particularly for non-curated app stores.

Data protection - Additional coverage in this area comes primarily in the form of DLP technology. The starting point for a complete solution is back at headquarters, where email and web security gateways with embedded DLP functionality should be used to control what data can make its way onto mobile devices in the first place (e.g., via email, or web-based file sharing services such as Dropbox). For data that does make it onto mobile platforms, the next layer of protection should be a mobile DLP capability that helps keep the data from being either unwittingly or maliciously exposed. Notably, the need for mobile DLP is also being driven by increasing reliance on SaaS applications, where both data and users are outside the corporate perimeter and the protection it typically provides.

Agent vs. Cloud

What's the best way to deploy supplemental threat and data protection capabilities: local software agents, or cloud-based services? For some of the most popular platforms, such as Apple iOS, there's no option. The architecture limits the functionality or entirely precludes the use of security agents. Android supports agents, but the footprint on the device should be as lightweight as possible to reduce its performance impact. Further tilting the scales in favor of cloud-based services are advantages such as quicker, easier, and less costly implementation; universal platform compatibility; and greater adaptability. Local agents can provide incrementally better functionality and effectiveness, but it seems unlikely that this will be enough of an advantage to offset the strengths of a cloud-based approach.

Tier 3: Emerging security measures

This third tier of countermeasures is fairly new to the market, and is often classified as advanced or emerging. Early adopters of such technologies tend to have a very low tolerance for risk, extremely sensitive data, or very strict regulatory requirements.

App/desktop virtualization - Never allowing sensitive data to leave the data center in the first place clearly provides a superior degree of protection. One way to do this while still enabling view-only access to essential resources is to deploy server-hosted app and desktop virtualization solutions (e.g., from Citrix or VMware).

Self-defending apps - In some instances organizations will have the option to select mobile apps that have been designed from the outset to be inherently more secure, for example, by incorporating their own encryption and key management functionality, and relying less on native platform features and data storage locations for protection.

Enterprise sandbox - The intent with sandbox technology is to create an isolated zone on the mobile device where users can work with enterprise resources. Access to the zone depends on authentication and authorization, while all data transmitted to, from, and within the zone is encrypted. For mobile devices that support this technology, the result is another powerful layer of data protection. Tradeoffs include relatively limited app support and a hit to user experience, as native email and calendaring apps cannot be used to access enterprise resources.

Always-on VPN - This approach involves routing all data traffic back to headquarters via an encrypted tunnel. In this way it can be protected by all of an organization's centrally implemented countermeasures, including full enterprise-class DLP. Drawbacks include slower performance, increased traffic load on corporate security and networking infrastructure, and the complexity of having to create policies that also accommodate personal-use objectives.

Caveats and complications

Nothing related to information security is as easy as it first looks, and this is doubly true for mobile security. Here are two topics that are worth mentioning:

Device and platform diversity - The greatest complication to an organization's mobile security strategy is by far the diversity of mobile platforms and devices. This manifests itself in a couple of ways. First, differences in platform architecture impact both the need for and availability of many add-on security capabilities. For example, the isolation model employed by Apple iOS not only diminishes the effectiveness of most malware, but at the same time precludes use of fully functional security agents. Other platforms have varying resistance to malware and other types of threats, along with varying degrees of support for local security agents. A related issue is that platform, device, and service provider diversity also impacts the availability and effectiveness of native security capabilities. The bottom line is that there is considerable variation from device to device in terms of both (a) what is necessary from a security perspective, and (b) how it can best be accomplished.

Different ownership and usage scenarios - Additional complications arise from new and varied ownership and usage models. No longer are all client devices owned by the organization and used strictly for business purposes. Employees expect to be able to use their mobile devices for personal tasks. And different ownership and reimbursement arrangements often lead to different policies and capabilities. For example, with BYOD and no reimbursement to users, wiping data needs to be a last resort and should be selective (i.e., wipe all business but no personal data). Adding service reimbursement into the mix, however, changes the situation. Wiping all data now becomes a more acceptable and therefore prominent part of the security plan, while other functionality also becomes more relevant, such as expense control.

Characteristics of an ideal enterprise solution

No one turns in their laptop or desktop when they get a smartphone, so mobility just adds to the challenges of enterprise security. This—and budget pressures—drive the need for administrative efficiency and low cost of ownership when selecting mobile security solutions. For today's businesses, ideal solutions will be those that are enterprise-class in nature and that keep costs down by minimizing the number of products and vendors.

Enterprise-class - Key features that should be a part of all mobile security solutions to further reduce cost and improve effectiveness include centralized management, role-based administration, directory integration, group policies, flexible reporting, and configuration audit trails.

Consolidation - Meeting the organization's needs with a smaller set of products and vendors invariably reduces cost and complexity while improving integration and effectiveness. This is why IT/security managers typically favor solution providers that offer the greatest portfolio of capabilities for the greatest number of devices they intend to support (particularly across tiers 1 and 2). Even further gains can be realized if the advanced threat and data protection capabilities needed to support mobile devices are available as integral extensions of the solutions already being used to provide similar capabilities for the organization's fixed users/devices.

Conclusion

The need to support and secure a growing population of mobile devices is here now. The challenge of doing so, however, is complicated by a number of factors, especially: (a) the diversity of platforms and devices and how this impacts both the need for certain controls and the available solutions, and (b) the diversity of potential ownership, reimbursement, and usage scenarios, and how to maintain a balance between user and corporate expectations.

Because of these complexities, there is no straightforward, one-size-fits-all recipe for success when it comes to solving the security-for-mobility problem. Nonetheless, organizations should:

• Remain focused on the most important objective, ensuring adequate protection of mobile data, while balancing this with the need for a positive user experience and reasonable cost of ownership;
• Pursue a layered approach where MDM-oriented security capabilities are supplemented by the advanced controls described herein for secure access, threat protection, and, above all else, data protection; and,