A 3-STEP PLAN FOR
MOBILE SECURITY

A complex problem that requires a holistic approach

Mobility is here. Mobility is now. Mobility (along with cloud and social media) is one of the three new technologies that bring new productivity opportunities—and associated security risks. Add in the consumerization of IT, an explosion of corporate and personal mobile devices, and the fact that there are no simple mobile security solutions, and you have one of the major IT security strategy challenges of 2012.

The challenge is how to enable productivity and mitigate the threats, vulnerabilities, and risks in a way that strikes the best balance and lowest total costs.

This paper identifies specific countermeasures and management controls that you can use to establish a mobile security strategy that encompasses both corporate and personal devices. It also covers the threat scenarios, risks, complications, and solutions that IT security professionals should use to guide their decisions in this critical area of enterprise vulnerability.

Organizations that narrowly focus on one aspect of the problem and fail to holistically address the security challenges posed by mobility, as well as consumerization and device proliferation, run the risk of much lower user satisfaction, productivity, and business gains, along with higher costs and even exposure of sensitive data.

Start with your goals

Regardless of the devices involved and who owns them, what are you trying to accomplish? Is the goal to provide mobile access to useful corporate resources such as email, file services, and intranet apps? If so, having highly limited, isolated mobile devices provides little value. In order to provide secure mobile access to these valuable resources (which is the goal of most organizations), you must:

1. Protect accessed data that is now local to the client device, and
2. Protect the client device itself, which serves as a conduit to both local and remotely accessible resources.

As you clarify your objectives you begin to reveal the security tools and technologies that you will need. Some examples:

• Communication over unsecured networks requires an authenticated and encrypted tunnel.
• Protecting data that is both stored and in use on mobile devices requires encryption and data loss prevention (DLP).
• Device protection requires configuration management and anti-malware software.

Identify and understand the threats

It is easy to see why data loss is such a high priority for mobile security. Regulatory requirements and the low cost of mobile devices contribute to the problem. As this table illustrates, most organizations should start with a focus on tools and techniques that help protect mobile data.

Threat                                        Risk
Lost or stolen device                         Unauthorized access to local or network-based data; data loss
Lost or stolen media card                     Local data loss
Misuse of local comms (e.g., Bluetooth, IR)   Compromised/infected device, and data loss and potentially degraded operation
Compromised apps                              Data loss and potentially degraded operation
Malware                                       Data loss and potentially degraded operation
Web/network-based attacks                     Data loss and potentially degraded operation

Countermeasures and other related controls

Given the objectives, threats, and risks discussed above, we present below three tiers of countermeasures and controls to help you establish and maintain a mobile security strategy.

Because of the scope of the problem, we recommend that you start with the first set. Then adopt items from the other two, with your schedule based on such things as your organization’s tolerance for risk, the nature of the business you are in, regulatory requirements, and the level of mobile maturity in your organization. Some of the security controls listed below—such as mobile DLP, enterprise sandboxing, and self-defending apps—are newly emerging solutions. Unless your need is critical, delay adoption of these. More mature solutions are on the horizon that will be easier to implement and manage.

Most organizations identify data loss as the top concern in the mobile scenario. That’s why the primary emphasis should be on tools and techniques that help protect mobile data.

Tier 1: Mobile Device Management (MDM)

The term mobile device management is an artifact of convenience in this context. It’s the capabilities that matter most, not the specific product category they come from. Some organizations get everything they need from Exchange ActiveSync® or BlackBerry® Enterprise Server, while others require a fully blown enterprise-class MDM solution. No matter which MDM solution makes sense, most organizations will eventually find it necessary to also implement some of the supplemental security measures described below.

Because current MDM offerings are light on security, we can expect the industry to evolve. Specifically:

1. MDM vendors may add more security capabilities to their solutions.
2. Mobile security vendors will add MDM capabilities to their solutions (this is more likely because it is easier to add simple to complex, that is, MDM to security, than vice versa).
3. MDM and advanced mobile security could remain independent solutions.

All of these scenarios can deliver good solutions to the market, but the best integration and lowest overall costs are most likely if mobile security vendors add MDM.

While the primary objective of MDM is centralized life cycle management of mobile devices such as smart phones and tablets, many of the so-called device management features are also relevant from a security perspective. For example, if you can configure Wi-Fi settings and update applications, you can use these same features to reduce a device’s surface area for attack. And other features such as remote wipe and encryption control provide added layers of data protection.

Robust MDM solutions should include the following:

• Application management - Includes the ability to inventory a device’s applications, distribute/update software, and restrict the use (if not installation) of individual applications. It also often includes support for a self-service portal and/or enterprise app store.
• Configuration management and resource control - This entails having control over a wide range of device-level capabilities and parameters including password requirements, camera functionality, SD card usage, and VPN, Wi-Fi, Bluetooth, and encryption settings.
• Device integrity - All of your defenses are effectively undermined when a mobile device is jailbroken or rooted. Being able to detect this condition is, therefore, a critical capability.
• Device recovery and loss mitigation - This includes device tracking, manual and automatic lock-out, manual/automatic wiping of all or selected data, and support for device-level backup and restore.
• Support and service management - Remote control is useful for technical support, while expense control is intended to moderate usage, particularly when costs are high (e.g., roaming abroad).

What about policies, agreements, and user awareness? Policies are a key tool for any mobile security strategy, and the policies you choose determine the specific technical controls you need. Getting users to sign mobile-use agreements that document their rights, their responsibilities, and the company’s rights is also crucial (e.g., this is where you would include a clause that allows the enterprise to wipe the device in exchange for providing the user with access to corporate resources). Signed agreements are especially important when bring-your-own-device (BYOD) and subsidized-usage models are supported, primarily due to legal uncertainties around liability and rights to data. And even though ongoing user awareness training on mobile security is probably a good idea, history proves that such efforts are not often very effective.

Tier 2: Supplemental Security

MDM-oriented security capabilities are an excellent starting point for a mobile security strategy. However, as mobile access scenarios continue to expand and the development of mobile malware continues to accelerate (in other words, as vulnerabilities, threats, and risks continue to grow), the effectiveness of MDM for security drops lower and lower. IT needs to implement measures that pick up where MDM leaves off in order to bolster secure access, threat protection, and data protection.

Secure access - ActiveSync and/or MDM-based security may be sufficient when mobile users are only using email. Once you provide access beyond email, three additional, access-oriented countermeasures become increasingly relevant: (1) strong authentication to the network—e.g., with tokens, (2) an encrypted tunneling capability that supports access to all types of apps—e.g., an SSL VPN, and (3) a host-integrity-checking capability that restricts access based on the security state of the user’s device (available standalone or as an integral component of leading SSL VPNs).

Threat protection - Mobile malware has not historically been a major concern, but that started changing in 2011 and is expected to grow even faster in 2012. As a result, anti-malware for mobile platforms is becoming increasingly important—especially because the highly dynamic nature of today’s web and the threats it harbors means that conventional technologies and mechanisms in this area (e.g., signatures) are glaringly insufficient. What organizations need instead is a robust web security “cocktail” that examines content from every possible angle to detect new threats. This requires real-time threat intelligence using multiple, complementary inspection engines capable of delivering real-time threat analysis and content classification. Equally valuable will be the ability to filter mobile applications based on reputation. Still emerging, this capability is analogous to reputation filtering for email, URLs, and downloaded files, but focuses instead on preventing users from downloading malware-infected mobile apps – a growing problem, particularly for non-curated app stores.

Data protection - Additional coverage in this area comes primarily in the form of DLP technology. The starting point for a complete solution is back at headquarters, where email and web security gateways with embedded DLP functionality should be used to control what data can make its way onto mobile devices in the first place (e.g., via email, or web-based file sharing services such as Dropbox). For data that does make it onto mobile platforms, the next layer of protection should be a mobile
DLP capability that helps keep the data from being either unwittingly or maliciously exposed. Notably, the need for mobile DLP is also being driven by increasing reliance on SaaS applications, where both data and users are outside the corporate perimeter and the protection it typically provides.

Agent vs. Cloud

What’s the best way to deploy supplemental threat and data protection capabilities: local software agents, or cloud-based services? For some of the most popular platforms – such as Apple iOS – there’s no option. The architecture limits the functionality or entirely precludes the use of security agents. Android supports agents, but the footprint on the device should be as lightweight as possible to reduce its performance impact. Further tilting the scales in favor of cloud-based services are advantages such as: quicker, easier, and less costly implementation; universal platform compatibility; and greater adaptability. Local agents can provide incrementally better functionality and effectiveness, but it seems unlikely that this will be enough of an advantage to offset the strengths of a cloud-based approach.

Tier 3: Emerging security measures

This third tier of countermeasures is fairly new to the market, and is often classified as advanced or emerging. Early adopters of such technologies tend to have a very low tolerance for risk, extremely sensitive data, or face very strict regulatory requirements.

App/desktop virtualization - Never allowing sensitive data to leave the data center in the first place clearly provides a superior degree of protection. One way to do this while still enabling view-only access to essential resources is to deploy server-hosted app and desktop virtualization solutions (e.g., from Citrix or VMware).

Self-defending apps - In some instances organizations will have the option to select mobile apps that have been designed from the outset to be inherently more secure – for example, by incorporating their own encryption and key management functionality, and relying less on native platform features and data storage locations for protection.

Enterprise sandbox - The intent with sandbox technology is to create an isolated zone on the mobile device where users can work with enterprise resources. Access to the zone depends on authentication and authorization, while all data transmitted to, from, and within the zone is encrypted. For mobile devices that support this technology, the result is another powerful layer of data protection. Tradeoffs include relatively limited app support and a hit to user experience, as native email and calendaring apps cannot be used to access enterprise resources.

Always-on-VPN - This approach involves routing all data traffic back to headquarters via an encrypted tunnel. In this way it can be protected by all of an organization’s centrally implemented countermeasures, including full enterprise-class DLP. Drawbacks include slower performance, increased traffic load on corporate security and networking infrastructure, and the complexity of having to create policies that also accommodate personal-use objectives.

Caveats and complications

Nothing related to information security is as easy as it first looks, and this is doubly true for mobile security. Here are two topics that are worth mentioning:

Device and platform diversity - The greatest complication to an organization’s mobile security strategy is by far the diversity of mobile platforms and devices. This manifests itself in a couple of ways. First, differences in platform architecture impact both the need for and availability of many add-on security capabilities. For example, the isolation model employed by Apple iOS not only diminishes the effectiveness of most malware, but at the same time precludes use of fully functional security agents. Other platforms have
varying resistance to malware and other types of threats, along with varying degrees of support for local security agents. A related issue is that platform, device, and service provider diversity also impacts the availability and effectiveness of native security capabilities. The bottom line is that there is considerable variation from device to device in terms of both (a) what is necessary from a security perspective, and (b) how it can best be accomplished.

Different ownership and usage scenarios - Additional complications arise from new and varied ownership and usage models. No longer are all client devices owned by the organization and used strictly for business purposes. Employees expect to be able to use their mobile devices for personal tasks. And different ownership and reimbursement arrangements often lead to different policies and capabilities. For example, with BYOD and no reimbursement to users, wiping data needs to be a last resort and should be selective (i.e., wipe all business but no personal data). Adding service reimbursement into the mix, however, changes the situation. Wiping all data now becomes a more acceptable and therefore prominent part of the security plan, while other functionality also becomes more relevant, such as expense control.

Characteristics of an ideal enterprise solution

No one turns in their laptop or desktop when they get a smartphone, so mobility just adds to the challenges of enterprise security. This—and budget pressures—drive the need for administrative efficiency and low cost of ownership when selecting mobile security solutions. For today’s businesses, ideal solutions will be those that are enterprise-class in nature and that keep costs down by minimizing the number of products and vendors.

Enterprise-class - Key features that should be a part of all mobile security solutions to further reduce cost and improve effectiveness include: centralized management, role-based administration, directory integration, group policies, flexible reporting, and configuration audit trails.

Consolidation - Meeting the organization’s needs with a smaller set of products and vendors invariably reduces cost and complexity while improving integration and effectiveness. This is why IT/security managers typically favor solution providers that offer the greatest portfolio of capabilities for the greatest number of devices they intend to support (particularly across tiers 1 and 2). Even further gains can be realized if the advanced threat and data protection capabilities needed to support mobile devices are available as integral extensions of the solutions already being used to provide similar capabilities for the organization’s fixed users/devices.

Conclusion

The need to support and secure a growing population of mobile devices is here now. The challenge of doing so, however, is complicated by a number of factors, especially: (a) the diversity of platforms and devices and how this impacts both the need for certain controls and the available solutions, and (b) the diversity of potential ownership, reimbursement, and usage scenarios, and how to maintain a balance between user and corporate expectations.

Because of these complexities, there is no straightforward, one-size-fits-all recipe for success when it comes to solving the security-for-mobility problem. Nonetheless, organizations should:

• Remain focused on the most important objective – ensuring adequate protection of mobile data – while balancing this with the need for a positive user experience and reasonable cost of ownership;
• Pursue a layered approach where MDM-oriented security capabilities are supplemented by the advanced controls described herein for secure access, threat protection, and, above all else, data protection; and,
• Favor solutions that deliver a high degree of administrative efficiency and low overall TCO based on their capacity for consolidation and incorporation of enterprise-class features, such as centralized management, directory integration, and robust reporting.




Contributing Author
Mark Bouchard, CISSP, is the founder of AimPoint Group, an IT research and analysis company
specializing in information security, compliance management, application delivery, and infrastructure
optimization. A former META Group analyst, Mark has analyzed business and technology trends
pertaining to a wide range of information security and networking topics for more than 15 years. A
veteran of the U.S. Navy, he is passionate about helping enterprises address their IT challenges and
has assisted hundreds of organizations worldwide in meeting both tactical and strategic objectives.




About Websense
Today’s productivity tools are increasingly mobile, social, and in the cloud. But so are advanced
data-stealing attacks, which antivirus and firewall alone can’t prevent. You can stay a step ahead with
Websense® TRITON™ security, which combines best-of-breed web security, email security, and DLP
modules (available together or separately) into one powerful solution. With shared analytics, flexible
deployment options, and a unified management console, it’s the effective and economical solution for
today’s security challenges.



© 2012 Websense Inc. All rights reserved. Websense, the Websense logo, and ThreatSeeker are registered trademarks and
TRITON, TruHybrid, Security Labs, and TruWeb DLP are trademarks of Websense, Inc. Websense has numerous other registered
trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

Customer-centric IT - Enterprise IT trends and investment 2013arms8586
 
The Digital Universe in 2020
The Digital Universe in 2020The Digital Universe in 2020
The Digital Universe in 2020arms8586
 
The Diverse and Exploding Digital Universe
The Diverse and Exploding Digital UniverseThe Diverse and Exploding Digital Universe
The Diverse and Exploding Digital Universearms8586
 
SIIA’S Vision from the Top
SIIA’S Vision from the TopSIIA’S Vision from the Top
SIIA’S Vision from the Toparms8586
 
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...arms8586
 
IDC's software taxonomy, 2007
IDC's software taxonomy, 2007IDC's software taxonomy, 2007
IDC's software taxonomy, 2007arms8586
 
Video Surveillance Book, 2013
Video Surveillance Book, 2013Video Surveillance Book, 2013
Video Surveillance Book, 2013arms8586
 

Andere mochten auch (8)

RightScale State of the Cloud Report 2013
RightScale State of the Cloud Report 2013RightScale State of the Cloud Report 2013
RightScale State of the Cloud Report 2013
 
Customer-centric IT - Enterprise IT trends and investment 2013
Customer-centric IT - Enterprise IT trends and investment 2013Customer-centric IT - Enterprise IT trends and investment 2013
Customer-centric IT - Enterprise IT trends and investment 2013
 
The Digital Universe in 2020
The Digital Universe in 2020The Digital Universe in 2020
The Digital Universe in 2020
 
The Diverse and Exploding Digital Universe
The Diverse and Exploding Digital UniverseThe Diverse and Exploding Digital Universe
The Diverse and Exploding Digital Universe
 
SIIA’S Vision from the Top
SIIA’S Vision from the TopSIIA’S Vision from the Top
SIIA’S Vision from the Top
 
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...
Box Private Vendor Watchlist Profile: Cloud - Based Content Collaboration Ser...
 
IDC's software taxonomy, 2007
IDC's software taxonomy, 2007IDC's software taxonomy, 2007
IDC's software taxonomy, 2007
 
Video Surveillance Book, 2013
Video Surveillance Book, 2013Video Surveillance Book, 2013
Video Surveillance Book, 2013
 

Ähnlich wie A 3-step plan to secure mobile devices

report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile securityJAYANT RAJURKAR
 
Advocate Consulting Mobile Device Management Brochure
Advocate Consulting Mobile Device Management BrochureAdvocate Consulting Mobile Device Management Brochure
Advocate Consulting Mobile Device Management BrochureJon Prete
 
Security White Paper
Security White PaperSecurity White Paper
Security White PaperMobiWee
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsurancePriyanka Aash
 
IDC: Top Five Considerations for Cloud-Based Security
IDC: Top Five Considerations for Cloud-Based SecurityIDC: Top Five Considerations for Cloud-Based Security
IDC: Top Five Considerations for Cloud-Based Securityarms8586
 
Unique Security Challenges in the Datacenter Demand Innovative Solutions
Unique Security Challenges in the Datacenter Demand Innovative SolutionsUnique Security Challenges in the Datacenter Demand Innovative Solutions
Unique Security Challenges in the Datacenter Demand Innovative SolutionsJuniper Networks
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedTiffany Graham
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldWTHS
 
MT50 Data is the new currency: Protect it!
MT50 Data is the new currency: Protect it!MT50 Data is the new currency: Protect it!
MT50 Data is the new currency: Protect it!Dell EMC World
 
Digital Guardian and CDM
Digital Guardian and CDMDigital Guardian and CDM
Digital Guardian and CDMGreg Cranley
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
Service2Media: Webinar Security & Management (17 March 2014) by Derk Tegeler
Service2Media: Webinar Security & Management  (17 March 2014) by Derk Tegeler Service2Media: Webinar Security & Management  (17 March 2014) by Derk Tegeler
Service2Media: Webinar Security & Management (17 March 2014) by Derk Tegeler Service2Media
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxcuddietheresa
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxsalmonpybus
 
Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security Omar Khawaja
 
White Paper: Defense In Breadth
White Paper: Defense In BreadthWhite Paper: Defense In Breadth
White Paper: Defense In BreadthCourtland Smith
 
IBM Mobile devices Whitepaper
IBM Mobile devices WhitepaperIBM Mobile devices Whitepaper
IBM Mobile devices WhitepaperShetal Patel
 

Ähnlich wie A 3-step plan to secure mobile devices (20)

report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile security
 
Advocate Consulting Mobile Device Management Brochure
Advocate Consulting Mobile Device Management BrochureAdvocate Consulting Mobile Device Management Brochure
Advocate Consulting Mobile Device Management Brochure
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 
Reference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- InsuranceReference Security Architecture for Mobility- Insurance
Reference Security Architecture for Mobility- Insurance
 
IDC: Top Five Considerations for Cloud-Based Security
IDC: Top Five Considerations for Cloud-Based SecurityIDC: Top Five Considerations for Cloud-Based Security
IDC: Top Five Considerations for Cloud-Based Security
 
Unique Security Challenges in the Datacenter Demand Innovative Solutions
Unique Security Challenges in the Datacenter Demand Innovative SolutionsUnique Security Challenges in the Datacenter Demand Innovative Solutions
Unique Security Challenges in the Datacenter Demand Innovative Solutions
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile world
 
MT50 Data is the new currency: Protect it!
MT50 Data is the new currency: Protect it!MT50 Data is the new currency: Protect it!
MT50 Data is the new currency: Protect it!
 
Digital Guardian and CDM
Digital Guardian and CDMDigital Guardian and CDM
Digital Guardian and CDM
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Service2Media: Webinar Security & Management (17 March 2014) by Derk Tegeler
Service2Media: Webinar Security & Management  (17 March 2014) by Derk Tegeler Service2Media: Webinar Security & Management  (17 March 2014) by Derk Tegeler
Service2Media: Webinar Security & Management (17 March 2014) by Derk Tegeler
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Chris D'Aguanno
Chris D'AguannoChris D'Aguanno
Chris D'Aguanno
 
Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security
 
White Paper: Defense In Breadth
White Paper: Defense In BreadthWhite Paper: Defense In Breadth
White Paper: Defense In Breadth
 
IBM Mobile devices Whitepaper
IBM Mobile devices WhitepaperIBM Mobile devices Whitepaper
IBM Mobile devices Whitepaper
 

Mehr von arms8586

Ten IT-enabled business trends for the decade ahead
Ten IT-enabled business trends for the decade aheadTen IT-enabled business trends for the decade ahead
Ten IT-enabled business trends for the decade aheadarms8586
 
Harness the power of Big Data
Harness the power of Big DataHarness the power of Big Data
Harness the power of Big Dataarms8586
 
Big data: The next frontier for innovation, competition, and productivity
Big data: The next frontier for innovation, competition, and productivityBig data: The next frontier for innovation, competition, and productivity
Big data: The next frontier for innovation, competition, and productivityarms8586
 
Tintri — A New Approach to Storage for Virtualization
Tintri — A New Approach to Storage for VirtualizationTintri — A New Approach to Storage for Virtualization
Tintri — A New Approach to Storage for Virtualizationarms8586
 
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...arms8586
 
IDC Worldwide IT Cloud Services Taxonomy, 2012
IDC Worldwide IT Cloud Services Taxonomy, 2012IDC Worldwide IT Cloud Services Taxonomy, 2012
IDC Worldwide IT Cloud Services Taxonomy, 2012arms8586
 
IDC MarketScape Virtual Tape Library
IDC MarketScape Virtual Tape LibraryIDC MarketScape Virtual Tape Library
IDC MarketScape Virtual Tape Libraryarms8586
 
IDC Worldwide Software 2008-2012 Forecast Summary
IDC Worldwide Software 2008-2012 Forecast SummaryIDC Worldwide Software 2008-2012 Forecast Summary
IDC Worldwide Software 2008-2012 Forecast Summaryarms8586
 
IDC Archiving
IDC ArchivingIDC Archiving
IDC Archivingarms8586
 

Mehr von arms8586 (9)

Ten IT-enabled business trends for the decade ahead
Ten IT-enabled business trends for the decade aheadTen IT-enabled business trends for the decade ahead
Ten IT-enabled business trends for the decade ahead
 
Harness the power of Big Data
Harness the power of Big DataHarness the power of Big Data
Harness the power of Big Data
 
Big data: The next frontier for innovation, competition, and productivity
Big data: The next frontier for innovation, competition, and productivityBig data: The next frontier for innovation, competition, and productivity
Big data: The next frontier for innovation, competition, and productivity
 
Tintri — A New Approach to Storage for Virtualization
Tintri — A New Approach to Storage for VirtualizationTintri — A New Approach to Storage for Virtualization
Tintri — A New Approach to Storage for Virtualization
 
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...
Worldwide Purpose Built Backup Appliance 2011-2015 Forecast and 2010 Vendor S...
 
IDC Worldwide IT Cloud Services Taxonomy, 2012
IDC Worldwide IT Cloud Services Taxonomy, 2012IDC Worldwide IT Cloud Services Taxonomy, 2012
IDC Worldwide IT Cloud Services Taxonomy, 2012
 
IDC MarketScape Virtual Tape Library
IDC MarketScape Virtual Tape LibraryIDC MarketScape Virtual Tape Library
IDC MarketScape Virtual Tape Library
 
IDC Worldwide Software 2008-2012 Forecast Summary
IDC Worldwide Software 2008-2012 Forecast SummaryIDC Worldwide Software 2008-2012 Forecast Summary
IDC Worldwide Software 2008-2012 Forecast Summary
 
IDC Archiving
IDC ArchivingIDC Archiving
IDC Archiving
 

A 3-step plan to secure mobile devices

A 3-STEP PLAN FOR MOBILE SECURITY

A complex problem that requires a holistic approach

Mobility is here. Mobility is now. Mobility (along with cloud and social media) is one of the three new technologies that brings new productivity opportunities—and associated security risks. Add in the consumerization of IT, an explosion of corporate and personal mobile devices, and the fact that there are no simple mobile security solutions, and you have one of the major IT security strategy challenges of 2012.

The challenge is how to enable productivity and mitigate the threats, vulnerabilities, and risks in a way that strikes the best balance and lowest total costs.

This paper identifies specific countermeasures and management controls that you can use to establish a mobile security strategy that encompasses both corporate and personal devices. It also covers the threat scenarios, risks, complications, and solutions that IT security professionals should use to guide their decisions in this critical area of enterprise vulnerability.

Organizations that narrowly focus on one aspect of the problem and fail to holistically address the security challenges posed by mobility, as well as consumerization and device proliferation, run the risk of much lower user satisfaction, productivity, and business gains, along with higher costs and even exposure of sensitive data.

Start with your goals

Regardless of the devices involved and who owns them, what are you trying to accomplish? Is the goal to provide mobile access to useful corporate resources such as email, file services, and intranet apps? If so, having highly limited, isolated mobile devices provides little value. In order to provide secure mobile access to these valuable resources (which is the goal of most organizations), you must:

1. Protect accessed data that is now local to the client device, and
2. Protect the client device itself, which serves as a conduit to both local and remotely accessible resources.

As you clarify your objectives you begin to reveal the security tools and technologies that you will need. Some examples:

• Communication over unsecure networks requires an authenticated and encrypted tunnel.
• Protecting data that is both stored and in use on mobile devices requires encryption and data loss prevention (DLP).
• Device protection requires configuration management and anti-malware software.

Identify and understand the threats

It is easy to see why data loss is such a high priority for mobile security. Regulatory requirements and the low cost of mobile devices contribute to the problem. As this table illustrates, most organizations should start with a focus on tools and techniques that help protect mobile data.

Threat                                        Risk
Lost or stolen device                         Unauthorized access to local or network-based data; data loss
Lost or stolen media card                     Local data loss
Misuse of local comms (e.g., Bluetooth, IR)   Compromised/infected device, and data loss and potentially degraded operation
Compromised apps                              Data loss and potentially degraded operation
Malware                                       Data loss and potentially degraded operation
Web/network-based attacks                     Data loss and potentially degraded operation

Countermeasures and other related controls

Given the objectives, threats, and risks discussed above, we present below three tiers of countermeasures and controls to help you establish and maintain a mobile security strategy. Because of the scope of the problem, we recommend that you start with the first set. Then adopt items from the other two, with your schedule based on such things as your organization’s tolerance for risk, the nature of the business you are in, regulatory requirements, and the level of mobile maturity in your organization.

Some of the security controls listed below—such as mobile DLP, enterprise sandboxing, and self-defending apps—are newly emerging solutions. Unless your need is critical, delay adoption of these. More mature solutions are on the horizon that will be easier to implement and manage.

Most organizations identify data loss as the top concern in the mobile scenario. That’s why the primary emphasis should be on tools and techniques that help protect mobile data.

Tier 1: Mobile Device Management (MDM)

The term mobile device management is an artifact of convenience in this context. It’s the capabilities that matter most, not the specific product category they come from. Some organizations get everything they need from Exchange ActiveSync® or BlackBerry® Enterprise Server, while others require a fully blown enterprise-class MDM solution. No matter which MDM solution makes sense, most organizations will eventually find it necessary to also implement some of the supplemental security measures described below.

Because current MDM offerings are light on security, we can expect the industry to evolve. Specifically:

1. MDM vendors may add more security capabilities to their solutions.
2. Mobile security vendors will add MDM capabilities to their solutions (this is more likely because it is easier to add simple to complex (that is, MDM to security), than vice-versa).
3. MDM and advanced mobile security could remain independent solutions.

All of these scenarios can deliver good solutions to the market, but the best integration and lowest overall costs are most likely if mobile security vendors add MDM.

While the primary objective of MDM is centralized life cycle management of mobile devices such as smart phones and tablets, many of the so-called device management features are also relevant from a security perspective. For example, if you can configure Wi-Fi settings and update applications, you can use these same features to reduce a device’s surface area for attack. And other features such as remote wipe and encryption control provide added layers of data protection.

Robust MDM solutions should include the following:

• Application management - Includes the ability to inventory a device’s applications, distribute/update software, and restrict the use (if not installation) of individual applications. It also often includes support for a self-service portal and/or enterprise app store.
• Configuration management and resource control - This entails having control over a wide range of device-level capabilities and parameters including password requirements, camera functionality, SD card usage, and VPN, Wi-Fi, Bluetooth, and encryption settings.
• Device integrity - All of your defenses are effectively undermined when a mobile device is jailbroken or rooted. Being able to detect this condition is, therefore, a critical capability.
• Device recovery and loss mitigation - This includes device tracking, manual and automatic lock-out, manual/automatic wiping of all or selected data, and support for device-level backup and restore.
• Support and service management - Remote control is useful for technical support, while expense control is intended to moderate usage, particularly when costs are high (e.g., roaming abroad).

What about policies, agreements, and user awareness? Policies are a key tool for any mobile security strategy, and the policies you choose determine the specific technical controls you need. Getting users to sign mobile-use agreements that document their rights, their responsibilities, and the company’s rights is also crucial (e.g., this is where you would include a clause that allows the enterprise to wipe the device in exchange for providing the user with access to corporate resources). Signed agreements are especially important when bring-your-own-device (BYOD) and subsidized-usage models are supported, primarily due to legal uncertainties around liability and rights to data. And even though ongoing user awareness training on mobile security is probably a good idea, history proves that such efforts are not often very effective.

Tier 2: Supplemental Security

MDM-oriented security capabilities are an excellent starting point for a mobile security strategy. However, as mobile access scenarios continue to expand and the development of mobile malware continues to accelerate (in other words, as vulnerabilities, threats, and risks continue to grow), the effectiveness of MDM for security drops lower and lower. IT needs to implement measures that pick up where MDM leaves off in order to bolster secure access, threat protection, and data protection.

Secure access - ActiveSync and/or MDM-based security may be sufficient when mobile users are only using email. Once you provide access beyond email, three additional, access-oriented countermeasures become increasingly relevant: (1) strong authentication to the network—e.g., with tokens, (2) an encrypted tunneling capability that supports access to all types of apps—e.g., an SSL VPN, and (3) a host-integrity-checking capability that restricts access based on the security state of the user’s device (available standalone or as an integral component of leading SSL VPNs).

Threat protection - Mobile malware has not historically been a major concern, but that started changing in 2011 and is expected to grow even faster in 2012. As a result, anti-malware for mobile platforms is becoming increasingly important—especially because the highly dynamic nature of today’s web and the threats it harbors means that conventional technologies and mechanisms in this area (e.g., signatures) are glaringly insufficient. What organizations need instead is a robust web security “cocktail” that examines content from every possible angle to detect new threats. This requires real-time threat intelligence using multiple, complementary inspection engines capable of delivering real-time threat analysis and content classification. Equally valuable will be the ability to filter mobile applications based on reputation. Still emerging, this capability is analogous to reputation filtering for email, URLs, and downloaded files, but focuses instead on preventing users from downloading malware-infected mobile apps – a growing problem, particularly for non-curated app stores.

Data protection - Additional coverage in this area comes primarily in the form of DLP technology. The starting point for a complete solution is back at headquarters, where email and web security gateways with embedded DLP functionality should be used to control what data can make its way onto mobile devices in the first place (e.g., via email, or web-based file sharing services such as Dropbox). For data that does make it onto mobile platforms, the next layer of protection should be a mobile DLP capability that helps keep the data from being either unwittingly or maliciously exposed. Notably, the need for mobile DLP is also being driven by increasing reliance on SaaS applications, where both data and users are outside the corporate perimeter and the protection it typically provides.

Agent vs. Cloud

What’s the best way to deploy supplemental threat and data protection capabilities: local software agents, or cloud-based services? For some of the most popular platforms – such as Apple iOS – there’s no option. The architecture limits the functionality or entirely precludes the use of security agents. Android supports agents, but the footprint on the device should be as lightweight as possible to reduce its performance impact. Further tilting the scales in favor of cloud-based services are advantages such as: quicker, easier, and less costly implementation; universal platform compatibility; and greater adaptability. Local agents can provide incrementally better functionality and effectiveness, but it seems unlikely that this will be enough of an advantage to offset the strengths of a cloud-based approach.

Tier 3: Emerging security measures

This third tier of countermeasures is fairly new to the market, and is often classified as advanced or emerging. Early adopters of such technologies tend to have a very low tolerance for risk, extremely sensitive data, or face very strict regulatory requirements.

App/desktop virtualization - Never allowing sensitive data to leave the data center in the first place clearly provides a superior degree of protection. One way to do this while still enabling view-only access to essential resources is to deploy server-hosted app and desktop virtualization solutions (e.g., from Citrix or VMware).

Self-defending apps - In some instances organizations will have the option to select mobile apps that have been designed from the outset to be inherently more secure – for example, by incorporating their own encryption and key management functionality, and relying less on native platform features and data storage locations for protection.

Enterprise sandbox - The intent with sandbox technology is to create an isolated zone on the mobile device where users can work with enterprise resources. Access to the zone depends on authentication and authorization, while all data transmitted to, from, and within the zone is encrypted. For mobile devices that support this technology, the result is another powerful layer of data protection. Tradeoffs include relatively limited app support and a hit to user experience, as native email and calendaring apps cannot be used to access enterprise resources.

Always-on-VPN - This approach involves routing all data traffic back to headquarters via an encrypted tunnel. In this way it can be protected by all of an organization’s centrally implemented countermeasures, including full enterprise-class DLP. Drawbacks include slower performance, increased traffic load on corporate security and networking infrastructure, and the complexity of having to create policies that also accommodate personal-use objectives.

Caveats and complications

Nothing related to information security is as easy as it first looks, and this is doubly true for mobile security. Here are two topics that are worth mentioning:

Device and platform diversity - The greatest complication to an organization’s mobile security strategy is by far the diversity of mobile platforms and devices. This manifests itself in a couple of ways. First, differences in platform architecture impact both the need for and availability of many add-on security capabilities. For example, the isolation model employed by Apple iOS not only diminishes the effectiveness of most malware, but at the same time precludes use of fully functional security agents. Other platforms have varying resistance to malware and other types of threats, along with varying degrees of support for local security agents. A related issue is that platform, device, and service provider diversity also impacts the availability and effectiveness of native security capabilities. The bottom line is that there is considerable variation from device to device in terms of both (a) what is necessary from a security perspective, and (b) how it can best be accomplished.

Different ownership and usage scenarios - Additional complications arise from new and varied ownership and usage models. No longer are all client devices owned by the organization and used strictly for business purposes. Employees expect to be able to use their mobile devices for personal tasks. And different ownership and reimbursement arrangements often lead to different policies and capabilities. For example, with BYOD and no reimbursement to users, wiping data needs to be a last resort and should be selective (i.e., wipe all business but no personal data). Adding service reimbursement into the mix, however, changes the situation. Wiping all data now becomes a more acceptable and therefore prominent part of the security plan, while other functionality also becomes more relevant, such as expense control.

Characteristics of an ideal enterprise solution

No one turns in their laptop or desktop when they get a smartphone, so mobility just adds to the challenges of enterprise security. This—and budget pressures—drive the need for administrative efficiency and low cost of ownership when selecting mobile security solutions. For today’s businesses, ideal solutions will be those that are enterprise-class in nature and that keep costs down by minimizing the number of products and vendors.

Enterprise-class - Key features that should be a part of all mobile security solutions to further reduce cost and improve effectiveness include: centralized management, role-based administration, directory integration, group policies, flexible reporting, and configuration audit trails.

Consolidation - Meeting the organization’s needs with a smaller set of products and vendors invariably reduces cost and complexity while improving integration and effectiveness. This is why IT/security managers typically favor solution providers that offer the greatest portfolio of capabilities for the greatest number of devices they intend to support (particularly across tiers 1 and 2). Even further gains can be realized if the advanced threat and data protection capabilities needed to support mobile devices are available as integral extensions of the solutions already being used to provide similar capabilities for the organization’s fixed users/devices.

Conclusion

The need to support and secure a growing population of mobile devices is here now. The challenge of doing so, however, is complicated by a number of factors, especially: (a) the diversity of platforms and devices and how this impacts both the need for certain controls and the available solutions, and (b) the diversity of potential ownership, reimbursement, and usage scenarios, and how to maintain a balance between user and corporate expectations.

Because of these complexities, there is no straightforward, one-size-fits-all recipe for success when it comes to solving the security-for-mobility problem. Nonetheless, organizations should:

• Remain focused on the most important objective – ensuring adequate protection of mobile data – while balancing this with the need for a positive user experience and reasonable cost of ownership;
• Pursue a layered approach where MDM-oriented security capabilities are supplemented by the advanced controls described herein for secure access, threat protection, and, above all else, data protection; and,
• Favor solutions that deliver a high degree of administrative efficiency and low overall TCO based on their capacity for consolidation and incorporation of enterprise-class features, such as centralized management, directory integration, and robust reporting.

“Even further gains can be realized if the advanced threat and data protection capabilities needed to support mobile devices are available as integral extensions of the solutions already being used to provide similar capabilities for the organization’s fixed users/devices.”

Contributing Author

Mark Bouchard, CISSP, is the founder of AimPoint Group, an IT research and analysis company specializing in information security, compliance management, application delivery, and infrastructure optimization. A former META Group analyst, Mark has analyzed business and technology trends pertaining to a wide range of information security and networking topics for more than 15 years. A veteran of the U.S. Navy, he is passionate about helping enterprises address their IT challenges and has assisted hundreds of organizations worldwide in meeting both tactical and strategic objectives.

About Websense

Today’s productivity tools are increasingly mobile, social, and in the cloud. But so are advanced data-stealing attacks, which antivirus and firewall alone can’t prevent. You can stay a step ahead with Websense® TRITON™ security, which combines best-of-breed web security, email security, and DLP modules (available together or separately) into one powerful solution. With shared analytics, flexible deployment options, and a unified management console, it’s the effective and economical solution for today’s security challenges.

© 2012 Websense Inc. All rights reserved. Websense, the Websense logo, and ThreatSeeker are registered trademarks and TRITON, TruHybrid, Security Labs, and TruWeb DLP are trademarks of Websense, Inc.
Websense has numerous other registered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.