4 Strategies to Bolster Mobile Security

Maribel Lopez is the CEO and mobile market strategist for Lopez Research, a market research and strategy consulting firm that specializes in communications technologies with a heavy emphasis on the disruptive nature of mobile technologies. AT&T has sponsored the following blog post.

Smart mobile device growth, led by consumer purchases, is escalating. Within 15 months, Apple sold 15 million tablets, and Google claims it is activating 350,000 Android devices daily. These employee-owned smart devices are entering the workplace in droves, regardless of IT policies. The move to employee-owned devices presents both business opportunities and threats. By allowing personally owned devices to access corporate resources, firms can extend mobile access to a majority of their employees, eliminate the corporate purchasing of devices and reduce the telecom expense associated with allowing corporate access. On the flip side, these devices also present security and support risks. In fact, 70% of the 1,084 respondents to the 2011 InformationWeek Analytics’ Strategic Security Survey said they believe mobile devices pose some level of threat to their organizations’ security. IT may not have worried about corporate data being stored on smartphones, but tablets have similar features to laptops and offer the ability to store large volumes of data. It’s clear that IT needs a security strategy. What isn’t clear is how IT can balance the security requirements of the corporation with employees’ desire to download and use apps and social software.

While RIM’s BlackBerry platform continues to be the gold standard for security, other operating systems, such as Apple’s iPhone and Google’s Android, don’t offer the same levels of security. What firms need is a comprehensive set of mobile security tools that provide protection on three levels by preventing unauthorized access to: 1) the device and its data, 2) data as it transits the network, and 3) the corporate network. Many firms are using Microsoft’s ActiveSync to provide basic password and security policy enforcement on non-BlackBerry devices. While ActiveSync provides the basics, there are several other methods that firms should evaluate, including:

  1. Mobile VPNs. Firms can use mobile VPN clients to build an encrypted channel over an unsecured Internet connection to enable smart devices to access corporate data and applications. This is an easy extension of most firms’ existing PC VPN tools, but in many cases users experience performance issues. For example, a mobile VPN may lose its connection as it switches between networks and hits gaps in wireless coverage.
  2. Mobile security software suites (MSSS). Enterprise mobility management vendors such as Zenprise and security vendors such as McAfee and Trend Micro provide various levels of MSSS, which can include antivirus, firewall, on-device data and removable media encryption, as well as the ability to configure mobile devices to match corporate security policies and enforce compliance prior to network access. It can also automate the configuration and connectivity of VPN, Wi-Fi, PKI, and native email sync. The upside is that these platforms support security profiles across multiple OS platforms. The downside is that IT needs to purchase and install another solution.
  3. Software that locks corporate data. Currently, if you allow employees to access email or applications, it’s easy for the employee to copy data into another application or forward documents to a personal email account. RIM recently announced BlackBerry Balance, which gives IT the ability to prevent employees from cutting and pasting and/or forwarding corporate data to non-approved apps such as a personal email account. The employee can still view and interact with the information locally. While only natively available on the BlackBerry today, this will become a best practice in the industry, with mobile security software vendors embracing this as part of their platforms.
  4. Sandboxing corporate data. Smart device OEMs, mobile enterprise/consumer application platforms like Antenna Software and Sybase, and enterprise mobile management vendors are deploying features that partition work and personal data. Unlike, say, Parallels on a Mac, where the desktop partitions look and act as separate entities, sandboxing software will provide an integrated UI. Similar to locking, where personal applications cannot access business information, this technology allows IT to remove corporate data from devices without touching an employee’s personal data. If an employee leaves the firm or loses their device, administrators can remotely wipe only business information.

Given the numerous options available, companies should be evaluating and deploying mobile security strategies today. These mobile security strategies should take into consideration what types of applications will be used, what type of data will be stored on the device, and what regulations the firm is required to support (e.g., the Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley (GLB), and the Health Insurance Portability and Accountability Act (HIPAA)). The good news is that vendors and service providers are available to support the move to any-device, any-place access.
