A 3-STEP PLAN FOR MOBILE SECURITY

A complex problem that requires a holistic approach

Mobility is here. Mobility is now. Mobility (along with cloud and social media) is one of the three new technologies that bring new productivity opportunities—and associated security risks. Add in the consumerization of IT, an explosion of corporate and personal mobile devices, and the fact that there are no simple mobile security solutions, and you have one of the major IT security strategy challenges of 2012.

The challenge is how to enable productivity and mitigate the threats, vulnerabilities, and risks in a way that strikes the best balance at the lowest total cost.

This paper identifies specific countermeasures and management controls that you can use to establish a mobile security strategy that encompasses both corporate and personal devices. It also covers the threat scenarios, risks, complications, and solutions that IT security professionals should use to guide their decisions in this critical area of enterprise vulnerability.

Organizations that narrowly focus on one aspect of the problem and fail to holistically address the security challenges posed by mobility, consumerization, and device proliferation run the risk of much lower user satisfaction, productivity, and business gains, along with higher costs and even exposure of sensitive data.

Start with your goals

Regardless of the devices involved and who owns them, what are you trying to accomplish? Is the goal to provide mobile access to useful corporate resources such as email, file services, and intranet apps? If so, highly limited, isolated mobile devices provide little value. In order to provide secure mobile access to these valuable resources (which is the goal of most organizations), you must:

1. Protect accessed data that is now local to the client device, and
2. Protect the client device itself, which serves as a conduit to both local and remotely accessible resources.

As you clarify your objectives, you begin to reveal the security tools and technologies that you will need. Some examples:

• Communication over insecure networks requires an authenticated and encrypted tunnel.
• Protecting data that is both stored and in use on mobile devices requires encryption and data loss prevention (DLP).
• Device protection requires configuration management and anti-malware software.

Identify and understand the threats

It is easy to see why data loss is such a high priority for mobile security. Regulatory requirements and the low cost of mobile devices contribute to the problem. As the following table illustrates, most organizations should start with a focus on tools and techniques that help protect mobile data.

Threat                                        Risk
--------------------------------------------  --------------------------------------------------------------------------
Lost or stolen device                         Unauthorized access to local or network-based data; data loss
Lost or stolen media card                     Local data loss
Misuse of local comms (e.g., Bluetooth, IR)   Compromised/infected device, data loss, and potentially degraded operation
Compromised apps                              Data loss and potentially degraded operation
Malware                                       Data loss and potentially degraded operation
Web/network-based attacks                     Data loss and potentially degraded operation
Countermeasures and other related controls

Given the objectives, threats, and risks discussed above, we present below three tiers of countermeasures and controls to help you establish and maintain a mobile security strategy. Because of the scope of the problem, we recommend that you start with the first set. Then adopt items from the other two, with your schedule based on such things as your organization's tolerance for risk, the nature of the business you are in, regulatory requirements, and the level of mobile maturity in your organization.

Some of the security controls listed below—such as mobile DLP, enterprise sandboxing, and self-defending apps—are newly emerging solutions. Unless your need is critical, delay adoption of these. More mature solutions are on the horizon that will be easier to implement and manage.

Most organizations identify data loss as the top concern in the mobile scenario. That's why the primary emphasis should be on tools and techniques that help protect mobile data.

Tier 1: Mobile Device Management (MDM)

The term mobile device management is an artifact of convenience in this context. It's the capabilities that matter most, not the specific product category they come from. Some organizations get everything they need from Exchange ActiveSync® or BlackBerry® Enterprise Server, while others require a full-blown enterprise-class MDM solution. No matter which MDM solution makes sense, most organizations will eventually find it necessary to also implement some of the supplemental security measures described below.

Because current MDM offerings are light on security, we can expect the industry to evolve. Specifically:

1. MDM vendors may add more security capabilities to their solutions.
2. Mobile security vendors will add MDM capabilities to their solutions (this is more likely, because it is easier to add the simple to the complex (that is, MDM to security) than vice versa).
3. MDM and advanced mobile security could remain independent solutions.

All of these scenarios can deliver good solutions to the market, but the best integration and lowest overall costs are most likely if mobile security vendors add MDM.

While the primary objective of MDM is centralized life cycle management of mobile devices such as smartphones and tablets, many of the so-called device management features are also relevant from a security perspective. For example, if you can configure Wi-Fi settings and update applications, you can use these same features to reduce a device's attack surface. And other features such as remote wipe and encryption control provide added layers of data protection.

Robust MDM solutions should include the following:

• Application management - Includes the ability to inventory a device's applications, distribute/update software, and restrict the use (if not the installation) of individual applications. It also often includes support for a self-service portal and/or enterprise app store.

• Configuration management and resource control - This entails having control over a wide range of device-level capabilities and parameters, including password requirements, camera functionality, SD card usage, and VPN, Wi-Fi, Bluetooth, and encryption settings.

• Device integrity - All of your defenses are effectively undermined when a mobile device is jailbroken or rooted. Being able to detect this condition is, therefore, a critical capability. Keep in mind that such a check runs on the very device that may already be compromised, so treat its result as a signal to act on rather than a guarantee.
• Device recovery and loss mitigation - This includes device tracking, manual and automatic lock-out, manual/automatic wiping of all or selected data, and support for device-level backup and restore.

• Support and service management - Remote control is useful for technical support, while expense control is intended to moderate usage, particularly when costs are high (e.g., roaming abroad).

What about policies, agreements, and user awareness? Policies are a key tool for any mobile security strategy, and the policies you choose determine the specific technical controls you need. Getting users to sign mobile-use agreements that document their rights, their responsibilities, and the company's rights is also crucial (e.g., this is where you would include a clause that allows the enterprise to wipe the device in exchange for providing the user with access to corporate resources). Signed agreements are especially important when bring-your-own-device (BYOD) and subsidized-usage models are supported, primarily due to legal uncertainties around liability and rights to data. And even though ongoing user awareness training on mobile security is probably a good idea, history shows that such efforts are often not very effective.

Tier 2: Supplemental security

MDM-oriented security capabilities are an excellent starting point for a mobile security strategy. However, as mobile access scenarios continue to expand and the development of mobile malware continues to accelerate (in other words, as vulnerabilities, threats, and risks continue to grow), the effectiveness of MDM as a security control steadily drops. IT needs to implement measures that pick up where MDM leaves off in order to bolster secure access, threat protection, and data protection.

Secure access - ActiveSync and/or MDM-based security may be sufficient when mobile users are only using email. Once you provide access beyond email, three additional, access-oriented countermeasures become increasingly relevant: (1) strong authentication to the network (e.g., with tokens); (2) an encrypted tunneling capability that supports access to all types of apps (e.g., an SSL VPN); and (3) a host-integrity-checking capability that restricts access based on the security state of the user's device (available standalone or as an integral component of leading SSL VPNs).

Threat protection - Mobile malware has not historically been a major concern, but that started changing in 2011 and is expected to grow even faster in 2012. As a result, anti-malware for mobile platforms is becoming increasingly important—especially because the highly dynamic nature of today's web and the threats it harbors means that conventional technologies and mechanisms in this area (e.g., signatures) are insufficient on their own. What organizations need instead is a robust web security "cocktail" that examines content from every possible angle to detect new threats. This requires real-time threat intelligence using multiple, complementary inspection engines capable of delivering real-time threat analysis and content classification. Equally valuable will be the ability to filter mobile applications based on reputation. Still emerging, this capability is analogous to reputation filtering for email, URLs, and downloaded files, but focuses instead on preventing users from downloading malware-infected mobile apps, a growing problem, particularly for non-curated app stores.

Data protection - Additional coverage in this area comes primarily in the form of DLP technology. The starting point for a complete solution is back at headquarters, where email and web security gateways with embedded DLP functionality should be used to control what data can make its way onto mobile devices in the first place (e.g., via email, or via web-based file sharing services such as Dropbox). For data that does make it onto mobile platforms, the next layer of protection should be a mobile DLP capability that helps keep the data from being either unwittingly or maliciously exposed. Notably, the need for mobile DLP is also being driven by increasing reliance on SaaS applications, where both data and users are outside the corporate perimeter and the protection it typically provides.

Agent vs. cloud

What's the best way to deploy supplemental threat and data protection capabilities: local software agents, or cloud-based services? For some of the most popular platforms, such as Apple iOS, there's no option: the architecture limits the functionality of security agents or precludes their use entirely. Android supports agents, but the footprint on the device should be as lightweight as possible to reduce its performance impact. Further tilting the scales in favor of cloud-based services are advantages such as quicker, easier, and less costly implementation; universal platform compatibility; and greater adaptability. Local agents can provide incrementally better functionality and effectiveness, but it seems unlikely that this will be enough of an advantage to offset the strengths of a cloud-based approach.

Tier 3: Emerging security measures

This third tier of countermeasures is fairly new to the market, and is often classified as advanced or emerging. Early adopters of such technologies tend to have a very low tolerance for risk, extremely sensitive data, or very strict regulatory requirements.

App/desktop virtualization - Never allowing sensitive data to leave the data center in the first place clearly provides a superior degree of protection. One way to do this while still enabling view-only access to essential resources is to deploy server-hosted app and desktop virtualization solutions (e.g., from Citrix or VMware).

Self-defending apps - In some instances organizations will have the option to select mobile apps that have been designed from the outset to be inherently more secure, for example by incorporating their own encryption and key management functionality and relying less on native platform features and data storage locations for protection.

Enterprise sandbox - The intent with sandbox technology is to create an isolated zone on the mobile device where users can work with enterprise resources. Access to the zone depends on authentication and authorization, while all data transmitted to, from, and within the zone is encrypted. For mobile devices that support this technology, the result is another powerful layer of data protection. Tradeoffs include relatively limited app support and a hit to user experience, as native email and calendaring apps cannot be used to access enterprise resources.

Always-on VPN - This approach involves routing all data traffic back to headquarters via an encrypted tunnel. In this way it can be protected by all of an organization's centrally implemented countermeasures, including full enterprise-class DLP. Drawbacks include slower performance, increased traffic load on corporate security and networking infrastructure, and the complexity of having to create policies that also accommodate personal-use objectives.

Caveats and complications

Nothing related to information security is as easy as it first looks, and this is doubly true for mobile security. Here are two topics that are worth mentioning:

Device and platform diversity - The greatest complication to an organization's mobile security strategy is by far the diversity of mobile platforms and devices. This manifests itself in a couple of ways. First, differences in platform architecture impact both the need for and the availability of many add-on security capabilities. For example, the isolation model employed by Apple iOS not only diminishes the effectiveness of most malware, but at the same time precludes use of fully functional security agents. Other platforms have varying resistance to malware and other types of threats, along with varying degrees of support for local security agents. A related issue is that platform, device, and service provider diversity also impacts the availability and effectiveness of native security capabilities. The bottom line is that there is considerable variation from device to device in terms of both (a) what is necessary from a security perspective, and (b) how it can best be accomplished.

Different ownership and usage scenarios - Additional complications arise from new and varied ownership and usage models. No longer are all client devices owned by the organization and used strictly for business purposes. Employees expect to be able to use their mobile devices for personal tasks. And different ownership and reimbursement arrangements often lead to different policies and capabilities. For example, with BYOD and no reimbursement to users, wiping data needs to be a last resort and should be selective (i.e., wipe all business data but no personal data). Adding service reimbursement into the mix, however, changes the situation. Wiping all data now becomes a more acceptable, and therefore more prominent, part of the security plan, while other functionality also becomes more relevant, such as expense control.

Characteristics of an ideal enterprise solution

No one turns in their laptop or desktop when they get a smartphone, so mobility just adds to the challenges of enterprise security. This—and budget pressures—drives the need for administrative efficiency and low cost of ownership when selecting mobile security solutions. For today's businesses, ideal solutions will be those that are enterprise-class in nature and that keep costs down by minimizing the number of products and vendors.

Enterprise-class - Key features that should be a part of all mobile security solutions to further reduce cost and improve effectiveness include: centralized management, role-based administration, directory integration, group policies, flexible reporting, and configuration audit trails.

Consolidation - Meeting the organization's needs with a smaller set of products and vendors invariably reduces cost and complexity while improving integration and effectiveness. This is why IT/security managers typically favor solution providers that offer the greatest portfolio of capabilities for the greatest number of devices they intend to support (particularly across tiers 1 and 2). Even further gains can be realized if the advanced threat and data protection capabilities needed to support mobile devices are available as integral extensions of the solutions already being used to provide similar capabilities for the organization's fixed users/devices.

Conclusion

The need to support and secure a growing population of mobile devices is here now. The challenge of doing so, however, is complicated by a number of factors, especially: (a) the diversity of platforms and devices, and how this impacts both the need for certain controls and the available solutions; and (b) the diversity of potential ownership, reimbursement, and usage scenarios, and how to maintain a balance between user and corporate expectations.

Because of these complexities, there is no straightforward, one-size-fits-all recipe for success when it comes to solving the security-for-mobility problem. Nonetheless, organizations should:

• Remain focused on the most important objective – ensuring adequate protection of mobile data – while balancing this with the need for a positive user experience and reasonable cost of ownership;

• Pursue a layered approach where MDM-oriented security capabilities are supplemented by the advanced controls described herein for secure access, threat protection, and, above all else, data protection; and,