Commentary
11/27/2013
08:06 AM
Eyal Manor

Mobile Security: All About The Data

Spend less time worrying about devices and more time worrying about the data.

For those of us who remember the days when mobile phones weighed two pounds and were roughly the size of a large flashlight, it can be tempting to marvel at how we have managed to get so much computing power in a device tiny enough to fit in our pockets.

Nevertheless, here we are, with smartphones that are used not only for personal calls but also as means to access corporate networks and data. This new reality means that corporations need to secure a perimeter that now extends beyond the desktops in office cubicles to the iPhone and Android devices being used by employees as they sit in the airport. This explosion of devices accessing corporate data has created a new challenge for security professionals that mandates they not only focus on the user's device, but also on protecting the data itself.

Failing to do so can have significant consequences. A Check Point survey of 790 IT professionals around the world revealed that while 67 percent allow personal devices to connect to their corporate network, 63 percent of companies said they do not manage corporate information on their employees' personal devices.

A separate study by Javelin Strategy & Research found that 7 percent of smartphone owners surveyed were victims of identity fraud, an incidence rate one-third higher than the rest of the public. Part of this was believed to be due to user behavior -- 32 percent admitted to not updating their mobile operating system, and 62 percent said they did not use a password on their home screen.

These statistics alone should emphasize the importance of focusing on data. Because many users are not keeping up with security in basic ways, corporations need to be ready to look out for themselves. But even when device locks and passcodes are used, they are only partial solutions. After all, the amount of malware targeting mobile devices is on the upswing. If a device is compromised by malware, a passcode is not going to stop an attacker from making off with everything from the victim's email contact list to their location data. A hacker needs only to attempt a maximum of 10,000 tries on a phone protected with a 4-digit passcode (0000 through 9999). Even fingerprint entry has recently been hacked, although this is quite a bit more difficult.

One of the longstanding answers to the challenge of securing data has been mobile device management (MDM), which allows organizations to manage mobile devices used in the organization and set a security policy for the entire device. But MDM can appear to be heavy-handed security for employees and contractors. After all, employees are purchasing their own smartphones for their personal use. MDM can seem intrusive if a company now can manage and control a personally owned device. For enterprises, this is what makes focusing on the data so important.

Three ways of dealing with the issue come to mind: containerization of business data, user authentication, and data encryption.

  • Business data containerization ensures that corporate data such as email, contacts, documents, etc. reside in a separate, encrypted area on the employee's smartphone. It also permits enterprises to apply policy controls only when accessing this data specifically as opposed to controlling the entire device. Business data stays in that particular container, reducing the chance of malware infections compromising information.

  • Authentication and encryption offer additional layers of protection. By protecting enterprise data with additional authentication requirements above and beyond what is needed to access the device, organizations can enforce an extra layer of protection in the event a device falls into the hands of an attacker.

  • Likewise, enterprises should consider protecting sensitive data both at rest and in transit with encryption.

Comments
Muthu LeesaJ889,
User Rank: Apprentice
12/4/2013 | 7:04:43 AM
Yes, it's the data and not really the device!
I always believed that MAM was the subset of MDM. But now I see a change in the trend where CIOs are favoring MAM to MDM. And the reasons? Of course, it's the data and not really the device! Read more at http://mlabs.boston-technology.com/blog/why-are-cios-looking-at-mam-versus-traditional-mdm
shakeeb,
User Rank: Black Belt
11/30/2013 | 12:23:54 PM
Re: Managing Mobile Security
If this sensitive data falls into a fraudster's hands, it can be used for fraudulent activities. This will harm the reputation of the organization as well as lead to loss of customer integrity towards the organization.
shakeeb,
User Rank: Black Belt
11/30/2013 | 12:20:16 PM
Re: Managing Mobile Security
This is an interesting article on data over smartphones. As you correctly mentioned, many of the users have configured data channels to their mobile phones, which is a risk.
Adam2IT,
User Rank: Apprentice
11/28/2013 | 7:55:23 AM
Managing Mobile Security
One way to reduce the security risks of mobile computing is to use virtualization and HTML5 technologies to keep data and applications separate from devices.  For example, Ericom AccessNow is an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab.

There's nothing to install on the end user devices, as you only need an HTML5-compatible browser.  That protects corporate data by keeping it off the device, and also reduces IT support costs, since IT staff don't need to spend time installing software on so many different platforms.  All they need to do is give employees a URL and login credentials.

For an online, interactive demo visit: http://www.ericom.com/demo_AccessNow

Please note that I work for Ericom
Shepy,
User Rank: Apprentice
11/28/2013 | 7:24:34 AM
Central locking
In the UK we've long had an inter-network blacklist for mobile devices, preventing locked IMEI from using the networks. Obviously IMEI re-programming gets round this if known how to be done, but it would be interesting to see some kind of central blocking from Apple or Google end as each device needs to be registered with iTunes or Play etc.
Ulf Mattsson,
User Rank: Strategist
11/27/2013 | 11:40:17 PM
Re: Interesting report from the Aberdeen Group
I agree about "an alternative rather than an addition" but the trend is interesting. I think that every sensitive data element should be encrypted or tokenized, to be able to enforce "security policy" rules.
Thomas Claburn,
User Rank: Author
11/27/2013 | 3:39:23 PM
Re: Interesting report from the Aberdeen Group
>Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data".

Why an alternative rather than an addition? Everything should be encrypted, regardless of other security measures.
WKash,
User Rank: Author
11/27/2013 | 1:35:34 PM
Data vs Devices
Interesting to note the perspective from Ashok Sankar, who's worked with the Defense Department and the Intelligence Community to manage the data movement on classified and top secret domains.  He makes the same case. See  "Keep Data Off Mobile Devices & Away From Adversaries" by Ashok Sankar also on InformationWeek at  http://add.vc/fZy
Ulf Mattsson,
User Rank: Strategist
11/27/2013 | 11:07:14 AM
Interesting report from the Aberdeen Group
I agree that "Three ways of dealing with the issue come to mind: containerization of business data, user authentication, and data encryption".

We can follow the lead by credit card companies that established PCI DSS for "containerization of business data, and data encryption" of sensitive data.

I recently read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users".

Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. The name of the study, released a few months ago, is "Tokenization Gets Traction".

Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data".

Modern data tokenization can also be used for containerization of business data.

Ulf Mattsson, CTO Protegrity