Advanced Mobile Security in the Age of Consumerization

By Bruce Gilley, President, Fixmo US

May 2, 2013, 11:30 am EST

The new age of mobile computing is upon us and it reminds me of a good horror film: both exhilarating and frightening at the same time, with the chance for an unsuspecting victim to emerge as an unlikely hero.

Smartphones and tablets have quickly emerged as must-have tools for our business and personal lives, offering unprecedented access to information, applications and real-time collaboration. They are now full-blown endpoint computing devices that fit in the palm of our hand, and not only match the storage and processing power of their wired equivalents, but are outpacing them when it comes to network connectivity, motion and location sensors, external media capture and machine-to-machine communications. We’ve witnessed the mobile app revolution and incredible advancements in user experience, screen technology and I/O capabilities.

Put it all together, and gone are the days of thinking about these as wireless email devices or mobile browsers. These are the next generation of personal computing devices that will forever change the way we work, play and collaborate. But from an IT security point of view, it is important to understand that these are not simply smaller, more portable personal computers that we can control and manage in the same way as we did traditional desktops. Because employees will carry these devices with them wherever they go, they will inherently rely on them for both business and personal use, and they will not tolerate highly complex authentication policies and tight restrictions on which features can be used.

Whether you like it or not, employees will take personal photos, access social media sites, configure simple passcodes to unlock the device, and run a mix of personal and business apps side-by-side. And for the foreseeable future, the majority of these devices will be built on consumer-grade operating systems that prioritize personal user experience over system-level security. Scared yet?

The good news is that this brave new world is already resulting in unprecedented business productivity and innovation by employees. But if not managed correctly and in a strategic manner, it could also result in very serious security gaps that could cast a dark shadow over enterprise IT. So how do we approach security and compliance in this new age of mobile computing and consumerization, where we are quickly losing the capacity to say "no, you cannot do that"? How do we empower employees to access both the business and personal services they need, on the devices they want, without compromising security or compliance? This is a key challenge now facing many IT organizations across the public and private sectors, specifically in highly regulated industries.

Before thinking about the right technical approach to solving this challenge, you need to consider the inherent risks in mobile computing and what the actual vulnerabilities and threats are that you are trying to defend against. As with any connected computing device, smartphones and tablets expose organizations to the risk of private data leakage as well as remote cyber attacks. If we are going to embrace mobile devices as business tools, we need ways to protect against unauthorized access to sensitive information, accidental data leakage, targeted data theft, and network intrusion. Potential exposure to these kinds of risks is heightened on mobile devices since they are frequently used outside of a physically controlled office environment, they may connect to unknown wireless networks or unsecured Bluetooth devices, they can be easily lost or stolen, and they typically have unverified third-party apps installed.

We also need to consider that these devices have microphones, cameras, and sophisticated sensors that, if compromised, can expose an organization to serious corporate espionage attacks. It is exceedingly simple to develop an application for a smartphone – even a BlackBerry – that runs periodically in the background and records audio information or captures GPS location data without the device user’s awareness.

In a ‘command-and-control’ corporate setting these risks would be mitigated by disallowing the installation of third party apps, disabling certain hardware features through IT policies, enforcing strong password controls and limiting what kind of data can be stored locally on the device. But in the age of consumerization and high-powered mobile computing, this may no longer be the right approach. In fact, it may not even be an option if you want to retain your employees.

What much of this comes down to is the fact that modern mobile devices being used in the workplace are built on vulnerable consumer-grade operating systems and will be used for a range of unverified and unmanaged personal apps and services, yet cannot be locked down to the point where the user experience and the potential productivity gains will suffer. This is becoming a classic exercise in risk management, where organizations need to understand the business requirements, the associated risks, and the technology solutions that can help them address both to an acceptable level.

So how do we maintain security and compliance in this new world? Is it possible to satisfy end users, enterprise IT and business owners? The good news is that the technology industry is paying close attention to this problem and new solutions are now coming to market to help IT strike the right balance with end users without sacrificing security or usability. Secure container technology, for example, has emerged as a viable approach to address this challenge on today’s mobile devices.

Secure containers offer a way to create a secured and controlled ‘sandbox’ environment on smartphones and tablets (including Apple iOS devices) that keeps all business apps, email and documents tightly access-controlled, encrypted, and managed by the IT department without impacting the personal side of the device or requiring a complex device-level password. With a secure container, IT controls the business assets while the user controls the personal assets, and we start to move toward a world where it no longer matters who owns the device, what version of the operating system it is running, or what personal services are enabled. If IT can secure and control a consistent business workspace environment on each device without having to worry about what’s happening on the personal side, we may end up with a solution that actually increases the level of security and data integrity while decreasing the control and support required of IT. And when coupled with the right integrity monitoring and threat detection software, you can also ensure that the business workspace is locked down or proactively wiped from the device when tampering, anomalies or malicious threats are detected in the personal space.
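As an added illustration (not Fixmo’s product or code), here is a toy Python model of the container described above: business data is encrypted under a key derived from a container-specific passcode that is independent of the device passcode, the key lives only in memory while unlocked, and integrity events reported from the personal side either lock the workspace or wipe it. The event names, the lock-versus-wipe mapping and the HMAC-based keystream (standing in for a real cipher) are all assumptions of this example.

```python
import hashlib
import hmac
import os


class TamperDetected(Exception):
    """Raised when the workspace has already been wiped by policy."""


class SecureContainer:
    """Constructed model of a managed business workspace on a personal device."""
    WIPE_EVENTS = {"jailbreak", "kernel_tamper"}   # assumed: destroy business data
    LOCK_EVENTS = {"unknown_wifi", "anomaly"}      # assumed: require re-authentication

    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        # Only a hash of the derived key is kept; the key itself is never stored.
        self._verifier = hashlib.sha256(self._derive(passcode)).digest()
        self._key = None      # in-memory key; None means the container is locked
        self._blobs = {}      # name -> (nonce, ciphertext)
        self.wiped = False

    def _derive(self, passcode: str) -> bytes:
        # Container key comes from the container passcode, not the device passcode.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def unlock(self, passcode: str) -> bool:
        if self.wiped:
            raise TamperDetected("workspace was wiped by integrity policy")
        key = self._derive(passcode)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier):
            return False
        self._key = key
        return True

    def lock(self) -> None:
        self._key = None

    def is_locked(self) -> bool:
        return self._key is None

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 counter keystream: a stand-in for AES-CTR, unauthenticated toy.
        stream, counter = bytearray(), 0
        while len(stream) < len(data):
            stream += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def put(self, name: str, plaintext: bytes) -> None:
        if self.is_locked():
            raise PermissionError("container locked")
        nonce = os.urandom(16)
        self._blobs[name] = (nonce, self._xor_stream(nonce, plaintext))

    def get(self, name: str) -> bytes:
        if self.is_locked():
            raise PermissionError("container locked")
        nonce, ciphertext = self._blobs[name]
        return self._xor_stream(nonce, ciphertext)

    def on_integrity_event(self, event: str) -> str:
        # Signals from the personal side of the device decide the workspace's fate.
        if event in self.WIPE_EVENTS:
            self._blobs.clear()
            self._key, self.wiped = None, True
            return "wiped"
        if event in self.LOCK_EVENTS:
            self.lock()
            return "locked"
        return "allowed"
```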

However you look at it, this new age of mobile computing and consumerization will be a paradigm shift for many IT security professionals. But if you take the time to understand the underlying risks, the needs of the business and the wants of the end users – and are willing to embrace new approaches to protecting corporate assets on increasingly personal devices – you just may end up being the protagonist hero of this otherwise frightening horror film.

About the Author

Bruce Gilley, President, Fixmo US


Bruce Gilley is the President of Fixmo’s US operations. Gilley brings over 30 years of Federal, DoD and Intelligence Community engineering, acquisition, and management experience to Fixmo. Prior to Fixmo, he led CloudShield Technologies Federal Sales and Operations, and helped establish CloudShield’s market-leading position in Cyber. Gilley was the GM/SVP of the Intelligence Systems Business Unit for L-3 Communications – Titan Group, where he drove a $200M line of business and led the capture and execution of programs focused on intelligence, information operations and C4ISR. He served 21 years with the US Navy, developing, fielding and supporting advanced cryptologic and information warfare capabilities. Gilley holds a BS in Computer Science from Old Dominion University and an MS in Information Systems from the Naval Postgraduate School.

Visit Bruce online at http://fixmo.com/

(Sources: FIXMO, CDM and SYMANTEC)
