
Tackling the Seven Deadly Sins of Mobile Security

By ISBuzz Team | July 10, 2015 | Updated: July 10, 2015 | 7 Mins Read

A secure and productive mobility strategy is a game changer for any business in today’s connected world. It’s becoming more imperative for users to gain access to corporate data on their mobile devices both inside and outside of the corporate network.

Mobile workflows can be faster and more intuitive than those on desktop computers, but enterprises need to be cautious before allowing the widespread use of sensitive business information on unsecured mobile devices. In many cases, unfortunately, that means user productivity is overlooked in IT’s pursuit of data security.

Fortunately, businesses are no longer required to sacrifice usability for security. Below I’ve identified the “seven deadly sins of mobile security,” along with tips on how to best avoid or tackle them so usability and security aren’t pitted against each other.

  1. Avoid Relying on Device Management Alone

Let’s be clear: Mobile Device Management (MDM) is not a security solution; it’s a device management solution. While MDM can often help to secure corporate devices housing corporate data, there are many scenarios where a containerization approach is a much better fit. In some cases MDM and containerization can augment each other, but a containerization approach to mobile security is a major benefit to businesses looking to protect corporate data on devices that hold a mixture of corporate and personal data.

App-level, device-independent encryption secures corporate data more effectively, and containerization is key to keeping enterprise data and personal data separate. This provides the same advanced protection regardless of device ownership and management status.

  2. Don’t Sacrifice User Experience on the Altar of Security

As more content and applications are being mobilized and mobile devices replace laptops and desktops as our primary computing sources, there needs to be a much greater emphasis on user experience. Apps need to be easy and compelling to use for the experience to be successful. Security controls that hamper positive user experiences, especially on personal devices, will encourage users to find other, often less secure, ways to access corporate data.

Security needs to be a foundation underneath your application, not a cage around it. By building productivity applications on top of a solid security footing that hides the details from the user and abstracts the complexity for the administrator, it is possible to deliver applications that are both highly usable and highly secure.

  3. Avoid Protecting Corporate Data with Personal Passcodes

Passcodes are not a “one size fits all” item. Using just one device-level passcode means that the same level of authentication stands between a user and his game of Angry Birds as between him and your sensitive corporate data. Using a simple passcode means that your data is at risk, but using a more complex code will get in the way of the user performing common, everyday tasks and will hamper user acceptance of your mobility strategy.

Apps and their data must be protected with passwords and cryptography that are independent of any underlying device encryption. This offers peace of mind for IT managers and employees when a device passcode is hacked, as the app data will still be encrypted.

  4. Stop Obstructing Business Workflows

Users need to get their jobs done. If you don’t give them the tools they need to do it, then they have a strong incentive to find some other way. Inevitably this will lead to “shadow IT,” where users find their own solutions using consumer-grade tools over which you have no control.

As you roll out your mobility strategy, it’s important to ensure that users have easy access to the full set of tools they need. Furthermore, you need the ability not only to manage the data used by those tools but also to ensure that the set of tools works seamlessly to provide the whole workflow that the user needs. The user doesn’t just need the parts; those parts have to work together, securely sharing both data and services between them to make the user’s job easier, not harder.

  5. Don’t Treat Security Inconsistently Across Platforms

One thing that is certain about mobility is the diversity of devices and operating system versions. Another thing that is certain is that you can’t afford to have lower security on some devices than others. Operating system diversity and fragmentation is one of the main challenges for IT, and in the mobile space, diversity and the lack of a common security paradigm cause a lot of problems.

A device-agnostic secure mobility platform can help cure these headaches. A secure container can raise the security of all devices up to a high level, as opposed to managing devices to the lowest common denominator as MDM often does. This allows IT to have confidence and control while users still get to choose the device and OS that they like the best.

  6. Don’t Allow Data to Leave Your Control

Data breaches often happen when data is moved outside of the control of IT-approved policy configurations. Data needs to move around to be useful, whether it’s moving between applications, between devices or between users. You need to make sure that you keep control of the data as it moves and that it does not end up in some unsecured app.

The right mobile app security solution must allow a business to determine how data moves into, out of and around the enterprise domain. Containerizing this data and applying shared workflows helps keep data within the confines of the business. Because the data is segregated, it is also possible to remotely wipe any corporate data in the case of a crisis, a lost or stolen device or employee termination.

  7. Don’t Stop Security at the Edge of Your Enterprise

Traditional MDM solutions might be part of a solution for corporate-owned devices. For employees with a Bring Your Own Device model, they are an uphill sell. For anyone beyond your employee base, they are a complete non-starter.

Unfortunately, your need to secure data doesn’t stop at the edge of your enterprise. Whether you are sharing data with your suppliers, business partners or franchisees, or giving your customers, patients or citizens access to business systems, your data is going to need to make it onto devices outside your organization, and with that data comes a need to secure it.

It is essential that a mobile security solution is flexible enough to secure the use of sensitive business information wherever it goes. It needs to be able to cope with identity models that go beyond your corporate Active Directory, and it must continue to offer security even when the devices are ones that you will never be able to manage at the device level.

As mobile devices get more powerful, they enable us to be ever more productive. Our corporate mobility solutions need to grow as the platforms grow more capable, and they need to evolve to fit usability and security requirements for both IT and end users. Enterprises looking to secure mobile apps and corporate data should look out for the seven deadly sins of mobile security to ensure a strong user experience paired with an efficient data protection strategy.

About Dr. Nicko van Someren

Dr. Nicko van Someren is the Chief Technology Officer of Good Technology where he is in charge of future technology strategy and research. Nicko has extensive experience in the security industry. Prior to joining Good he served as Chief Security Architect at Juniper Networks, responsible for leading the technology and design direction for the company’s Network Security products, as well as promoting Juniper’s security solutions to industry and government sectors. Before joining Juniper, Dr. van Someren was founder and CTO of the security technology company nCipher Plc. where he led the research team and directed the technical development.

Dr. van Someren holds a doctorate and First Class degree in computer science from Cambridge University in the UK. He is a fellow of both the Royal Academy of Engineering and the British Computer Society.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
