Ask the Experts: How to Master Modern Mobile Security

Written by

Anurag Kahol, CTO and Co-Founder, Bitglass

Cloud tools and applications are increasingly being used in the enterprise, enabling employees to better collaborate and increase overall efficiency. Additionally, bring your own device (BYOD) environments allow workers to operate from their preferred mobile devices and from anywhere with internet access, making it easier to share information and complete objectives. BYOD also leads to increased levels of employee satisfaction and reduces costs for organizations. However, the use of personal devices makes the management and security of the flow of corporate data more difficult. A recent Bitglass report on BYOD and security found that:

  • One in five organizations lacks visibility into basic, native mobile apps on personal devices
  • Only 56% of companies employ key functionality like remote wipe for removing sensitive data from endpoints
  • 43% of organizations do not know if any BYOD or managed devices downloaded malware, indicating a significant lack of visibility
  • 24% of organizations do not secure email on BYOD

Tools that are designed to protect managed devices do not translate well to securing personal devices, and unfortunately, some companies are hesitant to adopt BYOD for that reason. In fact, a recent study from Verizon found that 33% of organizations have suffered a breach through unmanaged devices.

BYOD environments change an organization’s threat landscape and they require a different approach to security. Businesses must have a solution to mitigate the chances of data leakage, authenticate employees’ identities, detect anomalous activity and address other mobile security threats as well. As a result, companies need to implement controls that enforce:

  • Multi-factor authentication (MFA)
  • Data loss prevention (DLP) tools
  • User and entity behavior analytics (UEBA)

"BYOD environments change an organization’s threat landscape and they require a different approach to security"

Mastering mobile security starts with the proper implementation of the aforementioned controls via an agentless solution that is deployed in the cloud. By leveraging an agentless solution, organizations will greater enhance overall employee mobility without the typical deployment, privacy or management obstacles that usually accompany both Mobile Device Management (MDM) and Mobile Application Management (MAM). This is due to the fact that employees will be required to have a software agent installed on their device with MDM and MAM, which yields control of that device to the organization and therefore controls how each worker uses their device, the apps that can be installed, and more. As such, this can hinder the overall user (employee) experience and even invade workers’ privacy, as well as result in poor third-party and cloud app integration.

Fortunately, the availability of agentless, BYOD security solutions can address all of the issues associated with agents in MDM and MAM. In fact, agentless MDM solutions can help organizations control the flow of data, remain compliant, support cloud and third-party apps on any device, enable full visibility and audit, allow DLP from devices, and more without any software required. Therefore, organizations can have a robust foundation for keeping data secure in BYOD environments while being able to embrace the benefits of increased efficiency, reduced costs and improved levels of employee satisfaction.

Anthony Di Bello, VP of Strategic Development, OpenText

Users today are digital nomads. Mobile and virtual, their devices (phones, tablets, notebooks, laptops, etc.) are everything to them. It’s been over a decade since the practice of Bring Your Own Device (BYOD) became popular, and consumers now switch from personal, to public, to corporate networks automatically and seamlessly. With respect to access, they demand zero friction. Many in the tech industry have been talking about killing the password for years, but we are starting to see a real trend toward relying on mobile devices for what some call ‘zero sign-on’ access.

While employees and consumers have started to take a more proactive approach when it comes to cybersecurity over the past few years, there is still more that can be done around mobile devices. 2020 will be a key year for mobile device security given new demands being placed on these devices. 

Organizations have enjoyed the multiple benefits of BYOD, and employees desire even more business functionality on their devices – but the implications for security are enormous. Fortunately, as the concept of the network perimeter has changed with the rapid adoption of cloud and mobile technologies, attitudes towards security have shifted. Businesses now realize that breaches – including breaches involving mobile devices – are inevitable. Businesses must embrace a solution that provides security without compromising privacy or functionality.

As the concept of a network perimeter further dissolves over the coming years, the enterprise especially will need to re-shape security strategy to account for the flexibility we are extending to our work force. It is time to acknowledge a simple fact: you can’t protect what you can’t see. 

"The enterprise especially will need to re-shape security strategy to account for the flexibility we are extending to our work force"

In particular, there are three challenges that must be overcome before organizations can be comfortable extending this kind of access control to mobile and wearable devices.

Visibility: unlike laptops and desktops, corporate IT does not have root-level access to mobile devices. BYOD devices are managed through Mobile Device Management (MDM) solutions restricting both business data and visibility into a virtual container on the device. For organizations to be confident in using these devices to broadcast a signal granting physical access, organizations will need hardware-level access to monitor the security of these components. 

Privacy: as organizations look to gain hardware-level access to mobile devices in order to use them as access control devices, new measures need to be put in place to ensure the employee’s personal activity is restricted from corporate view in a BYOD environment. GDPR, CCPA and similar mandates are the primary drivers for these requirements.

Control: this covers two things, the first being controls ensuring the person holding the device is the individual authorized for the access that device grants. This will likely involve a second factor, such as verification through the device camera before access is granted. Without the means to control and verify access at the device level, there will be additional risk in implementing this type of solution. Secondly, the organization will require an ability to deny access or shut down the device if the holder’s identity cannot be verified.

Arun Kothanath, Chief Security Strategist, Clango

Mobile devices are rapidly becoming part of every modern environment. The challenge is managing the ever-increasing demand for ease of access to information versus ensuring fail proof security governance. While regulatory requirements are still maturing, it is not enough to rely on complying with industry and federal regulations to keep your organization secure.

Mobile devices present unique vulnerabilities that demand different security strategies across multiple avenues of the device mobility spectrum, including mobile applications, content and identity. 

In the new digital world, mobile devices are more than just another means to access information. These devices are perfect targets for attackers, since they are used for Multi-Factor Authentication (MFA) to critical applications and as a means for password-less authentication. Protecting the device must be a top priority. All mobile devices must have malware protection installed and access controls enabled. Additionally, enabling device-level biometric authentication measures will add a reliable safeguard against unauthorized access.

When enterprises deploy their own applications to their mobile workforce, all enterprise data protection aspects need to be considered. Data at rest and in transit should be subjected to the same data protection standards as any enterprise data. The ability to link company data to employee devices and ensure the data is secured and that overall integrity is preserved, is crucial. Encryption may seem like an obvious defense mechanism, but the application should adequately identify users’ identity and privileges and enforce appropriate security controls. When APIs and micro services are used, data privacy must be guaranteed by enforcing authenticated standards.

The enterprise’s mobile strategy should be to use Mobile Device Management (MDM) technologies that will incorporate visibility across the organization. Most often, enterprises are forced to support Bring Your Own Device (BYOD) policies, which complicate standardization. However, having an enterprise application store, enforcing encryption for enterprise data, enabling a ‘find, lock and erase device’ feature and blocking suspicious application installs will improve the overall security posture. Periodic mobile audits and penetration tests also rank high on the list of necessary cybersecurity activities.

"Consider a risk-based, continuous monitoring approach for mobile authentication"

In order to have a successful mobile security strategy, creating organization-wide awareness of mobile security is probably the most important action. Employees, along with anyone who is accessing the enterprise resources, should be knowledgeable regarding the risks of browsing, accessing data stores and enterprise applications, and the required security controls.

Organizations must also ensure that mobile devices are part of the enterprise identity and access management practices. A ‘least privilege’ strategy as defined by your organization’s overarching data classification strategy will help to oversee mobile device security. Access certifications and entitlement governance should be part of the overall mobile security framework. In most cases, choosing an MDM capable of interfacing with an enterprise identity governance framework is highly recommended.

Consider a risk-based, continuous monitoring approach for mobile authentication. This approach will ensure continuous awareness of risk and will allow the organization to take appropriate actions based on context. However, this approach relies on the enterprise’s understanding of its users, data and access patterns. It also relies on the ability to quickly react to potential policy violations.
In the digital world, a mobile device is part of an individual’s identity. This makes defending the mobile device equally as important as protecting one’s identity. 

What’s hot on Infosecurity Magazine?