Smartphones and tablets have become ubiquitous in the enterprise in recent years, but to help employees get the most from using mobile devices, while keeping both users and enterprise data safe and secure, a good enterprise mobile management implementation is essential to help manage and monitor an organisation’s mobile device...
Mobile security is nowadays all about enabling businesses to isolate corporate data on personal devices, but above and beyond that is the ability to control what users can do with the documents containing that personal data.
For example, such technology should be able to prevent credit card data from being copied, because the document and its related system understand the data is highly personal and therefore prevents that process every time.
Taking back control
Enterprise mobile management (EMM) has evolved from mobile device management (MDM). When integrated with a comprehensive mobile security system, EMM is the ideal way to decrease enterprise risk caused by the proliferation of mobile endpoints touching the corporate network.
EMM and MDM can provide much-needed controls over mobile devices that many organisations fail to consider.
Clive Longbottom, service director at Quocirca, says areas such as maintaining the patch level of apps on the device are pretty much a given, but the capability to create corporate partitions on devices is not always considered.
“This is needed so that the partition can be regarded as being ‘owned’ by the business, and can then be deleted should the device be stolen or lost, or when an employee leaves the organisation,” he says.
“Without such a partition, if it is an employee-owned device, full permission will have to be gained from the device owner before the whole device is blitzed – and if permission is not granted, a massive security hole is left in the wild.”
Deploying mobile security in the enterprise
Mobile security is about access control and secure communications, paired with real-time detection and rapid response. Mobility has not been fully embraced, primarily because organisations feel that appropriate controls are not yet in place, says Eric Green, security strategist at Cyber Adapt.
“As bring your own device (BYOD) and remote working arrangements continue to evolve and gain momentum, EMM plays a critical role in business operations. It is imperative to have adequate control over mobile devices, as they can rapidly become exposed to risks and security threats due to non-compliant apps that leak data and vulnerabilities in device operating systems,” he says.
Longbottom says organisations should create device partitions to contain the corporate apps and the data created by them.
“Make sure the corporate partition is airlocked from the device, so preventing cut and paste and so on where an employee could copy data over to an insecure area without the organisation knowing about it. Encrypt the partition, so that no one can just copy the data. Use secondary security to gain access to the corporate partition – preferably using 2FA [two-factor authentication],” he advises.
Having a mobile security strategy
A good mobile security strategy should cover not just the devices themselves, but also corporate data, applications and users.
To build an effective mobile security strategy requires the input and participation of all parts of the organisation. Problems such as confidential data going missing or ending up in the wrong hands could affect everyone in the enterprise. Getting human resources, legal, financial, operations, IT and the board together to talk about data and where it should be is essential.
An assessment will be needed to determine how data is assessed, where it is and what it is used for. Any obvious problems can then be fixed.
In addition to the technical detail, procedures and policies are also important. Organisations need to consider issues such as mobile access limits, data limitations and password practices. These all need to be considered to ensure an effective mobile security strategy.
The strategy should also incorporate a disaster recovery plan. Mobile security is not just about data loss –there can also be cases of mobile misuse to think about. Effective responses to any number of incidents should include clear communication strategies and appropriate responses.
Businesses should look for comprehensive EMM solutions, which not only work to keep devices and applications safe, but also monitor for issues with connections or data, says Lee Hull, executive director at IT services firm Intercity Technology.
“It’s also important for organisations to be able to react to these insights to tweak and strengthen their security and corporate mobility strategies – and the solution itself needs to be flexible enough to allow this,” he adds.
Jon Seddon, head of product at managed services provider GCI, says enterprises need to work back from what the Information Commissioner’s Office (ICO) is looking at for the EU’s General Data Protection Regulation (GDPR) as this is helping to shape EMM strategies.
“There is one basic principle that it has issued specifically in terms of BYOD – it is important to remember that the data controller must remain in control of the personal data for which they are responsible, regardless of the ownership of the device used to carry out the processing,” says Seddon.
“Everything works back from this principle, so it means the right systems and processes must be in place to stay in control of the data. This means being in control of data and being able to wipe data should a device get lost or the employee leave a business. This is a great example of how EMM helps.”
Quocirca’s Longbottom says some tools are either targeted purely at a single type of device, or are too slow in keeping up with new devices or operating system upgrades as they come along.
“Make sure the chosen tool has a track record of rapid assimilation of such changes. Similarly, make sure the tool is agnostic as to the means of connectivity – it should deal with devices that are connecting via the corporate network as effectively as those coming in over mobile or public Wi-Fi connections,” he says.
Intercity Technology’s Hull says that with the visibility that EMM provides, organisations should be at an advantage when it comes to security. But due to the sheer number of devices, applications, data and networks across an organisation, it can be difficult to ensure that all devices are included and secure. Comprehensive provisioning procedures should also be followed to ensure that all devices are part of an organisation’s EMM regime, he adds.
Lee Hull, Intercity Technology
“It only takes one device to bring down a whole network, so businesses need to have a solution in place to prevent this in the first instance and ensure employees are practicing strong security hygiene,” says Hull.
Green says one of the unavoidable pitfalls when deploying EMM is that organisations might be misled into believing that it secures the enterprise, without additional support in place.
“If a business is simply using the SSL [secure sockets layer] protocol for communications, it can be easily exploited – without appropriate detection, threats go unrecognised and without remediation,” he says.
“A report by the US Department of Homeland Security [DHS] indicated compromised EMM systems or EMM system impersonations are increasingly becoming threats to mobile security, reinforcing the need for a second layer of protection.”
Important trends in EMM
Alvaro Hoyos, chief information security officer at cloud-based identity and access management provider OneLogin, says the most impactful EMM trend is not around devices, but the workforce and the need to unlock productivity.
“The requirement to secure access to a wealth of cloud applications for an increasingly mobile workforce is pushing companies to look for a new kind of EMM. Companies want to accelerate the onboarding of more remote employees, contractors and even business partners to their networks, apps and platforms,” he says.
Hoyos adds that, for this reason, companies need to secure access to their services with the understanding that devices and users – and not the corporate networks or firewalls – make the new perimeter.
“Reducing the friction caused by the previous generation of device management is imperative, and a new generation of EMM that provides lightweight, yet comprehensive solutions in the realm of unified endpoint management [UEM] is the obvious solution,” he says.
Making mobile more secure in the future
Hoyos says that as far as mobile security is concerned, EMM will become more lightweight on one hand and more comprehensive on the other, including potential support for a broader set of devices, the internet of things and analytics.
“Identity and device intelligence will sit at the heart of this evolution to ensure companies can still have the right level of access control and granularity they need,” he says.
Quocirca’s Longbottom says that as the market continues to settle on two main mobile operating systems – Apple and Android – black hats will step up their attacks on the devices, particularly via phishing attacks that install payloads onto the devices.
In the face of a growing number of attacks that are increasingly sophisticated, all organisations that have personal or commercially sensitive data on mobile devices are urged to ensure that they have the necessary controls and tools in place to prevent attackers from gaining access to that data and the organisation’s network.