Topic: Cutting mobile content risks
Author: Kees Van Veenendaal
Title: VP and General Manager of EMEA
Kees van Veenendaal is the VP and General Manager of EMEA at MobileIron; he
brings more than 25 years of experience throughout EMEA, the Americas and APAC to his role.
Prior to joining MobileIron, Mr van Veenendaal was Vice President Worldwide Sales for Trapeze Networks; Vice President of EMEA sales at Extreme Networks; and Managing Director of US Robotics Benelux. Mr van Veenendaal also held senior European management roles at Gandalf and Digital Communications Associates.
Kees van Veenendaal has an MBA from Universiteit Nyenrode, the Netherlands.
The old model for content security – heavy containerization – protected data by separating it from other data and blocking unauthorized apps or users, but users did not like the experience. People who buy an iPhone or Android device do not want to flip between enterprise and personal screens and use third-party apps instead of the native experience they love. This compromises productivity and creates security risks as employees develop workarounds. Targeted containerization secures enterprise content within the native experience.
Mobile technology is driving a massive shift in the ability of IT departments to truly support the way people want to work. Across Europe, we see companies becoming Mobile First organizations, embracing mobility as a primary computing platform in order to transform their businesses and increase their competitiveness. A mobile deployment used to mean the company issued 200 BlackBerrys to executives. Now, it means that every employee in an organization is using mobile apps and accessing corporate content via a mobile device that may or may not be owned by the company.
The result is that people expect to be able to access the corporate content they need on any device at any time. However, as soon as you put email on a mobile device you risk losing enterprise content. Email attachments can be forwarded or uploaded to a consumer cloud storage service. Content can be cut and pasted from one email account to another. Apps introduce additional security risks. Data moving between an app and the corporate network is vulnerable to man-in-the-middle attacks via rogue Wi-Fi hotspots. App data stored on the mobile device could be accessed by a malicious app a user inadvertently installed. Securing mobile content presents several distinct challenges.
Mobile Content Security Challenges
Mobile devices are consumer devices, not corporate devices
In the days of old mobile, everyone was issued BlackBerrys because the IT department could lock them down. That’s not possible with the new mobile operating systems. Now, mobile devices are no longer issued by IT. People who love using their smartphones and tablets in their personal lives bring them to work. Then the Mobile IT team needs to figure out how to secure corporate content without compromising the employee’s privacy in terms of their personal content. Regardless of whether the mobile device is owned by the employee or the company, most devices will be used for both personal and professional use.
Mobile devices store large amounts of data in small, easy-to-lose packages
Storage capacity is growing, and, in addition, most Android devices have removable SD cards. Content is stored in email attachments and in mobile apps. And all of it is in a small device that is easily lost or stolen. Enterprises need to be able to ensure the security of data-at-rest on the device.
Mobile devices are hyper-connected
Apple devices have iCloud, and any device can connect to file-sharing services such as Dropbox. This makes it very easy for an employee to move data to clouds outside enterprise control. Mobile devices are also constantly connecting to any available network, private or public, whether or not it is trusted. As a result, data moving between a device and the corporate network is vulnerable to man-in-the-middle attacks via rogue Wi-Fi hotspots. Mobile IT needs to be able to secure data-in-motion as it travels to and from the device.
Lockdown will fail
Mobile devices should never be locked down like laptops, because lockdown fundamentally damages the user experience, impeding productivity and impairing adoption. The core tenet of successful mobile deployments is the preservation of user experience. A mobile program will not be sustainable if user experience is compromised when employees start using their personal devices for corporate email and apps.
Every computing deployment, whether mobile or not, carries some risk of content loss. With mobile, there are several best practices that organizations follow to mitigate this risk to the point that it is acceptable given the positive business value of mobile.
Best Practices for Securing Mobile Content
Email attachments are the primary source of enterprise documents on mobile devices. Mobile IT’s challenge is to give users access to business email on their mobile devices while ensuring those users cannot save business email attachments to apps or clouds outside IT security controls. The security challenge of mobility for the enterprise is that this one-click sharing of information from the device to external services is simple and frequent. A business email attachment can quickly end up in Dropbox without any malicious intent or even effort on the part of the user.
Ensure every device is under management
Every device needs to be connected to a Mobile IT platform that can secure and manage the device, the apps, and the content. If the user deactivates or removes the management client from the device, that will trigger a policy violation in the system. The system should be configured to immediately block the device and the apps on it from accessing the corporate network.
Monitor the operating system
When a device’s operating system is jailbroken or rooted, the established data security measures are no longer reliable. Therefore, automated rules should immediately quarantine the device, remove corporate data, and notify the administrator. Companies should also determine which versions of an operating system they are willing to support. Devices running the latest version will be up to date with all available security patches, while older versions will not.
Set and enforce passcode policy and encryption
Passcode enforcement prevents unauthorized access to the device. Companies should also implement an auto-wipe policy that wipes the device completely after a predefined number of failed password attempts. This minimizes the risk of brute force attacks on lost or stolen devices.
Protect email and attachments
Restricting email forwarding prevents corporate email from being forwarded through the user’s personal email account on the device. It also prevents the user from moving emails from a corporate inbox to a personal inbox. Companies also need to be able to restrict the use of third-party file readers or document management apps to open email attachments. When an attachment is opened in one of these apps, it can be saved or distributed completely without the knowledge of IT. As a result, email attachments are the biggest risk of mobile data loss.
Especially in BYOD initiatives, user and device identity must be strongly established. Securing email, Wi-Fi, and VPN access using certificates protects identity and also improves the user experience since certificates provide complex credentials automatically.
Define the role of iCloud
In a well-designed corporate deployment, iCloud will not increase the risk of data loss. iCloud does not back up any email or PIM content that comes from corporate sources such as Exchange or Notes. iCloud also does not back up encrypted data, which means data from apps that use iOS Data Protection will not be stored in iCloud.
Blacklist known threats
The mobile app landscape moves quickly but most organizations have identified a set of file readers or other apps that they do not trust. These apps should be blacklisted so that if an employee downloads a blacklisted app, a remediation action will be automatically triggered. This action could range from a simple non-compliance SMS notification to a full device quarantine which strips the device of all enterprise email, apps, connectivity, and settings until the threat is removed.
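As an added illustration (not MobileIron's code or API), the following Python models the compliance rules from the best practices above, from "Ensure every device is under management" through "Blacklist known threats", as a single posture-evaluation function. The posture fields, thresholds and app identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical posture record an MDM agent would report (field names are assumptions).
@dataclass(frozen=True)
class DevicePosture:
    managed: bool              # management client still present and active
    jailbroken: bool           # jailbroken (iOS) or rooted (Android)
    os_version: tuple          # e.g. (14, 2)
    passcode_set: bool
    failed_unlocks: int        # consecutive failed passcode attempts
    installed_apps: frozenset  # app identifiers reported by the agent

# Constructed policy values; a real deployment sets its own.
MIN_SUPPORTED_OS = (13, 0)
WIPE_AFTER_FAILED_UNLOCKS = 10
# Blacklisted app identifiers (placeholders) and the remediation each one carries,
# ranging from a non-compliance SMS to a full quarantine.
BLACKLIST = {
    "com.example.file-reader": "notify_user_sms",
    "com.example.cloud-sync": "quarantine",
}
QUARANTINE = ["quarantine", "remove_corporate_data", "notify_admin"]

def evaluate(p: DevicePosture) -> list[str]:
    """Map a posture report to the remediation actions the rules require.

    Rules are checked from most to least severe; a severe match returns immediately."""
    if not p.managed:
        # Management client removed: policy violation, cut corporate access at once.
        return ["block_corporate_network"]
    if p.jailbroken:
        # Data-protection guarantees no longer hold: quarantine, strip data, alert admin.
        return list(QUARANTINE)
    if p.failed_unlocks >= WIPE_AFTER_FAILED_UNLOCKS:
        # Auto-wipe defeats brute force on a lost or stolen device.
        return ["wipe_device"]
    actions = []
    if not p.passcode_set:
        actions.append("block_corporate_network")
    if p.os_version < MIN_SUPPORTED_OS:
        actions.append("block_corporate_network")  # unsupported OS; assumed action
    # Blacklisted apps escalate to the strongest remediation any one of them carries.
    hits = [a for a in sorted(p.installed_apps) if a in BLACKLIST]
    if any(BLACKLIST[a] == "quarantine" for a in hits):
        actions.extend(QUARANTINE)
    elif hits:
        actions.append("notify_user_sms")
    # Deduplicate while preserving order; an empty list means the device is compliant.
    return list(dict.fromkeys(actions)) or ["compliant"]
```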
The old model for content security was ‘heavy containerization’. A container is a set of protected data. This data is separated from all other data on the device and is protected from unauthorized apps or users.
In the first generation of enterprise mobility, all business data and associated apps were segregated into monolithic, email-based containers. While this protected business data, it forced users into an experience they did not like.
People buy an iPhone, iPad or Android device because they love the user experience that was developed specifically for that device. When they use that device at work, they want to have that same experience. The heavy containerization approach forces people to flip between enterprise and personal screens on their device, or requires them to use a third-party email app instead of the native experience they love. Not only do these approaches compromise productivity, but they also create security risks as employees figure out workarounds.
In the new generation of enterprise mobility, user experience is core and the new answer is ‘targeted containerization,’ securing the enterprise content within the native experience and leaving the personal content untouched. Mobile First companies know that mobile access to corporate content is critical and their vision is that employees can work the way they want to, on the device of their choice, with the apps that they love, and access to the content they need, all in a secure environment.