On Monday 13th October, an article was published in The Guardian, a leading British newspaper, titled “Mobilised forces: keeping data safe”. The Guardian brought together some of online security’s leading players, including Infosec Partners’ own Mark Oakton, to discuss the future of secure mobile, including how companies can ensure that data on mobile devices is kept secure when staff access it from various locations and at different times.
Whose Data is it anyway?
The continuing rise of Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) has brought with it significant challenges to organisations. When companies allow staff to use their own mobile devices for work, they give employees access to corporate websites and company-sensitive data on the same smartphones and tablets where they keep their personal data and countless apps, posing considerable risk to the security of corporate data.
How would you feel if a device that you owned and had been using in a BYOD environment got remotely wiped as soon as you informed the company that you were leaving? What if that smartphone had the only copies of the first moments of your son’s life, the last moments of your mother’s life, or other precious, unique and irreplaceable memories?
Would you believe that there have been instances of this happening? Whilst this mitigates the risk for the company that the outgoing staff member might take data with them, it also leaves the company wide open to legal challenges and litigation.
The Guardian article highlighted Symantec statistics claiming there are 3262 malware variants on Android apps but only 1 on Apple’s App Store. This is slightly misleading, in that these are primarily found on small unregulated third-party app stores in the Middle East and Asia. By contrast, the percentage of apps carrying malware on Google’s official Play Store was found to be less than 0.1%, and a report from F-Secure acknowledges that rigorous checks mean any malware encountered there tends to have a short shelf life.
The biggest risk by far with all apps is the privileges they request. There is usually lots of diligence when installing the app, but how much when updating? The owners of mobile devices usually scrutinize an app’s requested privileges most when they are about to install it. Whilst relevant apps, even those approved by an organisation, may initially not request many privileges, subsequent updates may start requesting excessive access. Whether these privilege requests are intended for commercial gain, are simply pure laziness on the developers’ part, or are made with malicious intent, no single security solution can tell you what data is actually being taken.
Secure Mobility. Myth or Reality?
The field of mobile security has seen some significant growth in recent years. Mobile Device Management (MDM) solutions are abundant, and enable organisations to set certain criteria that the user’s smartphone or tablet must meet in order to be allowed on the corporate network. However, this can and frequently does cause frustration by limiting the functionality of mobile devices.
Mobile Application Management (MAM) solutions are now also rapidly developing, and involve having a corporate app store on staff devices, which allows staff to pick and choose the most productive approved apps. Using these specific apps ensures all data associated with them is encrypted both on the device and in transit to and from servers.
Those attending the discussion generally agreed that whilst there are more solutions to help create a Secure Mobile environment, the overall technology was still relatively immature. Infosec Partners’ Mark Oakton raised the question of to what extent the existing technology provides security, as a score out of ten, with 1/10 the least secure and 10/10 security Utopia. The answer? None of the panel wanted to air their opinion.
It’s a matter of Trust.
The whole concept that out-of-the-box BYOD solutions suddenly mean that untrusted mobile devices can be treated the same as trusted corporate-owned and corporate-managed devices is flawed. With Secure Mobility technology still relatively in its infancy, it may be advisable to actually think of BYOD devices in the same way as ‘guests’.
Enterprise Mobility Management (EMM) is the term coined to cover MDM, MAM, people and processes. Technology alone is not enough, and a suite of best-of-breed technologies as well as expertise is required to achieve best-practice Secure Mobility.
Through its sister company VIPIT Security, which provides Reputation and Information Protection services for significant individuals and families, Infosec Partners has also been providing a highly-tailored EMM approach for Secure Mobility. Working with technologies such as MobileIron, AirWatch, Druva, Silent Circle, the Vertu Signature and the recently released Blackphone, VIPIT clients already receive best-practice Secure Mobility delivered through the expertise of Infosec Partners consultants.
With the lines between corporate and family life becoming increasingly blurred, Directors and Executives at home in particular are ever in need of advice and guidance to help secure both their work-related and personal assets and information.
Focus on Security.
“These discussion events at the Guardian led by Tom Brewster are highly worthwhile, and a pleasure to be part of,” said Mark Oakton. “The articles lose little impact, as they clearly have to be limited to a certain number of words to fit into the newspaper. But having deep discussions with people like the systems architect of the British Army, and sharing real-life opinions, ensures that we all maintain our focus on Security and don’t easily get distracted by the marketing hype”.
For more information about Secure Mobility, please contact Francisco Ordillano firstname.lastname@example.org