A Framework for Securing the Mobile Enterprise
Posted by Melissa Stevens | Tags: byod, mobile, mobile-security, security
This post is written by Vijay Dheap, master inventor and Product Manager for IBM Mobile Security Solutions.
Do you recall the late 1990s, when small and large businesses alike rushed to establish their presence on the Internet? Today, organizations are pursuing a similar strategy when it comes to mobile. The difference is that the adoption of smart mobile technology has forced organizations to react and play catch-up instead of following the traditional deliberate, but proven, technology adoption process. Historically, computing technologies were evaluated and validated by enterprise or government IT organizations before they diffused into mainstream use. Mobile shatters that convention: rapid consumer adoption now translates directly into a core business requirement.

The first wave of enterprise mobile adoption generally happens at the upper echelons of the business, when executives demand that their IT organizations make corporate data accessible via the consumer smartphones and tablets they have just bought. Suddenly, the crown jewels of the organization need to be defended on platforms that have not been vetted for business use. The second wave comes from the democratization of the mobile workforce. Organizations used to hand-pick the individuals who were granted corporate devices for work tasks; now employees armed with their own devices and data plans are demanding greater access so they can be more efficient and competitive in a challenging work environment. More recently, this outside-in demand is becoming a two-way street as the business benefits mobile affords, such as greater responsiveness and productivity, become apparent.
A challenge for IT
Now the challenge is posed to IT: make it all happen, and make it happen securely, because if the trusted relationships with consumers, partners and employees are sacrificed in the pursuit of new opportunities, it will not only negate the potential gains but also put the entire enterprise at risk. In designing a security posture for the mobile enterprise we must begin with an understanding of the multifaceted nature of mobile technologies. First, there are the new devices themselves, running brand new platforms. Second, the coupling of communication with computing delivers versatility in accessing and moving information. Third, the mobile app has emerged as the dominant interaction pattern for delivering rich user experiences. It is also worth noting that, given the pace of innovation in mobile, new user behavior and novel capabilities will always precede security best practices.
A method we can employ to assess whether we have considered the various elements of mobile engagement is simply to "follow the data". After all, an enterprise concerns itself with the devices, networks and applications only to guarantee the integrity and security of the proprietary data that flows through them. We need to be able to establish that data initially residing on enterprise systems is accessed via hardened APIs, by a safe mobile app, employed by an authenticated and authorized user, and that the data is transmitted over a protected channel to a secure device that can defend the data it stores. But the security responsibility does not end there. Mobile security is unique because the context in which a device is used (location, time and network, among others) changes the risk, so the device, user and apps need continuous visibility. Visibility alone is insufficient; it must be coupled with management capabilities that mitigate the risk when a security event takes place, such as forcing a second factor, blocking the request or wiping corporate data from the device.
Securing the Mobile Enterprise
This analysis directly motivates the framework for securing the mobile enterprise. It becomes apparent that the security enforcement points for mobile engagements are on the device, at the network and in the mobile app. Many organizations get started with a focus on device security. This spans enrolling and configuring new mobile devices for business use, monitoring them for compliance, and deprovisioning them by remotely wiping corporate information. Some organizations initiate their foray into mobile by building apps and need to incorporate security in the mobile app. Mobile app security entails enforcing security standards and best practices during development, testing for vulnerabilities, identifying threats to the app and delivering updates. Once organizations delve deeper into their mobile projects they recognize the prerequisite for mobile security at the network. Blocking mobile threats, controlling network traffic, authenticating and authorizing users, encrypting the channel of communication, and monitoring all the security events are the roles of security at the network.
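The "follow the data" chain and the three enforcement points above come together at the network, where an API gateway has to decide whether a given request from a given device, user and app, in a given context, receives corporate data. The following policy decision point is an added illustration written for this post; it is not IBM product code. It walks the chain in order (user, app, device, context), hard-fails the conditions that must never be tolerated, scores the softer contextual signals, and returns one of ALLOW, STEP_UP (require a second factor), DENY or WIPE (deny and issue a remote corporate wipe through the MDM). The risk weights, the 30-day patch window, the allowed-country list and the deny threshold are assumptions chosen for the example; in practice the device posture comes from the MDM, the app identity from the app's signing and version checks, and every decision with its reasons is forwarded to the security event monitoring described above.

```python
"""Context-aware access decision for a mobile API gateway (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # serve the data only after a second factor
    DENY = "deny"
    WIPE = "wipe"         # deny and issue a remote corporate wipe via MDM


@dataclass
class Device:
    enrolled: bool            # managed by the enterprise MDM
    compliant: bool           # passed the most recent compliance check
    jailbroken: bool
    patch_age_days: int       # days since the last OS security update
    storage_encrypted: bool


@dataclass
class User:
    authenticated: bool
    mfa_satisfied: bool
    roles: List[str] = field(default_factory=list)


@dataclass
class App:
    signature_valid: bool         # code signature verified at launch
    version: Tuple[int, int]      # (major, minor) reported by the app
    min_version: Tuple[int, int]  # oldest build the hardened API accepts


@dataclass
class Context:
    network: str              # "corp_wifi", "cellular" or "public_wifi"
    country: str
    hour_utc: int


@dataclass
class Request:
    device: Device
    user: User
    app: App
    context: Context
    sensitivity: str          # "low" or "high" classification of the data
    required_role: str = "employee"


ALLOWED_COUNTRIES = {"US", "CA", "GB"}   # assumption for the example
RISK_DENY_THRESHOLD = 3                  # assumption for the example


def evaluate(req: Request) -> Tuple[Decision, List[str]]:
    """Return the decision and the reasons behind it (for the event monitor)."""
    # 1. User: no verified identity, no data.
    if not req.user.authenticated:
        return Decision.DENY, ["user not authenticated"]
    if req.required_role not in req.user.roles:
        return Decision.DENY, [f"user lacks role {req.required_role}"]

    # 2. App: only a trusted, current build may talk to the hardened API.
    if not req.app.signature_valid:
        return Decision.DENY, ["app signature invalid"]
    if req.app.version < req.app.min_version:
        return Decision.DENY, ["app below minimum version; update required"]

    # 3. Device: unmanaged or compromised devices never receive corporate data.
    if not req.device.enrolled:
        return Decision.DENY, ["device not enrolled"]
    if req.device.jailbroken:
        # Enrolled but rooted: deny now and remove what is already stored.
        return Decision.WIPE, ["device jailbroken; corporate wipe issued"]
    if not req.device.storage_encrypted:
        return Decision.DENY, ["device storage not encrypted"]

    # 4. Context: score the soft signals instead of hard-failing on them.
    risk = 0
    reasons: List[str] = []
    signals = [
        (not req.device.compliant, 2, "device out of compliance"),
        (req.device.patch_age_days > 30, 1, "OS patch older than 30 days"),
        (req.context.network == "public_wifi", 1, "public wifi"),
        (req.context.country not in ALLOWED_COUNTRIES, 2,
         f"unexpected country {req.context.country}"),
        (not 6 <= req.context.hour_utc < 22, 1, "outside working hours"),
        (req.sensitivity == "high", 1, "high-sensitivity data"),
    ]
    for triggered, weight, reason in signals:
        if triggered:
            risk += weight
            reasons.append(reason)
    reasons.append(f"risk score {risk}")

    if risk >= RISK_DENY_THRESHOLD:
        return Decision.DENY, reasons
    if risk > 0 and not req.user.mfa_satisfied:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons
```

The order of the checks is deliberate: the cheap identity and app checks run before any device posture lookup, and the contextual signals are scored rather than hard-failed so that a compliant device on public wifi is asked for a second factor instead of being cut off. The reasons list is what you ship to the SIEM; a decision without its reasons is useless to the analyst who has to explain why a vice-president was denied on a Sunday night.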
We can check the framework for completeness against the top ten mobile security risks the Open Web Application Security Project (OWASP) community has identified in its Mobile Top 10. Security enforcement points on the device, at the network and in the mobile app are all required to provide a layered approach to combating those risks; no single enforcement point covers the full list. This framework promotes a holistic view of mobile security without which an enterprise leaves itself vulnerable. I welcome you to comment and/or connect with me on twitter (@dheap) to continue this discussion and provide me with your feedback.
To learn more about how IBM is addressing mobile security concerns, visit http://www.ibm.com/security/mobile/. Get the full story on the IBM Security announcement made today.