Other than the impacts on operational costs, the 105 participants in Sand Hill Group’s Q4 2011 study, “Leaders in Mobility Strategies: Tug of War Between Business Risk and Value,” ranked security and privacy issues as the primary focus areas in developing their strategy for transitioning to a mobile environment.
Mobile security vulnerabilities
Mobile security involves several layers:
- Device operating system
- Extended cyber-enterprise (secure access to third-party apps such as Salesforce.com)
- App store
When we conducted the survey and in-depth telephone interviews late in 2011 for our “Leaders in Mobility Strategies” report, we found that 49 percent of the respondents had not yet developed a formal security policy on mobile devices and technologies — even though most of them were already on the mobility path and had adopted a bring-your-own-device (BYOD) model.
As illustrated in the diagram below, mobile devices have unique security vulnerabilities that do not exist in other enterprise communication end points such as desktops or laptops.
[Diagram: unique security vulnerabilities of mobile devices; image not reproduced here. © 2011 Sand Hill Group. All rights reserved.]
Another mobile security risk is that security patch and update management is immature in the mobile space. Consumers — employees — are not yet in the practice of updating security patches regularly. In addition, mobile operators or manufacturers lack the same automated security update/patch management as Microsoft or Apple have on PCs and Macs.
Current state of security
Security for a mobile environment today is much like the early days of laptops. There is a sea of emerging mobile security solutions from both startups and more established software companies; we’ve published articles about several of these solutions on SandHill.com in the past few months. Organizations are trying to sort through the hype and figure out which products to use.
As companies learned over the years with laptops and desktops, a good mobile security strategy should be comprised of multiple solutions to provide in-depth security for the mobile device.
Secure access to applications
The security and management strategy around supporting a BYOD policy includes an access-only approach to applications. This tactic prevents employees from downloading and storing any information on their mobile devices.
In addition, most of the CIOs we interviewed said their companies were looking at ways to separate corporate and personal data in “container” structures on the devices. There are now several software companies with products enabling containment.
Virtual desktop. Another method of containment is virtualization. This strategy eliminates the need for a BYOD policy and reduces device support costs while maintaining security and control over access to corporate applications and data. Now that software vendors such as VMware, Citrix and others are making virtual desktops more secure and robust, more organizations are adopting this strategy.
Using this strategy, a desktop in an employee’s home becomes the means of mobility. The employee accesses corporate applications virtually, and the company maintains control over the applications’ security. When the desktop shuts down, the connection to the applications is discontinued and no corporate data remains on the desktop.
“Smartphones and tablets are not yet powerful enough to handle this like desktops, but they will get there,” stated a CIO we interviewed in the study. “I believe the adoption of the virtual desktop strategy will rapidly increase as this technology and wireless technologies mature.”
However, a virtual desktop strategy has drawbacks even if mobile devices become powerful enough to handle it. It assumes continuous online availability, which is not assured in many locations, even in major metropolitan cities like New York City.
Social media sites
Allowing employees to access social media sites such as Facebook and Twitter from the company network is also a security risk. The challenge when employees go from an enterprise environment/network to another Internet site is that the company’s policies get shifted to the security vulnerabilities and lowest-common-denominator approach used by those sites.
Organizations need to make sure their company’s code of conduct for employee behavior covers policies regarding accessing social media networks and websites through the enterprise mobile environment/network. Requiring employees to sign a code of conduct when hired is a common practice at many organizations. The HR department should extend the code of conduct to include policies on social media access through the enterprise mobile environment and network.
Small and midsize businesses
Respondents in our study on Leaders in Mobility Strategies observed that small or midsize enterprises often do not fully consider, or are not aware of, how to deal with security issues on mobile devices. A highly effective strategy for small and midsize businesses implementing a mobile security strategy is to use cloud-based solutions from service providers rather than trying to give the IT staff the expertise needed to implement and support security in a mobile environment.
The amount of data and access to the data is not as complex an issue in a small or midsize business as it is for large enterprises. With lower complexity, using a cloud services provider will provide ample mobile security. This strategy will also achieve a huge cost savings.
Tackling privacy issues
Enterprises must ensure they comply with privacy regulations around mobile devices. The growing adoption of mobility in businesses is raising privacy concerns and debates. Even privacy advocates realize that privacy itself is not necessarily something that can be driven just by laws; however, enterprises must protect the use of employees’ collected private data and information.
The laws around privacy are very confusing to employees. Often they simply click through disclosure agreements without understanding what they are doing, and thus inadvertently allow their personal data to be used in ways that they may not want. An executive in our study observed that Google could make a big improvement in Android by ensuring that installed applications are “much more verbose on what information is being collected and how that information is being used by that mobile device. The privacy and security information should be much more in depth for the end user of the device.”
Another privacy issue arises because of location-awareness technologies used in mobile devices. At any given moment the carrier and many applications know, with pretty good accuracy, where a user is. On the enterprise mobile device, this could result in inadvertent disclosure of personal or corporate information to public sources.
U.S. healthcare regulations. The healthcare industry is another area of concern regarding mobile devices. Physicians like the tablet devices. But U.S. healthcare regulations around patient privacy mandate that patient data cannot be downloaded to the devices.
European privacy regulations. Privacy laws vary from country to country; global enterprises must keep this issue in mind when managing data in a mobile environment. In European countries, for example, the laws prohibit commingling employees’ private data (including contact lists). Enterprises also need to understand how these regulations affect back-up storage by third-party providers and by default in some device operating systems.
Device-monitoring agents. In securing a mobile environment, executives understand that they need to centrally manage the end point — the device. This often involves installing an agent on the mobile device in order to control the user activity. This touches on privacy regulations because these agents can also monitor and report what a mobile user is doing or report the user’s location.
Some companies choose not to use location capabilities in monitoring devices, due to privacy concerns raised by employees. Instead, they use monitoring tools for “typical usage.” The tools collect data such as use of a mouse, typing speed, and other characteristics. When someone other than the employee does something that differs from those characteristics, the company knows immediately that it is not the employee.
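The “typical usage” approach above is a behavioral baseline: enroll the employee’s normal measurements, then flag a session whose characteristics fall far outside that baseline. The following Go program is an added example written for this article, not a product described in the study or code from Sand Hill Group; the characteristic names (typing_kpm, mouse_px_s), the enrolment samples and the three-standard-deviation threshold are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
)

// Baseline summarises a user's enrolment samples for one behavioural
// characteristic (for example typing speed in keys per minute).
type Baseline struct {
	Mean   float64
	StdDev float64 // sample standard deviation
	N      int
}

var ErrTooFewSamples = errors.New("need at least two enrolment samples")

// BuildBaseline computes the mean and sample standard deviation of the
// enrolment samples; a single sample gives no notion of "typical" spread.
func BuildBaseline(samples []float64) (Baseline, error) {
	n := len(samples)
	if n < 2 {
		return Baseline{}, ErrTooFewSamples
	}
	var sum float64
	for _, s := range samples {
		sum += s
	}
	mean := sum / float64(n)
	var sq float64
	for _, s := range samples {
		d := s - mean
		sq += d * d
	}
	return Baseline{Mean: mean, StdDev: math.Sqrt(sq / float64(n-1)), N: n}, nil
}

// ZScore reports how many standard deviations x lies from the enrolled mean.
// A baseline with zero spread treats any deviation as infinitely unusual,
// so an over-regular enrolment does not silently disable detection.
func (b Baseline) ZScore(x float64) float64 {
	if b.StdDev == 0 {
		if x == b.Mean {
			return 0
		}
		return math.Inf(1)
	}
	return math.Abs(x-b.Mean) / b.StdDev
}

// Profile holds one baseline per monitored characteristic.
type Profile map[string]Baseline

// Deviations returns, in sorted order, the characteristics of an observed
// session that lie more than threshold standard deviations from the user's
// enrolled behaviour. Characteristics missing from the session are skipped.
func (p Profile) Deviations(session map[string]float64, threshold float64) []string {
	var out []string
	for name, b := range p {
		if x, ok := session[name]; ok && b.ZScore(x) > threshold {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed enrolment data for one employee (hypothetical values).
	typing, _ := BuildBaseline([]float64{58, 62, 60, 61, 59, 63, 60, 58, 62, 61})
	mouse, _ := BuildBaseline([]float64{300, 320, 310, 290, 305})
	profile := Profile{"typing_kpm": typing, "mouse_px_s": mouse}

	// A session with typing far faster than the enrolled user's habit.
	suspect := map[string]float64{"typing_kpm": 95, "mouse_px_s": 310}
	fmt.Println("deviating characteristics:", profile.Deviations(suspect, 3))
}
```

Three standard deviations is a common starting threshold; in practice it is tuned per characteristic against the false-alarm rate the organization will tolerate, and a flagged session is a prompt for re-authentication rather than proof of an impostor.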
10 best practices for transitioning to a secure mobile environment
Our study revealed many lessons that respondents learned when first transitioning to a mobile environment. The following 10 best practices will help your company avoid missteps and pitfalls around security and privacy when moving to a mobile environment.
- Understand what your external security threats may be, including how mobile devices come into your organization and what they are doing.
- Develop mobile apps that have security in mind from the inception.
- Piggyback on your existing Web security mechanisms to provide mobile authorization and authentication security.
- Provide an additional layer of interaction to access back-end enterprise servers.
- Encrypt all corporate data on the device and make it accessible only via two-factor authentication.
- Encrypt all communications between the device and the back-end corporate systems or cloud servers.
- If using a containment approach to segment the corporate data on a personal device, encrypt the application data container.
- Ensure strong encryption algorithms and adequate key lengths.
- Don’t overlook the privacy considerations. Carriers and apps at any given moment have location awareness of users that inadvertently can result in disclosure of information to public sources.
- Involve attorneys in drawing up the corporate mobile policies as there are privacy regulations to take into account. However, it is important not to become too legalistic. It will take a while for the legal system to catch up to the realities of the quickly evolving mobile environment. The best approach at this time is to seek a good understanding of the parameters of what could happen in various situations and determine which risks are unacceptable.
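The practices on encrypting the application data container and on using strong algorithms with adequate key lengths come together in the Go program below. It is an added example written for this article, not code from Sand Hill Group or from any container product mentioned; the choice of AES-256-GCM, the 256-bit key requirement, the record labels and the sample record are the example’s own assumptions. It seals each container record with authenticated encryption, binds the record’s label so a sealed record cannot be moved to another slot, and refuses keys of the wrong length.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBytes is the key length this example insists on: 32 bytes selects
// AES-256. The figure is the example's choice, not a value from the article.
const KeyBytes = 32

var (
	ErrBadKeyLength       = errors.New("container key must be exactly 256 bits")
	ErrCiphertextTooShort = errors.New("sealed record shorter than a nonce")
)

// NewContainerKey draws a fresh 256-bit key from the OS random source.
func NewContainerKey() ([]byte, error) {
	key := make([]byte, KeyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD enforces the key-length policy before building AES-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyBytes {
		return nil, ErrBadKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record of the corporate data container.
// Output layout: nonce || ciphertext || tag. The record label is bound as
// additional authenticated data, so the tag check fails if a sealed record
// is presented under a different label.
func SealRecord(key []byte, label string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag
// or label makes the GCM tag check fail and the record is rejected.
func OpenRecord(key []byte, label string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, ErrCiphertextTooShort
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(label))
}

func main() {
	key, err := NewContainerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for data held in the app container.
	sealed, err := SealRecord(key, "crm/contacts", []byte("Jane Doe, +1-555-0100"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenRecord(key, "crm/contacts", sealed)
	fmt.Printf("recovered %q, err=%v\n", plain, err)
	_, err = OpenRecord(key, "crm/notes", sealed) // same bytes, wrong label
	fmt.Println("label swap rejected:", err != nil)
	_, err = SealRecord(make([]byte, 16), "crm/contacts", []byte("x")) // 128-bit key refused
	fmt.Println("short key rejected:", errors.Is(err, ErrBadKeyLength))
}
```

On a real device the container key would not live in memory as shown here; it would be wrapped by the platform key store and released only after the user authenticates, which is where the two-factor practice above attaches to the encryption practice.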
For other articles in the series on findings in the Sand Hill study, see “Hidden Cost Factors and Total Cost of Ownership for Enterprise Mobility,” “The What, Who and How of Enterprise Mobility Adoption,” “Five Trends in Enterprise Mobility for 2012 and Beyond,” and “CIOs Reveal Risks and Strategies in Enterprise Mobile Solutions.”
M.R. Rangaswami is co-founder of Sand Hill Group and the publisher of SandHill.com.