We often make things harder than they have to be by securing everything, when some things just aren’t as important as others. Often, the steps we take to secure our mobile devices provide no management or security benefit. They’re simply “security theater,” measures intended to provide the feeling of improved security while doing little or nothing to actually secure anything, like some of our favorite airport “security” practices.
Last week I spoke with a company rolling out an MDM product as THE mobile security solution. The company was concerned about the security of mobile apps, data and access back to their network. They decided to roll out an MDM solution because it “secured the device,” which really means it allowed them to set a passcode on the device. However, it fails to address their actual security needs. The MDM, or EMM as it has been reclassified, does not provide any security capabilities that align with their concerns, including app tampering prevention, data encryption, access control or authentication.
Not only does this implementation miss their requirements, it also comes with huge overhead for IT. The EMM solution requires managing the device, which adds work to IT’s already full plate. The team has to ensure it can manage various versions of iOS, Android and more. They also have to troubleshoot how policies are applied across different device operating systems, versions and even different device models. The ROI on their mobile security investment quickly erodes, as the time spent addressing device OS and version issues diverts resources from addressing the original security concerns. Additionally, their choice results in a loss of privacy for their users, especially BYOD users, which is at odds with the increasing pressure from regulators and global laws to protect user privacy.
This story is very common. I’ve traveled to over a dozen cities for IT and security round tables in the past year and have spoken with more than 200 people about their security strategies. Every person I’ve talked to had some variation of their own “security theater,” and stressed the need for a change because their existing strategy and execution weren’t working.
Mobile is one of those rare areas that has moved so quickly that we in the enterprise can’t keep up even if we’re at the bleeding edge. Technologies are being released and consumed by our users at such a rapid pace that our previous strategies just don’t apply any longer. EMM products are configuration tools; they have a purpose, but security is not one of them. Thinking about mobile security is much like thinking about security in other parts of our enterprise. We care about “the noun,” the thing of value, and in most cases the thing of value is the data. So we must focus on monitoring, logging and controlling the data as closely as possible; this is what we do everywhere else in the organization, and mobile shouldn’t be the exception.
We’re finally at a time where managing and deploying mobile applications and securing and fortifying virtually any mobile app can and must co-exist. We can finally stop worrying about the glass, plastic and circuits and move up the stack to focus on the applications that matter: those that don’t have built-in security controls and prevention capabilities, or that require management and distribution. By applying controls to those applications and enforcing encryption, authentication, secure connections and DLP, we gain visibility into the actions of the users, applications and data.
So here is the easy guide to mobile security:
• Focus on the apps and data to meet your requirements, as the threats to the device are evolving and devices can’t be trusted.
• Apply monitoring and security controls to the apps and data.
• Use a mobile app catalog to distribute both your internal applications and secured versions of third-party applications.
• Monitor apps and data to prevent security vulnerabilities.
• Implement solutions that allow apps to connect without a full device VPN.
This straightforward strategy will reduce time spent attempting to manage various devices and focus teams on ensuring user privacy, applying controls and allowing solutions and processes to scale, while still securing internal and third-party applications.