In this interview, Adam Ely, COO of Bluebox, discusses the most significant mobile security challenges for enterprise security professionals, illustrates how BYOD is shaping the enterprise mobile security landscape, and offers advice for CISOs trying to protect data confidentiality and integrity while working with an increasingly mobile workforce.
What are the most significant mobile security challenges for enterprise security professionals?
Mobile has become a flashpoint between security and IT professionals and lines of business. In the pursuit of increased productivity and convenience, BYOD, and increasingly BYO App, are the new norm, whether security and IT departments admit it or not. While not intentionally malicious, this employee behavior puts the enterprise at risk, particularly for unintentional data loss on mobile devices. IT and security professionals need to determine how best to bridge this divide, crafting policies and applying technologies to appropriately manage risk while enabling the business.
One of the leading considerations for enterprise security professionals within mobile is protecting the data inside 3rd party applications that they did not develop, and controlling what those applications do with the corporate data. It’s crucial to understand and control what the apps are doing with the data, where they are storing the data and where they are sending the data, as well as what individual users have permission to do with that data.
You can’t secure what you can’t see. Thanks to mobile, a lot of corporate data is now outside the four walls of the company. But most companies don’t know how employees are using the data and where the data, particularly sensitive data, is throughout the mobile ecosystem. IT monitors network traffic, servers and desktops and, as a result, they have a pretty good sense of the risk each of these poses. However, unlike the case of a lost backup tape, where IT knows the true extent of the risk or exposure, in the event of a lost phone or tablet, many companies just don’t know what data is actually on the device. As a result, the potential ramifications of lost mobile devices can’t be fully assessed.
Understanding how the individual is using the data on their device is essential to successfully protecting data in the mobile world. There is no substitute for reaching out to peers and communicating with users to determine patterns of use. New mobile data visibility tools are also available to provide ongoing insights into the most current usage patterns, allowing IT to tailor policies and controls to ensure security. Only then will IT be able to give a positive user experience while securing corporate data.
How is BYOD shaping the enterprise mobile security landscape? Some think using a VPN solves most problems, would you agree?
BYOD is changing the mobile security landscape by shifting the control from IT into the user’s hand. Adding a device that IT doesn’t have 100 percent control over to the network exaggerates the problem. BYOD has changed how we look at mobile security much the way that the cloud has changed the way that we look at enterprise network security. BYOD has forced us to find new ways of securing corporate data. Instead of focusing on securing the device, we now have to look at which data needs to be protected while also considering user experience and user productivity. This fundamental change in mobile security shifts us away from limited containers that only fit enterprise needs toward solutions that fit both enterprise and user needs. About 2/3 of companies report putting enterprise needs above the user needs. As a result, users simply ignore security policies and simply choose to “go around” IT.
BYOD has also changed user expectations of privacy, and rightfully so. Since users are now using privately owned devices to benefit the company, we must respect their privacy. The number one concern of users with mobile security rollouts is privacy. Employees are constantly pushing back on MDM implementations due to fear of employers seeing too much about their personal lives. User experience and buy-in are key to a successful BYOD program. If the user doesn’t feel like their information is private, they’ll simply un-enroll.
Using a VPN actually creates an additional set of problems and security concerns. Using a VPN drains the battery on a device and many services, like iMessage, don’t respond well when the VPN connects and disconnects. This creates a bad user experience. Most of all, connecting to a VPN adds the mobile device to the corporate network and introduces a host of additional security concerns.
What advice would you give to a CISO trying to protect data confidentiality and integrity while working with an increasingly mobile workforce using a variety of devices and operating systems?
My advice is to look at mobile security holistically. CISOs should understand that data protection is the top priority and work backward from there. The role of the CISO is to support the organization in doing business securely. Put controls in place that ensure that the right data is protected, applications are secured, and the integrity of the device is maintained. Ensuring security and integrity at all layers – the device, application and data – while simultaneously focusing our protection and time on the actual data protection is key.
Additionally, talk to your users. Find out what tools they need (and want) to use as well as what tools they are already using. A recent study showed that employees were using seven times as many apps for work-related purposes as IT expected. This demonstrates that if you put barriers in place that reduce user productivity, they will go around IT, potentially using insecure applications and creating an even greater risk that IT has no insight into. Being transparent with your users about why IT needs certain controls in place is helpful in gaining user support and compliance. CISOs must act as trendsetters by adapting with technology to produce a positive user experience that gives users flexibility, increases productivity, and provides IT with the insight they need to protect corporate data.
Every year we hear that the next is going to be the one with a serious mobile malware explosion. What’s your take on these predictions?
The numbers have shown an increase in malware from year to year. However, the true inflection point will occur when we see a significant increase in device functionality.
Much like how we saw PCs become more powerful, once these mobile device platforms open up more, we will see mobile malware becoming a bigger threat. This is why it is crucial for CISOs to remain one step ahead of the curve. If we keep evolving with technology, we will be able to better prevent mobile threats to corporate data in the future.
Additionally, as researchers continue to find new ways to exploit mobile devices, we will continue to see an increased risk of malware in the mobile ecosystem. In the lead-up to Black Hat next month we are sure to see many examples of this.