A truly mobile enterprise is better placed to take advantage of modern business opportunities. That’s why almost any CIO you meet today is working on making productivity on the go a reality by running everything the business uses, including email, documents, CRM and BI apps, on mobile devices. Yet, according to nearly every analyst study, security is the primary inhibitor to both enterprise mobility and bring-your-own-device (BYOD) programs. For example, according to MobileIron’s user conference held earlier this year, 73 percent of CIOs say that while mobility is moving forward in all aspects of business, security loopholes, if ignored, will derail mobility within the enterprise.
If you are a CXO or an IT manager looking to address security concerns around your organization’s mobile strategy, give this post a read. We have prepared a 10-point checklist of key techniques that will help you create a secure mobile environment:
- Formulate Strong Authentication Policies: Authentication policies are a must-have in every security policy. The key is to formulate an effective one that enforces a combination of a device PIN lock (a 4-digit code is the bare minimum; a 6-digit or alphanumeric passcode resists guessing far better), an inactivity timeout, so that the user must re-enter the PIN whenever the device has been left unattended for more than a few minutes, and two-factor authentication, which requires a second factor in addition to the password: a one-time code delivered by SMS or generated by an authenticator app, or a biometric such as a fingerprint or voice recognition. Built-in features like Touch ID on the iPhone 6 make the biometric factor easy to deploy. Two caveats: a fingerprint that only unlocks the device is not a second factor for your back-end unless the app itself requires it, and SMS codes can be intercepted or redirected, so prefer app-generated codes where you can.
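Here is a worked example of the second step of two-factor authentication, added to this post rather than taken from any vendor mentioned in it: a back-end verifier for RFC 6238 time-based one-time codes, the mechanism behind authenticator apps and a drop-in alternative to SMS delivery. It is written in Go, assumes a shared secret already enrolled for the user (the RFC’s published test secret is used below, and the sample time is constructed), and shows the two checks that are easy to get wrong: comparing in constant time and refusing to accept a code twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	// Zero-pad so a code such as 005924 keeps its full width.
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// totp derives the counter from Unix time in 30-second steps (RFC 6238).
func totp(secret []byte, t time.Time, digits int) string {
	return hotp(secret, uint64(t.Unix())/30, digits)
}

// Verifier is the per-user state the back-end keeps between login attempts.
type Verifier struct {
	secret      []byte
	digits      int
	skew        int    // accept this many 30 s steps either side of "now" for clock drift
	lastCounter uint64 // highest counter already consumed, so a captured code cannot be replayed
}

// Verify checks a submitted code against the current time window, comparing in
// constant time and never accepting a counter at or below one already used.
func (v *Verifier) Verify(code string, now time.Time) bool {
	code = strings.TrimSpace(code)
	if len(code) != v.digits {
		return false
	}
	if _, err := strconv.ParseUint(code, 10, 64); err != nil {
		return false
	}
	base := now.Unix() / 30
	for d := -v.skew; d <= v.skew; d++ {
		c := base + int64(d)
		if c < 0 || uint64(c) <= v.lastCounter {
			continue
		}
		expected := hotp(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = uint64(c)
			return true
		}
	}
	return false
}

func main() {
	// The shared secret from the RFC 6238 test vectors; a real one is random and per user.
	secret := []byte("12345678901234567890")
	now := time.Unix(1234567890, 0) // constructed "current" time
	code := totp(secret, now, 6)
	v := &Verifier{secret: secret, digits: 6, skew: 1}
	fmt.Println("code:", code, "first use accepted:", v.Verify(code, now),
		"replay accepted:", v.Verify(code, now))
}
```

The skew of one step tolerates a phone clock that is up to 30 seconds off; widen it only with care, because every extra step is another code an attacker who guesses is allowed to match. The lastCounter field is the replay guard and must be persisted per user on the server, not kept in memory on one node.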
- Encrypt Your Data: Did you know that sending data over open Wi-Fi, unencrypted email and exposed mobile printing solutions are among the most serious enterprise security threats? One cannot blame employees, who just want to get the work done, even if that means sending documents containing sensitive data to personal email accounts or using unsecured public Wi-Fi. But this leaves company data at risk.
An end-to-end encryption strategy takes into account all the ways data enters and leaves the company’s network and, most importantly, looks closely at how it is stored within the enterprise. Make the implementation as transparent to users as possible; a step they have to remember is a step they will skip. For example, if an employee’s data is backed up over the internet at the end of the day, encrypt it on the device before it is transmitted: the backup service then only ever handles ciphertext, and the data stays encrypted (with 256-bit AES, for instance) once it is stored. Keep the encryption keys separate from the backups themselves; a key stored alongside the data protects nothing.
Encrypting backup data is straightforward and must be mandatory if you ship enterprise data to an off-site or offshore location. Commercial backup tools like NetBackup include encryption services for this purpose.
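As an added illustration (not code from NetBackup or any product named here), this Go example encrypts a backup blob with AES-256-GCM on the device before it is uploaded, binding it to a label such as the device ID and backup path so that a tampered or re-labelled blob is rejected on restore. The key, the label and the sample CRM export are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In production this key lives in the
// device keystore or a key-management service, never next to the backup.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM before it leaves the device.
// The output is nonce || ciphertext || tag. label (for example the device ID
// and backup path) is authenticated but not encrypted, so a blob cannot be
// silently moved under another device's name.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag after the nonce, so one blob carries everything.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open decrypts a blob produced by Seal, rejecting any modification to the
// ciphertext, tag, nonce or label, and any attempt with the wrong key.
func Open(key, label, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a CRM export a sales rep synced to a phone.
	label := []byte("device-4711/backup/2015-09-01/crm-export.csv")
	export := []byte("customer,contract_value\nACME Corp,120000\n")
	blob, err := Seal(key, label, export)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext for %d bytes of plaintext\n", len(blob), len(export))
	blob[len(blob)-1] ^= 0x01 // one flipped bit in transit or at rest
	_, err = Open(key, label, blob)
	fmt.Println("tampered restore rejected:", err)
}
```

A random 96-bit nonce per blob is fine for the volumes a backup job produces; if you encrypt very large numbers of objects under one key, rotate the key rather than relying on nonce collisions never happening.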
- Manage Application Security: Encrypting data alone is not enough. It is also important to monitor the applications employees use on their devices.
The first step is to keep track of every app installed on employee devices, together with where it came from. For example, if your employees rely heavily on Dropbox for file sharing, make sure it was installed from the official app store or your enterprise app catalogue rather than sideloaded. Manage third-party apps like these centrally: route their traffic through a security gateway that can analyse them at a granular level and restrict what enterprise data they can reach, and make sure the device’s access privileges are completely revoked once a user leaves the organization.
Understand the core needs your employees are trying to meet with these third-party apps. If they rely heavily on productivity tools like Evernote, Wunderlist and OneBox, put in-app data controls in place: control access based on several factors at once, such as device type, user ID, the set of apps installed, time of day and location. Deny by default and allow only the combinations you have approved; this goes a long way towards protecting sensitive corporate data.
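To make the “multiple factors” concrete, here is an added Go example (not from any of the tools above) of a deny-by-default access decision for one data set. The request fields, the policy values, the app identifiers and the data-set name are assumptions for the example; in practice the device and app attributes come from your MDM agent, and the location and time should come from the gateway rather than from the app, which could lie about them.

```go
package main

import (
	"fmt"
	"time"
)

// AccessRequest is what the gateway knows about one call into a corporate data set.
type AccessRequest struct {
	UserID     string
	Groups     []string
	App        string // bundle or package identifier reported by the MDM agent
	AppSource  string // "app-store", "enterprise-catalogue" or "sideloaded"
	DeviceType string // "ios", "android", "other"
	Managed    bool   // enrolled in MDM and passing compliance checks
	Country    string // ISO 3166-1 alpha-2 code, derived by the gateway
	At         time.Time
}

// Policy for one data set. Every list is an allow-list and an empty list
// matches nothing, so anything not explicitly permitted is denied.
type Policy struct {
	Groups      []string
	Apps        []string
	AppSources  []string
	DeviceTypes []string
	RequireMDM  bool
	Countries   []string
	Weekdays    []time.Weekday
	HourStart   int // business hours in UTC, half-open interval [HourStart, HourEnd)
	HourEnd     int
}

func hasString(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

func hasWeekday(set []time.Weekday, d time.Weekday) bool {
	for _, w := range set {
		if w == d {
			return true
		}
	}
	return false
}

// Decide returns whether the request is allowed and, if not, the first rule
// that denied it, so the refusal can be logged and explained to the user.
func (p Policy) Decide(r AccessRequest) (bool, string) {
	inGroup := false
	for _, g := range r.Groups {
		if hasString(p.Groups, g) {
			inGroup = true
			break
		}
	}
	switch {
	case !inGroup:
		return false, "user is not in an allowed group"
	case !hasString(p.Apps, r.App):
		return false, "app is not allowed to access this data set"
	case !hasString(p.AppSources, r.AppSource):
		return false, "app was not installed from an approved source"
	case !hasString(p.DeviceTypes, r.DeviceType):
		return false, "device type is not allowed"
	case p.RequireMDM && !r.Managed:
		return false, "device is not managed or is out of compliance"
	case !hasString(p.Countries, r.Country):
		return false, "access from outside the permitted countries"
	}
	t := r.At.UTC()
	if !hasWeekday(p.Weekdays, t.Weekday()) {
		return false, "outside permitted days"
	}
	if h := t.Hour(); h < p.HourStart || h >= p.HourEnd {
		return false, "outside business hours"
	}
	return true, ""
}

// crmExportPolicy is a constructed policy for a hypothetical "crm-export" data set;
// the app identifiers are placeholders, not real bundle IDs.
var crmExportPolicy = Policy{
	Groups:      []string{"sales"},
	Apps:        []string{"com.example.notes", "com.example.tasks"},
	AppSources:  []string{"app-store", "enterprise-catalogue"},
	DeviceTypes: []string{"ios", "android"},
	RequireMDM:  true,
	Countries:   []string{"GB", "DE", "IN", "US"},
	Weekdays:    []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday},
	HourStart:   7,
	HourEnd:     20,
}

func main() {
	req := AccessRequest{UserID: "asha", Groups: []string{"sales"}, App: "com.example.notes",
		AppSource: "app-store", DeviceType: "ios", Managed: true, Country: "GB",
		At: time.Date(2015, time.September, 1, 10, 0, 0, 0, time.UTC)}
	fmt.Println(crmExportPolicy.Decide(req))
	req.AppSource = "sideloaded" // same user, same app, but not from an approved store
	fmt.Println(crmExportPolicy.Decide(req))
}
```

The order of the checks matters for what you log: cheap identity and device checks run first, and the reason string names exactly one failed rule, which is enough for the help desk without telling a probing user which other rules they already pass.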
- Handle Mobile Back-end Security with Care: If you are involved with the team developing the app for your enterprise, address security and access control early on; the more integrated the precautions, the better. Begin by taking the heavy lifting off the device and moving it to the back-end. The app’s client (the on-device code) should have very little decision-making power, because anything it decides can be inspected and altered by whoever holds the device. You can then focus on securing the mobile app by controlling what the back-end accepts from and returns to the application.
At a minimum, secure your back-end with TLS (still widely called SSL) and serve every user authentication (login) form and action over https. But in today’s complex mobile network environment TLS alone is not the whole story. A smartphone remembers most Wi-Fi networks it has joined and rejoins them automatically by name, so a rogue hotspot impersonating a known network can place itself between the device and your servers and act as a TLS proxy (a man-in-the-middle attack). That succeeds against any app that does not properly validate the server certificate; validating the chain and additionally pinning your server’s certificate or public key in the app closes the gap. Beyond that, ensure only legitimate users gain access to the back-end of the application. Enforce strong access controls with an API gateway service like Apigee, Mashery or Layer7, and define explicitly which parts of the app users can reach without logging in with a user account; everything else requires a valid session or token.
- Avoid Caching your Data: Your mobile app’s data can be stored in a variety of ways: as log or debug files, as property lists or in SQLite databases, among others. From a security point of view, the best way to avoid a data breach is not to cache sensitive data in plaintext on the device at all.
You can configure your iOS and Android apps not to cache web traffic, especially https traffic. On iOS, implement the NSURLConnection delegate method connection:willCacheResponse: and return nil instead of the proposed cached response, so nothing is written to the URL cache. If you are running a web app, turn off auto-complete on sensitive form fields and have the server send Cache-Control: no-store on responses carrying sensitive data; that prevents unintentional caching by the browser too.
You can also compartmentalize your enterprise app on the device so that the data it caches is kept apart from personal data, which lets you wipe enterprise data as and when required. Data caging is a good technique for this; add a password to the data cage for an extra layer of protection. MDM tools from Citrix, MobileIron, Symantec and others can create such security layers for your corporate apps and give you full control over how data is handled on employees’ mobile devices when they access your network.
- Authorize the IT team for an Enterprise Wipe: Simply put, an ‘enterprise wipe’ deletes enterprise-related data on a mobile device while keeping the employee’s personal data intact. It identifies the features and data sets related to corporate use (for example VPN connections, user login data, passwords and data files downloaded within the corporate space) and wipes only those, whereas a full remote wipe deletes all data on the device. MDM tools are your best bet for an extensive enterprise wipe; test the procedure on a real device before you need it, so you know exactly what it leaves behind.
Alternatively, virtualizing your mobile apps ensures no data resides on the device and effectively ‘containerizes’ the corporate apps. Vendors such as VMware, IBM and Novell offer application virtualization, and well-known tools include VMware ThinApp, Microsoft App-V, Citrix XenApp and Symantec Workspace Virtualization. However, enterprises are not fans of this technique, as creating that extra layer to maintain separation on mobile devices is a lot of work and has led to performance issues in several cases.
- Train your employees: Most employees do not willingly cause security breaches or put the organization’s data at stake. Yet, according to research by the Ponemon Institute, it costs $137 to resolve each record compromised through human error or negligence. This reflects a lack of knowledge among users about device security measures and existing policies; the best tools are ineffective when not used correctly. Conduct regular training sessions on the subject and educate both your employees AND your app developers about the mobile security policies in place.
- Maintain a comprehensive employee and contractor directory: Keep close track of your users and the access rights granted to them on their mobile devices, and tie offboarding to the directory so that disabling an account revokes mobile access at the same time. One widely used tool for this purpose is Azure Active Directory, which provides a range of identity and access management services to help enterprises become more secure and more productive.
- Reimburse Your Users Efficiently: Reimbursing enterprise mobile users is probably one of the most underrated techniques in enterprise mobility. Many companies have yet to formulate a clear and effective reimbursement policy for employees on the go. Why discuss this in a post on enterprise security? Because financial incentives are strong motivators for policy compliance. It is hard to say no to a company that offers to cover all, or at least some, of the costs involved in keeping a mobile device up to date with the latest antivirus software, firmware and other security technologies.
- De-risk Third-Party Collaboration: Collaboration and file sharing have worked out well for the enterprise and have enjoyed quick user adoption. But when employees use consumer-grade, uncontrolled file-sharing services like Dropbox and Google Drive to share sensitive data, things can go bad quickly. There is not much you can do to stop this completely, but providing enterprise-wide solutions controlled by the IT team can reduce the damage and help ensure data security. For example, if you are a globally distributed organization, recommend that your users share content over Box, a third-party collaboration app that can now be managed securely through VMware’s AirWatch. Third-party apps are also a good reason to take a close look at enterprise risk management in the form of third-party management and service level agreements (SLAs).
Given the increasing concern among CIOs about mobility threats, several enterprise mobility management (EMM) products have also come onto the market. Notable EMM suites come from top names in the industry, including Dell, AirWatch and McAfee.
What are your thoughts on security challenges of enterprise mobility? Have you tried any of the software or techniques mentioned in this post to combat them? Do let us know in the comments section below. Help us take this conversation further on Twitter.