In February 2012, the TechTalk blog highlighted the growing threat to business data security coming from the Bring Your Own Device (BYOD) trend, and the increasing problem of corporate data being downloaded and saved to employee-owned mobile devices. This is a significant problem for many businesses, and one they must address as a matter of urgency. The rising profile of this issue was emphasised at the Mobile World Congress held in Barcelona in March, and at the 2012 RSA conference, where mobile data security and mobile device management was one of the, if not the, key topic.
The trend towards BYOD is irreversible, and the risks are clear
As businesses (in particular, IT departments) come to terms with the exponential growth of BYOD there has been a widespread acceptance that there’s no going back; employee-owned mobile devices are in the workplace to stay.
The dangers of unmanaged devices accessing and saving corporate data should not be underestimated. There’s now widespread knowledge that mobile devices contain interesting, sensitive, and potentially valuable information, and they have become a target for those looking to exploit the value of this information. A recent experiment conducted by the security technology company Symantec [1], who deliberately ‘lost’ 50 mobile phones across a number of major cities in the US and Canada, demonstrated clearly the risks to businesses if data-rich devices are lost or stolen.
The results of the survey give unequivocal proof of the need to secure all devices used by employees to access and store corporate data. The mobile phones containing potentially interesting but ‘fake’ data were left in restaurants, elevators, convenience stores, and student unions, and monitored by Symantec to track location and usage. Despite the fact that the mobile phones were easy to return (the only contact listed in the address book was ‘Me’ which could be used to contact a Symantec researcher directly), of the people who found one:
- 90 percent looked through files and applications
- 80 percent looked at the corporate data on the phone
- 64 percent accessed social networks
- 47 percent accessed cloud-based docs
- 45 percent located salary info
- 43 percent visited online banking
Half of the phones were eventually returned. However, even the majority of those returning them had already accessed sensitive info.
So how do businesses manage and secure their data on an increasing variety of devices that are almost impossible to track?
Mobile-data security vendors are working rapidly to address this challenge. With the mobility market is expected to become a $1.2 trillion marketplace by 2020 [2], securing those hundreds of billions of mobile devices promises to be a lucrative business. However, finding a solution is far from straightforward with the continuing proliferation of mobile devices something of a moving target. An effective solution currently must have the capability to secure data on employee-owned mobile phones alongside those that are company provided, incorporating multiple operating systems. It also needs to secure company- and employee-owned tablets and, in the case of employee-owned devices, allow the identification and separation of business data from personal data to facilitate management of the former. Finally, flexibility to adapt as new devices come to market is critical. Unsurprisingly, there isn’t one solution available today that’s widely accepted to solve all these issues, but the options are numerous and growing.
What are the current key solutions?
Mobile Device Management (MDM) - businesses are increasingly turning to MDM to manage their devices. MDM software secures, monitors, manages and supports the mobile devices deployed by a business. These include company-provided and employee-owned mobile phones and (in some cases) tablets. Key features of MDM software is the ability to implement security policies, track the location of a phone, wipe data remotely, monitor usage and compliance, and separate business and personal data (and selectively wipe).
However, whilst MDM is undoubtedly an effective way of managing and securing mobile devices, some would argue it doesn’t go far enough, placing a lot of emphasis on a company’s IT team to ensure that all devices being used to access company data are managed. This can be a drain on time and resources if a range of devices are being used. Companies also have to design policies that will be acceptable to employees, avoiding interfering their personal user experience; otherwise, there continues to be a risk of unauthorised employee-owned mobile devices being used.
Mobile Application Management (MAM) – is being advocated by some as a more effective alternative to MDM. MAM enables businesses to manage specific applications and data without having to worry about the entire device or an employee’s personal data. This a policy that is more likely to appeal to users of personally-owned devices, who may not feel comfortable with their employers having the ability to monitor device usage.
MAM allows businesses to secure company apps, applying policies to specific applications and the data contained within them. For example, the IT team can disable copying, pasting, or forwarding of data from an app, or add additional security layers (such as passwords). Company-compliant versions of apps are placed in a custom-company app store for download. However, this is still not a water-tight solution as it remains possible for users to disregard company policy by downloading unmodified apps. As such, MAM continues to place faith in the employee to respect company data and, as seen in the previous blog, not all employees can be relied upon to respect the sanctity of corporate data. Indeed, it is hard to envisage employers being happy with ‘good faith’ policies in the long-term.
Cloud services – there’s no doubt that cloud services have a key role to play in enabling employee mobility; they have the potential to allow employees to work as if in the office, in any location, and on any device. Usage of cloud services is increasing, and solutions such as Microsoft Office 365 or Google Apps are well known and widely used to facilitate mobility. For this reason, many people (myself included) expect the critical mobile-data security-management solutions of the future to be based in the cloud. There will, of course, need to be developments; currently not everyone is convinced of the security of these services. Examples of data theft (by Wiki leaks among others) have highlighted vulnerability to hackers. In addition, a trend towards using personal cloud-file sharing and synchronisation accounts (for example Dropbox) has been known to leave a company at risk to unauthorised access or corporate data being held by ex-employees. Even so, if used properly, cloud services have the sought-after ability to store data in a secure environment and allow it to remain on servers accessible by mobile devices; that is, rather than being downloaded to, or saved on, the device, thereby removing a key area of vulnerability for businesses.
By effectively solving the two biggest security-related issues, mobility and security, cloud services have a strong case for forming the basis of future corporate mobile data security. By using cloud services to containerize data, and combining this with a cloud-based MDM or MAM capable of implementing data security and management policies, many of the major mobile security hotspots are negated. As a result, mobile data security vendors are currently working hard to produce solutions that secure data in the cloud. In addition to this, some companies are considering the development of their own ‘private cloud’ in which to secure and manage data being accessed by mobile devices.
There are also other options currently being offered or developed by mobile data security vendors, mobility solution providers, and the value-added resellers who provide solutions in partnership with them. It was recently rumoured the US government was trialling prototype LG phones which have two separate operating systems [3], these dual systems allow the user to run business data on one OS and keep personal use to the other.
As the market evolves, we await for the next ‘gold standard’ solution
For many years, the BlackBerry Enterprise Server was accepted as the gold standard for mobile-device management and data security. However, the market is currently fragmenting as businesses look to solve contemporary issues of diversifying corporate device portfolios, tablet usage, and incorporation of BYOD. The widespread nature and urgency of this issue means that businesses across all markets are seeking the ‘next big thing’. Many are waiting for the optimum option to become clear before updating their tools and policies, and their clarifying their approach to BYOD.
[3] http://midsizeinsider.com/en-us/article/mobile-security-can-business-phones-dou
