Shaping mobile security

Most of us are familiar with the “triangle’ project management model, which highlights the constraints on delivering results in projects. The three corners of the triangle are fast, good and cheap, showing that in any given project, all three attributes cannot be optimized: one will inevitably be compromised to maximize the other two. You can have a good project delivered quickly, but not cheaply, and so on.

It’s traditionally been the same in IT security, especially when it comes to mobility. In this case, the three corners of the triangle are security, mobility and productivity. Usually, organizations have taken one of two approaches: either enabled mobility to boost productivity, with security inevitably being compromised; or they’ve tried to deliver more effective security for mobile fleets, compromising productivity.

Recent research shows that a majority of organizations have used the first approach, with mobility racing ahead of security. We surveyed over 700 IT professionals worldwide about mobility and mobile device usage in their organizations, and 72% said the number of personal mobile devices connecting to their organizations’ networks had more than doubled in the past two years. 82% expected mobile security incidents to grow over the next 12 months, with higher costs of remediation.

And while 56% said they have to try and manage business data such as email, contact information, corporate calendars and customer data on employees’ own devices, 44% of respondents don’t currently attempt to manage business data on personal devices at all.

An issue that’s getting out of hand
It’s this last point that is significant – nearly half of organisations don’t manage or secure employees’ own devices. So it’s no wonder that for most companies, their approach to mobile security is so skewed out of shape.

Why have security strategies to protect data and assets on mobile devices fallen behind? Part of the reason is because IT teams don’t have endless time and resources to invest in securing mobility. They have to prioritise – and the influx of employee devices is racing ahead of the resources available to manage them.

Those organisations may be relying on employees being security-conscious in processing corporate data on their personal devices – and many employees will demonstrate that responsibility. However, employees are typically focused on working more efficiently and getting their jobs done, not on whether their actions might create a security risk. Most of the time, nothing happens despite the risk. But accidental losses will still occur. In our survey, 87% of IT professionals said they felt that careless employees posed a greater security risk to their organisations than cybercriminals.

Multiple devices, multiple problems
So how should organisations approach protecting their sensitive data against the risks of loss or theft from both corporate and personal devices? One of the key issues is that mobile security is not a single problem, but a mix of challenges from securing remote access, to securing data on devices, to securing documents that need to be shared. There’s also the challenge of making users aware of the organisations’ data security policies and of the possible consequences from data losses, through education.

Various disparate solutions attempt to address mobility and security, but none provides a complete solution. Enterprise mobile management (EMM) solutions manage device configurations, but do not secure business data and documents in uncontrolled environments. Similarly, mobile solutions that are focused on a specific sub-segment of security are not integrated with the organisation’s corporate security policy or infrastructure.

None offers a simple, integrated approach that secures mobile devices from threats, and secures data and documents on devices in line with corporate policies – making it easy to apply security, while still empowering staff with simple, secure mobile working.

Three cornerstones of security, mobility and productivity
What’s needed to enable this is an integrated approach that addresses the three main mobility problems. These are:

• Extending protection against threats to any device, wherever it’s being used
• Being able to set up a secure workspace on any device, to protect business data
• To protect business documents anywhere inside or outside the business, on any device.

The first problem occurs when a device becomes infected by malware when used outside the corporate perimeter. This makes the data stored on the device vulnerable, and when the infected device is used again, the threat can spread to the corporate network. An effective solution to this issue is to deliver security to devices as a cloud-based service, using an encrypted VPN tunnel.

This prevents suspicious file downloads, block malicious websites, and stop bots before they can cause damage, protecting users, networks and business data from threats inside and outside the company network. It also enables corporate security policies to be extended to all devices, for easier management.

The second issue is enabling secure use of personal devices while protecting and managing business data on those devices. The solution in this case is to create a secure business environment on the device which segregates business and personal information and applications, while protecting both. This lets users access corporate email, documents, and assets from within a secure, encrypted application workspace on the device that is separated from personal data.

The third mobile security problem is protecting business documents everywhere they go, both inside and outside the network. Here, the ideal solution is to secure the document itself, to ensure only authorised users can open and read frequently-used document types such as Word, Excel, PowerPoint and Acrobat. Security should be established when the document is first created, and travel with it, so that corporate security guidelines are always enforced, with full logging and auditing of who accessed the document.

Taking a device-agnostic approach to security, and focusing more on managing and protecting the use of business data greatly simplifies mobility challenges. Locking down devices too tightly can interfere with employees’ application user experience and their privacy, which in turn can lead to them trying to work around the organisation’s policies. Also, the type of device being used to access and process the information does not matter as long as the data and session are secured, and the person using the data has the appropriate rights to do so.

With this approach, organisations can ensure their security project triangles have the right balance and shape: they can enable true enterprise mobility and productivity anywhere, without compromising security.