Mobile security strategy

Mobility is transforming the way enterprises conduct their business, it's up to IT to create a good mobile security strategy. With so many solutions and technology available, how does IT make sure it covers all scenarios business require, how does IT ensure it implements a non-intrusive solution on private devices, how does IT ensure compliance, and most importantly how does IT protect confidential information under all these constraints... How does IT lead?

"Many organisations struggle to find suitable solutions in their mobile security strategy for remote PCs and Laptops used by both staff and external contractors/consultants who require access to information hosted in the corporate network, but is IT being forced to use technology that is not entirely best suited and causing conflict with users," says Sean Glansbeek, Managing Director of Seven Days Technologies.

Let's look at some of the technologies available:

MDM - mobile device management predominately secure ports, applications, hardware and has the ability to view and report on the devices' full usage and data residing on the device. Some more advanced MDM solutions can track devices, remotely control devices as well as automatically reconfigure the device based on its location.

Containerisation - secure application/container holding only company information (e-mail and PIM, File Shares, Intranet and HTML5 applications such as SharePoint and SAP) and completely separate from private applications and data. True containerisation does not require any MDM features or solutions.

VPNs - virtual private networks allow users access to the company network and users work with the same abilities as if they were on the network.

Multi-session - solutions that allow users to run a remote session off a back-end system.

Data collaboration - send and collaborate information to both staff and external users such as consultants, customers and business partners. These solutions come in various forms and are mostly public cloud based.

"Many companies are implementing MDM solutions for BYOD (privately owned mobile devices), however, due to their nature in operation this becomes extremely intrusive and users are very uncomfortable with IT having so much control over their private devices. MDM is better suited to company owned devices as then there is no discussion," Says Sean Glansbeek.

Containerisation is a far better offering as this keeps all business data in the container and prevents any data leakage as the data cannot be moved, copied or saved outside of the container. True containerisations solutions also only allow users to edit and view documents inside the container, offer separate e-mail and PIM applications and do not use any of the devices' native applications. Companies can also allow users access to secure Intranets, file shares and HTML5 applications such as SharePoint and SAP, all in one container and without the need for additional VPN solutions. Also very important is if a device needs to be wiped, then only the container is wiped and not the whole device thereby not destroying private information.

MDM is now used for what it was initially built to manage corporate-owned devices and applications; however, some MDM solutions are week in securing the actual data and cannot prevent data leakage as users still use the native e-mail application for business combined with their private e-mails and documents are saved anywhere on the device.

Companies using native custom built business applications would need MDM to secure the application; however, due to the high development and maintenance costs of these applications companies should investigate the HTML 5 alternative due to its flexibility and short development time frames.

"So it makes sense for companies to implement a solution that offers true containerisation for privately owned devices and MDM for corporate-owned devices, this then avoids all conflict and actually offers better information security than just MDM would. Some companies that have implemented MDM are now also adding containerisation as they have realised the shortcomings of MDM," says Glansbeek.

What about BYOPC (bring your own PC)?

This is the next big hurdle, most people working today use a company provided computer which is configured to provide easy access to all required business systems. Traditionally this has been the only way for employees to work as the desktop or laptop needs to be "trusted" in terms of security.

But what happens if you don't have a company laptop and need to work from an "untrusted" device such as a home PC, Internet caf'e etc. Or if you require contractors and partners to access certain IT resources from their own PC?

IT does not feel comfortable offering VPN access to unmanaged and privately owned PCs and laptops for staff and external consultants as this creates significant risk of data leakage and network compromise.

While multi session based solutions such as Citrix or SSL VPN can offer remote access from untrusted devices, securing these mobile and remote users is complex and expensive. Multi session access is traditionally implemented either via IPSec, VPN or access gateways in combination with additional products for two-factor authentication, end-point scanning, network access control and traffic inspection along with a DMZ infrastructure deploying numerous products from multiple vendors.

What if one could conduct "Remote Application Management"? This is where a remote access client runs from within Windows/Mac or USB on an employee's or contractor's personal PC and presents the user with a menu of applications they are allowed to access.

Providing an end-to-end secure connection users can only work remotely on the application, document(s) in a file share, remote desktop or browser based applications such as SharePoint without data leakage. All data stays within the company network and is not downloaded to the user's local PC or USB drive, and in high security requirements one can use a bootable USB stick and force the local hard drive to stop working.

Solutions offered by a company called Excitor give customers a platform to secure information on private or company owned mobile phones and PCs or laptops.

Lastly what happens when you want to distribute files to staff or external parties who do not require data that is available the container and MDM is out of the question. This is where Data Collaboration takes place, but not through public cloud solutions such as Drop Box, but more private cloud based solutions offer where companies have their own cloud and control their own data. These solutions offer browser access, secure containers on mobile phones and tablets as well as file synchronisation to PCs if required. Companies then have the ability to manage their own data, control how data is used and offer a complete end-to-end secure connection. With the new Data Protection Act companies need to understand that if they store or share confidential information in public cloud solutions then they may fail compliance.

Accellion offer secure private cloud data collaboration and file sharing solutions with connections into various enterprise content management (ECM) systems such as SharePoint, Documentum and Windows file shares.

"It goes without saying that if corporates could put a mobile information security plan in place that focusses more on the information and not the device then this will help IT formulate a good security strategy but also get buy in from users," concludes Glansbeek.