Most companies now provide network access and application support for non-PC devices like smartphones and tablets, and many are developing new applications and business processes designed specifically for these devices. Business managers look at iPhones, Android devices, and even Windows phones and see opportunities for revenue growth, cost cutting, and improved communication everywhere.
Okay, so business folks are gaga over mobile, but ask any CISO about mobile computing and you'll probably get a frustrated look in return. Security professionals know that mobile computing means securing thousands of different devices as well as the applications and content that reside on them. These mobile gizmos are often loaded with suspicious software for gaming, social networking, file synchronization/storage, etc. Furthermore, many are owned by employees, not employers, which means the security team needs to walk on eggshells as it protects the confidentiality, integrity, and availability of organizational assets. What a nightmare!
So what are the biggest challenges with mobile computing security? ESG recently published a research report titled The State of Mobile Computing Security, which asked 242 security professionals working at enterprise organizations (i.e., more than 1,000 employees) this very question. They came up with a laundry list:
43% of security professionals say: "Protecting data confidentiality and integrity when sensitive data is accessed by a mobile device over a network."
41% of security professionals say: "Protecting data confidentiality and integrity when sensitive data is stored on a mobile device."
41% of security professionals say: "Enforcing mobile security policies."
36% of security professionals say: "Integrating mobile device security technologies with other enterprise security technologies and processes."
35% of security professionals say: "Educating end users on best practices for mobile computing security."
34% of security professionals say: "Establishing the right workflows and processes between the security team and other IT groups."
34% of security professionals say: "Managing malware and other threats on mobile devices."
34% of security professionals say: "Ensuring that IT staff members have proper training and skills on mobile computing security."
That's a lot of challenges! My take-aways:
Data, data, data. Mobile computing clearly exacerbates problems around data discovery, classification, access, storage, and usage. Large organizations need to start here by locking down their most sensitive data as best they can. This means bolstering privileged account security with vendors like Courion, CyberArk, and Lieberman; locking down the data itself with controls from firms like Vormetric; tightening network access with Bradford, Forescout, and Great Bay Software; and managing online file storage services with tools from Blue Coat, Palo Alto Networks, and the MDM vendors.
Security policies must align with controls. The two most common mistakes here are establishing weak security policies that do almost nothing, or creating more stringent mobile computing security policies that can't be enforced with existing security controls. It's important to assess the capabilities of existing security controls before writing policy, so that neither mistake is made. This assessment will also help identify what's needed to support future security policies.
Mobile computing security must shed its rogue status. Mobile computing teams often act in a very independent manner. This helps with specialization but tends to bypass existing IT efforts. This can't go on, as mobile computing security depends upon coordination with other policies, controls, and oversight. Mobile computing management leaders like Good Technology and MobileIron are already accommodating this need. Others like Citrix (Zenprise), IBM (Fiberlink), and VMware (AirWatch) turned to acquisitions to address and capitalize on this integration requirement. Either way, mobile computing processes and technologies must join the IT (and information security) League of Nations ASAP.
Mobile computing security skills are in short supply. Not a surprise, since almost all cybersecurity skills are in short supply. CISOs should keep this in mind and make sure that they include training, services, and "turnkey" mobile security products in their plans.