Mobile computing presents an opportunity to get things right if CISOs approach it with the right strategy

When I started my career at EMC in 1987, the company ran the business on Prime Computers. I was able to convince my boss that I could improve the quality and efficiency of our group’s business reports with a PC, so the company purchased a Macintosh computer and printer for me to use. This may have made me the first PC user in EMC history, though I can’t be sure.

I’ve had PCs at every job since, but it wasn’t until the mid-to-late 1990s that any of these machines had any security software installed on them. In fact, I think it was the rise of spyware that drove the deployment of security software somewhere around 1999.

I use my personal history to illustrate a point: PC infrastructure, management, and operations were fairly mature before security software became a requirement. Because of this, PC management was never quite aligned with PC security. This remains true today. From an operations perspective, the division between PC management and security makes no sense at all. It adds overhead and complexity. What’s more, neither group is tightly connected with the actual applications used by PC users.

To me, this is an important takeaway that can and should be addressed with mobile computing. In fact, leading organizations are actually aligning mobile security with all other IT activities – software development, infrastructure, device management, etc.

I’ve been talking to a number of CISOs as background for an upcoming research project I’m doing on mobile computing security. Here are three common suggestions I’ve heard to make sure that security is integrated into the mobile computing strategy:

1. Get security people involved early with business process and application planning. While many organizations simply allow BYOD, leading companies go after mobile computing with a business plan in mind. They tend to think about business process automation, cost savings, real-time transactions and analytics, visualization, etc. They also include the security team in these early brainstorming sessions. This provides the CISO with a perspective on the who, what, where, why and how of mobile computing so they can do proper risk assessments and planning.

2. Don’t overlook application development security. Mobile application development is growing at an extraordinary pace. This often means hiring third-party developers with few security development skills. It also may mean using common libraries that receive little security testing or oversight. Proactive CISOs make sure that secure software development best practices and testing are not pushed aside to get mobile apps out the door.

3. Mobile devices are not PCs. Obviously, but when it comes to security, many organizations treat them as such. For example, strong passwords for VPN access or proprietary mobile email clients tend to alienate users who are used to point-and-click simplicity. Somehow CISOs have to align strong security with mobile usability or users will eschew mobile services or circumvent mobile security controls.

There is an important lesson here for vendors as well: do not emulate the PC model for mobile computing! That said, somehow vendors need to marry old world security controls with mobile flexibility and simplicity. This is probably why mobile-focused vendors like Good Technology, MobileIron, and Zenprise have established themselves as MDM and MAM leaders. The market will certainly mature, but mobile computing will continue as a brave new world. Vendors who appreciate this distinction and design their products accordingly have the best chance to succeed.
As the philosopher George Santayana said, “those who ignore history are bound to repeat it.”