I have worked on mobile security strategy for RSA for the last two years now, and during that tenure the market continues to evolve and move at a rapid pace, which no doubt is putting more stress and uncertainty into the minds of security professionals. But, just the other day I saw a graphic in Computerworld that really summed up the entire mobility movement. Take a look:
For those interested in reading the entire article, here it is (but don’t dare click away until you have finished this compelling blog): Poor pre-launch showing plagues Windows 8
What we are seeing with the mobility movement is not just about the next shiny new device, and the worry of that device being left in a cab or a restaurant. We are really seeing a fundamental shift in the way IT is consumed, and subsequently secured, and it’s mostly driven by mobile. The graphic above shows the amount of Windows PCs that currently have Windows 8 installed on it compared to Windows 7 at the similar time in its life (Windows 8 ships October 26th). Now, a difference between a 1.6% share and a 0.33% share may not seem like that much on the surface, but you need to think about the kinds of people that typically deploy early releases of these operating systems.
People upgrading early are not likely to be the consumers of IT services. More often than not, early upgrades are for the development community to build the applications that we all know and love on the next operating system (like how a number of apps were ready for the Retina display when I bought my MacBook pro this summer). Sure, some of this shift between Windows 7 and Windows 8 is due to Apple continuing its dominance in the laptop market and more applications moving to OSX. But a lot of this discrepancy is also due to the mobility movement and the shift of IT consumption to iOS and Android devices rather than traditional PCs.
The new SBIC report, “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices”, highlights these shifts. Consider these quotes:
Roland Cloutier (VP, CSO, ADP) – “Mobile apps have the power to increase organizational agility…No matter where someone is in the world, they can manage their workflow around anything…”
Dr. Martijn Dekker (SVP, CISO, ABN Amro) – “A huge benefit of mobile devices is the user interface…This is simply how people want to interact with IT systems nowadays…”
This shift in how IT is consumed can have a dramatic effect on the security world. It also pushes the importance of mobile beyond just protecting the endpoint from a lost/stolen scenario, and actually makes it an even bigger problem around how you authenticate users and federated identity in a non-Windows, web-based world.
Considering this, there are a number of trends we have come up with around mobility that make it a distinctly different and new security challenge to consider:
BYOD: This is a marketing term, but the fact that devices are either personally owned (or treated as personal devices) has serious implications. First and foremost, enterprises have lost control of the endpoint image, which creates an issue around enforcing agents or installing security patches. Many enterprises are struggling just to get users to install MDM on their devices, let alone deeper agents like anti-virus or malware forensics agents to protect against advanced threats. In addition to the lost endpoint control, BYOD also creates a problem about when and how enterprise policy is applied. Obviously when a device belongs to an individual there is an expectation that enterprise rules are only being applied when working, but this is starting to be the case even when enterprises provide devices for users, especially in phones. For example, EMC purchases our phones for us, but I still treat that device largely as a personal device. It’s my only cell phone (my only phone at all, in fact), and I have a number of personal apps loaded on it. The simple fact that I carry it all day everyday means that a large percentage of the time it will be in use for personal reasons. This forces enterprises to think about applying security policy in only enterprise scenarios, not on the entire device. This is one example where MDMs tend to come up short.
Off Network: Network visibility is a drug to security teams. Its needed more than anything else to understand what users are doing and when they are doing it. That is the reason why so many advanced threat tools today are network-based monitoring tools. Unfortunately, in the mobile world, enterprise networks don’t have to be touched all that often. For phones, just about all of the network connectivity goes across carrier networks, and its only when the phone asks the enterprise for some information that the enterprise can monitor it. As soon as the data gets to the device – you’ve lost visibility from a network perspective (picture a sensitive piece of content being uploaded to Dropbox from a mobile device). The use of cloud services only exacerbates this problem, because then you have disconnected endpoints (that enterprises don’t own) connecting to cloud services (that enterprises don’t own). Nowhere in that interaction does the enterprise network see the traffic. That lack of visibility can be troublesome for security teams.
“Chatty” Interaction Model: This is always a tough trend to explain, and the term “chatty” has been the best way I have been able to describe it. Basically, what it boils down to is the fact that mobile users have very frequent context shifts between work and play. The best way to illustrate this is email and calendar. Just a few years back, if I wanted to check my email at night or see what time my morning meetings were, I needed to boot up my laptop (which likely was a 10 minute process), open my VPN client, usually respond to a two-factor authentication challenge, and then open Outlook. The Blackberry (remember that?) changed all of that. It gave quick access to email and calendar without the need for VPN. That began the blurring of work/play. iPhone and Android brought in more play to these devices, and what we are left with is a consistent flip between work/play throughout the day. You might check email, make a quick response, and then hop onto your Facebook app right after that. That switching does not provide good areas for strong authentication, and blurs the line as to when enterprise security policy should be applied.
Web/Federated Access Model: This one is mostly driven from the “app” economy Apple created and the chipping away of Microsoft’s dominance in the enterprise. More and more cloud services are being used for enterprise purposes (Google Apps, Salesforce, Box, Office 365, etc), and each of them make use of web-based authentication standards. As enterprise app development evolves, more and more things will be developed in the mindset of “mobile first” (see Microsoft graphic above). That will push more traditional enterprise authentication and identity management into a web standards world.
Fighting against these trends isn’t the wisest idea. Apple has shown that consumers have an awful lot of control around enterprise IT policy. But you still need effective ways of delivering security. Fundamentally, you still need to secure data, secure identities, and get threat visibility, but you need to do it while working within these trends and not trying to push the old model on the new.
The SBIC report on mobility that I mentioned earlier gives a great overview of the security options available to enterprises today, including MDM, application containerization, enterprise authentication, and application malware detection. Specifically, the report calls out the need for MDM, but cautions against the over reliance on MDM as a security solution. Consider the quote from Marene N. Allison (Worldwide VP of Information Security, Johnson & Johnson), “…If you talk to security professionals at this point we just settle on MDM. It’s not like we can get all of the features we want yet. MDMs are still too immature.”
The overall mobile management market is maturing beyond just device management into application and data management, which allows for granular policy enforcement and network connectivity into enterprise apps. These management products will ultimately encompass the next generation security infrastructure in mobile, similar to the way VPNs made up the traditional remote access infrastructure. Strong authentication methods, especially those that rely on risk-based methodology, as well as data security and threat forensics will be layered on top of these infrastructure components to create a true mobile security stack that can take much of the mystery out of BYOD.