The mobile market is growing: Budgets are being allocated; devices are being deployed; apps are being developed; and consumer and workplace usage is increasing. IT is being consumed differently and mobility is the centerpiece. Evidence of this can be seen in PC Shipment forecasts. For the first time in 11 years PC shipments are set to decline.
Think about the influences driving this trend. More employees are being armed with mobile devices every day to improve productivity and how they engage both colleagues and customers. Online services are being developed to reach new mobile markets. Cloud file sync and sharing services such as Box or Dropbox are improving how employees and partners do business together driving mobile usage. The extensibility of mobile applications is improving how information is being shared locally on the device and with backend systems. And employers are enabling employees to Bring Your Own Device (BYOD) as part of employee satisfaction and cost-cutting strategies. Businesses are taking full advantage of mobility.
But as mobile devices have evolved, their always-on connectivity, the number of apps deployed for personal and corporate purposes and the new usage models all have resulted in an increased mobile risk profile. We’ve broken down five areas of risk businesses are or should be thinking about when deploying mobile devices and applications. Let’s go through each one.
Losing the mobile device has always been a risk – whether employees are leaving phones in plane seat pockets or taxi cab seats – but the risk of unauthorized access also is increasing. Add to that the sensitivity of data being communicated to or through the device itself. Whether through email, files or apps, sensitive data such as PII, IP, NPI, PHI and PCI can be found on the mobile device and is often unknown to the business. The likelihood of a device getting into the wrong hands and gaining access to sensitive information is a real threat.
The Perimeter is Disappearing
The network perimeter – once a Security professional’s greatest concern – is gone. The increased adoption of cloud services, including software-, infrastructure- and platform-as-a-service, and the collaboration with parties outside an organization has erased the traditional IT perimeter. Sensitive information is persistently sync’d from laptops to the cloud and then to the mobile device putting the business at significant risk. Employees leave, groups dissolve and data is lost. Businesses are challenged with enabling these new productivity service models while mitigating these very evident risks.
There are three real local threat vectors to the mobile device that increases the risk of the mobile platform and its application environments. First, outdated operating systems or trojans in apps like angry birds or fake apps like Pokemon making their way into Apple’s fiercely guarded App Store increase the risk of vulnerable mobile software being downloaded to the mobile platform. Add to that the ability to share information between apps and users’ work modes to quickly accomplish tasks and you have an inside threat of carelessly moving information into exposed areas. Finally, the extensibility of applications that consume information from third party content sources through open APIs along with the threat of directly accessing and exfiltrating data from the app can increase risk.
BYOD and Privacy
News flash: it doesn’t matter if it’s a worker bringing their own device into the workplace or the corporation issuing the device to the employee – the user has a privacy expectation. If the user is accessing GPS capabilities to navigate to a client site or to their kids’ soccer game location there’s an expectation that the information will be held private and won’t be collected and left in the hands of the employer. The same applies to pictures, music, contacts and personal apps. So employers are stuck in the middle. They risk liability of accessing employee information, but still must separately control their corporate data. Security has to shift from controlling the device to controlling the app and information in order to maintain user privacy – whether it’s delivering service to the employee or the consumer.
While mobile provides a unique challenge it is one of many channels of communication and should not be viewed in a security silo. Whether it’s web applications, mobile apps or API services access, policies should be managed centrally. And while data often flows to the mobile device, it doesn’t end at the device. Sensitive information flows through a broad set of systems including message services, laptops, archives and cloud services. In order to reduce the risk and scalability issues that come with decentralized management, organizations should be approaching mobile security comprehensively across all applications and data – not the mobile platform alone.
In order to mitigate of these new mobile risks but continue to realize the business benefits of the platform in the world of BYOD, organizations need to take a balanced approach to security and make Identity the core element to achieving these goals. With proper identity controls, organizations can be more confident in who’s accessing the device and applications, the data their accessing and the data they’re sharing – all in a world where privacy is expected and business cannot be inhibited.
For more information and discussion, join our webcast, Identity is the New Perimeter Part 4: Identity and BYOD, on October 25 at 1 PM ET, where we discuss mobile risks, the challenges for security and identity based solutions that take a balanced approach to mobile risk reduction and business enablement. And for more information on CA solutions, please visit: http://www.ca.com/us/it-security.aspx.