New Risks are Threatening Mobility Gains – Identity is Key to Moving Forward


The mobile market is growing: budgets are being allocated, devices are being deployed, apps are being developed, and consumer and workplace usage is increasing.  IT is being consumed differently, and mobility is the centerpiece.  Evidence of this can be seen in PC shipment forecasts: for the first time in 11 years, PC shipments are set to decline.


Think about the influences driving this trend.  More employees are being armed with mobile devices every day to improve productivity and how they engage both colleagues and customers.  Online services are being developed to reach new mobile markets.  Cloud file sync and sharing services such as Box or Dropbox are improving how employees and partners do business together, driving mobile usage.  The extensibility of mobile applications is improving how information is shared locally on the device and with backend systems.  And employers are letting employees Bring Your Own Device (BYOD) as part of employee-satisfaction and cost-cutting strategies.  Businesses are taking full advantage of mobility.


But as mobile devices have evolved, their always-on connectivity, the number of apps deployed for personal and corporate purposes and the new usage models have all increased the mobile risk profile.  We’ve broken down five areas of risk that businesses are, or should be, thinking about when deploying mobile devices and applications.  Let’s go through each one.


Lost device


Losing a mobile device has always been a risk, whether employees leave phones in plane seat pockets or on taxi cab seats, but the risk of unauthorized access to that device is also increasing.  Add to that the sensitivity of the data stored on or communicated through the device itself.  Whether through email, files or apps, sensitive data such as PII, IP, NPI, PHI and payment card data can be found on the mobile device, often without the business knowing it is there.  A device getting into the wrong hands and being used to reach that sensitive information is a real threat.


The Perimeter is Disappearing


The network perimeter, once a security professional’s greatest concern, is gone. The increased adoption of cloud services, including software-, infrastructure- and platform-as-a-service, and collaboration with parties outside the organization have erased the traditional IT perimeter. Sensitive information is persistently synced from laptops to the cloud and on to the mobile device, putting the business at significant risk.  Employees leave, groups dissolve and data is lost.  Businesses are challenged with enabling these new productivity service models while mitigating these very evident risks.


App Threats


There are three local threat vectors to the mobile device that increase the risk of the mobile platform and its application environments. First, outdated operating systems, trojanized copies of popular apps like Angry Birds, and fake apps posing as Pokémon games making their way into Apple’s fiercely guarded App Store all increase the chance of vulnerable or malicious software being downloaded to the mobile platform.  Second, add the ability to share information between apps, and users’ habit of working in whatever mode gets the task done quickly, and you have an insider threat of carelessly moving information into exposed areas.  Finally, the extensibility of applications that consume information from third-party content sources through open APIs, along with the threat of directly accessing and exfiltrating data from the app, increases risk.


BYOD and Privacy


News flash:  it doesn’t matter whether a worker brings their own device into the workplace or the corporation issues the device to the employee; the user has a privacy expectation.  If the user relies on GPS to navigate to a client site or to their kids’ soccer game, there is an expectation that the information will be held private and won’t be collected and left in the hands of the employer.  The same applies to pictures, music, contacts and personal apps.  So employers are stuck in the middle: they risk liability for accessing employee information, but still must separately control their corporate data.  Security has to shift from controlling the device to controlling the app and the information in order to maintain user privacy, whether the service is delivered to the employee or to the consumer.


Heterogeneous Environments


While mobile presents a unique challenge, it is one of many communication channels and should not be viewed in a security silo.  Whether it’s web applications, mobile apps or API service access, policies should be managed centrally.  And while data often flows to the mobile device, it doesn’t end there.  Sensitive information flows through a broad set of systems, including messaging services, laptops, archives and cloud services.  To reduce the risk and scalability issues that come with decentralized management, organizations should approach mobile security comprehensively across all applications and data, not the mobile platform alone.


To mitigate these new mobile risks while continuing to realize the business benefits of the platform in a BYOD world, organizations need to take a balanced approach to security and make identity the core element of achieving these goals.  With proper identity controls, organizations can be more confident about who is accessing the device and applications, the data they are accessing and the data they are sharing, all in a world where privacy is expected and business cannot be inhibited.


For more information and discussion, join our webcast, Identity is the New Perimeter Part 4: Identity and BYOD, on October 25 at 1 PM ET, where we discuss mobile risks, the challenges for security, and identity-based solutions that take a balanced approach to mobile risk reduction and business enablement.  And for more information on CA solutions, please visit: http://www.ca.com/us/it-security.aspx.

Written by

Tyson Whitten

Tyson Whitten is a CISSP with 10+ years of information security experience managing application, network…

Published in

Security

  • James Holland

    This is great. Hooray for Disney’s imagineers!


  • http://www.rachelmacik.com Rachel Macik

    Love the personal pic :)

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 seconds off a login transaction is big.

  • http://www.linkedin.com/in/michelehudnall Michele Hudnall

    While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again :-) – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point out, security should be baked into the solution.
    https://www.netiq.com/communities/data-center-solutions/accelerating_business_overhauling_service_management/

    Nice Post and Timely!

    @HudnallsHuddle

    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This lets me choose whether I am almost anonymous (with my Hotmail nickname) or official, with an identity from an official organisation. My Identity Provider will attach an identity with the right level of LoA according to the needs of the Service Provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.