Mobility

The key to securing mobile devices

David Donnelly

There’s no denying that large IT enterprises are becoming increasingly mobile. Research indicates that mobile phone sales worldwide rose to 1.5 billion units last year, and according to new data from the Pew Research Center’s Internet and American Life Project, more than half of all mobile phones in the United States are smart phones.

In addition, a recent Gartner report reveals that tablet PC sales are on pace to reach more than 300 million units worldwide by 2015. As for laptops, IDC predicts that sales will reach nearly 400 million units worldwide in the same period. Federal agencies are no exception to this trend. The U.S. government wireless voice and data market will grow to $17 billion by 2018, a 14 percent compound annual growth rate, according to Market Research Media.

However, allowing mobile devices into the enterprise — whether issued by an agency or via the bring-your-own-device (BYOD) movement — poses new security risks. Beyond ensuring that mobile users have adequate security training, agencies must choose where to tackle the mobile world’s underlying security vulnerabilities. Many organizations reflexively focus on the hardware first, fortifying each new device with additional security products. That approach falls short once device ownership, usability and end-to-end protection come into play, because an agency can only lock down and limit what it owns or has the legal means to control.

There has to be a better way to address new mobile devices and the rest of agencies’ endpoints in a centralized, sweeping security program that would adapt to tomorrow’s wave of devices and operating systems. Fortunately, there is a new approach to securing mobile devices and data: It’s called application control.

The apps-first charge

Traditional device-centric ways of framing security are increasingly challenged by the fact that applications gather and hold agencies’ most sensitive information. The reach of those applications, onto devices the agency may neither own nor manage, is the root security issue. Although mobile devices face numerous risks and threats — including loss of the device and malicious code that targets mobile operating systems — unauthorized parties gaining access to data via the device presents the chief and most common danger. Equally harmful is the potential for a user to install an application that introduces prohibited or malicious content into the agency’s network.

Application control mitigates those threats while offering additional benefits, including the ability to tune precise, flexible controls that enforce key policies and risk-tolerance standards while preserving interoperability and productivity across myriad device platforms and partners. Application control applies enterprisewide, even to endpoint systems that predate BYOD but still present vulnerabilities.

Application control means dictating what apps can do and who should have access to them via which devices. You tackle security from the inside out by implementing controls for fixed and mobile users alike according to policies and what is appropriate before discussing what kinds of devices will reach the network in the future.

In contrast, tackling security from devices inward means you are only as secure as your skill at counting and configuring machines. It is technically difficult and practically impossible in large enterprises.

The limits of device-centric security

The National Institute of Standards and Technology’s draft version of Guidelines for Managing and Securing Mobile Devices in the Enterprise (Special Publication 800-124 Revision 1) urges agency officials to think about physical and network risks in terms of what they believe they can mitigate. But which risks an agency can actually mitigate is a wide-open question given the unique world of mobile devices.

If you’re set on following the harden-every-handheld route, you should ask, “Will my agency be able to dictate mobile security software settings to other agencies sharing my network?” and “Can I legally compel my employees to accept security software on devices they purchase themselves?” If the answer to those questions is no, then you’re significantly compromising any device-centric approach to mobile security.

Every exemption and unmanaged device means attackers have one more open door into the network. The reality is that any effort to adopt a standardized approach to device-based security will be an uphill battle. As the federal CIO Council’s BYOD toolkit explains, new devices constantly emerge and cycle in and out of the workplace, and no two agencies use them in the same way or agree on acceptable-use policies and restrictions.

Regardless of form factors and operating systems, agencies are hard-pressed to easily maintain configuration settings or control over devices, even more so when some handhelds are owned and administered by employees.

Seizing the high ground

To reduce the attack surface susceptible to malicious code, abuse and accidental data disclosures, agencies can’t fight the security battle device-by-device in the trenches. To extend the battlefield analogy, it makes more sense to seize the high ground in security by implementing an application-control foundation throughout agencies’ networks. Implementation should stay flexible and cover internal apps, such as databases, and external Web-based apps such as cloud-powered messaging, collaboration suites and even social media sites, which are fundamentally Web applications.

Once you control those apps, you relieve a significant security burden from your mobile assets because you are proactively limiting what kinds of agency information can reach some or all devices in the first place, even if an attacker compromises a tablet PC or smart phone. Agencies can implement granular controls according to their policies, such as prohibiting certain devices or users from retrieving or copying specific types of data.

The beauty of application control is that it works both ways. It restricts where authorized applications can flow, and it blocks the use of unauthorized apps that create security risks, such as file- and device-syncing software or video-sharing sites. In addition, agencies can fine-tune the controls — for example, by configuring them to permit use of certain Web applications deemed necessary for work or by restricting access to social media sites to employees who are responsible for updating an agency’s official profile.
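To make the policy model in the two preceding paragraphs concrete, here is a small policy engine written for this page (it is an added illustration, not code from the author or from any product). It assumes a hypothetical dotted naming scheme for applications (agency.*, cloud.mail, social.*, sync.*, video.*), role names ("staff", "comms") and a device-ownership flag ("agency" or "byod"); all of those are constructed for the example. Requests are judged on application, user role, device ownership, action and data classification, an explicit deny overrides any allow, and anything no rule authorizes is denied by default, which is what "authorized apps only" amounts to in practice.

```python
"""Minimal application-control policy engine (added example, not a product's policy language)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]        # e.g. frozenset({"staff", "comms"})
    device_owner: str            # "agency" (issued) or "byod" (employee-owned)
    app: str                     # hypothetical dotted application id, e.g. "social.twitter"
    action: str                  # "use", "read" or "copy"
    data_class: str = "public"   # classification of the data the app touches


@dataclass(frozen=True)
class Rule:
    effect: str                                    # "allow" or "deny"
    app_prefix: str = ""                           # "" matches every application
    roles: Optional[FrozenSet[str]] = None         # None = any role; else need one of these
    device_owner: Optional[str] = None             # None = any device
    actions: Optional[FrozenSet[str]] = None       # None = any action
    data_classes: Optional[FrozenSet[str]] = None  # None = any classification
    reason: str = ""

    def matches(self, req: Request) -> bool:
        """Every constraint that is set must hold; unset constraints match anything."""
        return (
            req.app.startswith(self.app_prefix)
            and (self.roles is None or bool(self.roles & req.roles))
            and (self.device_owner is None or self.device_owner == req.device_owner)
            and (self.actions is None or req.action in self.actions)
            and (self.data_classes is None or req.data_class in self.data_classes)
        )


def decide(rules: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """Deny-overrides evaluation: an explicit deny beats any allow, and a request
    that no allow rule covers is denied by default."""
    allow_reason = None
    for rule in rules:
        if rule.matches(req):
            if rule.effect == "deny":
                return "deny", rule.reason
            if allow_reason is None:
                allow_reason = rule.reason
    if allow_reason is not None:
        return "allow", allow_reason
    return "deny", "default deny: no policy authorizes this application/action"


# Constructed policy mirroring the article's examples; app ids are hypothetical.
POLICY = [
    Rule("deny", app_prefix="sync.", reason="file/device-syncing software prohibited"),
    Rule("deny", app_prefix="video.", reason="video-sharing sites prohibited"),
    Rule("deny", device_owner="byod", actions=frozenset({"read", "copy"}),
         data_classes=frozenset({"sensitive"}),
         reason="sensitive data may not be retrieved or copied on employee-owned devices"),
    Rule("allow", app_prefix="social.", roles=frozenset({"comms"}),
         reason="official-profile maintainers may use social media"),
    Rule("allow", app_prefix="agency.", roles=frozenset({"staff"}),
         reason="internal applications open to staff on any device"),
    Rule("allow", app_prefix="cloud.mail", roles=frozenset({"staff"}),
         reason="cloud messaging approved for work"),
]


if __name__ == "__main__":
    # Constructed sample requests; the same user gets different answers depending
    # on role, device ownership and data classification, not on the handset model.
    samples = [
        Request("alice", frozenset({"staff", "comms"}), "byod", "social.twitter", "use"),
        Request("bob", frozenset({"staff"}), "agency", "social.twitter", "use"),
        Request("bob", frozenset({"staff"}), "agency", "sync.dropbox", "use"),
        Request("bob", frozenset({"staff"}), "byod", "agency.hr", "copy", "sensitive"),
        Request("bob", frozenset({"staff"}), "agency", "agency.hr", "copy", "sensitive"),
        Request("bob", frozenset({"staff"}), "agency", "games.solitaire", "use"),
    ]
    for req in samples:
        effect, reason = decide(POLICY, req)
        print(f"{req.user:6} {req.device_owner:6} {req.app:16} {req.action:5} -> {effect:5} ({reason})")
```

The ordering of rules does not matter under deny-overrides, which keeps the policy auditable: a reviewer can read each deny in isolation and know it cannot be undone by a later allow.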

Driving security and ROI

There are strong budget and productivity arguments for application control. Many agencies can already set and deploy those controls through compatible products, such as network intrusion-prevention systems. In such cases, agencies could derive higher returns on those investments. One caveat: controls enforced at the network only see traffic that crosses the agency’s network, so a device that reaches a cloud service directly over a cellular connection is outside their view unless its traffic is routed back through the agency, for example over a VPN.

Productivity gains offer further tangible benefits. Although device-centric approaches to layering security on handheld devices often stir usability complaints, application control does not degrade mobile interfaces or hardware. Controls are transparent as long as users stick to authorized apps and activity. That point is crucial: Application control lets agencies share network resources on demand with almost any type of device.

Security beyond mobility

Complexity is the enemy of security. A single protection approach spanning all assets is always preferable to piecemeal defenses for different users and devices, including workstations, laptop PCs, smart phones, tablet PCs and whatever appears next.

So much depends on users and what they carry. Effective training, awareness and features such as screen locks and pass codes are important. But beyond those basics, federal agencies should rethink mobile security approaches that are based on counting and owning every device because they are destined to face formidable management and performance hurdles as well as novel threats.

In short, protect what is yours, and make application control your security foundation. The apps-first mind-set can pay dividends no matter where employees work, and it offers a comprehensive, all-inclusive answer for removing needless risk from our must-have devices.

Reader comments

Mon, Nov 19, 2012 Pete Stark Washington, DC

I've heard several speakers on this subject cite the mantra of "protect the data at the source" (with proper permissions and a solid authentication process), which strikes me as much the same as what you propose here. Is there any significant difference between the two approaches?