Mobile Security Is Still Important

7 Feb 2016

While the UC vendor community still emphasizes the importance of mobility, one topic that doesn't get nearly enough attention is mobile security. Fortunately, there have been a number of developments that have improved the overall ability to secure sensitive information on, or accessible through, mobile devices, but organizations still must take steps to put them in place. And unfortunately, many organizations still seem to feel that "denial" is an adequate approach to security.

Probably the single biggest boost for mobile security has been the move to the cloud. If we can store the data in the cloud rather than on the device, we can alleviate much of the concern regarding exposures created by lost or stolen devices. However, if the device is not password protected and there is no password required to sign onto the app to access that data, a stolen device is still a potential data leak. Many of the B2C apps, particularly those from the financial services community, have now moved beyond passwords to biometrics like Apple's TouchID for authentication. With Windows 10, Microsoft will be offering a whole range of biometric options through its Hello function.

If the data is going to reside on the device, on-device encryption should be a required element. However, without a hardware device to do the encryption (i.e. a "crypto chip"), device performance will slow to a crawl. Crypto chips are standard on all current iPhones, Samsungs, Microsoft Lumias and the BlackBerry Priv, but you won't find them on many lower-end Android devices. So it's probably a good idea to maintain a list of "acceptable" BYOD smartphones.

One of the biggest developments for on-device encryption in Mobile Device Management/Enterprise Mobility Management (MDM/EMM) systems has been the idea of a secure container. This is a separate, encrypted region on the phone where enterprise data and apps can be stored; the user has to sign on to the container to access those apps. The original concept was to have an IT area on the device that could be wiped remotely if it were lost or stolen. The secure container would also allow corporate data to be wiped if the employee left the company while leaving the personal data untouched.

Now the secure container has become a key element in data loss prevention (DLP). The container keeps track of what data it controls and IT can enforce policies as to how that data can be handled. Printing or copy & paste can be restricted, and we can also prohibit forwarding data to personal email or personal cloud storage.

In Windows 10 Mobile, Microsoft will be adding a new capability that makes these functions more user friendly. With the Enterprise Data Protection (EDP) capability, IT will be able to identify apps as corporate (i.e. "trusted") versus personal. Any data downloaded to a trusted app is automatically encrypted and DLP policies can be defined. If the user attempts to violate the policy, the action can be prohibited or the user can be given a warning that they are about to violate the policy. If they choose to proceed, an auditable trail is created.

EDP also supports "enlightened" apps that can be used for both business and personal purposes. So, for example, Outlook could have both business and personal email accounts, but EDP would keep track of which messages were downloaded from the corporate email versus your personal Gmail or Yahoo account, and EDP would enforce the same DLP policies on the business emails and their attachments.
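The container/EDP behaviour described in the last three paragraphs (classify data by the app that produced it, restrict print, copy & paste and forwarding to personal destinations, and either block the action or warn and audit the override) can be modelled in a few lines. This is an added illustration, not code from the post or from any MDM/EMM product; the app names, the corporate mail domain and the sample data are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of an EDP-style DLP policy. Apps on the "trusted" list
# are corporate; anything they download is treated as corporate data.
TRUSTED_APPS = {"outlook-work", "onedrive-business"}   # assumed app ids
CORPORATE_DOMAINS = {"example.com"}                     # assumed corporate mail domain
RESTRICTED_ACTIONS = {"print", "copy_paste"}            # always restricted for corporate data


@dataclass
class Item:
    source_app: str   # app that downloaded the data
    content: str

    @property
    def corporate(self) -> bool:
        return self.source_app in TRUSTED_APPS


@dataclass
class Policy:
    mode: str = "block"               # "block" = prohibit, "override" = warn, then audit if user proceeds
    audit: list = field(default_factory=list)

    def _restricted(self, action: str, target: str) -> bool:
        if action in RESTRICTED_ACTIONS:
            return True
        if action == "forward":
            # Forwarding stays inside the enterprise only if the destination domain is corporate.
            domain = target.rsplit("@", 1)[-1].lower()
            return domain not in CORPORATE_DOMAINS
        return False

    def check(self, user: str, item: Item, action: str, target: str = "", override: bool = False) -> str:
        if not item.corporate or not self._restricted(action, target):
            return "allowed"                      # personal data, or a permitted action
        if self.mode == "block":
            return "blocked"
        if override:
            # User acknowledged the warning and proceeded: record an auditable trail.
            self.audit.append({"user": user, "action": action, "target": target, "data": item.content})
            return "allowed-audited"
        return "warned"


if __name__ == "__main__":
    policy = Policy(mode="override")
    doc = Item("outlook-work", "Q3 forecast")
    print(policy.check("alice", doc, "forward", "alice@gmail.com"))                 # warned
    print(policy.check("alice", doc, "forward", "alice@gmail.com", override=True))  # allowed-audited
    print(policy.audit)
```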

While a significant percentage of organizations, particularly those in financial services and other regulated industries, have implemented MDM/EMM systems, many still look to manage mobile devices with the rudimentary capabilities built into Microsoft's Exchange ActiveSync (EAS). EAS will allow you to enforce rudimentary policies like passwords, encryption and minimum password strength. However, the remote wipe function wipes the entire device and not just the corporate data (i.e. "There go the baby pictures"). That can be a major issue with employee-owned devices and is flat out illegal in some countries.

Resistance to malware has also improved across the board. Apple's iPhone and Windows 8.1 and Windows 10 devices limit data sharing between apps and can protect against apps escalating their privileges. Android has added some of those same capabilities with Android for Work, but the isolation mechanisms are different, so you should look at those closely.

Most platforms have also taken significant steps to protect against malware by implementing secure boot capabilities that verify the firmware against credentials built into the hardware and tie that to the O/S load to create a secure chain of trust. The MDM/EMM systems also include jailbreak (iOS) and rooting (Android) detection to prevent devices whose inherent security mechanisms have been compromised from getting on the network.

While the mobile security tools are improving, it is still up to organizations to develop a mobile security plan and policy to ensure that adequate protections are in place. That starts with a comprehensive, written mobile policy that is read and accepted by all users regardless of whether they are using company-provided or personal (i.e. BYOD) devices; in some cases those policies are the same and in others they are markedly different.

We are seeing increasing emphasis on mobility in UC, but from a mobile security perspective, most of those initiatives are embarrassingly amateurish. It's great that a user can have an app that provides mobile access to the UC platform, but most of the discussion seems to be out of step with the mobile security measures we are taking with other mobile apps. In short, if the mobile security "bomb" goes off, you don't want to be the party that lit the fuse.