Avoid These Common Mobile Security Blunders
When asked to identify the largest impediment to implementing an Enterprise Mobile Strategy, “security” is almost always #1. In fact, the 2015 Apperian Executive Enterprise Mobility report suggests security is more than twice as important as any other challenge.
[Chart from the report: "What challenges are you facing in achieving mobility goals?"]
1. Blame it on the Tools.
An oldie but a goodie. Last year I worked with a multi-billion dollar pharmaceutical client. As part of the overall mobile strategy engagement, they specifically asked that we review their MDM options as their current platform wasn’t meeting their security needs. What we found was that the issue wasn’t the platform—which was quite powerful and well regarded in the industry. The problem was in what they chose—or rather, didn’t choose—to do with it. For starters we looked at the policies they had implemented. We found fewer than a dozen…all applied monolithically across users and covering only the most basic needs. “Well,” we thought, “it’s a new MDM installation. Maybe they haven’t had a chance.” Then we learned they’d had the platform…for four years.
Another major issue was that the client was unable to provide secure access to the SharePoint sites acting as a storehouse for institutional knowledge. They knew the answer was pretty simple: implement Kerberos on both MDM and SharePoint and you’re all set. The issue was not with the MDM platform but in the manner (and version) in which they had implemented SharePoint. It was simply not properly architected. But rather than fix the problem, the SharePoint team instead chose to blame the MDM team.
The moral of the story is that most of the tools that are out there are quite capable. You just need to spend the time and effort to get the most out of them. And as the above story illustrates, many companies aren’t even getting the basics out of what they spent money on.
2. Network & InfoSec teams don’t consult with Mobility Leads
Mobile cuts across virtually all silos within an organization. That’s why it’s critical to establish a Mobile Center of Excellence to create strong governance across teams and roles.
We’ve encountered situations where no certificates are in place to allow mobile devices–even corporate-owned devices–onto the main wireless network. Instead, all mobile traffic is shunted to guest access. We’ve also often seen cases where there is no, or only a limited, Network Access Control (NAC) solution in place. Properly implemented, NAC can supply differentiated network access and policy enforcement based on user credential/role, device type, posture, access method, time of day, location, etc. Such systems dramatically improve the security of the wireless switching environment.
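The kind of differentiated access the paragraph describes is easiest to see as an ordered rule table. The following is an added illustration written for this page, not a configuration from any NAC vendor or from the client engagements described here: the device record fields, the rule names and the network names are all constructed assumptions. Rules are evaluated top to bottom and the first match decides where a device lands, so quarantine rules are placed before grant rules and a catch-all guest rule sits at the bottom.

```python
"""NAC-style policy evaluation (added example; constructed model, not vendor code).

Each connecting device is summarised as a Device record built from the
attributes a NAC typically sees: who is authenticating, what kind of
device it is, whether it presented a certificate, its posture, how and
when it connected, and from where. The rule table maps those attributes
to a network segment; first match wins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    user_role: str       # "employee", "contractor", "guest" (constructed roles)
    device_type: str     # "corporate", "byod", "unknown"
    has_cert: bool       # presented a valid device certificate
    mdm_enrolled: bool   # reported by the MDM integration
    os_patched: bool     # posture: OS at or above the required patch level
    disk_encrypted: bool # posture: storage encryption on
    access_method: str   # "wifi", "wired", "vpn"
    hour: int            # local hour of day, 0-23
    location: str        # "hq", "branch", "remote"


def posture_ok(d: Device) -> bool:
    """A device is healthy only if every posture check passes."""
    return d.os_patched and d.disk_encrypted


# Ordered rule table: (rule name, predicate, network segment). Order matters:
# a known device with failing posture is quarantined before any grant rule
# can match it, and the final rule is the guest catch-all.
RULES = [
    ("quarantine-unhealthy",
     lambda d: d.has_cert and not posture_ok(d), "quarantine"),
    ("corporate-full",
     lambda d: d.has_cert and d.mdm_enrolled and d.device_type == "corporate"
               and d.user_role == "employee" and posture_ok(d), "corp"),
    ("byod-restricted",
     lambda d: d.has_cert and d.mdm_enrolled and d.device_type == "byod"
               and posture_ok(d), "byod-restricted"),
    ("contractor-business-hours",
     lambda d: d.user_role == "contractor" and d.has_cert
               and 7 <= d.hour < 19 and d.location != "remote", "partner"),
    ("guest-catch-all", lambda d: True, "guest"),
]


def assign_network(d: Device) -> tuple[str, str]:
    """Return (network segment, name of the rule that matched)."""
    for name, predicate, network in RULES:
        if predicate(d):
            return network, name
    raise AssertionError("rule table must end with a catch-all")


def evaluate_all(devices: list[Device]) -> list[tuple[str, str]]:
    """Evaluate a batch of devices; useful for replaying a day's connections."""
    return [assign_network(d) for d in devices]


if __name__ == "__main__":
    # Constructed sample connections, not captured data.
    sample = [
        Device("employee", "corporate", True, True, True, True, "wifi", 10, "hq"),
        Device("employee", "corporate", True, True, False, True, "wifi", 10, "hq"),
        Device("contractor", "unknown", True, False, True, True, "wifi", 22, "branch"),
        Device("employee", "corporate", False, True, True, True, "wifi", 10, "hq"),
    ]
    for dev, (net, rule) in zip(sample, evaluate_all(sample)):
        print(f"{dev.user_role:10} {dev.device_type:9} -> {net:15} ({rule})")
```

The fourth sample device is the case the paragraph complains about: a corporate-owned phone with no certificate falls all the way through to guest access, which is exactly what happens by default when nobody has provisioned device certificates. The second device shows why posture rules go first: a corporate phone that is enrolled but unpatched is quarantined rather than granted full access.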
Collaboration between teams quickly solves a lot of these problems.
3. Let’s treat all our data and users the same
We frequently run into this egregious problem. Security folks are cautious by nature. Often their starting point is to “lock it all down,” using the worst possible outcome from the most sensitive data as the baseline, then dialing it back from there.
This strategy causes a couple of mobile security blunders: make it too hard to use the apps and you wind up with low adoption and high dissatisfaction (robbing your mobile strategy of any momentum), or you entice users to subvert the security measures you put in place. Consider the tale of the large bank that forbade users from taking screenshots on company-provided phones. This became a problem whenever a user tried to troubleshoot an issue with the Help Desk but couldn’t take a screenshot to show the problem they were experiencing. So what did these users do? They snapped a photo of the corporate phone screen from their personal device and then sent it to the Help Desk—over an insecure, consumer email system. Problem solved!
The other issue arises when a company starts “dialing-back” security: how far should we loosen the reins to provide an improved user experience? Too often this becomes a series of one-off negotiations that all start at the same place (No!) and end up at very different places from app to app, with no consistency in how these decisions are made.
To solve this challenge, create a repeatable framework for implementing security policies at network/device/app levels based on 1) the sensitivity of the data being accessed and 2) the different classes of users. At Propelics, we call this a Policy Characteristics Framework. Based on our risk classification, these standards outline business and technical policies as well as end-user support models. Typically, perspectives abound regarding what capabilities are available—from network security, regulatory, human resources, and from legal and business teams. Defining these standards and balancing the needs of these groups with the Business creates a blueprint of repeatable solutions for IT.
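To show what "repeatable" means in practice, here is an added illustration of a framework of this shape. It is constructed for this page and is not Propelics' actual Policy Characteristics Framework: the sensitivity tiers, user classes, control names and the uplift rule are all assumptions. The point it demonstrates is that a policy decision is a pure function of the data sensitivity an app touches and the class of user requesting it, so two apps with the same inputs can never negotiate their way to different answers.

```python
"""Repeatable policy derivation (added example; constructed tiers and controls).

Inputs: the sensitivity tiers of every data set an app touches, plus the
requesting user's class. Output: one baseline control set across network,
device and app levels, with a support model, and a one-line explanation
of how it was derived. Assumptions (not from the post): four ordered
tiers, three user classes, non-employees are treated one tier stricter,
and non-employees may not access the top tier at all.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Controls:
    network: str   # where the app may be used from
    device: str    # what the device must satisfy
    app: str       # what the app wrapper must enforce
    support: str   # end-user support model that goes with this tier


# One baseline per tier: the "same starting place" for every decision.
BASELINE = {
    Sensitivity.PUBLIC: Controls("any", "unmanaged-ok", "none", "self-service"),
    Sensitivity.INTERNAL: Controls("any", "mdm-or-mam", "wrapped-pin", "help-desk"),
    Sensitivity.CONFIDENTIAL: Controls("corp-or-vpn", "mdm-encrypted",
                                       "wrapped-pin-no-copy", "help-desk"),
    Sensitivity.RESTRICTED: Controls("corp-or-vpn", "mdm-encrypted-corporate-only",
                                     "wrapped-pin-no-copy-no-offline", "priority-help-desk"),
}

# Constructed class adjustment: non-employees are handled one tier stricter.
CLASS_UPLIFT = {"employee": 0, "contractor": 1, "partner": 1}


def decide(app: str, data_tiers: list[Sensitivity], user_class: str):
    """Return (Controls or None for deny, explanation)."""
    if user_class not in CLASS_UPLIFT:
        raise ValueError(f"unknown user class: {user_class}")
    if not data_tiers:
        raise ValueError(f"{app}: data classification missing; refuse to guess")
    top = max(data_tiers)  # the most sensitive data the app touches sets the floor
    if user_class != "employee" and top == Sensitivity.RESTRICTED:
        return None, f"{app}: {user_class} may not access {top.name} data"
    effective = Sensitivity(min(top + CLASS_UPLIFT[user_class], Sensitivity.RESTRICTED))
    return BASELINE[effective], (f"{app}: highest data tier {top.name}, "
                                 f"user class {user_class} -> policy tier {effective.name}")


def consistent(decisions: list[tuple[tuple, Controls]]) -> bool:
    """Check that identical (tiers, class) inputs always produced the same controls."""
    seen: dict[tuple, Controls] = {}
    for key, controls in decisions:
        if key in seen and seen[key] != controls:
            return False
        seen[key] = controls
    return True


if __name__ == "__main__":
    # Constructed app inventory, not real classifications.
    requests = [
        ("expenses", [Sensitivity.INTERNAL, Sensitivity.CONFIDENTIAL], "employee"),
        ("expenses", [Sensitivity.INTERNAL, Sensitivity.CONFIDENTIAL], "contractor"),
        ("hr-records", [Sensitivity.RESTRICTED], "partner"),
        ("news-feed", [Sensitivity.PUBLIC], "partner"),
    ]
    for app, tiers, cls in requests:
        controls, why = decide(app, tiers, cls)
        print(why)
        if controls:
            print(f"  network={controls.network} device={controls.device} "
                  f"app={controls.app} support={controls.support}")
```

The `consistent` check is the audit step: run it over a year of recorded decisions and any pair with the same inputs but different controls is one of the one-off negotiations the paragraph warns about.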
4. But users don’t want MDM profiles on their devices!
Many company users can’t install MDM profiles on their devices to help manage mobile security issues. Frequently these devices already have an existing MDM profile and are being used by partners or contractors who work for other companies. In other cases, companies choose not to install profiles on devices that are personally owned. Further, some employees balk at the idea of having a profile installed on their device at all.
The end result is these companies simply don’t publish internal apps to these users and instead cut their mobile journey short with email, contacts, and calendar access (yay, ActiveSync!).
Which is a shame. Because in reality this is not a hard problem to solve. If you employ an MAM solution (a.k.a. Enterprise App Store) from Apperian or App47 you can simply wrap security policies around the apps that help those users do their jobs better and add more fuel to the mobile strategy fire.
5. Wait, we can test for that?
Lastly, one more quick fix. Lots of IT organizations are concerned about vulnerabilities exposed through mobile apps. It’s a reasonable concern, especially since many companies rely on third parties (like Propelics, marketing agencies, and IT outsourcing partners) to build their software. Some provide secure coding standards to ensure apps are designed and coded properly.
Despite this anxiety, few companies actually put their apps through security and penetration testing before launching them to employees. Some companies don’t do it because they aren’t aware such tools exist. Others feel testing is ‘advanced’ stuff they’re not mature enough to take on. A few more think it’s just too expensive. But today, none of these reasons is valid. Tools like HP Fortify and IBM’s AppScan make testing easy and inexpensive enough to be on every enterprise mobile app deployment checklist.
Hopefully these anecdotes resonate with you and offer some insights on how to proceed. We all know mobile security is important and that for many organizations it’s still a vexing task. For some it can be tough to escape the organizational biases around desktop, web and enterprise app development. In many cases there’s such a panic about the assumed vulnerabilities introduced by mobile (like nobody can photocopy or fax sensitive documents!) that companies let themselves become paralyzed by fear.
But the challenge is far from insurmountable.
Feel free to give me a shout via email or on Twitter, or set up a (free) call with one of our strategists, and we can chat about how Propelics can help you best address your mobile security challenges.