Enterprise Mobility Management: the base of next-gen security.
Individuals and organisations using mobile device are exposed to constant risk. A layered approach is required to ensure a holistic defense against this.
It offers fantastic opportunities to improve or transform business processes, to improve productivity and drive down costs.
However, organisations are struggling to leverage or even manage their mobile devices and projects.
Joined up thinking is critical; organisations must look at the basics of delivering any change into an environment – people, process and technology. Focus on too much of any one of these and projects run a significant risk of failure.
On top of all of this complexity, there is the constant requirement to manage the risk of mobile to the organisation. Mobile devices are inherently risky as they are small, portable and easy to lose/have stolen, but at the same time can store large amounts of data.
As smart devices have become more prevalent in the enterprise and more integrated, they now offer a potentially far more attractive target than before. Smart devices can hold large amounts of personal and corporate data as well as offering an entry point for a potential attack on the organisation. We can see this clearly by the exponential increase in attacks on mobile devices over the last two years.
Device management controls are the first step in ensuring devices have basic security enabled. Most organisations at this point have some level of Enterprise Mobile Management (EMM) tool in place to manage their smart devices. These are implemented with varying degrees of success but at a minimum most have a passcode requirement, jailbreak or root detection, and encryption of some or all data on the device enabled. More mature deployments have implemented additional controls around data loss prevention by restricting corporate data from being shared to non-approved applications and possibly some device level restrictions, like preventing cut and paste, or screen grabs. Unfortunately, there can be resistance to this level of restriction as the user experience is impacted.
Are these types of controls described above enough? Unfortunately, the answer is probably no. Threat actors are now using sophisticated methods to attack users via their mobile devices at multiple layers, for example at the application and network layers using a variety of clever methods.
The most common seen in the market are:
As already mentioned EMM tools can help ensure the device is more secure and also use VPNs and containers to try and protect the data at rest and in transit however they do not provide constant threat analysis of applications installed or real time behavioural analysis of the network traffic.
An enterprise may whitelist and allow a particular app for access to corporate data however this is rarely targeted at a specific app version. Older versions of applications are more likely to have vulnerabilities and can present a risk as users rarely update.
Mobile users are by their nature, highly likely to use multiple Wi-Fi hotspots and therefore are very likely to be exposed to man in the middle attacks. EMM solutions cannot detect this type of attack as they have no visibility of the network traffic.
What’s needed is a layered defence approach. EMM is the foundation but requires other tools such as App Risk Assessment, Mobile Threat Prevention (MTP), and Secure Gateway type tools to provide a holistic view of the threats on mobile devices. The good news is that all of these tools exist and the market leaders all integrate seamlessly with EMM solutions to simplify provisioning and even enable automated remediation, for example, by removing all corporate data or even performing a device wipe.
This type of total mobile endpoint protection is becoming more and more critical in the light of both the increase in sophistication and volume of attacks but also due to the increased impact of data breaches on organisations from reputational damage and regulatory fines. The incoming EU General Data Protection (GDPR) has eye watering, potential fines of €20 million or 4 per cent of global turnover. But even these huge financial fines could be only part of the cost of a breach with the ability for affected data subjects to bring what amounts to a class action suit against the data controller and processor(s) involved.
Unfortunately, it is generally recognised that even with all of the layered defence described above there is still a chance that a breach could occur if an attacker was sufficiently skilled and motivated. In this case it’s critical to be able to understand how the breach happened and what the attackers did next, bearing in mind that the mobile device may have just been an entry point or even just a part of the reconnaissance stage of an attack. For effective data breach disclosure, it’s also critical to understand what was lost. In order to do this final part of what we call Next Generation EM Security, it is necessary to take all the information from the different tools and import it to the organisations SIEM. This is the logical next step to go from reactive basic device security to proactive automation for mobile endpoints and full audit and visibility of threats. In my opinion, no one vendor can do this yet, but it’s definitely possible to start tying these technologies together and integrating with security operations centres (SOC).
Less than 30% of mobile applications are tested for vulnerabilities and 44% confessed to taking no measures to protect their mobile environment.
A recent Ponemon Institute study *, conducted on behalf of IBM Security and Arxan Technologies, surveyed 600 IT and IT security practitioners. Some of the interesting findings from this report were:
The survey showed that less than 30% of mobile applications are tested for vulnerabilities and 44% confessed to taking no measures to protect their mobile environment.
*2017 Study on Mobile and IoT Application Security – Ponemon Institute