Mobile Device Management: Balancing Business Agility and its Risk
As BYOD continues to accelerate, mobile technology and mobile applications are increasingly becoming a source of risk.
One of the key issues related to the use of mobile devices is the data itself. As users employ more mobile devices to access corporate data, the risk of losing control of that data increases. Questions to ask in “following the data” include: “What data is being accessed? What controls are in place? If a device is used to access the cloud or a third-party service provider, will that data be stored on the device?”
Security must also consider mobile devices as an attack mechanism. Jailbroken mobile devices, for example, can pose a threat because as soon as they enter the building they can connect to and attack the wireless network and capture data. Similarly, applications installed on the device can also pose a security risk. Users have a tendency to simply download updates to personal applications, or add new applications, without giving a thought to the security of the application. As a result, security professionals are challenged in differentiating between business and personal applications, and determining the security state of each of the applications.
While Mobile Device Management (MDM) is gaining recognition in the marketplace, informal polls reveal a “wait and see” approach as security executives keep an eye on next-generation solutions that startup organizations will be bringing to market. In the meantime, security organizations are using existing controls to protect the devices and restrict access to data. One approach is to use Network Access Control (NAC) to direct visitors to a guest network with limited access capability. Another solution is to establish a Virtual Desktop Infrastructure (VDI) or clean room. Each has pros and cons. On the pro side, when the VDI connection is closed, little data remains on the device. Drawbacks, however, include the user experience and performance issues.
Technology alone will not fix the problem. Policies and procedures for mobile device security should be tightly integrated into all existing policies and procedures to provide uniformity across the board. In addition, security awareness on the part of the user is critical. By making security relevant and tying it back to the user’s personal life, security organizations can gain greater cooperation in protecting the organization’s assets.