Security in a Mobile World


As mobile devices become more powerful and more widely used, security has become the proverbial elephant in the room. Everybody knows there is an entirely new set of security issues that come into play, but few are sure what to do about them. And the excitement to deploy mobile content can make companies and organizations compromise or even overlook the security implications.

The convenience of mobile devices is also their downside. A portable item that can have access to your work and personal information is easy to misplace or have stolen. PIN security codes help to protect that information somewhat, but the only way to truly protect the information on a lost device is a remote wipe, and that wipe needs to be completed in a timely manner to keep your information from getting into the wrong hands.

Custom applications for mobile devices are another risk. Whether they are native code or mobile web apps, if they are accessing remote data, there is a risk. Researchers find that most mobile apps (over 50% total, and nearly 90% of third-party apps) do not use secure connections for data access. Something as simple as requiring SSL connections can help protect that data.

Another concern as mobile devices are being more frequently used in the corporate world is that they add new vectors for potential threats. The devices are using new operating systems that don’t fit with most security vendors’ software offerings. Some companies, such as Symantec and F-Secure, have recently introduced security software for mobile devices, but they don’t work with the integrated security systems that most IT departments are familiar with. Some companies may rely on their network security gateways to protect mobile devices until users switch to mobile connections and bypass those methods entirely. That adds the risk of a mobile user accessing a compromised file and bringing it into the network, bypassing security controls. Add in the already known issues of unsecured wireless networks and Bluetooth vulnerabilities when mobile users are outside of the office and it is easy to see why some corporate IT departments are nervous about the proliferation of mobile devices on their networks.

After hearing all of that, it could seem like mobile security is nearly impossible to achieve. It is easy to become paranoid about vulnerabilities when you research security issues. The good news is that there are positive developments as well. The new mobile operating systems run apps in separate memory spaces, which makes it more difficult for potential viruses to hijack a device. The review process for iOS apps and the new security requirements for the Android Marketplace should help keep apps more trustworthy. The mobile device makers are taking the issue seriously. They understand that people want their devices to be secure and are taking steps to improve that.

So what’s the answer? As with any evolving technology, use common sense and caution. Don’t rush into mobile content delivery. Create a standard of best practices for your mobile users and then distribute the information through all of your regular channels, such as newsletters and your intranet site. You can also consider procedures such as requiring PIN codes, setting up a remote wipe method, and using data encryption. The most important step is to find a comfortable middle ground between security and ease of use. As mobile devices become cheaper, if your policies are too restrictive, users can easily get their own phones or tablets and circumvent all the protection you put into place. Mobile devices should be used to make tasks more convenient. Keep them that way, and everybody will be happy.
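The baseline the post recommends (PIN codes, encryption, a remote wipe that completes in time, and apps that only talk over SSL/TLS) can be expressed as a simple policy check over a device inventory. The following is an added example, not code from the post or from Float; the device records, the one-hour wipe deadline and the endpoint URLs are constructed assumptions, since the post gives no such values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed deadline for a remote wipe to be confirmed (seconds); the post says only "timely".
WIPE_DEADLINE_SECONDS = 3600

@dataclass
class Device:
    """Constructed device record as an MDM inventory might hold it (not from the post)."""
    device_id: str
    pin_enabled: bool
    encryption_enabled: bool
    reported_lost: bool
    last_checkin: int          # unix time of the last successful check-in
    app_endpoints: List[str] = field(default_factory=list)

def insecure_endpoints(endpoints: List[str]) -> List[str]:
    """Endpoints that are not HTTPS: the post's 'require SSL connections' rule."""
    return [u for u in endpoints if urlparse(u).scheme.lower() != "https"]

def evaluate(device: Device, now: int) -> Tuple[str, List[str]]:
    """Return (action, findings) for one device against the post's baseline controls."""
    findings = []
    if not device.pin_enabled:
        findings.append("no-pin")
    if not device.encryption_enabled:
        findings.append("no-encryption")
    if insecure_endpoints(device.app_endpoints):
        findings.append("plaintext-endpoint")
    if device.reported_lost:
        # A lost device must be wiped. If it has not checked in within the deadline the
        # wipe cannot be confirmed, so server-side access should be revoked instead.
        confirmed = now - device.last_checkin <= WIPE_DEADLINE_SECONDS
        return ("wipe" if confirmed else "revoke-access-wipe-pending"), findings
    return ("allow" if not findings else "block-sync"), findings

def evaluate_fleet(devices: List[Device], now: int) -> dict:
    """Map device_id -> (action, findings) for a whole inventory."""
    return {d.device_id: evaluate(d, now) for d in devices}

if __name__ == "__main__":
    now = 1287576000  # constructed timestamp
    fleet = [
        Device("phone-1", True, True, False, now - 60, ["https://lms.example.test/sync"]),
        Device("phone-2", False, True, False, now - 60, ["http://lms.example.test/sync"]),
        Device("tablet-3", True, True, True, now - 7200, ["https://lms.example.test/sync"]),
    ]
    for dev_id, (action, findings) in evaluate_fleet(fleet, now).items():
        print(dev_id, action, findings)
```

The "revoke-access-wipe-pending" outcome is the case the post warns about: a lost device that cannot be reached in time still holds data, so the server side has to cut it off until the wipe is confirmed.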

On October 20, 2010

2 Responses to Security in a Mobile World

  1. Robert Gadd says:

    I agree 100% with your statements that mobile security is a critical issue for every enterprise considering content delivery/access from mobile devices, but in our experience, there’s no “middle ground” offered or given from enterprise IT/InfoSec/Risk teams who are seeking to deploy mobile learning initiatives to their workers at scale. Sure, we all may encounter the occasional “skunk works/proof-of-concept” effort that’s focused more on “does this work/what’s the potential” than it is on long-term security, but we’ve never been given the proverbial “hall pass” suggesting we need not worry so much about security as you suggested with your statement “…the excitement to deploy mobile content can make companies and organizations compromise or even overlook the security implications” – that just never happens in any carrier, FSI, insurance, healthcare, pharma, tech OEM or government-scale account. We’ve actually experienced security audits that have taken longer to conduct and pass than the systems take to install and integrate!

    The reality is there are actually a myriad of ways the “mobile learning experience” can be locked down and controlled in this space and, in fact, the environment can actually prove to be MORE SECURE than desktop content delivery if approached correctly. And I’m referring to authentication/verification methods that go far, far beyond the simple SSL and on-device encryption methods you’ve cited above that any InfoSec team expects out of the box.

    In our experience, the mobile app approach provides, by far, the best route to secure content in the mobile learning space because that installed app can be tied directly to device and network services that can confirm the identity of the person learning and their device. We worked diligently to ensure our customers/partners can select from a Chinese menu of security choices that can directly tie users’ access to content not just to their account credentials (UN/PW including enforcement of STRONG and ULTRA-STRONG passwords) but also to their device’s MTN (mobile telephone number), their device serial number (be it an ESN/P-ESN, IMEI, MEID or UDID), a separate PIN code, and even renewable device-specific single sign-on tokens (federated, OpenID, other) that uniquely identify the user with their app with their device at a specific time. If any of the above recorded credentials are deemed “out of whack” with what’s recorded/provisioned on the server upon any regular content or data sync, the device’s mobile content and the app are remotely wiped automatically, ensuring information can’t get into the wrong hands at any time. We even can restrict app/content access and actual use to predefined work hours to ensure a non-exempt/union employee can’t access mobile learning on a personal or company-issued device outside of their scheduled work hours in any given week.

    True, most IT teams are just starting to encounter these questions and beginning to develop their strategies and policies to address these issues. But real answers are out there when they start looking to meet their own standards and can’t just look the other way. It may not be inexpensive to achieve, but these sorts of organizations are more focused on the value of securing their information/devices/networks than they are on saving money and cutting corners, especially where security is involved.

  2. […] have read about the security of mobile devices is the common sense of the user, as mentioned by the Float Team.  And, an EDUCAUSE article speaks to the issue by stating “Users need to understand the […]
