Who's on the Mobile Security Job?
As smartphones of all platforms and sizes are becoming the business tools of choice, mobile encryption is rapidly making its way to the top of IT managers' agendas. Unfortunately, the old encryption technology models are not fitting the bill -- they are simply not designed for the mobile space. So where can you go from here? Try the cloud.
Enterprises are coming to realize that while their VPNs might be doing a fine job of controlling data, mobile devices have turned into a veritable wild west of security nightmares.
It was all well and good when the only thing they had to worry about was data being accessed by enterprise BlackBerry users. Its proprietary server infrastructure has always provided a welcome security blanket for email security. Today, however, almost every smartphone in use can be a business device.
And that's a problem that IT managers are not happy about.
Talking Outside the Security Box
You could just as easily see a worker download confidential email on an iPhone, Android or Windows device from any location -- more often than not over an unsecured WiFi network.
Lawyers, brokers and financial analysts could all be playing loose with data on their smartphones, sending and receiving all sorts of confidential information -- from client names and addresses to staff cuts or mergers. That same information can also make its way to other users and devices, where enterprise control is lost for good.
This is not an emerging issue that's been simmering slowly on the back burner. Over the last four quarters, growth numbers for the Android platform have outstripped the iPhone, according to recent industry reports from IDC and Morgan Stanley.
Adding to the challenge is the fact that Android applications can be downloaded from any location, rather than just a centrally managed app store. In addition, we have yet to see what will happen with Windows Phone 7.
All in all, IT managers need to resign themselves to the fact that every phone is potentially a business device and therefore a danger to security. Once they've acknowledged that, they can apply some creative thinking to the problem.
Playing By the Old Rules a Losing Game
The answer may seem simple: data encryption. But therein lies the problem. Current encryption technology models are simply not designed for the mobile space.
First of all, there is no platform standardization, which means applying the typical "one- size-fits-all" encryption approach used at the desktop level is not an option. Simply put, the job of issuing and managing digital certificates for multiple platforms used in multiple locations is a logistical impossibility.
Some IT managers have attempted to apply lockdown measures on the mobile inventory they know about -- but that will barely scratch the surface of where and when information is exchanged. They can't apply the rules if the information makes its way out of their purview, which it often does.
On the other end of the communications trail, recipients can't receive and open encrypted emails without considerable inconvenience. In many cases, they have to contact their office and acquire a digital certificate, which is both inefficient and more complex than it needs to be.
In the event of a security breach, managers may turn to wiping devices. This is hardly a sustainable option, given the vast numbers of workers who conduct their day-to-day business chores at client sites, in airports and coffee shops, or at home. Closing the enterprise communications doors will simply grind productivity to a halt.
The New Playing Field
Mobile encryption demands an entirely new approach that "decouples" the device dependencies from the process. What that means is looking at the infrastructure and workflows that support encryption and establishing a secure gateway for accessing and disseminating data. This can easily be accomplished in the cloud.
A secure cloud approach allows enterprises to apply encryption rules to incoming and outgoing data automatically at the source. They simply move applications and data to the cloud, secure the information there, and allow people to access it without downloading it. This is simply an extension of the lock-and-key approach that has been used extensively in more traditional enterprise settings.
With a central management model that fully protects data at all times under predefined business rules, mobile device users can send and receive encrypted messages easily and securely from any device and location. Data remains encrypted while in motion or at rest, and is never stored on devices. At no time can unauthorized users read the data.
The processes required to use such a system on a day-to-day basis are simple enough: Users can download the encryption application from their mobile platform provider and simply open it when they want to compose secure emails, including attachments.
Receiving encrypted emails is equally easy: The phone displays an alert that there is an encrypted email, and the user simply opens the application to read it. Once that information is read, it goes back to its encrypted state until it is needed again.
There is no question that data encryption for mobile devices is in its early stages. Yet recent conversations with enterprises and developers indicate that it is rapidly becoming a No. 1 priority, as Androids and iPhones are infiltrating the mobile workforce at a staggering rate.
One financial services company that is seeking a mobile security solution, for example, recently reported it had to address encryption needs for up to 800 Android users.
Given the inherent complexities and risks associated with multi-platform device management, a central server/cloud approach makes sense, since policies can be automatically enforced, and users can pick up, login and decrypt messages regardless of their location.
This centralized model brings with it the ability to audit and report communications activities. Email encryption just happens to be one of the first security applications to go this route.
While email encryption may represent only one part of the entire mobile security picture, it addresses one of the largest threats to enterprise security. It is only a matter of time before the same model will can be applied to voice, SMS and instant messaging.
With the right infrastructure and workflow and the right back-end identity management and credential platform, mobile security is manageable. Getting there is a matter of knowing how to simplify the complexities of the whole equation, and taking control in way that makes sense.