Enterprises have sensitive data that resides on a variety of clouds, servers, files and databases — whether they are banks that store credit card numbers, health care providers that need to secure sensitive patient health records and comply with Health Insurance Portability and Accountability Act regulations or product innovators that need to keep their designs a secret. The value of this information is unlocked and enhanced when accessed and updated by users such as employees. Mobile reduces the time it takes to retrieve and update the information to near-real time, which boosts productivity for all stakeholders involved. Content security is crucial to secure this data.
The information itself can be in the form of documents or as data on databases that are accessed via applications. In either case, end users then access this data via an endpoint such as a laptop, smartphone or tablet. With the proliferation of mobile devices around the world, employees now expect access to corporate information on their devices of choice. Mobile adoption is unprecedented in its scale and speed, with approximately 1.3 billion smartphones shipped in 2014 alone. Enterprises need to ensure data and content security on these new form factors and the apps that run on them. As the bring-your-own-device (BYOD) trend continues to grow, it is even more important for corporations to isolate enterprise data from personal data on the device to ensure enterprise data security while simultaneously maintaining user privacy.
Securing the content requires focusing on two components: the back end (cloud or on-premises server) where the data resides and the device itself, which allows end users to access the data.
Securing the Back-End Infrastructure
The back end must ensure that only authorized devices and users can access the data, whether the solution is delivered as software-as-a-service or hosted on-premises. This is achieved by monitoring and blocking unauthorized access based on the security posture of both the device and the user, typically in conjunction with access management tools. This could be as simple as a username and password or as full-fledged as an identity and access management system.
Device-Side Data Security
The device side, however, requires a completely new set of security capabilities given that mobile device operating systems have a different user interaction model from those on laptops. The data storage and flow between apps on the device can be better controlled with the help of mobile device management (MDM) and enterprise mobility management (EMM) solutions. EMM solutions not only provide visibility of the environment and secure the devices, but they also secure the apps and the content on them.
BYOD smartphones and tablets now necessitate that chief information officers (CIOs) completely isolate and control the corporate data without touching the personal data on the device. One way to ensure this complete separation of corporate content is through containerization.
The EMM industry has evolved from managing just the device to the concept of containerization in order to isolate all the corporate data via an encrypted app on the device. With containers, multiple encrypted apps share common code (via a software development kit or wrapper) and can then be configured over the air by security policies through an EMM solution. For BYOD devices, IT can now manage just the corporate data without even having to control the entire device. This quells fears among employees that their workplace is now monitoring their devices and/or activities. Containers can be used to deliver a complete corporate persona for work-related activities such as email, calendar, contacts, documents and browsers for intranet access.
For content, end users can be allowed access to a wide variety of corporate repositories for document access with a single-app user experience. IT can still enforce strict security via EMM on how these documents are stored and used on the device.
Some of the important security features for containers include encryption and data leak prevention. Through encryption, data can be stored in an encrypted database on the mobile device. Through data leak prevention, the flow of content between apps can be controlled through the following features:
- Managed open-in, which allows documents to flow between work-related apps that IT has approved and distributed through the enterprise app store.
- Cut/copy/paste restrictions, which disable inadvertent leakage of data out of corporate apps.
- Selective wipe, which is offered either through core MDM or via the container. All the corporate content can be wiped out in case the employee leaves the company, the device is lost or the device does not report back to the EMM server for a predefined period.
- Per-app virtual private networks, which allow users to access internal, behind-the-firewall repositories seamlessly, irrespective of the network they are on, without a device-level virtual private network.
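The following added example (not from the article or any EMM vendor) models the decisions described above as plain policy logic: the back-end posture gate from the "Securing the Back-End Infrastructure" section, plus managed open-in, clipboard restriction and selective-wipe triggers for the container. All app identifiers, policy fields and device records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical data model for the EMM decisions discussed in the article.
# Field names and app identifiers are constructed, not any vendor's schema.

@dataclass(frozen=True)
class DevicePosture:
    enrolled: bool            # device or container is managed by the EMM
    compliant: bool           # passed posture checks (passcode set, not jailbroken, ...)
    last_checkin: datetime    # last time the container reported to the EMM server
    user_active: bool         # employee still present in the corporate directory

@dataclass(frozen=True)
class ContainerPolicy:
    approved_apps: frozenset  # apps IT approved and distributed via the enterprise app store
    clipboard_out: bool       # may corporate content be pasted into non-corporate apps?
    wipe_after_days: int      # selective wipe if no check-in for this many days

def backend_access(posture: DevicePosture, credentials_ok: bool) -> bool:
    """Back-end gate: an authorized user on an authorized, compliant device."""
    return credentials_ok and posture.user_active and posture.enrolled and posture.compliant

def open_in_allowed(policy: ContainerPolicy, source: str, target: str) -> bool:
    """Managed open-in: documents may only move between IT-approved apps."""
    return source in policy.approved_apps and target in policy.approved_apps

def paste_allowed(policy: ContainerPolicy, source: str, target: str) -> bool:
    """Cut/copy/paste restriction: corporate-to-personal paste is blocked unless policy allows."""
    if source not in policy.approved_apps:
        return True                      # personal-to-anything is not corporate leakage
    return target in policy.approved_apps or policy.clipboard_out

def selective_wipe_due(policy: ContainerPolicy, posture: DevicePosture, now: datetime) -> bool:
    """Selective wipe triggers: employee has left, or device silent past the predefined period."""
    silent_for = now - posture.last_checkin
    return (not posture.user_active) or silent_for > timedelta(days=policy.wipe_after_days)

# Constructed sample policy and device records.
POLICY = ContainerPolicy(approved_apps=frozenset({"corp.mail", "corp.docs", "corp.browser"}),
                         clipboard_out=False, wipe_after_days=14)
NOW = datetime(2015, 6, 1)
HEALTHY = DevicePosture(True, True, NOW - timedelta(days=1), True)    # checked in yesterday
LOST = DevicePosture(True, True, NOW - timedelta(days=30), True)      # silent for 30 days
DEPARTED = DevicePosture(True, True, NOW, False)                      # user removed from directory

if __name__ == "__main__":
    print(backend_access(HEALTHY, True), open_in_allowed(POLICY, "corp.docs", "personal.notes"))
    print(selective_wipe_due(POLICY, LOST, NOW), selective_wipe_due(POLICY, DEPARTED, NOW))
```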
The rate of mobile adoption has been so fast and so robust that malicious apps and newer threats are detected regularly. However, it is up to the CIO, chief information security officer and IT teams to ensure corporate content is secured for mobile access. With EMM and content security, mobile can be a great success story in enabling employees to access corporate information right at their fingertips wherever they are — and there is a great opportunity for IT to be an enabler.
Product Manager, IBM
Kaushik Srinivas is a contributor for SecurityIntelligence.