Does Anyone Doubt Mobile Security Should Be a Strategic Initiative?
According to eMarketer, the global smartphone audience surpassed the 1 billion mark in 2012 and was projected to total 1.75 billion in 2014. Meanwhile, Gartner projects more than 268 billion mobile app downloads will have taken place by 2017. As the pace and adoption of mobile computing grows, so do the security risks and threats. Cybercriminals are practical actors; they follow the money and the path of least resistance. The mobile platform is proving to be a choice target for malware where double-digit or even triple-digit growth has been reported. The malware is looking to steal sensitive user and enterprise information. So what should enterprises do?
Start by Securing the Device and the Data on the Device, but Don’t Stop There
A key concern for enterprises is data leakage. Are your employees using their mobile devices as a conduit to share and exchange enterprise data? The best and easiest way to address this concern is to manage employee devices via bring-your-own-device policies. However, there is always a trade-off between security and utility. You need to ensure your mobile device management solution provides flexibility in terms of policy definition and enforcement. For example, could a stronger device password be required? Do you have a secure way to share enterprise content and safely collaborate with fellow employees? Could you selectively wipe enterprise data from a compromised or at-risk device but ensure personal information is not removed? As enterprises gain control and confidence over securing devices and data, attention must be paid to the mobile applications on the device.
Your Mobile Applications Live in a Hostile World
Enterprises have little to no control regarding the installation of their mobile applications. Chief information officers and chief information security officers agree that their mobile applications are installed on at-risk devices. The risk may be introduced by mobile malware or be on devices that have been rooted or jailbroken. Rooted or jailbroken devices make mobile security and mobile operating system security ineffective. Therefore, it is incumbent upon each organization to ensure all sensitive mobile application data is encrypted. However, once you build a secure application, you must keep it secure. Since mobile applications are in the wild, they can be easily reverse engineered. Organizations that have sensitive intellectual property or want to prevent having their mobile apps repackaged with malware should first harden the app prior to its release.
Mobile Authentication and Access Policies Must Adapt Based on Security Risk
Mobile users have zero tolerance when it comes to consumability. There is an expectation that mobile applications will be easy to use. When secure access management requirements collide with ease-of-use concerns, there must be a flexible and adaptable approach to secure authentication. Organizations cannot apply the same stringent access control policies for every application, yet they need to detect and prevent fraudulent transactions. What is needed is an adaptive approach that considers context. For example, is a user attempting a bank transaction from an unrecognized device in a historically different location? In this scenario, a one-time password might be sent to the user to enforce stronger authentication. The authentication requirements must adapt based on context.
The IBM Mobile Security Framework
IBM has developed its Mobile Security Framework to provide a holistic approach to mobile security.
Mobile security risk is prevalent on the device when it comes to protecting content and data, safeguarding applications, managing secure access and detecting fraudulent transactions. Organizations require a holistic and integrated approach to managing mobile security risk. A collection of point products does not provide an end-to-end solution. A holistic approach to mobile security should address all the risks and the unique interdependencies between them.