As mobile grows, so do security threats. I recently had the opportunity to attend a breakfast with several chief information security officers (CISOs) and hear them talk about their mobile security concerns and strategies. It quickly became apparent that everyone had their own unique company cultures and primary concerns they were trying to address. Here’s how the meeting played out:
Breakfast Is Served
We were arranged around a long boardroom table, and introductions started directly opposite me, meaning I would be the last to introduce myself and comment on mobile threats and strategies. My goal was to learn as much as possible about their concerns and educate them on my experiences without delivering a biased sales pitch. It turned out to be one of the most valuable mornings I have had in the past several years.
The first few attendees got right into the issue of protecting devices, managing the end-user experience and dealing with the cultural concerns of Big Brother. Their primary concern, which is consistent with the results of IBM’s “The State of Mobile Security Maturity” report, was how they could secure a device so that if it were lost or stolen, they could locate it, wipe it and prevent it from becoming a conduit back to the enterprise.
The challenge is doing this without having a major impact on the end-user experience and making users feel as if the company is watching their every move. This theme was consistent with what I hear every day. I was ready to jump on the topic, but there were several more attendees ahead of me.
Challenges Surrounding Access Controls and Mobile Security
The discussion around user experience led right into the topic of managing access. The CISOs talked about how they can manage access to make it as simple as possible while also maintaining security. They posed the question, “If my access control is strong enough, do I need to worry about protecting the device?”
While it still wasn’t my turn to speak, the answer is “no” — one security measure does not replace the other. They are both part of a layered-defense approach to securing the enterprise.
Then, they teed up the topic of context-based access control: How do I put some intelligence around my access-control decisions so I can decide what level of authentication is required based on context around the session? This is a topic I really enjoy talking about. Every session has so much context that goes with it, and when viewed in relation to previous sessions, the context can assist you in making the right authentication decision.
Balancing Personal and Corporate Information
From there, the discussion turned to securing content and collaboration. However, they didn’t use those words — those are the words used in the IBM Mobile Security Framework. They did talk about how they could protect documents, separate business and personal content and allow for document creation, editing, etc.
The mixing of business and personal content is a major concern for companies. How do you protect business content that is intermingled with personal memos, contacts, documents and other things? No one wants to see this month’s sales plan or the new product strategy accidentally shared outside the company. This led to discussions about secure containers and how they affect the end-user experience.
I thought we were going to miss the topic of application security, but someone finally raised questions around managing apps. How do you manage end users who constantly add and update apps on their devices? How do you identify devices that have apps with known security issues? How do you conduct whitelisting and blacklisting of apps? As long as we’re talking about identifying risky devices, how do you identify devices that contain malware or have been jailbroken or rooted?
There are several answers here. First, provide users with approved apps via a private app store or supply a list of approved apps. End users will often go with an approved option if it is offered to them. In the absence of approved apps, they go with whatever they can quickly and easily get their hands on. Second, educate users on what makes some apps dangerous and how jailbroken or rooted devices affect the built-in security features of a device.
The Need for Tough Love
Finally, be prepared to enforce your security measures with tough love. Put simply, there are certain things you cannot tolerate if you want to have a secure enterprise. Tell employees that if they insist on doing these things, they will not have mobile access to the enterprise. This doesn’t have to be a consequence that lasts forever. As soon as the risk has been remediated, they can again have access to sensitive corporate resources.
By the time the CISOs were done with introductions, they had raised all the topics I had planned to discuss for the day. It was obvious that the CISOs had the full range of mobile security concerns on their plate, even though they each had their own top priorities. I thanked them for the perfect lead-in to my pitch and started my presentation.
My presentation was laid out as the IBM Mobile Security Framework. While it carries the IBM name, it is really a blueprint that anyone can use when they develop their mobile security strategy. It introduces the following four imperatives:
- Protect devices
- Secure content and collaboration
- Safeguard applications and data
- Manage access and fraud
My key message to the audience was that they have identified the mobile threats, but as soon as they search for a solution, they should take a holistic view of the challenges and look for an integrated approach to addressing them.
To learn more, watch a panel of IBM Mobile Security experts in our on-demand webinar titled, “Take an Integrated Approach to Mobile Security and Address the Full Breadth of Threats.”