Mobile device security
With BYOD, one might think vendors would be scrambling for new tools and techniques to handle the onslaught of users insisting on adding their smartphones and tablets to the corporate infrastructure. That, it turns out, does not seem to be the case, says Peter Stephenson.
In a relatively brief period, we have begun to see a stability that suggests maturity in the security products intended for the mobile market. This is not for the reasons we might expect – such as the technology not being ready for mobile device security, or that mobile devices don't need anything special or, more likely, there isn't a market. The truth seems to be that the vendors are looking at evolving requirements and saying, “Yep... been there, done that”.
The state of the art in the products we looked at in this test is remarkably mature and effective. These are a batch of really fine tools, and selecting among them was a difficult task. When a product misses a tie for Best Buy because trivial improvements are needed to documentation, you know that the market is the real winner.
Mobile device security addresses several important issues. For example, being able to control the disposition of sensitive information that resides within the enterprise but can be accessed by a mobile device is very important. This addresses privacy, intellectual property and other confidentiality issues.
Also, mobile devices are prone to theft. It is important to be able to control access to sensitive information if the device is lost or stolen. Having a capability available to remotely wipe the device, either completely or selectively, is critically important. The most complete systems can do a selective wipe based on what is stored on the device as corporate or personal data. Most people dislike the idea of a forced wipe of personal data, such as music and photos, given that the device is theirs and not the organisation's.
Anti-malware and hacking safeguards are important as well. For Android devices especially, there is a serious potential problem with malware. The Google Play Store contains a plethora of applications that are minimally vetted before being allowed to be sold or given away, so the possibility of malware containing backdoors and Trojans is potentially high. Not all of this malware is intended for the device itself, of course. Much of it is intended simply to be spread to the enterprise – making the Android device a sort of ‘Typhoid Mary' (the first person in the US identified as an asymptomatic carrier of the disease).
Access controls are also important since, if the device is in use by an unauthorised person, it would be a bad thing for that individual – with embedded credentials – to be able to access the enterprise with an automated login. Along with this is access to the data on the device itself. Today, open source forensic tools are available that can extract data from many types of popular mobile devices. That means that even if a thief cannot gain access to the device, there is a possibility that access to the data may be gained forensically. Encrypting the data on the device is important to protect against this unauthorised bypass of access controls.
All this goes together to make a world-class mobile device security solution. So, when one is looking at this type of tool, what should be required? While features might seem to be the hot button, before one starts thinking about functionality, ask what the environment looks like. In simple terms, what types of devices are you willing to support? Apple iOS is an obvious choice, but Androids are gaining market share rapidly and BlackBerry is also growing in strength. There are also a few dark horses, such as Kindle and Nook.
One probably won't want to support everything, but implementations should support the leaders.
The following reviews are the products that scored most highly. For the full range of reviews from the SC group test, go to: www.scmagazineuk.com/group-test/section/332