For all of its merits, mobility among staff has brought a range of issues around data protection, as CIOs try to guard against attacks from third parties and even their own staff. These issues present a real threat to employers tasked with securing sensitive company data, and encryption alone may not provide the solution.
However, mobile data loss can be prevented and its impact mitigated in many cases. Most issues exist due to a lack of stringent regulation on staff using their own devices for work, who may be more prone to sharing files accidentally, or less inclined to encrypt their data sufficiently. Employers should be aware that solutions to these issues are available, either through software designed to control intentional or accidental corporate data sharing or ensuring that staff isolate their work browsing from personal activity.
Mobile devices receive corporate data in three main ways; through email (and attachments in particular), apps, and the web. It goes without saying that all three carry the potential for attacks from elsewhere – and that employers should look into their workforce's usage patterns in each area.
This process is not sufficient in isolation – employers are presented with a long list of potential threats where mobility is concerned in addition to the human error issues mentioned above. Certain apps, even popular offerings relevant to the individual's objectives, can carry potential security weaknesses and IT directors seeking to prevent such occurrences are undermined if employees are freely downloading malicious apps as part of their personal use. The result leads to malicious apps that have the ability to speak to other apps on the device, including apps that contain or access corporate data.
Mobile data loss threat vectors typically fall into one of four categories:
· Risky and malicious Apps – data exfiltration
· Jailbreak or rooting activity – device opened to vulnerabilities leading to data exposure
· User data leakage – copy/paste, upload, screenshot, open-in, etc.
· Unprotected networks – rogue access points, interception of data-in-motion, man-in-the-middle attacks
Devising your security strategy involves careful considerations regarding the user, device, and network. An enterprise mobility management (EMM) platform can provide the necessary proactive and reactive controls to mitigate these threats. Additionally, CIOs running a mobile workforce can safeguard sensitive data through the following means:
Fundamental device controls can enforce a mobile device password and encryption. Depending on the use-case, some customers may additionally leverage operating system specific device controls and lockdowns to disable the ability to install additional apps, camera, screen capture, cloud backups, Bluetooth, USB, and numerous other controls.
Separating corporate information
Splitting personal data from corporate data is key, but so is preserving the native user experience. Separating corporate email, data, web and apps from personal ones, protects the rest of the device.
Jailbreak and root detection and mitigation
Many EMM platforms provide the ability to perform hacking detection. Once detected, your EMM platform should provide the ability to quarantine a device. This quarantine varies across EMM platforms, but can include a simple alert, block network access, or selectively fully wipe the device. This approach is also recommended by the PCI Council.
Malicious and risky App detection and mitigation
Even legitimate apps we use everyday may have arguably risky behaviours that may lead to data loss when they secretly distribute data. Anti-virus and anti-malware are just other apps on mobile devices, and cannot address threats themselves. App Risk Management services which plug into an EMM platform provide an effective quarantine solution once a threat is detected.
VPNs or Application Tunnels can encrypt the data-in-motion to deter interception attacks. These are commonly referred to as per-App VPN or Application App Tunnels which allow the administrator to be more restrictive than a standard VPN by only allowing specific apps to access the network, thus all other apps (including malicious apps) are blocked. Certificates are fundamentally supported on mobile operating systems. When used to authenticate the SSL/TLS tunnel this provides protection against interception and man-in-the-middle attacks, especially when you have users connecting to Open WiFi.
In summary, controlling mobile data loss can be accomplished by leveraging a mature EMM platform that is not only mobile device aware (Mobile Device Management/MDM), but also MAM (Mobile Application Management) and MCM (Mobile Content Management) aware. This can provide the necessary controls to mitigate data loss stemming from the user, device, and network. Additionally, the EMM platform must employ both proactive and reactive security controls, to not only prevent mobile data loss, but also respond to threats by quarantining the device and removing the sensitive corporate data. When approaching your mobile security strategy, ensure that you incorporate a defence-in-depth approach leveraging many of the outlined approaches. This will allow you to not only control mobile data loss, but achieve compliance as well.
Contributed by Mike Raggo, Security Evangelist, MobileIron