Today’s mobile world requires a different focus, one that emphasizes BYOD (bring your own device), apps, increased usability, multi-platform users, and the unique security challenges associated with all of them. We simply cannot get visibility granular enough into the operating system to see what is going on, and so we can never fully trust the device. Companies must layer on protections that they control regardless of the state of the device or the app.
In the current IT enterprise landscape, mobile security technologies must provide seamless connectivity, security and trust relationships between the user and enterprise regardless of the device or manufacturer, while enabling application-level visibility and control to protect the organization from dynamic vulnerabilities.
The relentless progression of the wireless-mobile industry introduces four main forces driving BYOD and mobile apps, and in doing so reshapes how we think about mobility and mobile security requirements. Like the iPhone, the catalyst of the BYOD movement, this shift in thinking ignites the next level of change, highlighting the need for a true mobile security solution that works in conjunction with enterprise mobile management (EMM) and mobile device management (MDM) systems.
BYOD—Not Just for Employees Anymore
About a decade ago, mobility meant buying, setting up and issuing BlackBerrys to employees on an as-needed basis. Today, mobile-ready companies are expanding beyond just enabling BYOD for employees; they increasingly engage with partners, vendors and customers via mobile apps on devices the company does not own. This means we no longer have control over the device, making traditional IT and MDM approaches to mobile security obsolete.
Because the rise of mobile apps is unstoppable, we must shift our focus from devices alone to securing the apps themselves, regardless of the device, without impeding the user experience. To do this, we must adopt a model where trust is proven rather than assumed. We must use a zero trust model for mobile and weave in the security we need to ensure users are safe despite the growth of apps and mobility.
Anybody can be an App Developer – Operating System Vulnerabilities Emerge Constantly
With the growing focus on mobile, everyone from enterprise CIOs to small business owners is under pressure to accommodate end-user demands: provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer-facing apps. As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools have emerged that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, the security knowledge of a mobile app “developer” varies widely.
This variability in security knowledge and the use of outsourced development houses, coupled with time-to-market pressures that favor usability over security features, result in less secure apps. In fact, the Ponemon Institute found that only 41 percent of respondents reported that their organization had sufficient mobile security expertise, and most (55 percent) say they don’t test apps or are unsure if they do. And according to the research firm Gartner, 75 percent of mobile applications will fail basic security tests through 2015.
To address this problem, we will have to adopt security solutions that work at the app level and provide a consistent security framework across all mobile apps. Such solutions will do more than protect the device; they will also guarantee that improperly developed apps don’t become an attacker's front door. Only then will CISOs and CIOs have confidence in the integrity of mobile apps.
The App Explosion
We’ve quickly moved from just a handful of critical business apps like email, calendar and browser to hundreds of thousands of productivity apps, and their potential inherent vulnerabilities present a bigger attack surface back into sensitive enterprise data. Sensitive information is constantly being exposed as employees become their own IT departments, loading unsecured apps onto their devices and keeping the real, already stressed IT department up at night. A recent survey by LogMeIn found that 70 percent of enterprises have some presence of “bring your own application” (BYOA), and the same study found that 64 percent of respondents will download their own solution even when one is already in place. In essence, we require a more granular view of all mobile touch points than EMMs can provide. This is the case even for apps downloaded from Apple or Google.
Mobile App Vulnerabilities Emerging
Because mobile apps are inherently vulnerable, hackers have the opportunity to launch sophisticated campaigns. Attackers love targets that are always connected but hard to monitor, detect and alert on, making mobile devices the perfect avenue for attack. This is evident in the trend of both researchers and hackers looking for, and uncovering, significant vulnerabilities below the device level. One example of this is Stagefright, which has been called the “Heartbleed of Mobile.”
There is also the constant stream of updates and the use of generalized app frameworks to consider. Time-to-market pressures are paramount for mobile app developers, so they often use outsourced frameworks during development and then keep updating their apps. This speeds up the development process, but it also means that developers could easily be introducing security risks unknowingly, especially when third-party components are involved.
Ultimately, the pace at which mobile is evolving in the enterprise is unique, and it is changing how businesses have to think about security. Companies need to establish trust and security in a world where they have less and less control over devices, over apps and over their users. The only way to do this effectively going forward is to truly understand how people work and interact on mobile while knowing that threats are present. We know that attackers follow users, and the popularity of mobile apps, combined with the emergence of their security flaws, means that mobile is primed to be the next attack vector that threatens corporate data and user privacy.
Applying a zero trust model to mobile and the right security controls at the app level could align productivity and security. But the bottom line is that it’s no longer about the device; it’s about the applications.