By Jon Kuhn | June 28, 2011 10:15 AM EDT
With the seemingly endless parade of high-profile attacks and data breaches recently, many businesses are taking a critical look at the security and management of their own networks, asking themselves, "Could we be next?" One rapidly growing point of concern enterprises should be focusing on is the ever-expanding presence of a diverse fleet of mobile devices connecting to their IT infrastructures.
A recent Symantec survey found that only 51 percent of respondents who use their smartphones for work had been educated by their employer on policies and/or best practices regarding the security of their work-related smartphones. To make matters worse, 42 percent said they were not aware of any mobile device security and/or management software or tools in use by their employer.
In today's always-connected world, mobile devices not only serve as enterprise endpoints, they simultaneously see extensive use as personal devices for downloading applications, browsing websites, sharing files and social networking. In fact, the survey also found that 91 percent of companies allow employees to use their work-related smartphones for personal use. The extent to which this consumerization of IT is spreading creates a major security and management challenge.

To compound this issue, most mobile devices entering and exiting enterprises store and access confidential information. The survey found that 73 percent of respondents said they use their work-related smartphones to access such information, with 73 percent of that being competitive or proprietary data. Unfortunately, cybercriminals have taken notice of this trend, even if enterprises have yet to.
The ideal mobile security and management strategy is an all-encompassing approach that seeks to offer protection not only on the enterprise side of the fence - where data is used, created and stored - but also from the telecommunication service provider side - where the devices connect and communicate with corporate back ends. Each side requires a unique set of tools to effectively mitigate the risk these devices create.
Protecting and Managing the Devices and Data
Mobile devices are becoming more sophisticated every day. This sophistication provides tremendous productivity increases, but as they provide greater corporate access and store more data, they are also increasingly being targeted by attackers. In a related vein, the theft and loss of devices also present a significant risk. As a result, companies need to manage the devices and the data on and accessible through them to make sure all is secure. In short, companies need to stop making exceptions for mobile devices and treat them as they would any other endpoint.
The first step is to implement security and management software on the devices - much like those used to secure and manage the data on PCs. This includes security software, management tools, information protection technologies and authentication solutions.
Security Software
Though mobile threats are still in their infancy and are nowhere near the level we see targeting traditional computing platforms, some creative cybercriminals have found ways to exploit smart mobile devices through viruses, Trojans, SMS or email phishing, rogue applications and snoopware - mobile spyware that activates features on a device without the user's knowledge, such as the microphone or camera. It's therefore growing increasingly important to employ mobile security solutions that provide a barrier against these attacks, similar to their laptop and desktop counterparts.
Security solutions that feature network access control capabilities can also help to enforce compliance with security policies and ensure that only secure, policy-compliant devices can access business networks and email servers.
Management Tools
As important as security software is, it's only one part of the overall equation. Security software must go hand-in-hand with tools that enable enterprises to manage and properly configure the various mobile devices that connect to their networks, such as mobile device management, or MDM, solutions. After all, a well-managed device is a secure device. By increasing IT efficiency with over-the-air deployment of configurations, applications and updates, management solutions help ensure devices have the required policies and applications and that they are configured correctly and kept up-to-date. This not only improves end-user productivity by managing mobile device health, but also ensures security vulnerabilities are not present on the devices.
Information Protection Technologies
The biggest threat to mobile devices remains the risk of loss or theft. As more companies use these devices simply as additional endpoints, data stored and accessible through them is put at even greater risk. Corporate email and data from line-of-business applications on smartphones often contain intellectual property or information subject to government regulation. The loss or theft of the device exposes sensitive data and may result in financial loss, legal ramifications and brand damage. Strong password/PIN policies prevent unauthorized access to the mobile device and its data. Mobile encryption technologies provide protection for data communicated and stored on end-users' mobile devices. Remote wipe and lock capabilities enable an enterprise to remotely delete all of the corporate data on the device to ensure the data cannot be breached.
Another consideration: as individual-liable mobile devices permeate enterprise networks, organizations need granular control over these remote wipe capabilities so that only the corporate-owned data can be wiped. Finally, enterprises need to make sure that the appropriate data leakage prevention policies are in place to reduce the flow of sensitive data out of the mobile devices.
Authentication Solutions
Most enterprise networks require a username and password to identify users, but usernames and passwords can be compromised. Using two-factor authentication technology provides a higher level of security when users log in to the corporate network. Quality authentication technologies extend the same safety measures to users when logging in from a mobile device. As enterprises develop custom applications, they need to look at extending the authentication to these apps as well.
Protecting and Managing the Service Provider Networks
As more enterprise endpoints access the service provider networks directly (via mobile devices), organizations need to feel comfortable that these networks are also free of attacks and threats that could proliferate into their own systems. Superior mobile security and comprehensive network protection allow the service providers to offer that confidence to enterprises.
Network Protection
As malicious threats designed to be propagated via mobile networks increase, so too must the measures implemented by providers to block these threats. Service provider networks should be protected at their edge, never allowing these threats to get in. By building a network-wide policy control and enforcement system, these networks are guarded against malware. This network-wide solution must include an application-level security policy that protects against the predominant types of traffic entering the network, including the web, SMS, and MMS. By putting this application-level policy in place, service providers can identify and evaluate new threats from devices as soon as they appear and prevent them from reaching other enterprises and end users.
Services Revenue
Improving overall security with a network-wide policy control and enforcement solution has additional benefits. It empowers providers to offer revenue-generating protection services for both enterprises and consumers. These include enterprise-level control capabilities, such as controlling where users may browse the web or controlling devices connecting to the enterprise infrastructure. These capabilities can be sold as Security-as-a-Service to corporate customers to drive corporate customer retention and acquisition. They can also be offered as consumer-level control capabilities, providing individual subscribers control over their mobile presence across all services.
Security Insight
In order to protect network stability, performance and subscriber trust, it's critical that service providers have real-time insight into what types of activity are happening within their network. In addition, service providers must comply with the increasing regulatory requirements being placed on them. An intelligent security solution designed to identify, manage and report suspicious activity in real time enables a proactive approach to improving network efficiency by allowing only valid traffic to traverse the network. In addition, operators must ensure they properly store and make retrievable application-level traffic requested by enterprises, helping meet regulatory requirements for data retention and recovery.
The brave new world of enterprise mobility - where computing is breaking down corporate walls and flowing into the real world - is in full swing. Completely securing and managing this mobility and the anytime access to corporate data it represents has to become a central focus of enterprises and the industry as a whole. Ideally, this would include integrated protection strategies for end users, enterprises and telecommunication service providers.
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
Jon Kuhn serves as Director of Product Management for the Enterprise Mobility Group at Symantec, responsible for the mobile security and management products and services. In his role, he focuses on both the enterprise and service provider routes to market, building solutions for on-premises, cloud and carrier deployments. Jon more recently served as Director of Core Security, responsible for Security Suites and Mail & Web Security product lines.
Prior to Symantec, Jon led the product management and marketing teams at SonicWall, a network products and services company and leader in the network security market. There he was responsible for managing all aspects of program management and marketing with full P&L ownership. Jon joined SonicWall through the acquisition of Ignyte Technology, an IT consulting company where he was a founding member. With over 14 years in the IT industry, Jon has held a number of roles in product strategy and sales engineering leadership, and has managed teams in both business and technology consulting.
Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.