Technology, the Enterprise or the User: Which Owns Mobile Security?
By George Platsis
It’s not outrageous to suggest that you might be reading this on a mobile device. Nor is it outrageous to think that most people use a mobile device for the majority of their reading these days. I’m even writing this on a mobile device. So for those not following along, at this point, mobile security is really just security. There really isn’t any difference anymore.
What Makes Mobile Security Different?
The unique challenge with mobile devices is that we haven’t accepted them as what they are: powerful pocket computers that are always transferring and storing data. Today’s pocket devices absolutely steamroll a 1999 workstation and transfer and store data like it’s a commodity. They’re ubiquitous too.
That’s what makes mobile device management so difficult today: The devices are powerful, they store and transfer extremely valuable data, and there are just so darn many of them. Not too long ago, it was one desktop for a household of four. Now, it’s four devices per person — and that may even be an understatement for some.
You No Longer Own Your Pipeline
Remember when you owned the infrastructure you used? There was a different mindset then. You invested in it, you owned it and you maintained it. Nowadays, it’s all about services, meaning a lot of what happens is actually happening outside of your own ecosystem. You not only have to worry about your own network, you also have to worry about that random Wi-Fi network you’re plugging into.
So how did we get here? Simple: We sought freedom and convenience. Security was not really on our mind. Between freedom, convenience and security, you can really only have two of the three, and with security concerns on the rise, we need to reweigh and reallocate our priorities.
To best manage mobile security within your enterprise, you also need to maintain another balance: technology, enterprise and user responsibilities. With more mobile devices on the way due to 5G deployment, winning this device management game means establishing the right foundations before you start divvying up responsibilities.
Treat the Problem From a Risk Management Perspective
According to Verizon’s “Mobile Security Index 2019,” 33 percent of respondents admitted suffering at least one compromise due to a mobile device, with the majority saying the impact was major. Furthermore, 67 percent said they’re less confident about their mobile security than other IT assets. Clearly, there is marketplace worry and a lack of confidence.
At the center of any security issue is the concept of risk, so if you are not treating this problem from a risk management perspective, you’re missing the boat. This piece won’t go into the how-to of risk management; there is plenty of information on that. This piece outlines what you need to know to properly divvy up responsibilities between the three groups mentioned above. Just keep in mind the standard risk choices (accept, avoid, mitigate or transfer) as we run through the considerations below.
Define Your Business Processes and Needs
Assume for a moment that you have done all your standard risk management work. Does it mean anything without proper definitions of your business processes and needs? Not really. You see, if you define your business processes and needs, you can map out how certain vulnerabilities will impact your business. More importantly, you can decide which risk choice you wish to make.
For example, does a particular business process absolutely require a certain application that has known security flaws and must be installed on all devices? Well, if it does, you may find yourself in a case where you have to choose risk acceptance.
This initial mapping is incredibly important, because if you muck it up, you’re just building on poor foundations where the result is increased fragility. It won’t matter what you do later if you’re starting on shaky ground.
Configure and Set the Right Permissions
By now, you should be at the point where you know what you want and you know what risk choices you’re going to make. This is where the nitty-gritty comes in — the stage where you make the technical changes that align all your business processes and needs against your risk choices.
Need certain ports open? Fine, open exactly those and close everything else (default deny). Don’t need an application? Create a rule that bans its installation on any device. Have concerns about certain hardware products? Put them on a ban list, preventing them from entering the procurement process.
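To make that concrete, here is an added example (not code from the original article, and not any vendor’s MDM product) of what such a policy looks like once it is written down and checked mechanically: ports are allow-listed so anything not explicitly needed counts as a violation, while applications and hardware models are deny-listed, exactly as the paragraph above describes. The policy fields, device records, package names and model names are all constructed for illustration.

```python
"""Audit a mobile-device inventory against an enterprise device policy.

Added example, not from the original article. Field names, helper names,
package identifiers and hardware models are assumptions chosen for
illustration; the inventory below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Ports are ALLOW-listed: any listening port not in this set is a
    # violation (default deny, "open those and close all the others").
    allowed_ports: frozenset[int]
    # Applications are DENY-listed by package identifier.
    banned_apps: frozenset[str]
    # Hardware models are DENY-listed so they never enter procurement.
    banned_hardware: frozenset[str]


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    installed_apps: frozenset[str]
    listening_ports: frozenset[int]


def check_device(policy: Policy, device: Device) -> list[str]:
    """Return human-readable violations for one device (empty == compliant)."""
    violations: list[str] = []
    if device.model in policy.banned_hardware:
        violations.append(f"banned hardware model: {device.model}")
    # Deny-list check: only apps that appear on the ban list are flagged.
    for app in sorted(device.installed_apps & policy.banned_apps):
        violations.append(f"banned application installed: {app}")
    # Allow-list check: every port NOT explicitly allowed is flagged.
    for port in sorted(device.listening_ports - policy.allowed_ports):
        violations.append(f"unexpected listening port: {port}")
    return violations


def audit(policy: Policy, devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id -> violations for every non-compliant device."""
    report: dict[str, list[str]] = {}
    for device in devices:
        problems = check_device(policy, device)
        if problems:
            report[device.device_id] = problems
    return report


# Constructed sample policy and inventory (hypothetical identifiers).
POLICY = Policy(
    allowed_ports=frozenset({443, 5228}),
    banned_apps=frozenset({"com.example.legacy-vpn"}),
    banned_hardware=frozenset({"ExampleCorp Tab X"}),
)

DEVICES = [
    Device("d-001", "ExampleCorp Phone 12",
           frozenset({"com.example.mail"}), frozenset({443, 5228})),
    Device("d-002", "ExampleCorp Phone 12",
           frozenset({"com.example.mail", "com.example.legacy-vpn"}),
           frozenset({443, 8080})),
    Device("d-003", "ExampleCorp Tab X", frozenset(), frozenset({443})),
]

if __name__ == "__main__":
    for device_id, problems in audit(POLICY, DEVICES).items():
        print(device_id)
        for problem in problems:
            print("  -", problem)
```

Running it reports d-002 (a banned app plus an unlisted port 8080) and d-003 (a banned hardware model) and stays silent on d-001. The asymmetry is deliberate: a device can only be trusted to expose the ports you named, so ports are allow-listed, whereas you cannot enumerate every acceptable application, so apps and hardware are deny-listed.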
At this phase, you should also be asking the following questions:
Do we have a possible scale problem?
Do we have computational or bandwidth issues on the horizon?
Do we need security information and event management (SIEM) and/or security orchestration, automation and response (SOAR) solutions?
Do we know which devices we will allow on the network?
What policy considerations should we be thinking about?
What do we want our endpoint detection and data loss prevention to look like?
You’ll note that so far, this sure looks like a lot of enterprise work. Well, it is. The enterprise really needs to ensure the foundations are set up correctly if it wants to get mobile security and device management right.
Now comes the tough stuff: figuring out who is responsible and accountable for what. A metaphor could be useful here. Imagine a well-built, three-room house. The builders got everything right in the construction stages. Certifications, licenses, the best materials — you name it. Now imagine this house has three occupants, one for each room. They all live harmoniously together, can enter each other’s rooms pretty freely, with some expectation of privacy of course.
Sounds good so far, right? Well, there is one requirement: Each occupant is responsible for maintaining their room, because if one room is not well-maintained, it can ruin it for the others. They’re all connected, and what impacts one impacts the others.
Welcome to the world of mobile security and device management. That’s exactly the scenario you’re dealing with, and it’s only going to get more difficult to manage as we see more and more devices and data. The bottom line is that all three aspects — technology, the enterprise and the user — must be responsible for their own piece of the mobile security pie.
Mobile Security Isn’t Easy
There are plenty of resources out there to help identify mobile security problems. The Open Web Application Security Project (OWASP)’s Mobile Top 10 is a great place to start for technical issues. Unfortunately, I think we’re still a ways away from a UL-type certification for mobile and internet of things (IoT) devices. The marketplace isn’t ready for that slowdown.
The key to deciding who is responsible for what in the mobile security arena really begins with getting your risk management assessment and mapping right. These assessments and, specifically, the risk choices are not easy, but remember the old rule: Anything worth doing isn’t easy. Protecting your critical data is always worth doing.