In recent years, the mobile workforce has grown rapidly. Many forward-thinking companies have recognized the benefits of remote work and have adapted accordingly. However, allowing anywhere, anytime access to corporate data creates new risks that are difficult to address with most security solutions. Before the mobile workforce explosion, businesses used a “trusted” device model to secure remote access to corporate information. Unfortunately, with the plethora of personal devices used by the workforce today, this legacy approach is no longer reliable or secure.
Trusted Devices 101
Endpoints are considered “trusted” if they meet certain security requirements or if the enterprise can control them in some way. Typically, they have an installed software agent that directs traffic to the corporate network so that basic security checks can be completed. Once checks like passcode verifications and operating system (OS) updates are complete, trusted devices will receive unrestricted network access so that users can access all of the data that they need to complete their work. This is usually done through a VPN tunnel to the corporate network. However, these virtual private networks also grant unfettered access to services that remote workers may not be utilizing; for example, Active Directory. This only serves to increase the risk of data exposure.
Security Starts with the OS
In most organizations, Apple’s iOS has emerged as the standard for trusted devices. According to the second edition of the Mobile Security and Risk Review, Apple products account for over 80% of mobile devices trusted in enterprises worldwide. Apple’s native approach to hardware, software, and services has created a distinct security advantage over less centralized platforms. IT managers typically turn to Apple in their efforts to secure corporate data while enabling employee mobility. A recent Jamf study found that 90% of IT professionals say that it is easier to secure Apple devices than it is to secure mobile devices running other operating systems.
False Sense of Security
In general, mobile platforms are more secure than legacy desktop platforms, like Windows, because they are closed ecosystems. However, all of them, including iOS, are still susceptible to data loss, theft, and cyberattacks. Despite this, trusted devices are granted too much access to valuable enterprise data. Even government agencies and some of the world’s largest financial services institutions use the trusted device security model and grant remote workers excessive data access. Instead of focusing solely on device security, organizations should be more concerned about data sharing, stolen credentials, and achieving visibility over cloud data. While firms should deploy solutions that secure data wherever it goes, many merely adopt device-centric tools.
MDM Isn’t the Answer
Most organizations have turned to mobile device management (MDM) and mobile application management (MAM) to address common security issues. Through the installation of agents, these solutions can exert control over devices. From a single platform, IT departments can enforce password protection, wipe data remotely, and restrict unsecure network transmissions. However, setup and maintenance of this type of software can create significant logistical issues. IT teams have to manage the installation of software across thousands of devices and ensure that they are all updated regularly.
In bring your own device (BYOD) environments, seeking to deploy these solutions on employees’ personal phones and laptops is typically viewed as a draconian invasion of privacy. Through software installations, MDM solutions force all device activity through the corporate network. This allows IT to monitor corporate data on employees’ devices, but also grants visibility into personal information related to banking, social networking, and more.
While MDM and MAM harm the speed and functionality of devices and applications, employees are primarily concerned about their private data being viewed by their employers. A recent Bitglass study found that only 44 percent of employees would accept MDM or MAM on their personal phone. Employees tend to reject these solutions and work around IT, putting corporate data at risk.
Focus on the Data
Rather than monitor all activity on all devices, companies should only track corporate data. Likewise, instead of trying to control all devices touching data, organizations should simply limit access from risky endpoints and unauthorized users. In other words, companies should consider agentless mobile security solutions. These tools require no installations, meaning that they respect employee privacy while monitoring only corporate data.
This new approach to mobile security emphasizes the idea that it is no longer the device that needs to be protected. While most organizations have a false sense that trusted devices are safe, no endpoint is completely secure from data leakage. Rather than adhering to outdated paradigms and labeling devices as trusted in the name of security, enterprises should simply look to protect their data.
[su_box title=”About Rich Campagna” style=”noise” box_color=”#336588″][short_info id=’102584′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.