When one starts talking about securing an organization’s move to mobile computing, the first area of focus and investment is typically mobile device management (MDM) technologies. Deploy an effective MDM product; build and deploy mobile security policies for your organization’s mobile-enabled devices; and thus control the risk of those pesky mobile devices. There are even predictions that mobile devices may be more secure than traditional computing devices by sometime in 2014 (see this IBM X-Force 2012 Trend and Risk Report). So the question is, if we are able to fully lock down mobile devices with MDM products, and mobile devices provide some security enhancements on top of typical notebook or desktop computing models anyway, does this mean mobile security is now a well-known commodity? Problem solved? Next please?
My answer to this question is no, as the transformation to mobile computing involves much more than just the mobile device itself, and it’s all this other stuff that still needs focus. This “other stuff” that one must consider with mobile computing, beyond the devices themselves, includes the following:
Mobile computing brings an accelerated shift of employees bringing their own personal devices to the table, which introduces all sorts of legal liability and data privacy challenges to any organization. Bring your own device (BYOD) exists in traditional laptop computing, but for many organizations in the mobile world, personally owned devices become the majority of devices. In IBM’s case, over 80 percent of its mobile workforce is using personally owned mobile devices.
One of the other buzzwords in the industry for years now is the consumerization of IT. This is the concept that technology now leads in the consumer space first and is then driven into the enterprise from there. With the advent of app stores and other such concepts in the mobile world, consumerization truly reigns as king. What this means from a security standpoint is that the risk of sensitive enterprise data leaking into consumer-oriented technologies is also very, very real.
Mobile devices also introduce all sorts of environmental risks that were not as common in the traditional notebook world. Mobile devices are smaller and more easily lost or misplaced. They are used in public places where passcodes being entered can be more easily observed. They are used at all hours of the day and night, and in all sorts of physical, geographical and other use cases that were simply not feasible in a desktop and notebook computer world. Each of these new environmental factors brings its own risks, which also did not exist before.
So how does one address this larger problem of mobile computing when considering all of the issues above and beyond just the device form factor? I believe the key is to move beyond the device itself and shift security awareness and intelligence into the infrastructure and application layers. These layers can make near-real-time decisions that take into consideration elements of device ownership, legal risk, data leakage and many environmental and other factors to apply policy-based access that is appropriate given all these variables.
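One way to express such a context-aware access decision in code, as an added example that is not from the original article or from any vendor product. The attribute names, weights and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All attribute names, weights and thresholds here are assumptions made for
# illustration; the article does not define a concrete policy.
@dataclass(frozen=True)
class AccessContext:
    owner: str            # "corporate" or "personal" (BYOD)
    managed: bool         # device is enrolled in MDM
    reported_lost: bool   # user or helpdesk flagged the device as lost
    network: str          # "corporate", "home" or "public"
    hour: int             # local hour of the request, 0-23
    country_usual: bool   # request comes from a country the user normally works in
    sensitivity: str      # "public", "internal" or "confidential"

def risk_score(ctx: AccessContext) -> int:
    """Sum the risk contributed by ownership and environmental factors."""
    score = 0
    if ctx.owner == "personal":
        score += 2        # BYOD: less control, privacy limits on remediation
    if not ctx.managed:
        score += 3        # no MDM policy enforced on the device
    if ctx.network == "public":
        score += 2        # public place: observed passcodes, untrusted Wi-Fi
    if ctx.hour < 6 or ctx.hour >= 22:
        score += 1        # outside normal working hours
    if not ctx.country_usual:
        score += 3        # unusual geography
    return score

# Per data sensitivity: (highest score allowed outright, highest allowed after step-up).
THRESHOLDS = {"public": (99, 99), "internal": (4, 8), "confidential": (2, 5)}

def decide(ctx: AccessContext) -> str:
    """Return "allow", "step_up" (re-authenticate) or "deny"."""
    if ctx.reported_lost:
        return "deny"     # hard rule: a lost device gets nothing, whatever the score
    # Unknown sensitivity labels fail closed: no score can be <= -1.
    allow_max, step_up_max = THRESHOLDS.get(ctx.sensitivity, (-1, -1))
    score = risk_score(ctx)
    if score <= allow_max:
        return "allow"
    if score <= step_up_max:
        return "step_up"
    return "deny"

if __name__ == "__main__":
    # Constructed sample request: managed BYOD phone on cafe Wi-Fi at 23:00.
    ctx = AccessContext("personal", True, False, "public", 23, True, "confidential")
    print(risk_score(ctx), decide(ctx))
```

Keeping the decision in the infrastructure layer means the same device can be allowed, challenged or refused depending on what it asks for and from where, without changing the application itself.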
Now, of course, trying to put all of this security intelligence into your applications themselves would be quite costly and time consuming—not a short path on its own. Fortunately, vendors such as IBM are beginning to offer security infrastructure technologies that can help close this gap by providing context-aware security intelligence at the infrastructure level. IBM Security Access Manager for Mobile, recently announced with version 8 of the IBM ISAM product, is one great example technology in this area.
What do you think about moving mobile security away from just the historical device focus, and into the data center and cloud? Contact me, @whtworek, on Twitter to discuss.