Is your organization developing its own custom applications specifically for mobile devices? (Percent of respondents, N=242)

Transcription

1 Solution Brief Check Point Capsule for Mobile Computing Security, Operations Efficiency, and Business Enablement Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst; Kyle Prigmore, Research Associate Abstract: Organizations are increasingly reliant on mobile devices for BYOD and business process improvement, but mobile security continues to lag behind. Point tools provide some help for IT operations but they don t provide a true enterprise-class mobile security solution. Check Point Capsule is a refreshing alternative that may actually bridge the enterprise mobile security gap. Why? Check Point Capsule is one of few mobile security products that provides threat prevention, document-level data security controls, and granular access controls that can mitigate security risks while enabling mobile business processes. Overview Mobile computing is no longer a fad recent ESG research data shows that 87% of enterprise organizations say mobile computing is either critical or very important for supporting business processes and employee productivity. 1 While access and calendars are common mobile applications, many organizations are now developing and deploying new types of applications to bolster employee productivity or improve customer relations. In fact, ESG research indicates that 42% of enterprises are actively developing a significant number of mobile applications themselves (see Figure 1). Figure 1. Development of Custom Mobile Applications Is your organization developing its own devices? (Percent of respondents, N=242) devices but we plan to do so within the next 24 months, 10% devices but we are interested in doing so in the future, 4% Yes, my organization is developing a modest amount of its own devices, 38% devices and we have no plans or interest in doing so in the future, 5% Yes, my organization is developing a significant amount of its own devices, 42% Source: Enterprise Strategy Group, Source: ESG Research Report, The State of Mobile Computing Security, February All ESG research references and charts in this brief have been taken from this research report.

2 Enablement 2 Clearly, mobile computing devices such as tablet computers and smartphones have supplanted PCs as the primary user devices and are poised to dominate end-user computing in the future. Mobile Computing Security Challenges Remain In spite of a seemingly unlimited number of business benefits, mobile computing also comes with numerous security concerns as it introduces new devices and new threat vectors to enterprise organizations. These risks are already creating security havoc. According to ESG research, 47% of enterprise respondents indicated that they have experienced security breaches as a result of a compromised mobile device. Why are these security breaches occurring? Mobile computing is still a nascent IT domain but it is evolving at a frantic pace. Furthermore, mobile computing is distributed and constantly changing by its very nature. Finally, mobile devices are often lost or stolen and thus breached. Beyond security breaches however, security professionals also find mobile computing security particularly vexing. In fact, ESG research indicates that enterprise organizations face an assortment of mobile security challenges such as (see Figure 2): Protecting sensitive data at rest and in flight. A significant number of security professionals (43%) claim that it is challenging to protect confidential data when it is accessed from a mobile device while 41% say it is challenging to protect sensitive data when it is stored on a mobile device itself. This is certainly understandable as mobile computing can create blind spots where the security team can t monitor or manage sensitive data once it is accessed and stored on mobile devices. To paraphrase an old management adage, you can t secure what you can t see. Enforcing security policies. Many security policies were originally created with PCs and wired Ethernet ports in mind. While the proliferation of Wi-Fi access networks stretched traditional security policies beyond their original boundaries, mobile computing adds additional challenging dimensions that fall way outside of the legacy policy spectrum. Why? Unfortunately, many organizations find that the only way to address policy enforcement is by implementing new tools and infrastructure for mobile computing security. This creates additional technology complexities and operational overhead for an already overwhelmed security team. Integrating mobile security into existing cybersecurity processes and technologies. As organizations create a mobile security overlay infrastructure, it becomes increasingly difficult to maintain consistent policies, coordinate enforcement actions, or monitor users and devices across the network. This will likely improve as mobile security matures but CISOs are asking a legitimate question: Why can t mobile security be managed with existing tools and processes? This is a logical question since mobile devices are IP-based and access the same resources as other systems. Given this, it makes sense to manage the nuances of mobile computing with tried-and-true approaches if this is possible.

3 Enablement 3 Figure 2. Mobile Computing Security Challenges Overall, which of the following would you say are the biggest challenges around mobile computing security at your organization? (Percent of respondents, N=242, multiple responses accepted) Protecting data confidentiality and integrity when sensitive data is accessed by a mobile device over the network Protecting data confidentiality and integrity when sensitive data is stored on a mobile device 43% 41% Enforcing security policies for mobile devices 41% Integrating mobile device security processes and technologies with other enterprise security processes and technologies Educating users on best practices for mobile computing security Establishing the right workflows and processes between the security team and other IT groups 36% 35% Managing malware/threat management on mobile devices Ensuring that staff members have proper training and skills on mobile device security Dealing with lost/stolen mobile devices containing sensitive data 33% Supporting new device types 31% Creating security policies for mobile devices Dealing with scale issues caused by the sheer number (i.e., hundreds, thousands) of mobile devices to protect/secure 29% 28% Discovering mobile devices as they gain access to the network 21% None of the above 2% 0% 10% 20% 30% 40% 50% Source: Enterprise Strategy Group, 2014.

4 Enablement 4 What s Really Needed for Mobile Computing Security? CISOs are being asked to support BYOD, embrace new mobile applications for business process improvement, and make sure to mitigate new mobile computing risks. Regrettably, accomplishing these goals can be quite cumbersome when they require new skills, processes, and tools simultaneously. Rather than layer-on discrete mobile-only security solutions, large organizations may be better off by extending their existing security controls that support mobile-friendly functionality. To accomplish this task, security professionals must look for mobile security platforms providing: Unified policy management across all mobile devices. Tablet computers, smartphones, and PCs are different types of end-user computing devices but, as the ESG data indicates, security becomes difficult when different devices are managed with different policies and enforcement points. To bridge this gap, enterprises need security tools that support a wide variety of mobile devices while offering device-specific options for policy creation, management, monitoring, and enforcement. With a unified policy management platform across device types, security professionals can create and enforce security policies based upon business processes and users rather than remain in the technical weeds at the ios or Android level. Strong document-centric data security. When it comes to data, most mobile computing security remains elementary, offering VPN capabilities, storage encryption, or partitioning methods like containerization. These security controls are critical to establish a secure business environment on mobile devices but mobile security should also enforce policies at the document level as well. For example, it may be okay to access and view sensitive data in a spreadsheet on an ipad, but unacceptable to share this document with others. Mobile security tools must provide granular access controls and digital rights management (DRM) for what can and can t be done on a document-by-document basis throughout each document s lifecycle. Granular access policy enforcement. To balance business productivity and IT risk, authorized mobile users should have seamless connections to key applications supported by granular access controls for high-value IT assets and sensitive data. For example, the CFO will always have seamless access to end-of-month reports from the corporate LAN regardless of the device she uses. Alternatively, some organizations may want to preclude this type of access when she tries to access documents from a public network, geographic locations, or various timeframes like the end of the quarter. The key here is being able to enforce these policies across several parameters like user, device, document sensitivity, etc. Threat management. Mobile malware isn t considered an enterprise threat vector today but it likely will be in the future. Many organizations already block PCs from accessing malicious URLs or downloading suspicious files so why not extend these best practices to mobile devices as well? Enterprises should prepare for this eventuality with the right controls and monitoring capabilities for threat prevention, detection, and response sooner rather than later. While all of this security functionality is critical, leading CISOs also recognize that they need security tools that are intuitive, easy to deploy and integrate, and deliver immediate value. The goal? Help the overworked security staff work smarter not harder. It s a given that large organizations need strong security efficacy but security technologies that can accomplish this goal AND streamline operations will go to the head of the line. Introducing Check Point Capsule A lot of mobile security options have come from new vendors with a sole focus on mobile devices but this myopic coverage isn t extensive enough for enterprise organizations and can create operational overhead as previously described. Check Point Software, a recognized leader in enterprise security, intends to alleviate these issues with the announcement of Check Point Capsule. Check Point is focused on bridging the mobile security gap as Capsule offers: Mobile threat management. Check Point Capsule allows organizations to extend corporate security policies to mobile devices via a secure cloud. This can be used for an assortment of security functions such as

5 Enablement 5 denying access to malicious files, blocking malicious websites, and preventing C&C communications with malicious hosts. In this way, Check Point can help CISOs implement best practices for threat management in the mobile world, just as most organizations do today for protecting employees, PCs, and sensitive data. Secure business environment. Mobile devices have two major functions: personal use and professional use. Check Point Capsule segregates the business data and applications from the personal data and applications, allowing users to seamlessly access business apps without sacrificing ease-of-use or device performance. This also helps mitigate risk because it protects corporate networks and assets from nefarious consumeroriented software. Protect business documents. Check Point Capsule allows organizations to customize how they secure their documents, regardless of where they go. Features include native password-protection, specifying a list of authorized recipients, and document encryption that stay with the document throughout its lifecycle. In this way, Check Point takes mobile data security beyond basic encryption by introducing business-centric DRM into the mix. Check Point s announcement is well timed as many organizations are in the early stages of the mobile security maturity curve and CISOs want mobile security rather than IT operations technologies to mitigate risk. Just as important, Check Point Capsule brings Check Point s security management and operations prowess to mobile security, aligning ease-of-use with strong security. Given these business, operations, and security benefits, Check Point Capsule could be in the right place at the right time. The Bigger Truth The onslaught of mobile devices has made security more difficult for enterprise organizations and, unfortunately, the security industry addressed this increasing security challenge with an army of add-on point tools. This has created a mobile security gap along with an operations nightmare. Furthermore, mobile security tools provide basic data confidentiality and integrity protection but they lack granular access policies or DRM-like capabilities at a document level. Check Point clearly recognized those concerns and is now introducing a unique top-to-bottom mobile computing solution that can help organizations bolster mobile security, lower IT risk, and align business-centric security policies with granular controls. Given these advantages, CISOs would be well served by investigating Check Point Capsule and assessing how it aligns with their mobile computing business and security needs. This ESG brief was commissioned by Check Point and is distributed under license from ESG. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at