Meeting the Challenges of the Borderless Network: The Six Do s and Don ts of Effective Mobile Security

Transcription

1 Meeting the Challenges of the Borderless Network: The Six Do s and Don ts of Effective Mobile Security

2 Mobile is here to stay Statistics support what IT departments already know, mobile devices have overtaken PC s in popularity and will continue to gain ground in the workplace for the foreseeable future. In 2013, US sales of Android smartphones and tablets exceeded PC sales by almost $400M, while the global sales of all mobile devices grew from $821M to $1.2B. Whether organizations are providing mobile devices to employees or allowing them to bring their own devices (BYOD), the advantages of mobile connectivity in the workplace seem to have outweighed the risks for most organizations. This universal acceptance has occurred because mobile connectivity offers benefits for the bottom line: The mobile workforce lowers costs Companies save on travel expenses and the cost of office space, and gain in employee satisfaction and retention. A Citrix study reported 53% of business leaders cited lowering cost as the main reason they supported mobile devices at work. Mobile devices increase productivity Surveys show that mobile technology can increase productivity by as much as 45%. A recent Telework survey of 300 government offices found that 76% of workers report that mobile devices have increased their productivity on the job. They enhance workforce flexibility to speed up business processes Workers have access to business applications on mobile devices anytime and anywhere, enabling them to process orders, respond to customers and troubleshoot issues whether traveling, working at home, or onsite.

3 Security challenges of the borderless network Some of the features that make mobile devices an advantage in the workplace are proving to increase the security risks and present new challenges to IT security professionals. As mobile technology continues to evolve, so do the tactics of cybercriminals dedicated to exploiting weaknesses. What has been called the new threat landscape is particularly treacherous for corporate data now traveling on thousands of mobile devices. Advanced persistent threats and zero-day exploits are increasingly aimed at the mobile workforce. Unfortunately, security vendors are often trying to secure the borderless network with technology that was developed before a mobile workforce even existed. Some of the obstacles present in providing comprehensive mobile security include: Cybercriminal syndicates engage talented hackers and exchange or sell exploit kits freely, with tactics as creative as the solutions they are trying to foil. The fact that mobile technology is evolving quickly adds more challenges for security vendors trying to protect networks and data. The cost of data breaches continues to rise and many losses are the result of sensitive data exposed on employee personal mobile devices. Costs from regulatory fines, litigation, brand damage, and more, can mount, and aren t confined to large enterprises. A 2013 Ponemon report showed that even losses of 100K records or less cost an average of $5M per incident. Securing mobile devices can be costly because of the lack of integrated solutions. Many vendors are striving to upgrade legacy security solutions to encompass technology that didn t exist when the security solutions were first created. As a result they try to integrate third party mobile device management (MDM), which can create gaping security holes. BYOD introduces unique security challenges While allowing employees to bring their own devices to the workplace may seem to be a cost-savings approach, the price of securing them can be significant. Some of the problems security professionals encounter in trying to secure their BYOD users include: What security experts call the Consumerization of IT speaks to the thousands of applications available on mobile devices, some of which may be the product of cybercriminals looking to gain access to user data stored on devices, or worse, deploy malware on a user s network. Anonymizer and filesharing services accessed by BYOD users are fertile ground for cybercriminals seeking exploitable vulnerabilities.

4 Shadow IT, which describes a phenomenon resulting from the growth of cloud-based applications where users can upload data to sites such as Dropbox or LinkedIn, without getting IT permission. Some BYOD users are circumventing IT, sometimes unintentionally, or even in groups, by uploading data or downloading risky applications. Most of the mobile applications are very low cost or free, and mobile users seem eager to deploy them, even when they are using their mobile devices for both job-related and personal tasks. The fact that many users prefer to use one mobile device compounds security issues. One survey found that 38% of users prefer to have only one smartphone for both work and personal use. Operating system fragmentation is a BYOD issue because of the variety of operating systems used in mobile devices. This makes securing BYOD users more complex because versions may vary depending on when users choose to upgrade their devices. Users who fail to perform timely upgrades can have bugs from previous versions, making securing those devices more problematic. Uniformly enforcing corporate policies and regulatory compliance is more complex for BYOD. It may be possible to apply corporate-wide policies to company-owned devices, but granular policy enforcement across a range of platforms and users who are off-network on personal devices can be daunting. Compliance becomes particularly critical considering employees may be storing sensitive information such as intellectual property or customer data on a personal mobile device. Erosion in network performance can occur from multiple mobile devices driving up bandwidth consumption. A Cisco study showed that knowledge workers in the US own an average of 3.3 devices each. Imagine those devices are looking for, and installing application updates as soon as they connect to the network. Many organizations aren t prepared for this level of demand and many security solutions lack the bandwidth management tools required to handle spikes caused by mobile usage. These factors can erode network performance and jeopardize high availability (HA) environments.

5 Do s and Don ts of Effective Mobile Security The challenges to securing mobile devices on the corporate network are difficult, but there are ways to assure that your organization is getting the most effective mobile security solution possible. The following are some do s and don ts to help you find a solution that allows you to enjoy the benefits of the borderless network, while mitigating the risks. DON T create separate silos for traditional network security vs. mobile security Because most traditional Web security solutions were created before users were accessing the Internet over smartphones and tablets, they lack built-in features designed to encompass mobile users seamlessly. Traditional security vendors have been forced by necessity to integrate third-party solutions into their technology, often with uneven results. Choosing a solution that forces you to deploy separate security modes for onsite users, corporate-owned devices and BYOD, can increase complexity, demanding more IT resources and ultimately driving up total cost of ownership (TCO). DON T overlook the challenges of application control With hundreds of thousands of mobile device applications available and more being created every day, your mobile security solution needs to have granular application controls if you expect to protect regulatory compliance and enforce your AUP. Location awareness is also important and there are many examples of violations such as nurses posting pictures of patients rooms on Facebook, which violates HIPAA privacy rules; or a CEO posting stock information on LinkedIn that was later found to violate SEC rules; and similar incidents. Controlling social media access can be especially complex for BYOD users where privacy rights are at play. 1 2 DO make sure your solution offers integrated security across your network and all users Look for a solution with next-generation technology that includes mobile enablement as part of its core capabilities. For corporate-owned devices, MDM should be integrated with your existing security solution to assure uniform policy enforcement and protect devices and the sensitive corporate data on them. The solution you choose should also be able to support multiple and mixed OS platforms to assure data protection and defend against advanced attacks across your BYOD users, whether on laptops, tablets or smartphones. An integrated solution that supports both corporate-owned mobile devices and BYOD will not only extend advanced threat and data protection across all devices, it will be easier to manage, requiring less administrative time and lowering your TCO. DO choose a solution with granular appli cation control and location awareness Protecting regulatory compliance such as HIPAA, CIPAA, SOX, GLBA and also assuring the security of intellectual property, while observing the privacy of an owner s personal data on mobile devices demands a solution that can deliver content-aware policy enforcement as well as location awareness. A security solution that can give you granular application control that includes location awareness allows you to enforce policies when your users are at work and on the network and then turn them off to protect privacy rights when he or she leaves. For instance, a BYOD user at work and on the corporate premises, is subject to regulatory requirements and the AUP, but as soon as they leave the building, your security solution should be able to detect their location and protect their privacy by ending the connection.

6 Do s and Don ts of Effective Mobile Security DON T deploy a solution that decrypts HTTP/SSL traffic indiscriminately Tools exists that can protect sensitive data sent via mobile devices by decrypting HTTPS/SSL traffic. This is an important feature when users are handling your organization s private data, such as patient health information or intellectual property, on a mobile device which is an everyday occurrence in many organizations. However, if all data is subject to SSL decryption, it raises privacy concerns with BYOD and off-network activity. Indiscriminate SSL decryptions can also open a security hole that leaves you vulnerable to man-inthe-middle (MiTM) attacks. 3 DO choose a solution that protects data with selective decryption A next-generation solution that offers dynamic scanning of SSL traffic with selective decryption provides a valuable balance between privacy and security and protects your organization from MiTM exploits. With selective decryption, you are able to apply your organization s policies and protect sensitive or regulated data while leaving personal data on mobile devices untouched. Since the majority of mobile users keep both personal and work-related data on their devices, the ability to enforce policies while supporting privacy is critical. DON T forget the impact of BYOD on bandwidth/network performance Even the largest networks may strain under the weight of multiple devices demanding bandwidth simultaneously. Many traditional solutions that claim to manage bandwidth use stateful shaping technology, which applies policies continuously to maintain network performance. Unfortunately, this approach is not effective for peak usage times, or if you want to assure optimal network performance for critical business processes. If your security solution doesn t offer more granular bandwidth management, you could be jeopardizing availability, as you try manage all the mobile devices connecting to your network. This can prove especially risky in highly regulated environments such as healthcare, finance and government agencies where HA (high availability) is critical. 4 DO choose a solution that offers intelligent bandwidth management A solution that offers true intelligent bandwidth management can allow you to throttle bandwidth to fit the usage patterns and requirements of your organization. For instance, a technology that can throttle to maximize traffic during peak hours, rather than throughout the day, can enhance end-user experience and assure that critical business processes are never jeopardized, while still meeting the bandwidth requirements of your mobile workforce. A solution that uses stream-based policies rather than static enforcement allows you to increase bandwidth where it is needed the most, and throttle back where less is needed. This is accomplished if your solution offers directory aware bandwidth management that can prioritize traffic based on an individual user s network access. If you have employees engaged in important business tasks that require more bandwidth, a stream-based approach allows you to accommodate them and assure the continuity of business-critical processes.

7 Do s and Don ts of Effective Mobile Security DON T ignore the need for granular user- based reporting on mobile devices Pay attention to the reporting capabilities of the solution you choose. Organization-owned devices may change hands and if your security solution is applying policies to corporate-owned devices by IP address, the device could be used by multiple employees during the day, giving you no way to identify users and apply policies accurately. In addition, many solutions created before mobile security was an issue, offer third-party MDM, which forces users to proxy their requests in order to authenticate, opening a security hole that may be difficult to defend. 5 DO make sure you can securely authenticate mobile users to assure accurate policy enforcement and reporting A solution that offers built-in next generation MDM allows you to authenticate users securely and easily, without the inherent vulnerabilities of proxy authentication. In addition, if you can apply policies by seamlessly binding directory services to your mobile workforce, you will be able to monitor and report on activity per user, managing your mobile workers as accurately and securely as you do your onsite employees. This not only assures accurate enforcement and reporting that meets your AUP and regulatory compliance requirements, it adds a layer of protection against advanced threats and data loss. And by ensuring an easy and seamless authentication process for your users, you will also discourage them from going rogue and attempting to circumvent network security. DON T neglect employee training on mobile device usage Although threats and data loss can occur via external hacker exploits, they also happen inadvertently due to employee ignorance or negligence. A recent survey of IT professionals by Cisco found that 39 percent of them were more concerned about the threat from their own employees, than the threat from outside hackers. This concern seems well-founded as evidenced by a Forrester study of data breaches, which found that 36% of them were caused by inadvertent or misuse of data by employees. The study also found that 52% of employees were not familiar with their organization s security policies, providing further insight into why these internal data breaches may be occurring. Unfortunately, regulatory compliance or AUP violations, loss of customer data, brand damage and other results, negatively impact the bottom line whether the act was intended or not. Ignoring user education on mobile devices, both corporate-owned and BYOD, is asking for trouble. 6 DO build a Human Firewall with employee education Having security solutions in place that help you manage your mobile traffic, protect devices and enforce policy across your organization is imperative, but you need to support those measures with training and a strong acceptable use policy (AUP). Your AUP for mobile devices should incorporate both corporate-owned devices and BYOD users and should be signed by every employee. Training to make sure employees understand your organization s security policies and expectations as well as the consequences for violating regulatory and AUP rules should be clearly stated with special attention paid to social media use when on the corporate network. If your organization conducts compliance training, make sure employees understand the specific vulnerabilities associated with sensitive corporate data on mobile devices.

8 iboss Mobile Security Comprehensive protection for the borderless network iboss Mobile Security solutions, including MobileEther, combine advanced threat defense with full-featured, built-in mobile device management (MDM) and unrivalled BYOD protection to deliver solutions that secure your network no matter where, when or how it is being accessed. With iboss you easily go beyond traditional mobile security solutions that can create security gaps, and extend comprehensive Web security across your mobile users via the cloud with one click. Features include: Advanced protection against APTs and zero-days attacks across all mobile devices Data loss protection to keep sensitive data from leaving your organization via mobile devices Streamlined interoperability across all platforms: Mac, ios, Android, Windows, Google Chrome Comprehensive user-based reporting via a central management console for accurate policy enforcement of all mobile users, including BYOD Regulatory compliance protection with secure SSL scanning that includes selective decryption for an added layer of security High Risk User Auto Quarantine Automatically locks users attempting prohibited activities such as music or file downloading Full-featured, built-in mobile device management (MDM) with next-generation authentication and user-based policy enforcement closes security holes created by proxy authentication with third-party MDM BYOD directory integration and binding across Active Directory, edirectory, Open Directory, and LDAP for added authentication security Granular application control to reduce security risk by ensuring that only authorized applications can be used on mobile devices, and by limiting which Web applications can be accessed from any device Intelligent bandwidth management protects the mission critical traffic from being adversely affected by non-work related browsing About iboss Cybersecurity WP/MS-06/15 iboss Cybersecurity defends today s borderless networks against malware, advanced threats and data exfiltration with innovative Web Security, Mobile Security and FireSphere Advanced APT Defense. Backed by patented technology and leveraging leading threat protection and unsurpassed usability, iboss is trusted by thousands of organizations and millions of users. Visit iboss, Inc. (P) Sales@iboss.com U.S. HQ 9950 Summers Ridge Rd., Bldg. 160 San Diego, CA All rights reserved. iboss, Inc. All other trademarks are the property of their respective owners.