Mobile Security Challenge Emerges Smart IT Leaders Evaluating Pervasive Security Options


By Robin Gareiss, Executive Vice President and Founder, Nemertes Research

Executive Summary

As more employees bring mobile devices with new types of apps into the workplace, IT must provide pervasive, policy-based access to these apps without compromising security policy, degrading performance, or significantly increasing cost. Most organizations use Mobile Device Management (MDM) and/or Mobile Application Management (MAM) solutions to address security requirements. But moving forward, IT leaders must rethink mobile security. Because organizations use both on-prem and cloud-based apps, they likely will end up with both cloud-based and on-premise security solutions. But unless these are tied together with unified policy and management, and address numerous types of mobile devices along with various threats, this is not a viable security strategy, particularly in a Bring-Your-Own-Device environment. A hybrid fixed and mobile workplace providing a mix of on-premise and cloud applications needs an array of security solutions directed by a flexible security policy that follows the user, regardless of device or location. And though the vast majority of companies (84.4%) see the benefit of a pervasive security solution, few (29.4%) say they're deploying such a solution today.

The Issue

All indicators are up when it comes to mobility: more devices, more users, more budget, more applications. Business and IT leaders are advancing on several fronts: employee-owned device policy, tablet plans, application development processes, use policies, and security, to an extent. So far, most mobility security strategy has centered around shifting from BlackBerry Enterprise Server to multi-platform MDM and MAM solutions.

Business technology leaders must begin planning now for a security paradigm shift, one that will pull together disparate security policies into a single, user-centric, universal policy that can apply to whatever devices and apps employees use, with flexibility based on the contextual risk factors.

The Facts: What's Happening With Mobility?

The growth in mobility is causing numerous challenges in organizations. IT and business leaders must first understand the size and pace of mobility growth in order to determine the impact that growth will have on the network and applications.

Budgets are up. More than two-thirds of companies are increasing spending, by an average of 19.7%, in 2013. In fact, mobility budgets now account for 7.7% of the overall IT budget. Nearly 60% of organizations expect the number of mobile devices they support to increase in 2013, and by about 35%. Likewise, half expect an increase in the number of employee-owned devices, going from an average of 39% of all devices used for work purposes today to 45% by 2013. (Already, 69% of companies support BYOD.)

Figure 1: Type of Traffic Increase

Smartphones, as a group, account for the majority of mobile devices, but tablets will grow rapidly from 2012-2014. Specifically, iPhones make up the highest percentage of total mobile devices within the organization (26.6%), followed by tablets (23.7%), Android phones (18.5%), and BlackBerry (17.8%). In some cases, the IT staff will provide some support for all devices, whether owned by the company or the employee, and in other cases, support only company-owned devices.

This increase in devices, not surprisingly, causes an increase in the network traffic in at least 62.7% of organizations (11.8% were unsure, 25.5% say there is no increase in network traffic). The majority of traffic increase is happening on the Internet, followed equally by the WAN and the WLAN/LAN. The more autonomy employees get with their mobile devices, the more likely the technology team cannot accurately predict the network impact of those devices. Only 34.8% of those reporting an increase in traffic say they're concerned about it. They have the tools to monitor the situation, optimization techniques to improve performance, or relatively low-cost bandwidth to boost the capacity when needed. "We feel we are prepared for this type of traffic increase," says the CIO of a healthcare company, which is a heavy adopter of mobility. Those who are concerned cite bandwidth limitations, performance concerns, cost, and security issues.

Organizations have in place many network management and monitoring tools that provide metrics around bandwidth utilization, and even predictive analysis for capacity planning. But it's not the same on the applications side. One of the key challenges facing the technology team is simply knowing which mobile applications employees use. Without that knowledge, it's difficult to appropriately size networks, assure productivity, and prevent employees from accessing potentially harmful apps.

More than half (52.7%) of IT professionals say they do not know how many mobile apps their employees use. When asked why, nearly half (47%) say they have not built out a process for tracking the number and type of apps, while 42% say they have no tools available to track app usage, and another third say they have not thought about asking. Nonetheless, 74.5% of IT professionals say it is vital or very important to have a comprehensive, enterprise view of app utilization, including those used from mobile devices, demonstrating a void between best practice and actual practice.

Figure 2: Reasons for Not Knowing Apps in Use

What's clear, though, despite the lack of deep knowledge on the part of IT, is that the enterprise network is facing an influx of consumer applications riding atop those consumer devices (BYOD or not). Public, consumer-focused apps can create and amplify security concerns in any network, and allowing them on mobile devices, which typically have fewer security controls than laptops/desktops, may put the network at significant new risk. Figure 3 shows the degree to which organizations support some common Web-based apps such as LinkedIn, Gmail, Facebook, Twitter, and YouTube, which often are used for official purposes by sales, marketing, and support staff.

Figure 3: Company Support Levels for Mobile Apps

Security managers must work with the lines of business to determine whether company policy should allow access to specific sites, such as Facebook or YouTube, during work hours and for whom. On one hand, they may decide in favor of access if the organization has a presence on the social media sites and certain (or all) employees must access the site. On the other hand, they may decide that such access doesn't apply to certain types of employees. And, of course, such sites are not monolithic, and both the lines of business and security staffs often want to allow access to some parts or apps in a site without having to automatically allow access to all. For example, they may want to allow access to Facebook but not the Farmville or Bingo apps.

Crucial Crossroads: Addressing Mobile Security Today

The large number of organizations without insight into the number or type of mobile applications running on mobile devices is an impediment to effective implementation of security policies. Without this basic knowledge, it is difficult to block specific apps, or to provide granular control of specific URLs.
Nemertes has tracked mobile security in a few ways. As of the first half of 2012, about 46% of organizations used MDM to secure their mobile devices, and by September of 2012, nearly 55% were using any combination of MDM and MAM. Our projections have MDM adoption growing rapidly, to 84% by 2014. (Please see Figure 4.) MDM has become the catch-all phrase for mobility management and has grown from simple device management (remote wipe, GPS and camera control, asset management, etc.) to broader device and application management. On-prem MDM solutions remain the most common (62.5%), but we expect cloud to grow (31.3% use cloud-based solutions today; 6.3% have hybrid environments).

Figure 4: MDM Growth, 2011-2014. Chart: Mobile Device Management Adoption, 2011-2014, percent of companies using MDM (projected); plotted values 21%, 46%, 56% and 84%.

IT professionals say the primary reason they use MDM/MAM is to manage and secure corporate apps (62.7%), followed by the need to secure sensitive corporate data (60.8%), track assets (49%) and deliver apps consistently to a range of platforms, including mobile devices (25.5%). These are fine as far as they go, but MDM/MAM tools generally do not provide a framework that includes context in security decisions; that is, a single set of policies dictating different rules for accessing apps based on the device, method of connectivity, or location of a device. What's more, MDM/MAM systems can be intrusive, generally requiring clients resident on the devices. As companies allow more employee-owned devices, the employees may resist adding clients to the devices or, worse yet, figure out ways to disable the rules.

Consider typical corporate scenarios: It's common for knowledge workers to use a laptop, tablet, and one to three additional networked smart devices. As organizations mobile-enable more business apps and corporate data, what policy is applied where? When an employee accesses a cloud-based corporate CRM app from his laptop in the office (either tethered or through the WLAN), how does the security policy differ from when he accesses that same app from a home office, from airport WiFi, or via 3G/4G broadband mobile data services? Today, most organizations have different policy enforcement points in the form of different tools: the MDM on the mobile client may enforce application access policy on smartphones, while secure container services may control document access, while WLAN controllers may dictate access to the corporate LAN. Policies can (easily) be implemented inconsistently across the several tools, and tools may (easily) get out of sync with current policy, creating loopholes allowing erroneous access.

MDM is not the only type of security that companies use for mobile devices, though it is the most common. IT professionals say they use a variety of techniques to secure mobile devices, including passwords, encryption, virtual desktop interface, VPNs, and network-based MDM (using the WLAN access to control mobile apps). A combination of techniques best implements robust policy, but a centralized policy engine, one that reaches across enforcement points, follows the user from device to device and location to location, and can shape access decisions based on that contextual information, is central to making a pervasive strategy practical.

Figure 5: Type of Mobile Security in Use

Though most organizations believe they adequately can address the effects mobility growth has on the network, nearly 70% say they are very concerned about the overall risks introduced into the organization by the growing number of mobile devices (and by extension, the applications they access). Despite the relatively widespread adoption of MDM/MAM, three of the top four most frequently cited concerns are securing the device (23.5%), securing the data (21.6%), and securing the apps (17.6%). So although organizations use various methods of security, IT organizations remain concerned about how to effectively secure the growing number of devices, along with the apps they use and data they access. (Please see Figure 6.)

Figure 6: Reasons of Those Concerned About Risk Introduced by Mobile Devices

As Figure 6 further illustrates, we're at the early stages of mobile security policy development. Top of mind now are the basics: securing devices, apps, and data; addressing the increase in network traffic; tracking costs. But like many emerging IT paradigm shifts, the small number of bleeding edge companies are concerned with more advanced issues because they already have addressed the basics. The bottom half of Figure 6 shows some of the more advanced concerns, including creating an employee use policy, controlling which apps are installed on the device and which apps the employee uses, device utilization reports, and obtaining granular application control.

Shifting to the Cloud

Though most apps today are run in the data center and remotely accessed (53.6%), these and other apps are increasingly moving to the cloud. As a result, companies must address how they will operate a centralized policy engine that controls access to both cloud-based and on-prem apps. Hosting applications and data in a cloud is a logical solution to the problems of serving mobile workers, as it leverages the Internet core more effectively to provide faster access to apps, while avoiding the cost increases of enhancing bandwidth, security, optimization, and server capacity on the corporate Internet link. The challenge, of course, is maintaining the same policy-driven security when devices access cloud-based apps without going through the corporate network to do it.

Cloud adoption of apps overall, at 74.3% (roughly the same this year as last), will spread a bit further next year as 82.1% of organizations plan to adopt Software as a Service. However, commitment to SaaS, as measured by number of SaaS applications in use, continues to climb steadily and quickly. The percentage of organizations with more than five SaaS applications rose from 19.7% to 28.6%. This year, 40% of organizations have two or fewer SaaS applications; by 2013 only 28.6% will. The average number of SaaS applications is rising from about six this year to eight in 2013. Compatibility and customization account for 39.1% of the challenges facing SaaS deployments, security 30.4%, and performance 17.4%. "Data centricity and bandwidth remain concerns, as does data security," says an IT director in a midsize healthcare company.

Figure 7: State of Deployment: Pervasive Security

Moving Toward Pervasive Security

A centralized policy engine is at the core of a pervasive security policy. IT professionals understand the value of such pervasive policy, but few have implemented one. Nemertes asked IT professionals: "What is the state of deployment of pervasive security policy in your organization?" We further defined a pervasive security policy as a consistent policy applied to all applications (cloud or on-prem) defining the ability of users to access and change information regardless of the device or network they use. Nearly 30% of organizations state they have already implemented one, and another 60.8% are planning to implement or are evaluating.

However, in conversations with IT executives, many said they had not explicitly determined which vendors they would use, how they would architect the solution, or what their detailed requirements were. Several said they did not know, weren't sure, or were still researching which vendors offer products and services in this emerging space. Vendors explicitly cited as providing what IT professionals define as pervasive security solutions include Blue Coat, Cisco, Citrix, Dell, HP, IBM, McAfee, Microsoft, Oracle, and Symantec. A few were developing in-house solutions, either solo or with the help of a vendor.

What is clear, however, is that IT professionals generally say they require the benefits a pervasive security strategy would afford them. For example, we asked: "Do you need to be able to follow a user on any device, on any network, and use policies to manage access to apps?" Nearly 60% of IT professionals say they do. Even more profound, 84.4% say they see the benefits of a user policy that is universal across desktop, laptop, and mobile devices depending on the time of day, user group, location, and other factors.

Effectively, this means either a) an agent that can monitor all activity on the device, or b) a redirect to a network-based proxy that implements security policy, or c) a required VPN access that can ensure connectivity to a secured network. Defining the behavior of the agent and/or VPN-connected network requires an identity-based directory. If this sounds familiar, it is. This is how most modern MDM solutions work. The key difference, however, is that the security is pervasive and flexible. Pervasive security implies context-awareness above and beyond simple, role-based security. To help separate "security" from "pervasive security," let's examine a common scenario.
Facebook can be an excellent networking tool, or a gateway for accidental dissemination of corporate information. The difference is in the context, or how an employee uses the app. Pervasive security takes a granular look at the information Facebook is attempting to share (or the URL), checking against a set of rules and either blocking or allowing the action. The permission may change based on the device or location, as well. Such context-aware security makes for a much better security model than brute force blocking of all or even specific apps. In doing so, pervasive security solutions control policy and operations around popular apps, ensure user choice and maintain privacy.

IT staffs should not develop their mobile security strategy in isolation. Ideally, there is a single set of security policies governing all users, devices, locations, applications, and data. In fact, 72.6% of IT professionals say it's vital or very important to have a mobile security solution with unified policy and reporting with the corporate security solution.
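The Facebook scenario above, sketched as an added example (not from the Nemertes paper or any vendor product): one ordered rule set that an agent, proxy or VPN gateway would all consult, so the same request gets the same answer at every enforcement point. The rule names, user groups, network labels and URLs are constructed for illustration, and the default-deny fallback is an assumption of this sketch.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ANY = ("*",)  # wildcard: the rule does not constrain this attribute


@dataclass(frozen=True)
class Request:
    """Context an enforcement point reports for one access attempt."""
    user_group: str       # from the identity directory, e.g. "marketing"
    device: str           # "corporate" or "byod"
    network: str          # "office", "home", "public_wifi", "cellular"
    url: str
    action: str = "read"  # "read" or "post" (sharing information)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str           # "allow" or "block"
    domain: str           # matches this host and its subdomains
    paths: tuple = ANY    # glob patterns against the URL path
    groups: tuple = ANY
    devices: tuple = ANY
    networks: tuple = ANY
    actions: tuple = ANY


def _in(value, allowed):
    return allowed == ANY or value in allowed


def _matches(rule, req):
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower() or "/"
    # Compare whole DNS labels, never substrings, so a look-alike host
    # such as "facebook.com.example.net" does not match "facebook.com".
    host_ok = host == rule.domain or host.endswith("." + rule.domain)
    path_ok = any(fnmatchcase(path, pattern) for pattern in rule.paths)
    return (host_ok and path_ok
            and _in(req.user_group, rule.groups)
            and _in(req.device, rule.devices)
            and _in(req.network, rule.networks)
            and _in(req.action, rule.actions))


# Constructed policy: first matching rule wins, so blocks come first.
POLICY = (
    Rule("block-facebook-games", "block", "apps.facebook.com",
         paths=("/farmville*", "/bingo*")),
    Rule("block-post-on-public-wifi", "block", "facebook.com",
         networks=("public_wifi",), actions=("post",)),
    Rule("allow-facebook-business", "allow", "facebook.com",
         groups=("sales", "marketing", "support")),
)


def decide(req, policy=POLICY):
    """Return (effect, rule_name); anything no rule allows is blocked."""
    for rule in policy:
        if _matches(rule, req):
            return rule.effect, rule.name
    return "block", "default-deny"


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("marketing", "corporate", "office", "https://www.facebook.com/acme"),
        Request("marketing", "byod", "public_wifi", "https://www.facebook.com/acme", "post"),
        Request("marketing", "corporate", "office", "https://apps.facebook.com/farmville/play"),
        Request("engineering", "corporate", "office", "https://www.facebook.com/acme"),
    ]
    for r in samples:
        print(r.user_group, r.device, r.network, r.action, r.url, "->", decide(r))
```

Because every enforcement point calls the same `decide` function against the same rule set, a policy change takes effect in one place instead of being re-entered per tool.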

Conclusions and Recommendations

Companies that are power users of mobility and UC, and highly distributed, are pioneers of the move to cloud-based applications and security. By seeking a solution that provides appropriate security levels granularly, with a flexible policy engine able to address contextual factors such as location, use cases, job roles, access methods, and more, organizations can unify their security strategies while expanding the benefits of mobility. The time is ripe for unified, cloud-enabled solutions, but educating the market on growth patterns, costs, and risk avoidance is paramount to success.

Business technology leaders should consider the following:

- Understand your organization's metrics. What are the security and mobility budgets, and do they align with the growth in mobile devices and apps?
- Track the effect mobility has on your corporate network, and make adjustments regularly.
- Track with granularity what mobile apps employees use, how they're changing, and what effect they have on the network.
- Regularly revisit security policies based on change in apps, user behavior, and network capacity.
- Though MDM/MAM solutions are the most common way to address mobile security today, evaluate network and security vendors whose pervasive mobile security solutions address demand for a more comprehensive security strategy.
- Evaluate the vendor's architectural solution. Where do the policies reside? Where are the policy enforcement points? Is there a cloud-based solution, replicating policies across a provider's network so as to bring the policies closer to the users? Does enforcement require routing traffic through the provider's network? How is that network distributed? What are the cost differentials of the different types of architectures?

About Nemertes Research: Nemertes Research is a research-advisory and strategic-consulting firm that specializes in analyzing and quantifying the business value of emerging technologies. You can learn more about Nemertes Research at our Website, www.nemertes.com, or contact us directly at research@nemertes.com.