November 18, 2016 - by Synoptek
Any experienced burglar will tell you that the best place to break into a building is at the points of entry: doors and windows. The same can be said for data theft. The best place to break in is at the endpoints, especially mobile devices, because that is where legitimate users most often gain access.
This is important to think about for those who hear “security” and only think “firewall.” The firewall is a great security tool, but only one of many that all need to be incorporated to create an effective security strategy for any network. When some of those points of network entry include mobile devices selected by the end users themselves for their convenience and ease of use, careful consideration of those other security measures becomes even more critical.
Perhaps the most important consideration, however, is the vigilance required to maintain close scrutiny of the entire data environment. The people responsible for the effectiveness of the security controls and the integrity of the data are distracted most by exceptions to their established rules and standards: every device class or access path that is handled as a special case is one more thing that must be watched separately. Every effort to align the mobile device security strategy with the corporate network security strategy pays off in fewer exceptions and greater assurance.
A Comprehensive Mobile Device Security Strategy
The fundamentals of a comprehensive security strategy start with authentication and authorization of the users requesting entry, and network access control to evaluate the devices they are using to request it. They continue through rights management, directory services, and encryption of data at rest and in transit, with intrusion detection and prevention services constantly monitoring the environment for potential intruders. A gap in any one of these fundamentals becomes the “weakest link” that defines the true effectiveness of your security.
Publish a BYOD Policy
Just because your company has established a “Bring Your Own Device” (BYOD) initiative does not mean you must throw the doors open to all comers. The establishment and publication of a thorough BYOD policy should begin with stated and enforced requirements for acceptable devices. To be acceptable, a mobile device must be able to support the level of encryption, user authentication, and other access security capabilities that the rest of your network adheres to, and the policy should say what happens to a device that falls out of compliance (for example, loss of access until the device is updated). This alone removes a tremendous burden from your security team, as they will no longer need to invest significant time researching and evaluating every device that every user “throws at them.”
If possible, your policy should require compliant devices that can be managed using existing security and network management systems. The newest generation of tablet and laptop/tablet hybrid devices run a full version of Windows 10, which should make them compliant with and manageable by the majority of management and security systems in use today. Many platforms now manage a wider variety of mobile operating systems than ever before, including Android and Apple iOS as well as Windows.
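The acceptable-device requirements above are easiest to enforce when they are written down as checks rather than as prose. The following is an added example, not code from the original article or from any Synoptek or MDM product: it evaluates constructed device inventory records against a constructed minimum-requirements policy (platform allow-list, minimum OS version, storage encryption, screen lock with an inactivity timeout, no root or jailbreak). Field names, policy values and the sample devices are all assumptions chosen for the illustration.

```python
"""Evaluate BYOD device inventory records against a minimum-requirements policy.

Added illustration: the policy values, record fields and sample devices are
constructed for this example and are not taken from any particular MDM product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy: minimum OS version per approved platform plus required controls.
POLICY = {
    "min_os": {"ios": (10, 0), "android": (6, 0), "windows": (10, 0)},
    "require_storage_encryption": True,
    "require_screen_lock": True,
    "max_inactivity_lock_seconds": 300,
    "forbid_rooted": True,
}


@dataclass
class DeviceRecord:
    device_id: str
    platform: str                           # "ios", "android", "windows"
    os_version: str                         # e.g. "10.1.1"
    storage_encrypted: bool
    screen_lock: bool
    inactivity_lock_seconds: Optional[int]  # None means no automatic lock
    rooted_or_jailbroken: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.1.1' -> (10, 1, 1). Non-numeric characters in a component are ignored."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: Tuple[int, ...]) -> bool:
    """Compare versions component-wise, padding the shorter one with zeros
    so that '10' is not treated as older than (10, 0)."""
    a = parse_version(actual)
    n = max(len(a), len(minimum))
    return a + (0,) * (n - len(a)) >= minimum + (0,) * (n - len(minimum))


def evaluate(device: DeviceRecord, policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for one device; empty means compliant."""
    violations = []
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        violations.append(f"platform '{device.platform}' is not on the approved list")
    elif not version_at_least(device.os_version, min_os):
        wanted = ".".join(str(x) for x in min_os)
        violations.append(f"OS {device.os_version} is below the minimum {wanted}")
    if policy["require_storage_encryption"] and not device.storage_encrypted:
        violations.append("storage is not encrypted")
    if policy["require_screen_lock"]:
        if not device.screen_lock:
            violations.append("no screen lock configured")
        elif (device.inactivity_lock_seconds is None
              or device.inactivity_lock_seconds > policy["max_inactivity_lock_seconds"]):
            violations.append("inactivity lock missing or longer than "
                              f"{policy['max_inactivity_lock_seconds']}s")
    if policy["forbid_rooted"] and device.rooted_or_jailbroken:
        violations.append("device is rooted or jailbroken")
    return violations


def evaluate_fleet(devices: List[DeviceRecord], policy: dict = POLICY) -> Dict[str, List[str]]:
    """Map device_id -> violations for a whole inventory export."""
    return {d.device_id: evaluate(d, policy) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    DeviceRecord("ipad-001", "ios", "10.1.1", True, True, 120, False),
    DeviceRecord("droid-002", "android", "5.1", False, True, 60, True),
    DeviceRecord("surface-003", "windows", "10", True, True, 900, False),
    DeviceRecord("phone-004", "blackberry", "10.3", True, True, 60, False),
]

if __name__ == "__main__":
    for dev_id, problems in evaluate_fleet(SAMPLE_DEVICES).items():
        status = "COMPLIANT" if not problems else "DENY: " + "; ".join(problems)
        print(f"{dev_id}: {status}")
```

The useful property of writing the policy this way is that the same function runs at enrolment time and on every later inventory refresh, so a device that was acceptable when the user first brought it in is re-checked automatically when it falls behind on updates.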
Consider VDI as Your Transport & Session Strategy
Many have commented that “MDM,” which traditionally stands for “Mobile Device Management,” should really stand for “Mobile Data Management,” because it is the safety and security of the data that is the largest concern. Unchecked, mobile users can easily pull corporate data from the network and share it using their own private communications software, including personal email, text messaging and others. This may violate not only corporate data security policy, but also federal and state regulatory requirements.
The primary strategy available to protect against data being shared in unauthorized ways by mobile users is data containerization in a secure workspace: corporate applications and their data run inside a managed, encrypted container on the device, and the management platform controls what may cross its boundary (copy and paste, “open in” another app, attachments to personal mail) and can wipe the container without touching the rest of the device. This creates a distinct separation between the user’s personal data and the corporation’s private data.
Another strategy has been used with great success because it avoids transferring data from the corporate network to the user’s device altogether. This also means that a wider variety of devices may be acceptable for use in a BYOD environment, since the device only needs to run a display client. That strategy is virtual desktop infrastructure (VDI).
In VDI, the actual user session runs on a server in the corporate data center. That server manipulates data internally while running the user’s applications. Only the screen appearance of those applications is communicated to the user’s mobile device. The data at rest never leaves the data center and nothing is stored on the user’s device, with one important caveat: whatever is on the screen is still on the device, so screenshots, photographs of the display, and any clipboard, drive-mapping or printing redirection the VDI client allows remain ways for data to leak. Those client features should be disabled or restricted by policy for BYOD users.
Since the screen appearance, and the user’s keyboard input and screen gestures, are the only things being transported across the network, the bandwidth required is small and, on a connection with reasonable latency, the user experience is close enough to a local session that most users do not notice the difference.
Network Team Relief
Both data containerization and VDI require significant effort on the part of your network and IT support providers to deploy, but the return, in fewer exceptions to monitor and less impact on their ability to watch the security of the network and the data, is more than a sufficient payback.
Mobile security can turn into a security nightmare unless you take a cautious and comprehensive approach to securing the entire chain from user to mobile device to network to core and back. Talk to Synoptek about the many companies we’ve helped to wake from their nightmare.