Approaches to Security Compliance for Real-Time Mobile Data Access
Michael T. Raggo | August 20, 2014
Security Compliance often varies from organization to organization due to varied industry regulation as well as internal security policies and procedures. Mobile is fundamentally different than other enterprise technology and therefore requires a revised approach to security policies and countermeasures. We often see organizations attempt to repurpose security frameworks from the PC world and apply them to mobile. Traditional PCs employed an open operating system where data is openly shared across the PC. This contrasts sharply with mobile operating systems (iOS, Android, Windows Phone 8/8.1), which employ application sandboxing. This presents a challenge to products like anti-virus and antimalware, because these show up as other apps on the device and are challenged with attempting to remove malicious or risky apps. Mobile has also brought forth per-App VPN, allowing organizations to selectively allow corporate-approved apps to access the network while blocking personal apps.
Security compliance in the Mobile Era
We’ve all seen the headlines; retail breaches of consumer payment data continue to occur. But those organizations that embrace mobile now have a way to automatically mitigate POS threats. In mobile, retailers can leverage enterprise mobility management (EMM) to identify threats such as Jailbreaking or Rooting activities, and automatically take action to mitigate a breach. For example, EMM enables organizations to quarantine a Jailbroken or Rooted device by blocking it on the network or even wiping the device to remove the Mobile POS app and it's data.
The Payment Card Industry (PCI) Security Standards Council, the open global forum that is responsible for managing the PCI Security Standards, is embracing mobile and adapting it's requirements. MobileIron participates in the PCI Council and the PCI Mobile Task Force where we join forces with the Council to understand emerging mobile security technologies and to enable mobile-specific security controls and countermeasures for Mobile Point-of-Sale.
The same can be said for healthcare. There have been a number of patient data breaches despite organizations embracing HIPAA 164.312 Technical Safeguards. Enabling mobile not only provides for a better employee or patient experience, but when an EMM solution is used, healthcare organizations can secure data-at-rest and data-in-motion through the many policies natively provided by the EMM and mobile devices. These include Access Control, Encryption, Audit Controls, Integrity, Authentication, and Transmission Security. By using these proactive and reactive controls, threats can be minimized, and attacks can be mitigated with automatic countermeasures.
Adapting security for real-time mobile data access
In order to adapt security compliance to mobile, organizations must first understand the threats unique to mobile apps, content and devices. The Top 4 Mobile Threat Vectors we see at MobileIron are:
• Malicious and risky apps
• Jailbroken or Rooted devices
• User data loss (Intentional or Accidental)
• Unprotected networks (e.g. Man-in-the-Middle attacks stemming from Open WiFi networks)
Risky Apps are those free or paid apps we use everyday in our personal lives and even at work. Enterprises are quickly realizing that many of these iOS and Android apps (about 81% according to Appthority) may have risky behaviors that collect PII information and share GPS, location, email address, or even contact lists with adware sites and other suspicious sources (for additional information, see NIST's SP 800-53 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf ). App Risk Management and App Reputation Services provide the method to understand the risk of the more than 2.5 million apps across the Apple AppStore and Google Play so organizations can make educated decisions about risk. These App security products integrate with MobileIron to provide identification of the malicious and risky apps on user's devices and enable MobileIron's Quarantine to mitigate those threats.
Jailbroken (iOS) or Rooted (Android) devices present a huge risk to corporate data because, once a device is jailbroken or rooted, the mobile operating system is compromised allowing apps to speak to one other and expose corporate data. Prompt detection and mitigation is key. MobileIron employs jailbreak and root detection both online and even offline to allow corporate data to be wiped from the device to mitigate data loss.
The corporate perimeter has become blurred with the introduction of mobile. Combine this with Web 2.0, cloud services, and a plethora of ways to share data; and you have a huge threat to enterprise data loss. For example, iOS devices allow for screenshot, copy/paste, syncing, and open-in functions. Fortunately, with an EMM solution, a variety of controls exist to control this data sharing at the device level or the app level through secure access to and containerization of the corporate data.
Man-in-the-Middle attacks have been around for more than 10 years. As long as users travel and connect to Open WiFi networks, we'll have Man-in-the-Middle threats allowing interception of sensitive data. Fortunately with user or device certificates, organizations can leverage per-App VPN connections and end-to-end session trust to protect data-in-motion and ensure that users' data is not hijacked.
More broadly, EMM enables security and compliance with a broad countermeasures framework for protecting mobile in the enterprise:
• EMM to apply consistent policies for apps, content, and devices across mobile
• Advanced certificate-based authentication is inherently supported in mobile and protects users on insecure networks
• Device password, encryption, ongoing compliance monitoring, and automated remediation authenticate identity
• Secure email attachments protect against data loss
• Jailbreak & Root detection & mitigation safeguard data at rest
• Secure Mobile Gateway prevents access from unauthorized devices and apps
• Containerized Apps provide data-at-rest encryption, enterprise app store, restrict copy/paste and open-in for data loss prevention (DLP), app reputation services, secure on-device content repository, secure web browser
• Per-App VPNs for secure access behind the firewall
Be Proactive, Be Prepared
Mobile enables security through its many inherent security controls and organizations are increasingly adding EMM for additional security and management capabilities. When applying IT Security controls to mobile, it's important to first understand the fundamental differences between mobile and the legacy PC world, many of which we've outlined in this article. The great thing is that the majority of these controls can be provided natively by EMM and APIs already exist to integrate with the rest of your existing security infrastructure. No company wants to be the next breach headline, so it's always important to incorporate both proactive and reactive security controls. Being prepared will allow an organization to achieve compliance, but also minimize the threat of a data breach.
MobileIron teams up with Cisco to provide a holistic approach to securing mobile data access for the demanding security compliance requirements.
ClickToTweet: @mobileiron and @Cisco team up on Security Compliance Real-Time Secure Mobile Data Access #mobilesecurity http://ctt.ec/QJ695+