The Physics behind Mobile Security: For Every Action there is a Reaction

February 19th, 2015 / Smarter Identity

Enterprises continue to respond to an ever-changing business landscape: new agile competitors, new technologies, and new business models. For example:

  • Cloud-only companies have entered markets applying innovative technologies to better connect their network of remote employees, partners and customers.
  • New and advancing technologies have cleared the adoption chasm and are entering mainstream IT, such as cloud services, mobile, social, and big data analytics.
  • Creative business models have emerged where organizations:
    • focus on core strengths and embrace outsourcing of services to optimize business resources.
    • leverage technology to accelerate product development, respond to customer requests, create online communities and customer loyalty programs, and build a digital brand.
    • adjust their marketing tactics in real-time in response to market trends and events.

And with all this change (the action) come new risks that need to be addressed (the reaction), particularly around mobile devices and their users. I wanted to put this into context and look at three areas specific to enterprise mobile security:


Figure 1: Three Reactions to Mobile Trends supporting Enterprise Mobile Management

1. Enterprise to Consumer: BYOD and the Consumerization of IT

Action
Consumer standards are not enterprise standards. With the introduction of the first iPhone in 2007, the smartphone revolution went mainstream, particularly among consumers. Prior to this, enterprises had connected remote or privileged employees to corporate email via VPNs or other proprietary interfaces for BlackBerry, Palm, and early Windows phones. Now that users had their own iPhones with touch displays and on-screen keyboards, and access to all their personal digital assets in the cloud, they quickly revolted when asked to carry multiple devices: one for work, one for personal use.

Reaction
Enterprises had previously tried to solve the mobile management and security challenge by applying existing desktop and systems management models to this new form factor. The focus was on managing another IT “asset”: controlling device configurations and locking down certain functions. Why? To minimize the risks associated with downgrading security settings or downloading unauthorized applications. In many respects, the Mobile Device Management (MDM) market emerged to address this problem by applying the traditional “desktop systems management” paradigm to mobile devices.

2. SaaS, Cloud and Mobile Native Apps: the Application Transformation

Action
The Internet and the World Wide Web (WWW) brought us a means to connect devices globally and share information in the form of interlinked hypertext documents and applications via a browser. Standards such as TCP/IP and HTML formed the foundation for its widespread adoption and success, and commercialization began in earnest in the 1990s.

With smartphone and tablet adoption, the need for a richer user experience drove the development of new mobile applications that improved upon the mobile web browser experience. In fact, the industry has begun to nickname newer smartphones “app phones” to distinguish them from earlier, less sophisticated smartphones. Mobile apps began to appear in 2008, as did application distribution platforms, or online app stores, such as Google Play, the Apple iTunes App Store and the Microsoft Windows Phone Store. Users could now download specific apps designed to interact with data and applications outside the browser. Downloading personal apps, and acknowledging how those apps interacted with the device’s resources, was placed in the hands of the consumer. This approach was inadequate for enterprises subject to various privacy and compliance concerns.

Reaction
As enterprises began to understand the full scope of the mobile security problem, they broadened their mobile security strategy beyond MDM to Mobile Application Management (MAM). MAM introduced a means to put controls around mobile apps, whether internally developed or commercially available, in order to mitigate risk. Securing mobile applications by decomposing and rebuilding them to meet specific requirements can be time consuming and demand technical skills outside the scope of the enterprise’s core strengths. Techniques for securing applications, such as app wrapping and containerization, have since been incorporated together with MDM into a broader solution domain called Enterprise Mobility Management (EMM).

3. Device- to User-Centric Management: the Implications for Security and Compliance

Action
Over the last decade, IT has undergone a significant transformation that affects security and compliance. Gone are the days when physical assets and network boundaries could be secured, and security controls were managed through their association with hardware. Mobile and cloud are two examples:

Mobile workers carry on average 3 devices. As it becomes easier to connect to SaaS or cloud apps, users are accessing these apps from more types of devices, and this is being amplified by growing BYOD trends. It is becoming less feasible for IT to manage all these physical devices. Year-over-year adoption of cloud services has risen over 50%. Having corporate data sprawled across hundreds of cloud services is forcing organizations to evaluate how they will proactively manage all this distributed data from a security, compliance and governance perspective. Locking down devices and wrapping mobile apps is not enough.


Figure 2: User-and-Data Scenario

Reaction
If you take the perspective that users (e.g. employees, partners and customers) and the data they rely on for work are completely abstracted from hardware, then you recognize the need for new approaches to monitor and control this information exchange. It suggests relying less on the device to dictate policy, and more on the user behind the device. New security models are emerging that put the user at the center of security design, with user identity and authentication as key elements. Nearly every security service, including identity and access management, is being re-architected for this new paradigm.

In summary, transitioning IAM services to the cloud represents the most logical point of enforcement. As a result, we’ve seen the emergence of cloud-based identity management, or Identity as a Service (IDaaS), and the next-generation mobile SSO solution predicated on the OpenID Foundation’s NAPPS.

The Forrester-OneLogin webinar titled “Is Mobile Access to Cloud Apps Putting Your Company at Risk? - Navigating Mobile Security & Identity in a Cloud Centric World” puts much of this into perspective. View the recording at: https://www.onelogin.com/resources/webinars/is-mobile-access-to-cloud-apps-putting-your-company-at-risk

About the Author

Chip Epps joined OneLogin in 2014 to help advance cloud security initiatives and the evolution of identity and access management. Having worked previously at Symantec, Trend Micro, and Websense he focused on securing virtual data centers and implementing SaaS-based compliance solutions. Prior to a career in security, Chip worked at Peregrine Systems (now HP), promoting ITSM and service management within a dynamic IT environment.
