Monday, November 27, 2017

Why Mobile Security Is Hard for Enterprises


Most enterprises support the “mobile first” movement, whether enthusiastically or begrudgingly. Many enterprises have developed mobile apps for internal use, and almost all allow employees to use their personal mobile devices to access corporate email, calendars, and other resources. Few companies have strict policies preventing use of BYOD (bring your own device) for productivity purposes, nor do they prohibit use of social network or messaging apps while at work. Mobile use in companies has become entrenched, and it’s here to stay.

Meanwhile, startups and other high-tech firms have jumped to fill the void in mobile security solutions. In the past few years, a variety of innovative approaches have been introduced to the enterprise market that address threats related to mobile malware and data leakage. This has led industry analysts and other thought leaders to coalesce around common solution definitions to help enterprises navigate their way through the highly diverse solution landscape. The consensus seems to be that a general solution definition, defined by Gartner as Mobile Threat Defense, or MTD, is the universal answer to enterprise mobile security.

But MTD is hardly a response to large and growing enterprise adoption of mobile security solutions. In fact, the real question is: why are aggregate MTD revenues so low? Why have so few enterprises adopted an MTD solution?

Having seen this apparent contradiction up close, I have a theory as to why the MTD adoption is so low. Because MTD introduces a new paradigm based strictly on mobility threats, and because MTD does not leverage current enterprise security infrastructure, it represents a big challenge to enterprise security teams. MTD is another expense, sure, but the real reason it hasn’t been widely adopted is that it’s hard to deploy.

Consider some of the elements of an MTD enterprise deployment and consider how little alignment exists with current security solutions:
  • Mobile app/agent deployment to all employees, and all the challenges associated with the requirement that all users must deploy this security app (help desk, battery drain, “big brother” concerns by employees)
  • Remediation policies, including requiring employees to delete offending apps (including related HR policies)
  • Enterprise policies regarding rooted/jailbroken devices
  • EMM integration
  • PII management, especially regarding EMM integration and agent deployment

On top of that, there’s a whole new taxonomy for the enterprise IT staff to master and new concepts that must be operationalized: mobile malware and its many variants (spyware, trojans and fake apps, ad fraud, click fraud, ransomware); man-in-the-middle attacks; targeted attacks; secure transport enforcement; OS vulnerability assessment; and the list goes on.

Finally, BYOD devices are far more personal, and likely to have far more personal data, than legacy desktop or laptop systems. Taking some element of control over such devices in the workplace raises big concerns for employees who have their text messages, chats, pictures, and other personal data on their device. Even the apps that are installed on the device can imply much about a user. Any mobile security deployment that’s not done in conjunction with clear and transparent HR policies will almost certainly encounter personnel issues down the road.

This is the heavy lifting of MTD: A security team has to master new concepts, terms and systems to deploy and manage MTD. Furthermore, the system has to be justified even though it doesn't leverage the current security infrastructure.

So what should an enterprise do?

In upcoming posts, I will be exploring options for enterprise mobile security that leverage existing security infrastructure while providing a more lightweight but effective solution. Stay tuned!
