While there are Multiple Considerations to Secure Mobile Traffic, it’s the Network Where You Must Start...
The topic of mobility and BYOD has become a fairly divisive subject, because of the differing perspectives on how to resolve security challenges for the mobile user. Within the SecurityWeek contributor set alone, perspective on this ranges from the complexities of dealing with BYOD to a recommendation to keep personal and business devices separate. The fact is, we all have strong affinities for our favorite mobile devices, and just as organizations had to embrace the desire for users to use Macs in the office (remember that controversy?), users are now making their own choices about the mobile devices they use at work. When employees are given the resources to do their jobs in more places, they find better and more productive ways to work.
The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.
Existing Approaches Have Limitations
When looking at the landscape for mobile device security, there are a number of approaches that are available. There are container and VDI technologies that isolate data, for example, offerings from Good Technologies or Citrix VDI solutions.
Containers work well to isolate sensitive data into a sandbox, but the technology is limited to certain applications. Therefore, any time a user chooses to use other productivity applications on the device, security risks are introduced as users create business content outside of the container. Similarly, virtualization partitions where data can go. Business data stays in the data center instead of on the endpoint, making it ideal for regulatory and compliance-driven environments. However, much like the limitations with containers, there are productivity applications that may be used outside of VDI. In addition, not every application is designed with the right interface for VDI on a mobile device.
Mobility and BYOD challenges have also created a secondary market around mobile device management products. Designed to manage the settings on a device, MDMs are typically used in conjunction with legacy VPN products to address mobile security. Yet the ephemeral quality of VPN means that when a user disconnects, they will not be subject to network security controls and therefore may inadvertently be downloading malware or sharing files inappropriately.
Therefore, while each element of existing solutions addresses part of the challenges around mobile security, no individual approach provides a complete solution.
Start with the Network
I recently spoke with Brian Tokuyoshi, a Senior Security Analyst at Palo Alto Networks, and his advice for security teams is to avoid tackling the problem from the standpoint of dealing with all the permutations of endpoint technologies and start with the common denominator – the network. The network is the right place for IT to see all mobile traffic and enforce control between applications and mobile users, and that’s true regardless of what device is being used. Even with BYOD use cases, the organization can’t control what users do with their own devices, but they can control access to applications once the users touch the network.
But what should be the element of control within the network for mobile devices? Logically, the control structure belongs to the firewall, the one device that sits in the right location for enforcement and can monitor and safely enable mobile user access to data center applications. The key criterion for this firewall is the ability to understand applications, users and content, so that mobile users are identified and access only the applications allowed by policy, while content is scanned for known and unknown threats.
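To make the user/application/device-aware policy described above concrete, here is an added example (not code from the original article or from any vendor product) of a first-match rule table that covers the two use cases named earlier: an unmanaged device gets Internet access only, while a managed device in the right group reaches a data center application. Group names, application names, zone names and the "managed" posture flag are assumptions for illustration; everything not matched falls through to a default deny.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a first-match policy of the kind a user-, app- and
# content-aware firewall evaluates for mobile traffic. Names are assumptions.

@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset           # identity groups the user belongs to
    device_managed: bool        # device posture reported by the MDM / VPN client
    app: str                    # application identified on the wire, not the port
    dest_zone: str              # "internet" or "datacenter"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    groups: frozenset = frozenset()        # empty = any group
    require_managed: Optional[bool] = None # None = posture does not matter
    apps: frozenset = frozenset()          # empty = any application
    dest_zones: frozenset = frozenset()    # empty = any zone
    scan_content: bool = False             # send allowed traffic to threat inspection

    def matches(self, s: Session) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.require_managed is not None and s.device_managed != self.require_managed:
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.dest_zones and s.dest_zone not in self.dest_zones:
            return False
        return True

POLICY: List[Rule] = [
    # Managed devices in the finance group may reach the ERP web app, with content scanning.
    Rule("managed-to-erp", "allow", groups=frozenset({"finance"}), require_managed=True,
         apps=frozenset({"erp-web"}), dest_zones=frozenset({"datacenter"}), scan_content=True),
    # Any identified user, managed or not, may browse the Internet, with content scanning.
    Rule("any-user-web", "allow", apps=frozenset({"web-browsing", "ssl"}),
         dest_zones=frozenset({"internet"}), scan_content=True),
    # Unmanaged devices never reach the data center, whatever the application.
    Rule("unmanaged-to-dc", "deny", require_managed=False, dest_zones=frozenset({"datacenter"})),
]

def evaluate(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str, bool]:
    """Return (action, rule_name, scan_content) for the first matching rule; default deny."""
    for rule in policy:
        if rule.matches(session):
            return rule.action, rule.name, rule.scan_content
    return "deny", "default-deny", False
```

The returned rule name is what you would log with the decision, so that a blocked data center request from an unmanaged device is distinguishable in the firewall log from a request that simply hit the default deny.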
The threat aspect is particularly important for mobile users. For most users, the only defense against vulnerabilities in the device's operating system is to install the latest patches, but with so many devices in use, the organization has no idea how much exposure it faces against emerging threats. Very few users have antivirus software running on their devices either, thus opening the door to the risk of downloading malicious code. Addressing vulnerabilities and malware protection in the network provides mobile users and devices with scalable, network-based protection for mobile device traffic.
In addition to the firewall as a control point, the traffic must be safely brought onto the network. This is where an always-on VPN connection complements the protection provided by the firewall. An always-on VPN connection to the corporate network, regardless of location, ensures that users are subject to the same enforcement policy whether they are using a desktop or a mobile device.
Secure the Data and Device
Container or isolation technologies and MDM solutions now become options to add on to the network-based firewall protection (with always-on VPN). MDM solutions establish profiles to govern device settings and device state, while containers and isolation technologies provide additional options for organizations with highly sensitive data and stringent regulatory requirements. Because these options are used together with the firewall's network protection and a secure always-on VPN connection, security extends to mobile users whether they are using container applications, non-IT-sanctioned productivity applications or personal applications.
In summary, while there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.