Identifying Mobile Blind Spots

Until We Know What is Occurring on Devices, We Cannot Determine if Our Controls are Effective at Managing Risk...

Be it corporate owned or BYOD, the enterprise has gone mobile. We talk about BYOD a lot because it’s new, scary, and harder to control, but at the end of the day corporate-owned devices and BYOD have something in common – companies don’t really know what’s happening on them.

IT monitors network traffic, servers and desktops and, as a result, has a pretty good sense of the risk each of these poses. If you lose a backup tape, you understand what the exposure is: you can easily determine what was on that tape and understand the liability – exactly what data is at risk. If a mobile device is lost, however, many companies cannot answer the same questions. Yet there is just as much sensitive data on mobile devices these days as on our backup tapes. We have to gain that visibility, because we can’t control what we can’t see.

BYOD Risks

Most companies have some sort of mobile policy in place; however, many still don’t understand the true risk that mobility poses to their organization. They provision devices or let users have access to resources on their own devices, but they don’t really understand what data they are actually accessing, what the user is doing with the data on the device, or where the data is going, let alone how to secure it.

I recently spoke with a Fortune 100 company that felt it had a solid mobile security solution. However, when asked, no one – from those implementing the security to those setting the policies – really knew what the mobile security tools in place were protecting. Furthermore, they had no idea what was really happening with their corporate data, how access to corporate applications, both internal and cloud-based, was being protected on the device, or whether applications could access the VPN. They assumed that the MDM solution they had in place was doing what it needed to do, when in fact it didn’t even come close. They weren’t actually protecting what they thought they were protecting and weren’t mitigating the risks they thought they were mitigating – they had a big mobile blind spot: visibility.

Until we understand what is occurring on devices, we cannot determine if our controls are effective at managing risk. How can we, if we don’t know what’s being protected, what’s not, and how devices are being utilized? Until we have these facts, we’re just making assumptions. The way to overcome this is by gaining visibility into what’s really happening at a granular data level. Armed with these insights, we can craft proper implementations and controls to meet both the organization’s requirements for risk management and the employee’s requirements for productivity. As we know, this second part is especially important in a BYOD environment: without it, users will go around controls and create more blind spots.

Many of us create our own blind spots through assumption. I spoke with another company recently that had assumed that their security solution was encrypting everything (mobile, application, data and device); however, when they looked further they realized that the encryption only applied to certain parts of the operating system and did not actually protect the application data they were most concerned about – the data that contained confidential information. Without protection for third-party apps, they had a big mobile security gap. This is when they realized that they needed a solution that would protect the data stored by the applications their employees were using. Figuring out what data was traversing these applications, both on and off the device, was the first step to controlling, and ultimately protecting, their corporate data.

Beyond that, it’s important to understand what data is on the devices, how it got there and where it goes from the device. Fundamental insights include which applications are opening or copying data on the device or in the cloud, whether users are emailing or sharing the data with applications that have loose privileges or permissions, and the content and context of the data stored on these devices. It’s not enough to know that a corporate file is being stored on a device; IT also needs to know what kind of file it is. Is it PCI or HIPAA sensitive? Does it contain account data, product designs, etc.? Understanding how people are using data on their devices provides insight into how to support them, and ultimately allows IT to put better policies in place to manage risk. Going back to the lost device scenario above, it helps IT understand the true risk when a device is lost, because they now have detailed insight into what was on the device.

Lack of insight into data has caused a gap in our controls. Many organizations are simply relying on what’s natively on the device – using configuration tools and hoping that’s enough – but if we don’t know where the data is or what people are doing with it, how can we really protect that data? We can’t. We’re just checking a box for the sake of checking a box. The same is true for applications.

Today, many organizations still don’t understand which applications carry sensitive data and which need to have enterprise security controls. Nor do they know which applications their teams are using and which they need to support. Without this, we can’t apply appropriate controls to those applications, again creating a gap in our mobile security controls.

Just like any blind spot, mobile blind spots simply require additional tools to give us the visibility we need to keep the most important thing safe. Be it the passengers in a car, or confidential corporate data, visibility enables us to make the right decisions, whether changing lanes, or implementing mobile security policies.

Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties. Adam is a CISSP, CISA, NSA IAM, MCSE and holds an MBA from Florida State University.