Introduction to Mobile Security Risk Management

Chances are, your company is already managing mobile devices in some way. But do you have any risk management policies or best practices in place? More likely, it was simply a case of the business saying, "We need this. Make it work."

I spoke with Jeremy Allen, principal consultant with the Intrepidus Group, a consulting firm that specializes in mobile security. We discussed the steps to making wise decisions about mobile device management (MDM) based on risk management and strategy.

3 Questions to Ask About Device Management

1. What data is going to be available on the devices? This is a balance between the level of data availability that is best from a security perspective and the level that is practical for users. Obviously it would be more secure to simply ban mobile devices from the network, but that wouldn't work for most users.

"One thing we're seeing is, oftentimes organizations just don’t want to put really sensitive data on mobile devices, because of the risk. But there are a lot of things you can put on the device that aren't sensitive," said Allen. "It all comes down to trade-offs like that and understanding what the worst case scenario is when a device gets stolen, whether users will accept entering passcodes to get to email, etc."

2. Who is going to have the devices? Once you know the what, you need to know the who. Certain employees have access to more sensitive information, and for them it might make more sense to limit network access, put more restrictive policies on the device, limit them to secured BlackBerry phones, or restrict access to corporate data, email, and applications while off site. These are all potential steps you can take.

"For some organizations, limited risk management works fine, because there aren't terribly sensitive things in their email," said Allen. "And then there are some departments, such as HR, that just might not get email on their personal device."

3. What are the potential risks vs. potential costs? Ultimately you have to balance risk vs. cost. How much could it cost your organization if a phone was lost or stolen? Contrast that with the cost of paying for employees' phones and mobile device management.

Another factor is productivity—will restricting access levels hinder productivity for highly mobile users? If so, it may be a bad idea. But if you work at a financial institution where data sensitivity is at its highest, the risks may very well outweigh the benefits.

"Let's say you take a hypothetical organization that is going to roll out 5,000 iPads. They don't want them to end up as paperweights because they locked them down so much, they aren't useful or compelling to users. You have to understand the risk involved in the platform specifically and what you want users to do with it," Allen said. "So you have to ask what data will be walking out the door every day, and can you live with the risk of that? If you can't, are there things you can do with your mobile device management strategy that can reduce the risk to an acceptable level?"

If you are unsure of how to go about making strategic decisions about risk management, or even what security policies are available to you, these would be good discussions to have with a consultant or your mobile device provider.

Next, we'll look at three other trends in mobile security, including the differences between today's mobile OSs, application security threats, and more.

Other Trends in Mobile Security

When it comes to security, BlackBerry is still king. There's a growing sentiment that Exchange ActiveSync (EAS) offers acceptable security policies, and since EAS works across all the major smartphone platforms, it doesn't much matter which devices you support. There is some truth to this, but for organizations that need the strongest security and policy management on mobile devices, BlackBerry remains the benchmark.

"In terms of who is the best at mobile security, BlackBerry is definitely the best at devising a mobile device platform, the kind that's by business, for business. BlackBerry Enterprise Server has total control over that device, pretty much, from an administrator's perspective. RIM does such a great job at documenting these things that most organizations have had years to get a handle on BlackBerry administration," Allen said.

"With iOS, you can take a personal device and enroll it, but then at any time in the future the user can voluntarily say, 'I don't want to be managed by this MDM server.' When they terminate the relationship, they lose all access to corporate email, but they're essentially always able to do that, even on corporate-owned devices. There are pitfalls with all the platforms, so it's not a very cohesive thing to manage from one platform to the next. Android is even less far along in terms of what can be managed," Allen said.

"With that being said, we have realized in most cases that iOS does set an acceptable bar for security requirements. I'm not saying you can't trust these platforms at all. But because each platform provider has a different philosophy, it can vary. It can even vary between Android devices—for instance, Motorola's XOOM tablet has a fork where you can do all sorts of crazy, advanced device management that probably matches the BlackBerry level of management, but for some other Android tablet, you probably won't have that level."

The takeaway? You really need to understand how the policies work for each platform (and even device) to determine which to support.


Applications are the threat of the future. "I think in the next year we're going to see a lot of awareness for application privacy. People install dozens of applications and they leak your private data like it's going out of style," Allen said. "There's an awareness that many applications do this and to use almost any application you have to click through and let the application have access to your contacts. It's not necessarily malicious behavior, but less than ideal behavior."

This growing concern about application security (heightened by worries about Android's unregulated Marketplace) has led a number of vendors to add application security and control features to their MDM products. (You can read more about them in this product comparison of MDM solutions.)

You have to trust your mobile users. At the end of the day, a level of trust and education is necessary to keep your organization safe. If there are users you're not comfortable trusting with a device, maybe they shouldn't be given one.

"Ultimately, you're trusting your users to do the right thing, and even with a BlackBerry, a lot of security comes from policy and user awareness that you shouldn't do these bad things. Yes, you can terminate the MDM relationship, but we'll know because we can clear your device. And if we find out you did this on purpose or it keeps happening, we'll take away your toy or you'll get more severe HR punishment," Allen said. "So this is what Apple calls the carrot and stick approach—you get the carrot of email access and things like that, and they hope the stick of you deleting the MDM relationship would be bad enough that you won't do it."
