Dyman Associates Management: Why mobile security requires a holistic approach
Its remarkable how much can change over the course of just a couple of years. We've seen bring-your-own-device (BYOD) evolve from a buzzword to an accepted practice with a strong business use case. Cyber criminals are savvier than ever and using mobile-optimized techniques and malware to obtain more targeted prizes, such as Social Security numbers and credit card information. Decade-old attacks are even resurfacing under new guises, and with far greater precision than their predecessors. And of course, the proliferation of mobile devices available to an increasingly remote workforce continues to plague IT security professionals who are all too aware of the potential threats.
However, for all the considerable hype around each emerging mobile threat vector, one simple truth remains often overlooked: The only secure way of handling mobile devices is in a managed way. But what exactly does a managed approach look like?
IT security professionals and cyber criminals are continuously battling to gain the upper hand. The trouble is, for the most part, the good guys are being more reactive than proactive. While we are learning from mistakes or flaws in security frameworks as they are breached, cyber criminals are already plotting the next attack, carefully considering areas of network security that are most susceptible to infiltration. How many more high profile incidents, such as the Adobe or Target hacks, must we endure before going on the offensive? As an industry, it's time to realize that mobile security has been, and continues to be, a systemic problem. Unfortunately, despite myriad expert warnings and sensitive data being put at risk, many mobile technology companies' primary focus remains on the consumer market instead of the enterprise market.
To put it bluntly, endpoints like personal laptops, smartphones or tablets remain the weakest points within a security infrastructure. That's why it's so befuddling how organizations are still permitting unmanaged devices on their corporate networks. With the technical ability of today's cyber criminals, intercepting unencrypted communications, for example, is as simple as taking candy from a baby. While proactive steps to combat threats such as these are clearly necessary, it's important to note that there is no one magic technology that can efficiently safeguard against every type of malicious situation or attack.
It boils down to this – there is no substitute for fundamentally robust network security components being seamlessly implemented to establish defense in depth. Ideally, this will include everything from client device firewalls to IPsec VPNs. An important caveat to include here is, even these rigorous security mechanisms aren't failsafe against users ignoring common safety precautions, such as blindly clicking on links or opening suspicious e-mail attachments. This means companies should not take for granted that everyone within their organization is equally savvy about basic technology and security protocols—they must continuously educate and reinforce best practices.
Comprehensive solutions are hard to come by, as many security solutions designed to combat mobile threats can, at best, be described as siloed solutions that lack integration between critical security functions and the ability to be managed by IT. To be clear, these solutions do not lack sophistication because, in many cases, they are perfectly functional for the tasks they are designed to perform. Rather, the issue is that threat detection, mitigation and response requires an integrated and managed approach that is often difficult to obtain, considering the way mobile threats are currently tackled.
For instance, because mobile devices are constantly exposed to different and often hostile public networks, the best security technologies are barely enough to secure a user. Therefore, in the absence of a one-size-fits-all security product – which does not appear to be on the horizon – the best option is to interconnect the range of best-of-breed security products and technologies and have them work together, focusing on providing defense-in-depth rapid threat response. IF-MAP, for example, is an open standard that is well-positioned to deliver in this area. IF-MAP provides the possibility to interconnect different IT security systems for an accurate representation of the health status of an IT network.
All things considered, the problem with mobile devices remains a systemic one. Organizations must be more and more proactive about patching up the holes in their remote access strategies at every stage, from policy creation to the technologies' implementations. IT administrators must reach out across the aisle to everyone, from designers, software architects, company management and end-users, to ensure that the necessary security precautions are being taken, and that corporate compliance is being adhered to. If this collaboration and holistic approach can be accomplished, we are likely to see fewer headlines about major corporate network breaches. Let's make 2014 the year that we take action.