Dionisio Zumerle uses an arresting word to describe one of the trends that's reshaping how organizations will have to secure the mobile devices their employees use: promiscuity. The Gartner analyst's definition is decidedly less steamy than what many minds will conjure up, but it's imperative for good mobile security today.
Zumerle is talking about people's tendency to indiscriminately use their smartphones and tablets for business and personal use -- toggling between, say, a Salesforce app to check on customer data and the news feed on Facebook, or a data analysis tool and an email from an aunt on Gmail.
Add to that kind of promiscuity this: enablement, said Zumerle, who co-wrote the recently updated report "How Digital Business Reshapes Mobile Security." Organizations want to give their workers freedom to access the internet on their iPhones, on their Android phones, on their tablets. They're less interested in imposing lockdowns on devices in the workplace.
"It's about how mobile can allow enterprises to look further, to be more efficient, to even introduce you to new business models if you want or new ways of interacting within the enterprise," Zumerle said in an interview with SearchCIO. "Security should be something that should be built on this, should be embedded. It's easy to say, but it should interfere as little as possible."
The last trend is convergence -- operating systems and applications working on mobile devices and PCs. Put them together -- promiscuity, enablement and convergence -- and you have a new mandate, not just instructions on how to implement an enterprise mobility management (EMM) tool to manage and secure mobile devices. For good mobile security, organizations have to balance the need for secure applications with users' need to access data -- whatever it may be.
In his talk with SearchCIO, Zumerle detailed what mobile security measures organizations should take today -- and how they should get started. Here are excerpts of that conversation.
What do most organizations need help with now on mobile-device security?
Dionisio Zumerle: If I had to summarize the biggest part of my calls on mobility, the main underlying question is, how much is enough? And are we doing enough, or are we doing too much right now? There are some enterprises, for example, that spend, let's say, 80% of their time trying to eliminate 20% of their risk. They worry about advanced malware, but then you ask them about passcode complexity and they have four-digit passcodes. Or you ask them if they block sideloading applications, and they don't. It's the wrong focus to try to protect against advanced, targeted attacks on mobile devices when you haven't done those basic things.
Some enterprises have difficulty in even getting basic tools in place, because there's pushback from top management. The CIO might say, "Well, we need EMM tools in the enterprise to mitigate some of the risks we have." [Business leaders'] reply would be, "What did we do last year?" And probably [CIOs'] reply would be, "We didn't really do anything. We didn't have a tool last year." [The business would say], "OK, if nothing happened last year, do the same thing next year."
How should organizations be thinking about mobile security risk?
Zumerle: It's important to understand the organization, the environment it's in, the risks you might have, the regulatory environment as well. From there, define the requirements -- what is the security need? -- and then try to translate those requirements into a logical mobile policy. You'll have a better idea of what sorts of technical tools you'll need to translate that logical policy into technical enforcement.
We did a survey [in which] we asked BYOD [bring your own device] users, "What would you do if your device was hacked, or you lost your device or something bad happened to your device?" We asked users who were underground BYOD -- they hadn't told their employer; then we asked users who had BYOD from a [company] policy. Two-thirds of the underground BYOD users said, "I wouldn't say anything. I wouldn't tell my employer." When we asked the users who do have a formal BYOD policy, fully one-third of them said they wouldn't report a lost or hacked device. That tells you that there needs to be some sort of technical enforcement. How strict and how complete depends on the risk profile of the enterprise.
What are the trends driving the need to change mobile security strategies?
Zumerle: The three main trends are promiscuity, enablement and convergence. Promiscuity -- you have users using devices with personal and business data. Think about note-taking applications, for example, and cloud-based storage. Think about cloud sync-and-share applications. Think about virtual personal assistants -- you can send text messages, for example, to your colleagues. There's more and more promiscuous use of these devices, and we're going to have still more. That tells you that you need to find intelligent ways of coping with that promiscuous use when you want to have security on devices.
The second thing is enablement. There's a peculiarity about the mobile security market: It's not actually the mobile security market. It's the secure mobility market, and that makes a big difference. Security is a characteristic that is important, but it's an enablement market. If you look at the enterprise mobility management players, you won't find the traditional endpoint security players in there [as] leaders in the market. One of the reasons is that the buyers of this technology look for enablement. They want to know that with these solutions my workforce can go to the internet, I can mobilize my enterprise applications. The messaging around being able to lock down devices, being able to stop or block functionality, that's less interesting for them. So it's a market that has to bring security, but if it only brings security, that's not going to be enough.
The third thing is convergence. For example, now Android applications will be supported by Chrome OS. You have Windows 10 having the same kernel between mobile and laptop. You also have Metro apps running on both platforms. So you're starting to have platforms that can reach more form factors and can make different objects interoperate. That's becoming more interesting for enterprises. When you look at the digital workplace, for example, you can start finding new ways of working or more flexible ways of working -- but it also expands the surface of attack.
What practices should all organizations adopt for good mobile security?
Zumerle: One of the things we always talk about is being tactical. You have a major operating system release for mobile -- I mean Android and iOS -- basically every year. For Windows or Mac OS, it's about three years. That alone can tell you that with mobile you have a technology that moves three times as fast as traditional IT.
There are a lot of interesting things that are coming out for enterprises now. You have, for example, native containment: You're starting to have mobile platforms themselves giving you the possibility to contain your apps. What you want to do is to implement solutions that allow you to respond to your needs today and also allow you to stay flexible and be able to reconsider your architecture or your choices in the next 24 months. What you don't want to do is have choices that keep you locked in, say, five years from now. That's because things are very, very volatile right now in the enterprise mobility market.
The other thing is, instead of aligning users to your decisions, it's important to try to align your tools and your practices to how users are using their devices. So instead of, let's say, locking a file sync-and-share app, offer them a legitimate alternative. Offer them an enterprise file sync-and-share app that is usable. Or offer them file-based data encryption for specific files and then allow them to send those files over the file sync-and-share application of their choice, for example. And why is that? Because there's so much IT activity that takes place outside IT. You can call it shadow IT, you can call it BYOx, you can call it citizen IT -- a better term, a more constructive term -- but the reality is that there are a lot of users that just go ahead and decide to use an application or a device, and there's not much an enterprise can do about it. What you have to do is be a facilitator for those decisions, provide options and not try to own the risk.
Any final advice for CIOs on managing mobile security risk?
Zumerle: It's important not to try to see what everyone else is doing and implement the same thing. It's important to think about what your own use cases are, what your own needs are, who your user population is. At some point, you also need to involve stakeholders from [human resources], from legal [and other departments] to come up with a mobile policy. That mobile policy will show you the way to the tools that can allow you to enforce that policy to some extent on your devices. It's also important to understand that at this stage the enterprise might need to get [another type of tool] for just small pockets of the population with very specific needs. It's tough to find any one-size-fits-all tool to cover the entire enterprise.