Is mobile technology on a course to become more secure than traditional computing?
Seven or eight years ago, that was a far-fetched notion. Today, the answer to that question is, “Yes, it must, and soon.”
Related: Securing the Internet of Things
I’ve been writing about organizations struggling to solve the productivity vs. security dilemma that’s part and parcel of the BYOD craze for some time now. I can recall President Obama issuing BlackBerry phones and ordering his administration to copy his personal practice of using only hardened mobile devices. Yet, many of the government-issued BlackBerry phones got used sporadically, as staffers reverted to their personally owned iPhones and Androids.
What has happened over the past couple of years is that mobile computing has become the cornerstone of our work and personal lives. Meanwhile, threat actors, as you might expect, are increasingly probing for, regularly discovering and enthusiastically exploiting mobile security flaws.
The good news is that cybersecurity vendors continue to innovate, as they have all along. And they appear to be closing in on fresh approaches that should translate into solutions for the longer haul. It is early still, but it looks like we may not have to carry two smartphones, after all, a locked-down company phone, as well as our favorite personal device.
I had the chance to discuss this with Jonas Gyllensvaan and Brian Egenrieder, Chief Executive Officer and Chief Revenue Officer, respectively, of mobile security vendor SyncDog. We spoke at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:
Securing provisioned devices
From the very start of the smartphone era, employees demonstrated that they did not mind paying for the latest, coolest device and use it for both home and work tasks. By 2011 or so, it was clear the BYOD trend was unstoppable, and companies began to impose much tighter security constraints.
Along came MDMs (mobile device management) services to handle the inventorying and provisioning of these new endpoints. MDMs gave companies the ability to micromanage company-issued devices, adding password protection and remote wiping capabilities. A security staffer could remotely “brick” a company device gone temporarily missing, even if it had just slipped under a couch cushion. The employer could even block access to apps stores, disable phone cameras or use the device’s GPS function to monitor where an employee spends work and personal hours.
Employee’s bristled – and companies responded by exerting even more granular control by embedding EMM (enterprise mobility management,) MAM (mobile application management) and UEM (unified endpoint management) systems on provisioned devices.
Influence of youth
Still, younger workers looking for an edge kept reaching for their personally owned phones. They sought to leverage hot new consumer apps and to immerse themselves in social media — for both personal and work-related networking and collaborating. App-happy senior executives began to follow suit, demanding access to company e-mail and databases via their new smartphones and touch tablets.
“The millennials really changed how they worked, as well as how the older generation is now expecting to work, using their mobile devices,” Gyllensvaan observes. “Employee demands have now reached a pinnacle where productivity is expected on a mobile device wherever you are. That’s the starting ground for where we are today in the mobile space.”
Threat actors, of course, are fully aware that mobile devices have surpassed desktops and laptops as our go-to endpoints. Some 33 percent of companies participating in Verizon’s Mobile Security Index 2019 survey admitted to having suffered a compromise involving a mobile device — and the majority of those affected said that the impact was major.
Verizon’s poll also found that 67 percent of organizations were less confident of the security of mobile devices, as compared to other IT assets. Company provisioning is proving to be too cumbersome to issue the latest, coolest devices. What’s more, employees really don’t relish having to tote both a company-issued phone and their personally-owned device, although, for the moment, that’s still a fairly common practice.
SyncDog sought to take a fresh approach by deploying robust encryption to mission-critical apps and sensitive company data. Notably, it does this in a way that takes the device the employee happens to be using out of the equation.
Access to company systems – namely, corporate email and software-as-a-service tools – routes through a highly secure white-label mobile app, which the company brands as its official in-house app. This leverages the fact that employees, young and old, have become habituated to using mobile apps over the past couple of years.
SyncDog inserts a protected virtual workspace on the phone – with the look and feel of a typical mobile app. In the back end, work and personal functions are definitively separated.
“Security typically involves prohibiting employees from doing things,” Gyllensvaan says. “We wanted to start with preserving user experience and productivity and then layer security on top of it. This way, employees want to use the security mechanism, instead of finding ways to avoid it or work around it in order to get the job done.”
Convenience and a cool user experience is all well and good. On the other hand, in the mobile space, security is a whole other ball of wax, one that, by and large, has been overlooked by developers of the vast majority of apps.
With SyncDog’s solution, security is under the covers, from the user’s perspective. In the back end, security is the main focus.
“Encryption is the mainstay of our approach,” Egenrieder says. “We make sure data is encrypted, both at rest and in transit, so no matter when the user is accessing it, how they’re accessing and using it, whether they’re online or offline, that data is always going to be secure.
“And then we take it another step and make sure that data is completely separated from the personal side of a device as well,” he continues. “So we’re eliminating that factor of having to carry multiple devices, or having to sign documents that the company has the right to wipe your entire device if you were to leave the company or lose the device.”
This clear delineation between personal and work-related use of any given mobile device, regardless of who owns and controls it, is a significant breakthrough. Yet it is just the start of a long run of people, process and technology advancements we’re going to need. I’ll keep reporting from the trenches. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-the-march-begins-to-make-mobile-app-security-more-robust-than-legacy-pc-security/