The Mobile Security Gap

No one has fully figured out how to throw a security blanket over the enterprise mobile environment, that chaotic patchwork of geographies, carriers, operating systems, applications, device types and ownership models.

Any enterprise tackling web security for mobile devices must contend with three difficult problems: manageability, user experience and containerization. Enterprises that buy a homogeneous fleet of mobile devices for their employees under a strict set of policies are in the best position.

Using a mobile device management (MDM) solution, they can configure the devices (sometimes in a tamper-proof manner) to route web traffic to the security proxies of choice. But user experience can be a severe challenge if the proxies create latency. Cloud-based proxies in a distributed, global fabric have the best chance of delivering low-latency service, but turning this on for mobile devices may be a hard sell to the business and the users alike.

Enterprises operating under the bring your own device (BYOD) model find themselves in an even more difficult position on security. In many jurisdictions, the only reasonable protection solution for an organization’s data on a worker-owned device is to containerize it into a separate logical or virtual partition so as to avoid having to touch any of the user’s personal data or functionality. But containerization – whether using Good Technology, Samsung Knox, or another solution – adds complexity, still creates latency and may cause more user experience issues.

Thus, enterprises are caught between a rock and a hard place when it comes to protecting mobile devices from malware on the web. Users are accessing important services from these devices and storing sensitive data – at least email – on them too. Android devices and Windows devices are especially vulnerable. And even users of the relatively robust iOS and BlackBerry systems can succumb to phishing lures that security gateways could mitigate – if only the organization could hook them up.

All the usual compliance risks and obligations apply and are worsened by the absence of web security for mobile devices. But who is ready to tackle the manageability, user experience and/or containerization issues? Not many enterprises as yet. I created this little rant because, nestled as it was inside of another post I was writing, it seemed too long a digression. On the other hand, there’s a lot more to say, and I’ll certainly expand on the mobile security topic. Please drop me a comment in here if you’re seeing any progress in the space, or have something you’d like me to cover.
