An important choice in securing mobile communications is whether to protect the data directly or to focus on the device. Matt Bancroft, the president and co-founder of startup Mobile Helix, says that there are two problems with focusing on the device: doing so adequately would inconvenience users and, even if those steps are taken, the approach doesn’t work. Bancroft tells IT Business Edge blogger Carl Weinschenk that protecting the data directly is the way to go.
Weinschenk: What to you is the context of the discussion on how to protect mobile devices?
Bancroft: The context is pretty much everybody today carries with them at least one mobile computing device, most more. They use them in every aspect of their personal life. It is an extension of themselves… There is a natural desire to use the same device for work.
Most businesses have hundreds if not thousands of apps they’ve developed over the last 20 years that employees use to do everything from the most mundane things to much more sophisticated things such as creating quotes, sharing material between team members and accessing sensitive product information. They use a broad range of apps, some developed in the enterprise and some by third parties. Those apps need to be accessible on personal devices. There are a bunch of security needs that need to be addressed.
Weinschenk: What should be considered?
Bancroft: The first thing to consider is the nature of the device. Mobile devices get lost or stolen. If you allow them to hold sensitive corporate information, there needs to be a mechanism in place to protect that device and a mechanism for keeping anything that is a threat from getting into the network.
Weinschenk: What are people discussing in the security world?
Bancroft: The most relevant debate in the industry is about the right security model. The fundamental question is: Do you achieve security by protecting the device or by protecting the data and not worrying about the device?
The traditional IT security model with PCs and computers is protecting the device and making it as secure as possible and therefore protecting the data and the network. That model starts with the device. You put antivirus, a firewall and layers of security on the device. The goal is to keep the device safe.
Weinschenk: What is your assessment of that?
Bancroft: Even though it is common practice, devices still are attacked and infected. So they are not safe. The mobile approach is to try to do the same thing by protecting the device. That is what mobile device management is all about. People say, “Let’s prevent people from doing risky things and scan the device and blacklist bad apps that we don’t want people to put on their own device. Let’s insist on some kind of password or PIN code that applies encryption using that PIN code.”
Weinschenk: What is the result?
Bancroft: Number one, they are unpopular with users and, number two, they don’t work.
Weinschenk: What is the alternative?
Bancroft: The intelligent approach is to start with the premise the device is not secure, yet the data on it is sensitive, and corporate information needs to remain secure and the device has to be sufficiently isolated from the network so that if it is infected it doesn’t matter.
There are companies beginning to promote data security, not device security. The talk in the industry is that this is a smarter way. Yet most companies are focusing on protecting devices by deploying MDM and not focusing on data.
Naturally MDM companies are evolving. MDM offers containerization. This partitions sensitive corporate data from personal data. That’s part of the right approach. I agree with that approach, but it is only part of the solution.