Mobility exploded onto the business scene during the past decade and, needless to say, is here to stay. Now, important and sensitive tasks are as likely to be performed on smartphones, tablets and other non-PC devices as on big machines sitting on office desks.
Security has been a bit of a game of catch-up. It is complicated by a couple of ongoing challenges: As with diet and exercise, people (and the companies for which they work) pay lip service to good security practice, but usually skimp, forget or get lazy. On top of that, the emergence of bring-your-own-device (BYOD) approaches has complicated things significantly.
But great progress has been made. SNS Research reported in September that the investment in mobile device and network security in 2013 alone will be $9 billion. This slideshow covers some of the latest techniques and approaches to bolstering mobile data security.
Encrypt Data at Rest and in Motion
Data is vulnerable both while it is in transit and when it arrives and is stored in a mobile device. For that reason, experts suggest encrypting both in transit and at rest.
Mobile applications can be isolated from the underlying device operating system and security precautions taken in case the device goes missing. In such a scenario, the application would not exist if an unauthorized person tried to access the network.
Mobile Device Management
Mobile Device Management (MDM) enables organizations to institute a consistent set of policies and security applications across their entire device holdings. Procedures, such as wiping data off lost or stolen devices, can be executed through MDM platforms. Increasingly, MDM is being combined with applications that protect the data and the communications channels between the device and the corporate network.
Mobile:Helix defines containerization as “a separate, partitioned and secure environment on a mobile device in which to run corporate applications and store related sensitive corporate data.” In other words, it is a discrete space in which the access rules and security are different – and, presumably, more stringent – than in other areas of the mobile device.
A piece at InformationWeek points to an HP study that found several problems on the server side of the connection with a mobile device. According to the story, Web backends to mobile networks feature flaws in application programming interfaces (APIs) and Web services, along with a lack of know-how in Web service or API security.
Passwords are challenged in a couple of ways: People tend to use numbers and words with which they are familiar, which hackers can find by perusing Facebook and public records, and passwords often are written down. Carnegie Mellon University is working on a mnemonic approach called person-action-object (PAO). In PAO, people make up absurd stories – Bill Gates swallowing a bicycle is the one used in the story – that enable creation of truly random passwords that users don’t need to write down.
Proper Session Management
A number of steps must be taken: Distrust of the client should be the default setting; encryption should be complete; sessions should terminate if not used within a limited amount of time; a secret should be shared between client and server; a request’s validity should be of limited duration; and requests should not be allowed to be automatically repeated or modified.
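The steps above can be combined into a single server-side check. The sketch below is an added example, not code from the original slideshow: the `Session`, `sign` and `verify` names, the 30-second validity window and the 5-minute idle timeout are all assumptions, and transport encryption (TLS) is assumed to be handled underneath.

```python
import hashlib
import hmac

MAX_SKEW = 30       # seconds a signed request stays valid (assumed value)
IDLE_TIMEOUT = 300  # seconds of inactivity before the session ends (assumed value)


class Session:
    """Server-side state for one client session (hypothetical design)."""

    def __init__(self, secret: bytes, now: float):
        self.secret = secret      # secret shared between client and server
        self.last_seen = now      # time of the last request that passed all checks
        self.seen_nonces = {}     # nonce -> request timestamp, for replay detection


def sign(secret: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """Client side: MAC over every field the server will act on.
    Fields are assumed not to contain newlines."""
    msg = "\n".join([method, path, str(ts), nonce,
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(s: Session, method, path, body, ts, nonce, mac, now) -> str:
    """Server side: nothing from the client is trusted until every check passes."""
    if now - s.last_seen > IDLE_TIMEOUT:
        return "session expired"
    expected = sign(s.secret, method, path, body, ts, nonce)
    if not hmac.compare_digest(expected, mac):
        return "bad signature"        # forged or modified request
    if abs(now - ts) > MAX_SKEW:
        return "stale request"        # validity window has elapsed
    # Nonces older than the window can be dropped: a replay that old is already stale.
    s.seen_nonces = {n: t for n, t in s.seen_nonces.items() if now - t <= MAX_SKEW}
    if nonce in s.seen_nonces:
        return "replayed request"
    s.seen_nonces[nonce] = ts
    s.last_seen = now
    return "ok"
```

Only a request that passes every check refreshes `last_seen`, so unauthenticated traffic cannot keep an idle session alive.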
Use Fully Formed Apps
Ensure mobile apps employ environmental and biometric sensors, and add device access control, content management and data loss prevention (DLP), encrypted data storage, and application management and security, among other layered features.
NetMotion suggests that key features of virtual private networks (VPNs) optimized for mobility include true application persistence, in which sessions are maintained through loss of connectivity, standards-based security such as two-tier authorization and FIPS 140-2 AES encryption, a centralized management console and wireless performance optimization.
PCMag’s latest test awarded eight antivirus vendors (avast!, Avira, ESET, Ikarus, Kaspersky, Kingsoft, TrendMicro and TrustGo) perfect scores of 13. The categories tested were protection, usability and extras. Eleven vendors got scores of 12.5 and two others got 12.