Workplace mobility has become essential. As workforces shift to remote and work-from-home arrangements, employees and freelance contractors alike handle confidential information outside the office. Even though online collaboration has skyrocketed, clients may still require on-site visits, and complex projects are typically easier to execute in person, so employees travel far and for extended periods.
With so much corporate data now crossing the public internet, mobile security is more important than ever. Here is a brief look at why security is needed and how Enterprise Mobility Management (EMM) technologies handle it. Implementing a broad range of EMM solutions, including virtual mobility solutions (VMS), provides holistic security coverage.
Cybersecurity is a Necessity
Every head of IT or CTO knows how important security is to the organization. Unfortunately, IT security rarely drives sales and is often placed on the back burner.
In the SME context, small businesses tend to forgo security until budgets allow for it. Large enterprises spend more, but there is little consensus across the industry on how much is enough. According to a Boston Consulting Group (BCG) survey, the average security budget, as a percentage of total IT spending, ranges from 3.7% to 10%. That spread is only 6.3 percentage points, but the upper figure is nearly three times the lower one, pointing to little conformity and making strategy difficult.
On the other hand, governments often demand security, but legislative solutions tend to take time, and according to the same BCG survey, private companies lack regulatory guidelines.
In the meantime, a lack of security and improper implementation can be costly.
The IBM and Ponemon Institute Cost of a Data Breach report put the average cost of a breach at 3.92 million USD in 2019. The same study estimated the likelihood of an organization suffering a breach within two years at nearly 30%, and only about half of the breaches studied were malicious attacks. The other half stemmed from human and system errors, such as accidentally exposing AWS S3 buckets or GitHub repositories to the internet; attackers need only find them lying open to take advantage.
The same investigation found a mean time to identify a breach of more than 200 days and a total breach lifecycle (identification plus containment) of nearly 280 days. On top of that, in highly regulated industries, particularly healthcare and financial services, the long-tail costs stretch from months into years as investigations drag on and uncover more offenses.
How EMM Components Handle Security
Security is an essential part of any IT framework, and each component of the EMM universe handles security for the enterprise in a different way. Many of the distinguishing characteristics of each element are definable in terms of their security impacts. Most applications are a combination of these components.
Full Permissions and Control – Mobile Device Management
Mobile Device Management (MDM) handles security at the device level. With it, a remote IT team can access a device's data and location, enforce configuration, and patch vulnerabilities through forced updates. A lost or stolen device can be remotely locked or wiped (colloquially, "bricked"), leaving it unusable to whoever holds it.
While MDM can be a viable option in some cases, it is not a plug-and-play solution. Full-system access brings on-going maintenance, monitoring, and fixes: policy and update rollouts are frequent, and the management back-end has to keep up with the whole fleet. In BYOD programs, MDM permissions can be hard to obtain, and the system often struggles to distinguish company files from personal data.
MDM also raises adoption and privacy concerns for employees, because the IT department controls their personal device. After a corporate data breach, a remote wipe can mean a devastating loss of personal photos and messages. Many end-users reject MDM solutions outright and either resist or circumvent them.
Mobile App Management
Mobile App Management (MAM) is the usual option for organizations running BYOD programs. In MAM, the apps, not the device, are the focus. MAM uses ringfencing (containerization) to separate an app's content and actions from the rest of the device, and to keep non-corporate apps away from corporate resources. For example, the corporate app can reach company servers and in-office computers, while a similar but unapproved remote-access program is refused.
MAM security controls include password-protecting the apps, blocking corporate apps that are awaiting updates, monitoring usage to flag unusual behavior, and restricting apps from connecting over unapproved networks.
Password-protecting apps is the first line of defense against impersonation and can be combined with hardware-based one-time passwords (OTPs) for further protection. Blocking an app until it has been updated to a version without known vulnerabilities prevents those vulnerabilities from being exploited. Because only the corporate apps are restricted, users can run their other programs without issue.
A similar blocking technique ensures corporate apps only function when connected to specific pre-approved networks. Since the app is under corporate control, its usage is easily monitored to identify suspicious behavior.
Essential Data – Mobile Information/Content Management
Mobile Content Management (MCM), also known as Mobile Information Management (the initialism MIM is also used for Mobile Identity Management below, so this article uses MCM here), protects a remote device's data. Where MAM controls access to computing and data resources and ringfences content and actions, MCM manages the data itself, both where it is stored and while it moves.
When guarding sensitive information, encryption is critical. Many MAM implementations store at least some sensitive data on employee devices, and encryption protects that "data-at-rest": if a device is stolen, reading its storage directly yields only ciphertext, provided the key lives in the device's hardware-backed keystore rather than beside the data. Encryption in TLS (HTTPS) and VPN tunnels likewise protects data-in-motion as it travels down the wire and over the air. Encrypting traveling data should be a top priority in cybersecurity.
Access restrictions form another leg of MCM. In companies where employees wear many hats, it is best to limit each person's data access to what their current role needs, and to audit entitlements frequently so teams are not trapped in quickly outdated access silos.
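The data-at-rest protection described above, as an added example that is not code from the original article or from any EMM vendor: a corporate app seals its local cache with AES-256-GCM so that a copy of the device's storage yields only ciphertext, and any edit to the stored bytes is rejected on load. The `keystoreKey` helper and the record names are hypothetical; a real app would fetch the key from the platform keystore rather than generating it in memory.

```go
// Added example (not code from the original article): authenticated encryption
// of an app's local cache. Reading the handset's storage yields only ciphertext,
// and any tampering with the stored bytes is detected when the record is opened.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keystoreKey is a hypothetical stand-in for a key obtained from the platform's
// hardware-backed keystore. Here it is random bytes held only in memory and
// never written next to the data.
func keystoreKey() ([]byte, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A fresh 12-byte nonce is prepended
// to the ciphertext, and the record name is bound as associated data so a blob
// copied from one record cannot be replayed as another.
func Seal(key, plaintext []byte, record string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(record)), nil
}

// Open reverses Seal and fails closed if the blob was modified, the key is
// wrong, or the record name does not match the one it was sealed under.
func Open(key, blob []byte, record string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(record))
}

// RoundTrip seals a record, checks it opens back to the same plaintext, and
// checks that flipping one stored byte (an attacker editing the file) is rejected.
func RoundTrip(key []byte, plaintext, record string) (opensOK, tamperRejected bool, err error) {
	blob, err := Seal(key, []byte(plaintext), record)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, blob, record)
	if err != nil {
		return false, false, err
	}
	opensOK = string(got) == plaintext
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last byte of the GCM tag
	_, err = Open(key, tampered, record)
	tamperRejected = err != nil
	return opensOK, tamperRejected, nil
}

func main() {
	key, err := keystoreKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration.
	opens, rejected, err := RoundTrip(key, "patient 4471: HbA1c 7.2%", "cache/record-4471")
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypts with key:", opens, "| tampering rejected:", rejected)
}
```

Binding the record name as associated data matters on a device that multiple apps or users share: without it, an attacker who can swap files in the cache directory could present one record's ciphertext under another record's name and it would decrypt cleanly.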
Who’s There? – Mobile Identity Management
Traditional authentication factors, like passwords and security questions, are only part of the Mobile Identity Management (MIM) package. Context-aware identity management lets an organization restrict access based on known geolocations, networks, and behavior. These checks can run in apps on the device or remotely on the server side. Using a tablet or smartphone's device fingerprint or identifier, internal systems can grant or deny access against an allowlist of registered devices; requiring employees to register their devices before getting remote access is a relatively minor hurdle for an appreciable security benefit.
Geolocation can be checked server-side, though network restrictions may need to be implemented via MAM (for example, the installed app can refuse to connect over non-approved Wi-Fi networks). A determined attacker can spoof location and network details to circumvent these measures, so they are one more barrier against malicious action rather than a guarantee.
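The MAM controls (minimum app version, approved networks, monitored usage) and the context-aware MIM checks (registered devices, geolocation, behavior) described in the two sections above come together in one policy decision. The following is an added example, not code from the original article or from any EMM product: a policy evaluator that a corporate app or server could run before granting access. All names, thresholds, coordinates and sample requests are hypothetical, and it reports every failed check rather than stopping at the first so an administrator sees the full picture.

```go
// Added example (not code from the original article): a context-aware access
// policy of the kind MAM and MIM enforce. Names, thresholds and sample values
// are hypothetical.
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// AccessRequest is what is known about one attempt to reach a corporate resource.
type AccessRequest struct {
	DeviceID       string  // identifier registered at enrollment
	AppVersion     string  // e.g. "2.4.1"
	SSID           string  // Wi-Fi network the handset reports
	Lat, Lon       float64 // reported geolocation (device-supplied, so spoofable)
	Authenticated  bool    // app password plus OTP already verified
	LoginsLastHour int     // simple behavioral signal
}

// Policy is the configuration the enterprise pushes to the app or server.
type Policy struct {
	RegisteredDevices    map[string]bool
	MinAppVersion        string // builds older than this carry known vulnerabilities
	ApprovedSSIDs        map[string]bool
	OfficeLat, OfficeLon float64
	MaxDistanceKm        float64
	MaxLoginsPerHour     int
}

// SamplePolicy is a constructed policy for the demonstration.
func SamplePolicy() Policy {
	return Policy{
		RegisteredDevices: map[string]bool{"dev-7f3a": true, "dev-91c0": true},
		MinAppVersion:     "2.4.0",
		ApprovedSSIDs:     map[string]bool{"corp-secure": true, "corp-guest-vpn": true},
		OfficeLat:         42.3601, // hypothetical approved site (Boston)
		OfficeLon:         -71.0589,
		MaxDistanceKm:     50,
		MaxLoginsPerHour:  10,
	}
}

// Evaluate returns whether access is allowed and every check that failed.
func Evaluate(p Policy, r AccessRequest) (bool, []string) {
	var reasons []string
	if !r.Authenticated {
		reasons = append(reasons, "app authentication (password/OTP) not completed")
	}
	if !p.RegisteredDevices[r.DeviceID] {
		reasons = append(reasons, "device "+r.DeviceID+" not registered")
	}
	if versionLess(r.AppVersion, p.MinAppVersion) {
		reasons = append(reasons, "app version "+r.AppVersion+" below minimum "+p.MinAppVersion+"; update required")
	}
	if !p.ApprovedSSIDs[r.SSID] {
		reasons = append(reasons, "network "+strconv.Quote(r.SSID)+" not approved")
	}
	if d := distanceKm(r.Lat, r.Lon, p.OfficeLat, p.OfficeLon); d > p.MaxDistanceKm {
		reasons = append(reasons, fmt.Sprintf("location %.0f km from approved site (limit %.0f km)", d, p.MaxDistanceKm))
	}
	if r.LoginsLastHour > p.MaxLoginsPerHour {
		reasons = append(reasons, "unusual login rate")
	}
	return len(reasons) == 0, reasons
}

// versionLess compares dotted numeric versions component by component,
// treating missing trailing components as zero ("2.4" == "2.4.0").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// distanceKm is the great-circle (haversine) distance between two points.
func distanceKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadiusKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

func main() {
	// Constructed request: registered device, outdated app, cafe Wi-Fi, far from the site.
	req := AccessRequest{DeviceID: "dev-7f3a", AppVersion: "2.3.9", SSID: "cafe-wifi",
		Lat: 40.7128, Lon: -74.0060, Authenticated: true, LoginsLastHour: 3}
	ok, reasons := Evaluate(SamplePolicy(), req)
	fmt.Println("allowed:", ok)
	for _, why := range reasons {
		fmt.Println(" -", why)
	}
}
```

Note which inputs each side can trust: the device-reported SSID and coordinates are exactly the values the preceding paragraph says an attacker can spoof, so a server-side evaluator should weight them as signals and rely on things it observes itself (the registered device identity, the authenticated session, the login rate) for the hard deny.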
Virtual Mobility Solutions in the EMM Constellation
Virtual Mobility Solutions (VMSs) turn the EMM components into a virtual version. Instead of managing apps, content, and identity on the handset, VMS moves the entire mobile device into the cloud or onto corporate premises as a virtual device.
VMS brings considerable benefits to data access control. The virtual device runs containerized on corporate servers, leaving almost nothing on the employee's handset. Updates and patches go out without touching the employee device. Containerization allows data siloing: each container is granted access only to the specific databases configured for it on the corporate server. IT teams can enforce read-only access, and monitoring of user actions becomes a server-local task.
Identity management is also pushed on-premises. Some on-device identity management can still provide a barrier (such as requiring a passcode to unlock the smartphone), but responsibilities like checking networks, monitoring behavior, and other MIM duties move to the server.
The VMS design also protects data in a way the other components cannot. Instead of storing and processing data on the local device, everything is stored and processed in the virtual device. Only rendered screen images are streamed to the client, which uses a viewer window to "see into" the remote container. A memory dump of the handset therefore yields at most the pixels of whatever was on screen, not the documents, databases, or credentials behind them.
VMS is an excellent step forward into the era of the cloud. The security benefits draw from multiple EMM components and exist in a single framework. Hypori aids its users in transitioning to secure, cloud-focused EMM. With Hypori’s highly secure, centrally managed, reduced-cost virtual mobility solution, organizations benefit from willingly adopted BYOD programs that maintain 100% separation of personal and enterprise data. Learn more about how Hypori can help industries move to convenient, confidential cloud-based data management.