“Cloud computing and mobile computing are parallel developments because both, in some way, involve moving applications and data from the client to the server,” said Tony Iams, senior vice president at analyst firm Ideas.
But that doesn’t mean security issues are identical.
“Running business apps on mobile devices, especially when companies are thinking about BYOD [bring your own device], opens up a whole new can of worms with respect to security,” said Kamesh Pemmaraju, analyst at the Sand Hill Group.
What has changed in the move from laptops to mobile devices is that, instead of intruders attacking Windows OS, for example, they now have to know multiple mobile platforms -- iOS, Android, Windows mobile, etc. But this diversity among mobile devices not only complicates life for hackers, it also complicates life for IT administrators.
BYOD compounds security issues because employees use a single personal device to access both personal and corporate data. To make sure apps are secure, mobile devices need to be centrally administered, centrally managed and provisioned, added Pemmaraju. Private clouds are built to provide centralized management control, most often from a single management console, over various pools of resources, such as servers, storage, etc. This central control expands naturally to mobile device protection and authentication for application protection.
Mobile security must extend beyond the device
Mobile device security should start with on-device protection, ensuring that end users enter a password to access the device. But protection needs to spread beyond that -- to applications and data. IT teams must ensure mobile devices aren’t being used to access sensitive information or remote corporate databases.
Running business apps on mobile devices, especially when companies are thinking about BYOD, opens up a whole new can of worms with respect to security.
Kamesh Pemmaraju, analyst at the Sand Hill Group
Experts recommend the bare minimum for mobile device security should include a firewall, anti-malware, strong passwords, lock-out and data removal after multiple failed logins, as well as the use of gateways between mobile devices and the enterprise network. Additionally, any mobile-based application that accesses corporate data should be stored in the cloud, with centralized security provided by the cloud provider.
Mobile device management (MDM) tools can help centrally secure devices. In a cloud environment, MDM tools can extend the centralized cloud security policy to mobile devices, giving IT a single comprehensive security policy for all enterprise devices. MDM tools such as those from Sybase, MobileIron and Symantec can unify security measures across disparate mobile devices.
In addition, some enterprises use hypervisors on mobile devices to isolate personal data from corporate data and to remotely wipe lost devices. MDM tools can also perform a remote wipe of data if a device is lost or stolen.
Identify weak links in mobile cloud and plan ahead
Even mobile apps built specifically with security in mind are at risk. In many instances, end users are security's weak link; the best-written app with the highest levels of security can be brought down with a single download.
In the case of BYOD, end users download applications from app stores and run them on devices that also access corporate data. End users trust that app stores are secure, even though certain applications within them can be nothing more than malware. Therefore, limiting access to back-office applications and data is critical.
Marcus & Millichap, a large commercial real-estate firm headquartered in Calabasas, Calif., prohibits across-the-board access to corporate databases via mobile devices. Real estate agents at the company can only view secured data, inventory, information on buildings for sale and research reports via a Cisco VPN and a Web browser running on a mobile device. The company prohibits end users from changing data from their devices.
Marcus & Millichap uses a downloadable iPhone/Android application that lets end users collaborate through email with other agents and brokers. The app does not have secure layers, so it only allows communication among loan originators and other agents via text message or email.
Identify at-risk data early on, advise some mobile cloud security experts. Monitor traffic on networks to identify content that’s sent across communication channels (data in motion), scan storage to identify where sensitive data is located (data at rest), monitor data as end users interact with it (data in use) and alert users if data is sent to an unauthorized device.
Creating mobile security policies can be difficult, especially with BYOD. But nearly all polices should include rules about the number of devices employees can sync, limitations on which apps employees can download and rules about connecting to corporate internal networks via mobile devices.
If you plan to integrate mobile devices into the enterprise, include the following policies and technologies to ward off hackers and prevent mission-critical data loss:
- Data encryption
- Password logins
- Authentication for corporate application use
- Mobile device management (MDM) tools that extend corporate security policies to mobile device usage and can remotely wipe devices
- Activity monitoring and logging to identify security issues
- Separating employee information from corporate information
- Using VPNs to access corporate data
The mobile device explosion is perfect for cloud in terms of administering and managing backend support, said Pemmaraju. “Many enterprises have not gotten to the cloud stage, yet mobile is simmering on the horizon,” he added. “Mobile will accelerate corporations moving to the cloud. Separating out personal from corporate on the mobile device is extremely important.”
Bill Claybrook is a marketing research analyst with over 35 years of experience in the computer industry with the last dozen years in Linux, open source and cloud computing. Bill was research director, Linux and Open Source, at The Aberdeen Group in Boston and a competitive analyst/Linux product marketing manager at Novell. He is currently president of New River Marketing Research and Directions on Red Hat. He holds a Ph.D. in computer science.