Mobile Device Security and the Cloud
Security of the endpoint, the mobile device, still important in a Cloud world.
Someone recently said to me, “With everything moving to the Cloud, mobile device security really isn’t going to matter anymore. Sensitive data will never be stored on the device.” The thinking is that sensitive corporate data will be centrally stored and not held on mobile devices. And with the proliferation of 3G and 4G networking, access should be available from almost anywhere.
However, this doesn’t mean that we no longer need to worry about security of the endpoint device.
When more and more applications became web-based, did we suddenly no longer have to worry about the security of the endpoint workstation or notebook computer? Certainly not. We aren’t just talking about what happens if a device gets lost or stolen. There are still threats to the endpoint itself that, if not addressed, will leave the endpoint vulnerable. And a vulnerable endpoint can lead to the exposure of sensitive data.
But there’s no sensitive data on the device, you might say. You’d be wrong. Most mobile applications store credential information on the mobile device. That, coupled with the often weak user authentication requirements of the typical mobile device is all that separates the bad guys from your data. Even if the data is primarily accessed only using a mobile web browser, it’s highly likely that data is cached on the device for performance purposes.
Ultimately, success here is all about controlling the access and consumption of the data that you’re making available to mobile users. Can you confirm without a doubt that the user is who they are, using an authorized device, and using the appropriate method to access this information? Do your access controls still apply if that data is stored on a mobile device? Great. Can you ensure the integrity of the hardware device, the operating system running on the device, the application used to access your information, the other applications running on that device, the communication protocol used to access information, and the 3G or 4G network itself?
I bet you can’t. And with the BYOD (bring your own device) movement just starting, most of these things are not within your control. You are just not going to be able to control everything and eliminate all risks.
But that doesn’t mean you should do nothing at all. You need to understand what you can control and take measures to reasonably protect the remote device, its data and the access method (hardware, software, communication protocols) so that you’re not putting the organization’s sensitive information at risk.
Ken SmithKen Smith is GreenPages Technology's Senior Security Solutions Architect and contributor to the journey to the cloud blog. He is responsible for developing information security strategies to help clients reduce risk and demonstrate due diligence in protecting their information assets. Ken has participated in hundreds of enterprise-scale security initiatives including security program development, PCI DSS security assessments, gap assessments, audits, corporate security policy development, vulnerability and risk analysis, sensitive data discovery, security countermeasure design, incident response, forensics, and penetration testing.