Addressing Mobile Data Security (Part 2)
In Part 1 of this series, we explored how the increasing cost of data breaches coupled with the risk of increased mobility poses formidable challenges for IT-based organizations. The post discussed how MDM/MAM solutions can help to provide a basic level of protection, but fall short in certain key areas. In particular, MDM and MAM solutions do a poor job of providing application-level security unless organizations choose to rebuild or recode their applications. Organizations should complement their MDM/MAM deployments with solutions that use strong encryption and digital signatures to protect their sensitive data.
Using strong encryption and digital signatures can add another layer of protection if a mobile device containing sensitive data is lost or stolen. MDM/MAM solutions typically provide remote wipe of the device in the event of loss or theft. However, because this feature works at the device level, it erases all data on the device, including the end user’s personal data. This lack of granularity in MDM solutions is often cited as a barrier to end user adoption of corporate BYOD programs.
An ideal solution instead would be to manage cryptographic data security, maintain separation between personal and professional data, and constrain the scope of the remote wipe capability to the organization’s proprietary data, leaving the end user’s personal data untouched. In addition, this approach would potentially address the privacy concerns many users have about turning their personal devices over to the control of their employer’s IT department.
Another growing threat to mobile data security is the explosion in mobile malware and network-borne threats. These are further areas in which MDM solutions fall short. Because an MDM solution works at the device level, if mobile malware manages to get onto the device, it can access and exfiltrate proprietary data on the device. If the device is connected via a device-wide IPsec VPN to data center assets, the malware could potentially spread to, or gain access to, data center resources as well. If the data were instead secured using fine-grained encryption (i.e., each data chunk encrypted with its own unique, full-length key), a malware data thief would have a very difficult time recovering anything useful in a timely manner.
Similarly, if a user connects to the internet via an insecure Wi-Fi hotspot, all proprietary data should be encrypted on the wire, or else a man-in-the-middle attacker may gain unauthorized access to sensitive data. An application-level VPN can help to protect data in motion from this sort of threat. Unlike a device-wide VPN policy, an application-level VPN can be managed by an MDM solution so that other applications on the device are prevented from accessing intranet resources.
Managing devices can provide a minimum baseline for security compliance. However, organizations should focus instead on deep security of their applications and data itself, regardless of whether it resides on IT-issued or user-owned devices. This data-centric approach is especially important in scenarios where non-employee collaborators such as partners, contractors, and consultants require access to sensitive data.
In these scenarios, MDM/MAM solutions are particularly ineffective because IT cannot realistically mandate that these external entities subscribe to its particular MDM/MAM policies and applications. By combining encrypted storage with encrypted transmission at the application layer, an organization can help to ensure that its data is managed and kept as safe as possible from potential security threats. The solution should provide these benefits even when the data is accessed by authorized business collaborators, such as partners and contractors, who are not subject to corporate IT policies.
To learn more about how Sencha solutions can help to address mobile data security challenges, please click here.