As a mobile security expert, I have a terrible confession to make: I have lost not one, but two mobile phones at various industry conferences.
Fortunately, they were thoroughly password-protected, backed up, et cetera, so no data was lost, but it underscores a big problem with mobile devices: they’re mobile.
Losing mobile devices isn’t a new problem. Ever since the first Blackberry was bestowed upon an employee, the fear of losing our mobile devices has been with us. (There’s even a name for the fear of not having your mobile device with you, nomophobia.) But mobility has become much more complicated in recent years.
For instance, IT is no longer the company-sanctioned dispenser of mobile devices; employees often dictate their own mobile preferences and bring their own devices into the mix. This opens a security can of worms for companies, which now have to worry about whether their employees are as conscientious about their mobile device security as, say, me. (Hint: They’re not.)
The cloud only compounds this problem.
Now you have employees accessing applications on someone else’s infrastructure from devices that you don’t control. Mobile device management (MDM) addresses part of the problem by enrolling and authenticating the devices that connect to your corporate applications. But what happens when, as I outlined in my introduction, an employee loses a device? A device that authenticates correctly proves only that it is the enrolled device, not that the person holding it is the trusted user they claim to be.
The fact that business applications often live in the cloud, rather than the corporate data center, means that enterprises need to expand their trust zones. To accomplish this, enterprises must extend their trust models to incorporate the concept of cloud identity management: a single, overarching system of identification that simplifies user authentication, authorization and access so that the secure login experience is consistent from cloud to cloud and app to app.
Solutions such as VMware’s Workspace ONE are designed to provide this “single-touch experience”: employees log in once and are authenticated against the enterprise directory without further password prompts for each application. (And we’ll talk more about those pesky passwords in a moment.)
Cloud identity management is also where mobile application management (MAM) becomes increasingly important.
MAM allows enterprises to set security policies at the level of an individual application. For example, you can specify which employees can access a given application, which devices they can access it from (and from where), and which other apps may receive data copied, pasted or shared out of it.
That may seem like overkill on the surface, but it’s important to remember that, in a cloud-enabled world, we don’t always know who is on the other end of that cloud. Allowing a device to have access to all of your corporate applications simply because you’ve authenticated that device is akin to giving anyone who rings your doorbell complete access to your entire home.
Now, I know what you’re thinking: “Great, more passwords and security protocols for people to grumble about.” But there’s a way to tighten cloud access without adding more manual steps. It’s called AirWatch Tunnel, a per-application virtual private network (VPN) solution from VMware that creates a VPN tunnel between a client device and a single application over the cloud, without any action from the user.
So, instead of a VPN client on the mobile device that grants broad access to your entire corporate intranet for weeks or months, you have a dynamically generated tunnel that allows a single device-to-application session and is torn down when that session ends. No extra passwords, no additional steps for the user to follow, and a lost device carries no standing path into the whole intranet.
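The following Python is an added example and not code from VMware, Workspace ONE or AirWatch Tunnel; the policy schema, the users, devices and requests, and the helper names (`evaluate`, `SessionGrant`, `may_share`) are all constructed here for illustration. It models the contrast drawn in the two passages above: the device-only model, in which any enrolled device is granted every application, beside per-application policies on user group, device posture, location and data-sharing targets, where a successful check yields a grant that reaches exactly one application and stops working when the session expires or is torn down.

```python
"""Per-application access control with session-scoped grants.

Added illustrative example, not VMware/Workspace ONE/AirWatch Tunnel code.
Every policy, user, device and request below is constructed for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool    # authenticated by MDM
    compliant: bool   # MDM reports a passcode set and storage encrypted


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device: Device
    app: str
    country: str      # where the request originates


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    share_targets: FrozenSet[str]   # apps that may receive copied/shared data
    require_compliant_device: bool = True
    session_ttl: timedelta = timedelta(minutes=30)


@dataclass
class SessionGrant:
    """A tunnel that reaches exactly one application and dies with the session."""
    user: str
    device_id: str
    app: str
    expires_at: datetime
    active: bool = True

    def permits(self, destination: str, now: datetime) -> bool:
        return self.active and destination == self.app and now < self.expires_at

    def tear_down(self) -> None:
        self.active = False


def device_only_decision(req: AccessRequest) -> bool:
    """The doorbell model: an enrolled device is granted every application."""
    return req.device.enrolled


def evaluate(policies: Dict[str, AppPolicy], req: AccessRequest,
             now: datetime) -> Optional[SessionGrant]:
    """Per-application policy: user, device posture and location must all pass."""
    policy = policies.get(req.app)
    if policy is None or not req.device.enrolled:
        return None
    if policy.require_compliant_device and not req.device.compliant:
        return None
    if not (req.groups & policy.allowed_groups):
        return None
    if req.country not in policy.allowed_countries:
        return None
    return SessionGrant(req.user, req.device.device_id, req.app,
                        now + policy.session_ttl)


def may_share(policies: Dict[str, AppPolicy], src_app: str, dst_app: str) -> bool:
    """Data-leakage control: may data leave src_app for dst_app via copy/paste/share?"""
    policy = policies.get(src_app)
    return policy is not None and dst_app in policy.share_targets


# Constructed sample data (not from any real deployment).
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), frozenset({"US"}), frozenset()),
    "wiki": AppPolicy(frozenset({"finance", "eng"}), frozenset({"US", "DE"}),
                      frozenset({"mail"}), require_compliant_device=False),
}
MANAGED = Device("d-100", enrolled=True, compliant=True)
NO_PASSCODE = Device("d-200", enrolled=True, compliant=False)
BYOD_UNENROLLED = Device("d-300", enrolled=False, compliant=False)
REQUESTS = {
    "alice_payroll_us": AccessRequest("alice", frozenset({"finance"}), MANAGED, "payroll", "US"),
    "alice_payroll_de": AccessRequest("alice", frozenset({"finance"}), MANAGED, "payroll", "DE"),
    "bob_payroll_us": AccessRequest("bob", frozenset({"eng"}), MANAGED, "payroll", "US"),
    "carol_payroll_nopin": AccessRequest("carol", frozenset({"finance"}), NO_PASSCODE, "payroll", "US"),
    "bob_wiki_de": AccessRequest("bob", frozenset({"eng"}), NO_PASSCODE, "wiki", "DE"),
    "dave_wiki_byod": AccessRequest("dave", frozenset({"eng"}), BYOD_UNENROLLED, "wiki", "US"),
}
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=31)   # just past the default session TTL

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        grant = evaluate(POLICIES, req, NOW)
        print(f"{name:22} device-only={device_only_decision(req)!s:5} "
              f"per-app={'allow' if grant else 'deny'}")
```

Note what the device-only check gets wrong: the device with no passcode and the engineer outside the finance group both pass it for payroll, because it only asks whether the device is enrolled. The per-application check denies both, and even an allowed grant is useless against any destination other than the one application it was issued for, or after its session has ended.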
Managing application access won’t, in and of itself, stop every intrusion into your network, but it limits the damage a successful one can do: an attacker holding a stolen device gets at most the applications its user was entitled to, for the length of a session, rather than the run of the intranet. Just as the cloud has enabled businesses to embrace mobility, it has emboldened attackers to use stolen mobile devices as a way into corporate intranets.
In a perfect world, of course, mobile devices would only go where we want them to go. Creating a secure digital workspace where mobile devices only access what we want them to access is a workable compromise between protection and perfection.