As enterprises mobile-enable their applications, they are providing a variety of mobile devices to their workforce, who can access these applications from anywhere. Such proliferation of devices comes with certain associated risks.
- Device loss or theft: Physical loss of the device is the first risk; it leads to lost productivity and loss of sensitive data.
- Unauthorized network penetration: Since mobile devices provide a variety of network connectivity options like Bluetooth/Wi-Fi, they are easy targets for malicious attacks. Attackers who gain access to a mobile device may be able to impersonate a legitimate user and gain access to the corporate network.
- Intercepted or corrupted data: With so many business transactions taking place over mobile devices, there is always a concern that critical data could be intercepted along the path through the Internet cloud, via tapped phone lines or intercepted microwave transmissions.
- Malicious software: Though traditional desktop malware such as viruses, Trojan horses, and worms is not yet that significant on mobile devices, there is a growing consensus among security experts that mobile devices will be targeted.
- Unsupported or unsigned applications: Older applications that are no longer supported, while they may still work, are dangerous because they may be vulnerable to attack by new viruses. If an unsigned application is installed on a device, it could make changes to a device that would jeopardize its security.
LEVELS OF PROTECTION
Enterprises have matured in controlling and monitoring their desktop environments. To ensure a secure mobility platform, enterprises have to implement security systems, broadly, at two levels: the device and application level, and the network level.
Device & Application Level: Since devices are more vulnerable to physical loss, protecting the data on the device becomes critical. Options that can secure data at the device and application level are:
- Data encryption to conceal the data/content transmitted over the network
- Validation of user’s identity with passwords/biometric techniques
- Electronic signatures to authenticate the user
- Mutual authentication by both the communicating parties
- One-time password (OTP), which is regenerated for every session
- Device tracking using Global Positioning Systems (GPS)
Network Level: Security at the network level is more complex than at the device/application level, because it involves policy formation and compliance conformance. Options at the network level to guarantee security of the enterprise applications running on the mobile devices are:
- Filter and monitor Media Access Control (MAC)/Internet Protocol (IP) addresses when access to the server and application logs is requested from mobile devices. A policy permitting only a predefined device list into the network should be in place.
- Segment the network (WLAN/Service Set Identifiers (SSID)) for the devices of specific groups of people. Assign these specified devices, and permit them access, to the data required by that set of employees.
- The IT department should have visibility into the applications on employee-owned mobile devices (used for both personal and enterprise purposes). It should be able to control the installed and running applications on these devices over the network, to filter out unwanted/unauthorized applications.
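The first two network-level options above (a predefined device list, and per-group segmentation) can be combined into one access decision. The following Python sketch is an added example, not code from the original article; the device inventory, segment names, resource names and sample records are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed device inventory (hypothetical): MAC -> (assigned IP, segment).
ALLOWED_DEVICES = {
    "02:00:00:aa:bb:01": ("10.20.1.15", "sales"),
    "02:00:00:aa:bb:02": ("10.20.2.40", "finance"),
}
# Constructed policy (hypothetical): applications each segment may reach.
SEGMENT_RESOURCES = {"sales": {"crm"}, "finance": {"crm", "ledger"}}


@dataclass(frozen=True)
class Request:
    mac: str
    ip: str
    resource: str


def normalize_mac(mac: str) -> str:
    """Make 02-00-.. and 02:00:.. compare equal regardless of case."""
    return mac.strip().lower().replace("-", ":")


def evaluate(req: Request) -> str:
    """Return 'allow' or 'deny:<reason>' so every refusal can be logged."""
    entry = ALLOWED_DEVICES.get(normalize_mac(req.mac))
    if entry is None:
        return "deny:unknown-device"
    assigned_ip, segment = entry
    if req.ip != assigned_ip:
        # MAC and IP values are not strong identity on their own, so a
        # mismatch is a monitoring signal as well as a filter hit.
        return "deny:ip-mismatch"
    if req.resource not in SEGMENT_RESOURCES.get(segment, set()):
        return "deny:outside-segment"
    return "allow"


# Constructed access records standing in for server/application log entries.
SAMPLE_REQUESTS = [
    Request("02-00-00-AA-BB-01", "10.20.1.15", "crm"),     # listed, in segment
    Request("02:00:00:aa:bb:01", "10.20.1.15", "ledger"),  # listed, wrong segment
    Request("02:00:00:aa:bb:02", "10.20.9.99", "ledger"),  # listed MAC, other IP
    Request("02:00:00:cc:dd:07", "10.20.1.15", "crm"),     # not on the list
]


def audit(requests):
    """Pair each request with its verdict, in order."""
    return [(r, evaluate(r)) for r in requests]


if __name__ == "__main__":
    for req, verdict in audit(SAMPLE_REQUESTS):
        print(f"{req.mac} {req.ip} -> {req.resource}: {verdict}")
```

Because MAC and IP values alone do not prove which device is connecting, this check works best alongside the device-level options listed earlier, such as mutual authentication.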