It’s surprising how quickly we get comfortable with our new mobile devices … and how quickly they can seem ‘old’.
Although I got my 4G Android only several months ago, it feels like I’ve had it much longer. And my first iPhone, purchased about 3 years ago, already seems like it is from another era. While wonderful for many consumers, this rapid rate of change of mobility has led to heartburn for many security professionals. As an example of the problem, the current phase of mobility – “The Consumerization of IT” – has quickly resulted in more confidential enterprise data residing on personally-owned phones and tablets than ever before. Typically the devices holding this data are not only unmanaged by the enterprise, they are not even registered within the enterprise.
So the perimeter-based boundaries that remain around our enterprises continue to be eroded by mobility, and as they become more malleable and ad-hoc, our information systems become increasingly vulnerable to attack. Like most systems in which security is an afterthought, many enterprises’ current approach to mobile security is ‘bolted-on after the fact’. Mobile devices are treated as miniature versions of desktop PCs, to be managed using lighter-weight versions of our desktop security services. A key limitation of this approach is that it applies static management methods to the highly dynamic realities of mobility; that is, it enforces a single policy on a mobile device whether it is in the workplace, at a customer site, at an employee’s home, in a foreign country, or somewhere in between. Given that the consumerization of IT really just started a couple of years ago, it is not surprising that our security architectures are still static and based on fixed perimeters, but now the time is right to roll out security architectures of the future which design in the realities of mobility from the beginning.
In secure enterprise architectures which account for mobility from their inception, mobile devices and their supporting network and cloud infrastructures will employ intelligent management that enables the system to automatically adapt to changing conditions. The devices and infrastructure need to automatically and dynamically adapt the enforced privileges of the mobile device user in a way that is consistent with security policies for the user’s location and context. Mechanisms for enforcing these dynamic policies will reside on the mobile device itself (i.e. the device’s personality and capabilities change with device location and context) and also within the supporting network infrastructure (i.e. network authentication and access control requirements will dynamically change for a user depending on their location and context).
Ideally, by the time you get your next smart phone, mobile security topologies will have become as adaptive as our devices are mobile and security professionals will feel some relief.
Daniel Madey is AirPatrol’s Senior Director of Products and Development.