There is no question these days that mobile is a major security concern, both for individual users and for businesses deploying BYOD (bring your own device) programs. Many recent reports have highlighted a rise in mobile security threats, including one study that claimed mobile threats doubled from 2010 to 2011.
With the data security risk posed by mobile users, businesses must determine how best to protect company information in an environment that is no longer as contained as it once was. For IT departments, the question of securing the business comes down to a fundamental debate, according to Network World. The site recently featured a point/counterpoint series between industry experts Kevin Flynn and Lawrence Reusing to discuss whether mobile security efforts should be focused on the device or the network.
The case for focusing on network security
According to Flynn, a network security product manager, the network has historically been the most effective place to spearhead security efforts. While BYOD is now at the center of the discussion, the push from employees for IT to adopt new technologies has happened with various applications since the 1980s. IT departments can draw on the lessons from efforts to support desktop publishing applications, Internet adoption and Web 2.0 tools as they develop their mobile policy.
“Simply put, the network has always and will always be the final authority on what information goes to and from devices,” Flynn said.
He noted that a network-centric security approach is the easiest way for organizations to incorporate mobile into their existing architecture, as opposed to a strategy that tries to monitor individual users. The latter approach poses the problem of dealing with human behavior. Flynn cited a survey that found most Gen-Y workers consider BYOD to be a right and that almost a third would go against company security policies that forbid using their device at work.
Not only might IT be fighting against users by trying to handle mobile security on a device-by-device basis, but this approach is more technically challenging, Flynn said. The wide range of mobile platforms and operating systems complicates standardization, as even the same mobile device management software can offer different levels of security when installed across multiple devices. He argued that the most effective data protection plan must therefore begin with the standardization provided by securing the network.
The case for focusing on device security
For Lawrence Reusing, a mobile data security manager, the focus on mobile security should begin with the device itself, even though a layered approach that incorporates network security is likely the best practice.
At the crux of the issue is that mobile devices and laptops all provide individual access points to a company’s network, and, particularly as the number of mobile workers rises, these provide a huge number of potential pain points. Many mobile employees work from unsecured networks at places like coffee shops, Reusing noted, which could quickly place corporate resources in harm’s way.
“Strong on-device security is a must,” Reusing said, pointing out that content-level encryption is an important, effective form of protection against most threats. Acknowledging that it cannot protect against every threat, Reusing advocated for multi-layer authentication in order to provide as many security roadblocks as possible.
However, Reusing pointed out, human behavior is the biggest threat, and endpoint security solutions need to anticipate users making the easiest choices. Automatic encryption and mobile device management software are important components in a device security plan, he said.
“Mobile device security too often takes a back seat when IT takes up the challenge of securing the network,” Reusing wrote. “While network security and device security must work in tandem, security should start with the end point in mind.”
Data Security News from SimplySecurity.com by Trend Micro.