Someone recently said to me, "With everything moving to the cloud, mobile device security really isn't going to matter anymore. Sensitive data will never be stored on the device.” The thinking is that sensitive corporate data will be centrally stored and not held on mobile devices. And with the proliferation of 3G and 4G networking, access should be available from almost anywhere. However, this doesn't mean that we no longer need to worry about security of the endpoint device.
When more and more applications became web-based, did we suddenly no longer have to worry about the security of the endpoint workstation or notebook computer? Certainly not. We aren't just talking about what happens if a device gets lost or stolen. There are still threats to the endpoint itself that, if not addressed, will leave the endpoint vulnerable. And a vulnerable endpoint can lead to the exposure of sensitive data.
But there's no sensitive data on the device, you might say. You'd be wrong. Most mobile applications store credential information on the mobile device. That, coupled with the often weak user authentication requirements of the typical mobile device is all that separates the bad guys from your data. Even if the data is primarily accessed only using a mobile web browser, it's highly likely that data is cached on the device for performance purposes.
Ultimately, success here is all about controlling the access and consumption of the data that you're making available to mobile users. Can you confirm without a doubt that the user is who they are, using an authorized device, and using the appropriate method to access this information? Do your access controls still apply if that data is stored on a mobile device? Great. Can you ensure the integrity of the hardware device, the operating system running on the device, the application used to access your information, the other applications running on that device, the communication protocol used to access information, and the 3G or 4G network itself? I bet you can't. And with the BYOD (bring your own device) movement just starting, most of these things are not within your control. You are just not going to be able to control everything and eliminate all risks.
But that doesn't mean you should do nothing at all. You need to understand what you can control and take measures to reasonably protect the remote device and the access method (hardware, software, communication protocols) and the data on it so that you're not putting the organization’s sensitive information at risk.
For more information, download this BYOD Webinar!