Turning Enterprise Security on its Head…

A data-centric rather than device-centric security model turns IT security on its head, but it leaves the enterprise more secure, and it is also more realistic and simpler to deploy and support.

We have talked about devices being treated as “tools” for employees and not IT infrastructure. That is a radical shift in thinking. A related concept that we also firmly believe is that security must focus on enterprise data and not devices. This concept is another radical shift in IT thinking.

Device security currently focuses on securing the endpoint or device. These device-centric models are flawed because:

• As soon as the device is compromised, the enterprise network is exposed, along with the data on the device and the data back in the network (see the jailbreak discussion below).
• Endpoint-based security creates separate architectures that become increasingly complex and unwieldy (for both mobile and fixed access), with ever more layers of solutions added to plug the next gap in the model (VPN, anti-virus, firewall, MDM, MAM, etc.).
• Increasingly, the device may not be owned by the enterprise; applying IT security policies to personal devices is fraught with issues and ultimately does not work.

A data-centric approach focuses on the actual enterprise data and/or applications. The model focuses on sensitive corporate data and creates a robust encryption barrier surrounding that data, both at rest and in transit. Data is protected regardless of the device operating system or device state (e.g., rooted/jailbroken, protected with a device management policy or not, etc.).

The model also aligns well with personally owned devices/BYOD because IT only looks to secure and control its own “assets” – the enterprise data and/or the enterprise apps. This is a much more collaborative and reasonable position to pitch to employees, whose support is critical for success.

A data-centric security model adheres to a few essential principles:

• All data must be encrypted, in transit and at rest, and all encryption keys must be generated from strong credentials that are device-independent.
• All encryption technology is implemented independently of the underlying device platform, ensuring that attacks on the OS don’t compromise the app/data.
• All sessions must be authenticated with strong credentials, and IT must be able to implement secure session management policies.
• All communications must be verified, end-to-end, precluding the possibility of unauthorized proxy access along the way.
• IT must have the tools available to implement the principle of least privilege. Data should be available to mobile employees who have a legitimate business case for using that data on a mobile device, and it should only be available under the circumstances (online/offline, location) justified by that business case.

To learn more:

• Please Join our Webinar with Maribel Lopez of Lopez Research on the 30th July.
• Our whitepaper on “Securing Corporate Data” goes into a lot more detail. Please click here to download the paper.

— Matt

A smarter approach to securing sensitive corporate data while increasing flexibility and reducing complexity. Too good to be true?

We are going to be talking about security a lot because we see some real issues with the current enterprise security models and we also have some smart and practical ideas about how to do it better. To help frame our thinking at the highest level, it all starts with a shift in focus to securing sensitive corporate data and not the device that is being used to access it. This shift is profound, and has impacts on the whole enterprise security paradigm.

Over the last 10 years, corporate IT has witnessed an astounding transition often called “consumerization”, but better termed “empowerment”, as individual employees have assumed the right to seek and adopt the tools that they need to best execute their jobs. Consumerization has had a profound impact on IT’s software infrastructure, and now its impact is extending to endpoint computing devices. Technology has arrived at the point where IT can cease to treat the various devices that employees use to interact with corporate data and applications as infrastructure, and can treat them as tools.

Infrastructure should be centrally managed and controlled by IT. However, the increasing device diversity in today’s endpoint computing market does not fit with a “command and control” model. Diversity in form factor and operating system encourages consumers (who are also employees) to adopt the devices that best fit their personal needs, budget and preferences. As such, IT’s preferences are becoming increasingly irrelevant, as employees find a way to bring their chosen tools to work – starting with mobile phones and then tablets and now leaking into other computing devices. Hence, IT needs to recognize that devices are tools, not infrastructure, and IT can (and should) embrace this transition.

Rethinking endpoint devices as tools requires two fundamental changes in thinking for corporate IT: (1) applications infrastructure must migrate to a ubiquitous platform, not a vendor or device-specific platform, and (2) endpoint security must focus on data, not devices.

Corporate applications, whether they are built in-house or by a third party, must operate on any device to enable employees to choose the best and most convenient device tools for their jobs. IT has already made great strides in this area – application infrastructure for “fixed” use has increasingly moved to the corporate intranet or, more recently, the cloud. The web and the browser are already a ubiquitous delivery vehicle. What has been missing is the full feature set required to power IT’s complete application stack across both fixed and mobile access and use, including sufficient performance, offline access, flexible and powerful graphics, and a complete client-side programming language.

HTML5 is very close to being that platform. Where gaps in the standard remain, PhoneGap (now Apache Cordova) is a viable, cross-platform, and open source option for closing those gaps through simple integration. Hence, with the browser as the target application platform, IT can build a unified applications suite targeting devices as varied as smartphones and desktops.

While HTML5 addresses the development and delivery of applications to any device, it does not necessarily secure the data. However, browsers do solve one of the most important aspects of endpoint security via the https protocol – browsers can ensure end-to-end trusted communication to the corporate network. Hence, a security solution for browsers is simply a matter of securing data at the endpoint and leveraging the features already available in the https protocol to ensure trusted communications.

Notice that device security plays no role in securing corporate data delivered through a browser. IT cannot keep up with the diversity of devices employees will demand while dragging along an expensive and complex software security stack (including anti-virus, personal firewalls, full-disk encryption, network access control, application whitelisting, mobile device management, etc.) to secure them. A more reasonable and effective goal than securing all devices touching corporate data is to secure all apps touching corporate data. The more those apps converge on the browser as the delivery platform, the more this challenge reduces to building a secure, cross-platform corporate browser. In brief, building a truly secure corporate browser requires:

• Full encryption of all client-side data
• Client and server validation using https’ certificate validation features
• Protecting access to corporate apps with a unified sign-in
• A comprehensive data policy engine built into the browser that allows policies for data sharing and offline access to travel with the data itself and be contextually aware
• App-level device-independent implementation of all critical security functionality to ensure that security is not compromised by a compromised device or operating system

A secure browser that enhances the rendering and communication features of a standard browser with the additional security features outlined above enables corporate IT to build a unified applications platform that extends across devices of all shapes and sizes without compromise in functionality, performance, or security. The endpoint device then transitions to a tool for employees to select, rather than another piece of infrastructure that must support the sanctioned IT software stack to ensure its acceptability in the corporate environment.

Mobile security is part of our mission at Mobile Helix. We provide our customers with highly secure solutions which allow their employees to meet and exceed the company’s business objectives. Our solutions support this approach to security – to find out more about them, please go to our website: www.mobilehelix.com

– Seth