Mobile computing is driving massive changes in both the role of IT and the way we do business. Unfortunately, the growing use and sophistication of mobile technology is occurring in parallel with an accelerating stream of privacy and mobile security issues.
Accelerating security breaches and privacy leaks should surprise no one, because frankly we face an environment that has not been seen before, for at least three reasons.
- The amount of data traversing our networks, passing through our data centers and transacting with our mobile devices is growing faster than we can measure it.
- By 2020, up to 30% of corporate data is forecast to bypass traditional perimeter security controls entirely, flowing directly from mobile devices to the cloud.
- Mobile is the new platform for innovation, replacing the conventions of the Windows desktop era.
Judging by my conversations with CIOs, it is becoming clear that they struggle to keep up. The pace of change is unprecedented. Compounding the problem, most CIOs and CSOs have been focused on capability, while the rest of the executive team, especially the CEO and the board of directors, is focused on outcomes.
It goes without saying that every traditional aspect of how the enterprise does business, and of how IT transforms itself into a profit center that drives business outcomes while still saddled with keeping systems alive and supporting end users, is under attack, or at least being rethought.
At the end of the day, time, not money, is a CIO's biggest enemy. The new corporate mandate for CIOs and their counterparts is to use technology to drive innovation, to manage risk and reward both internally and externally for business growth, and to thwart competitive and bad-actor threats. For many, the challenges brought about by mobile seem almost insurmountable because of the speed of change and the unknowns that create new risks and mobile security issues. That pace of change, together with the new dynamics of end-user computing, brings massive challenges to information security and end-user privacy.
National security and intelligence professionals have long used an analytical technique often associated with the Johari Window (originally a four-quadrant model of known and unknown information from psychology, developed by Luft and Ingham): sorting a problem into known knowns, known unknowns and unknown unknowns. I've used the concept to break a wide array of complex topics into more easily digestible pieces that can be understood and acted upon. Forcing a strategic problem like security into those three domains produces a brilliant distillation of quite complex matters, and mobile security issues are no exception. Let's take a look at my theories for applying it to mobility.
Known knowns:
- Mobile is driving a true evolution of every aspect of our business.
- Mobile devices are hostile to enterprise architectures.
- Data velocity is growing at a pace that we can barely measure, consume and analyze.
- By 2020, the mobile ecosystem will be upwards of 10 times bigger than the desktop ecosystem.
- Every mobile device has been or will be compromised, or at minimum emits a personal and corporate digital exhaust that flows into the public domain, where it can be exploited.
- BYO devices, sensors and applications are the norm, not the exception.
Known unknowns:
- We know that new attack vectors, methods and global actors are multiplying at an alarming pace. The unknowns are how they will evolve and where they will come from.
- We know that employees are inadvertently creating a digital exhaust of personal and corporate secrets. The extent of that data leakage and its ramifications are unknown.
- Most companies understand that mobile is the core of digital transformation and is driving the demand for business agility. The unknown is how to effect that transformation and how to navigate and balance the new risks of innovation.
- We know that existing perimeter security methods and local device techniques like MDM are not, on their own, effective tools against 21st century threats. What should replace or supplement them is still unknown.
Unknown unknowns:
- How should enterprises modernize their systems to be as agile as the people expected to use them?
- How will enterprises evolve their end-user computing environments to fully embrace multiple operating systems, application environments and device ownership models?
- Which new security models and methods will be most effective at defending enterprise information, thwarting attacks and providing the hygiene needed to protect employees, partners and customers?
To combat mobile security issues, enterprises should start now to develop a defense-in-depth strategy: a layered approach, built on a zero-trust model, to thwart the more sophisticated and high-velocity attacks being created not just by mobile but also by cloud and emerging IoT applications. CIOs should consider four strategies:
- Treat all mobile devices, including IoT sensors, as hostile threat vectors.
- Inspect the use of third-party APIs for data leakage, and sanitize what is allowed to leave.
- Move beyond Global Address List (GAL) access policies toward digital identity methods and digital rights management (DRM) solutions.
- Educate end users; at the end of the day, they are the guardians of the gate.
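The second strategy, inspecting third-party API use for data leakage, is concrete enough to show in code. The following is an added illustration, not code from the original article: a policy point (the kind of logic a forward proxy or API gateway would run) that sees each request an app makes to a third-party API, allows only reviewed hosts, scans the request body for data that must not leave (credentials, e-mail addresses, payment card numbers), and either redacts the matches or blocks the call. The hosts, patterns and sample request are constructed for the example; the card check uses the Luhn checksum so that timestamps and other long numbers are not mistaken for card numbers.

```python
"""Egress inspection of third-party API calls for data leakage.

Added illustrative example, not the article's code. All hosts, patterns
and the sample request below are constructed for demonstration.
"""
import json
import re
from dataclasses import dataclass, field

# Third-party API hosts the enterprise has reviewed and approved (constructed).
ALLOWED_HOSTS = {"api.analytics.example", "crashreports.example"}

# Detectors for data that must never leave in a request body (constructed
# patterns). More specific patterns come first.
DETECTORS = [
    ("api_key", re.compile(r"\b(?:sk|AKIA)[A-Za-z0-9_\-]{16,}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("card_number", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Used to separate real card numbers from other long numbers (timestamps,
    record IDs) that the card regex also matches.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                 # "allow", "redact" or "block"
    findings: list = field(default_factory=list)   # (label, matched value)
    body: str = ""              # body to forward (redacted when action == "redact")


def inspect_request(host: str, body: str, mode: str = "redact") -> Verdict:
    """Apply the egress policy to one outbound request.

    Unapproved hosts are always blocked. For approved hosts, sensitive data
    is redacted (mode="redact") or the whole call is refused (mode="block").
    """
    if host not in ALLOWED_HOSTS:
        return Verdict("block", [("unapproved_host", host)], body)

    findings = []
    cleaned = body
    for label, pattern in DETECTORS:
        for m in pattern.finditer(body):
            value = m.group(0)
            if label == "card_number":
                digits = re.sub(r"\D", "", value)
                if not luhn_ok(digits):
                    continue    # not a card number; leave it alone
            findings.append((label, value))
            cleaned = cleaned.replace(value, f"[REDACTED:{label}]")

    if not findings:
        return Verdict("allow", [], body)
    if mode == "block":
        return Verdict("block", findings, body)
    return Verdict("redact", findings, cleaned)


# Constructed sample: an analytics event an app would post to a third party.
# It carries an e-mail address, a card number, a secret key and a timestamp
# (the timestamp is 13 digits and must NOT be flagged as a card).
SAMPLE_HOST = "api.analytics.example"
SAMPLE_BODY = json.dumps({
    "event": "checkout",
    "user": "jane.doe@corp.example",
    "card": "4111 1111 1111 1111",
    "token": "sk_live_ABCDEFGHIJKLMNOP12",
    "ts": 1700000000000,
})


def run_sample(mode: str = "redact") -> Verdict:
    """Run the policy over the constructed sample request."""
    return inspect_request(SAMPLE_HOST, SAMPLE_BODY, mode)


if __name__ == "__main__":
    v = run_sample()
    print(v.action, [label for label, _ in v.findings])
    print(v.body)
```

In a real deployment the same logic sits where the traffic is, in a proxy or gateway that terminates TLS for managed apps; the detectors would be tuned per partner API, and findings would be logged to the SIEM so the extent of the "digital exhaust" discussed above stops being an unknown.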