Why a structured approach to security cuts mobility risks

IT leaders are facing an uphill task overcoming security problems stemming from supporting bring-your-own-device (BYOD) and enterprise mobility amid an explosion of personal devices and applications accessing the network.

Alarming statistics from Dimension Data’s recent Secure Enterprise Mobility Report reveal that 90% of survey respondents do not have the capability to stop employees using their personal mobile devices to access enterprise systems on their own. And while a massive 82% of respondents allow employees to use personal devices and applications for work, only 32% have conducted security audits of applications touched by mobile devices.

Earlier this year, Check Point Software Technologies Ltd’s second mobile security report revealed that almost 80% of businesses the company surveyed had a mobile security incident in the past year. These incidents tallied up to over six figures for 42% of businesses, including 16% who suffered damages that cost more than US$500,000.

Despite the potentially hefty losses, 63% of businesses still do not manage corporate information on personal devices, while 93% face challenges adopting BYOD policies. Nonetheless, more than half of the businesses Check Point surveyed report sensitive customer information stored on mobile devices, up from 47% last year.

Adding to the security challenge is the rollout of 4G LTE networks and devices, which introduce more IP-based communications to mobile infrastructures, making them vulnerable to Internet-based attacks. Practices such as consuming public cloud services from a mobile device, and an employee bringing work home, also increase the risk of corporate data leakage.

To help businesses bolster their security posture and protect critical data, Dimension Data has combined its integration, support and operational expertise with Check Point’s advanced technologies, from firewalls to innovative software blade offerings. Both companies have worked together for more than a decade.

Method and structure

Instead of pushing products, Dimension Data encourages organizations integrating mobile solutions to manage information security risks through a consistent cycle of governance, risk and compliance (GRC); policy and procedure; technical controls and implementation; and finally, testing and assessment.

Mobility affects many aspects of a company’s information security architecture, so the company must first incorporate data security in all aspects of risk assessment and evaluation, as well as compliance efforts. Then, with a detailed understanding of the risk profile and implications of mobility solutions on data security governance, the company reviews and refreshes its policies and procedures to cater for them.

After policy has been aligned with the GRC drivers, the organization can develop technical security policies and controls to enforce these policies and deploy them to mobile devices. With technical controls in place, organizations should assess the mobility solution and endpoints to highlight and demonstrate any vulnerabilities and flaws that may have been overlooked.

“We have a framework and a methodology behind this approach,” says Neville Burdan, general manager of Platforms and Applications at Dimension Data’s Solutions Development Group. “Clients typically come to us based on their need in one of these interlinked areas.”

Dimension Data’s consulting methodology brings greater clarity and holistic awareness among people and processes for secure mobility via the following stages:

  • Gather information on requirements
  • Develop goal and purpose, scope and use case
  • Update existing risk assessment and recommend new security policy and compliance procedures
  • Develop the system architecture
  • Develop implementation plan and next steps

End-to-end coverage

Check Point, meanwhile, has developed end-to-end solutions that protect not only the network but also the data, wherever it may be – in the cloud or on the mobile device.

On an unmanaged mobile device, for example, installing the Check Point Mobile app creates a secure container and enables secure VPN access to corporate web applications, files and Microsoft Exchange servers.

“For managed devices, we have the Check Point Endpoint Security Software Blade,” says Itai Greenberg, product line manager at Check Point Software Technologies. “You get the same level of security on the security gateway as on your client – the same IPS, anti-virus application, etc.”

With the Check Point Software Blade Architecture, organizations can simply fulfill specific business needs from a selection of predefined turnkey security solutions.

At the corporate data center, the Mobile Access Software Blade, for example, provides “enterprise-grade remote access via both Layer-3 VPN and SSL VPN, allowing users simple and secure connectivity to their email, calendar, contacts and corporate applications,” Greenberg adds.

Check Point has also established ties with telcos to secure the infrastructure between end users’ mobile devices and their companies’ corporate networks. The Check Point Carrier-Grade unified platform protects 3G and 4G LTE network infrastructures, enabling telcos to secure all interfaces including radio access, Internet and roaming. The scalable platform’s advanced inspection and security for LTE protocols combat sophisticated attacks such as spoofing, DDoS, signaling storm, over-billing attacks and malware.

“We are also inspecting all the traffic and making sure that the traffic meets security or compliance requirements,” says Greenberg. “We’ve done the same with the roaming network for many years and we now support the new LTE protocols. We narrow down the security risks on those protocols.”

“Enterprise mobility is an end-to-end solution from platforms, apps, security and connectivity through to the end devices,” says Burdan. “Users have their personal choice of iOS, Android or Windows Phone. We just need to work out what the business needs to manage.”