What is less understood is how a whole tier of commonly available apps exist that represent a more covert threat to a security plan. As a result, building a strategy that comprehensively manages both the device and app side of potential threats is now essential, since it only takes failure at one end to compromise your organisation’s data.
A first consideration in this strategy is that many apps rely on “uncontrolled” repositories. This means they store device data in an area that can be accessed by both business and personal apps, sometimes in the cloud, sometimes on multiple pieces of hardware. The data problem with these repositories is that they can’t be controlled, managed or protected so it’s difficult to fully account for your businesses data. Yet in many ways, this is the epitome of the BYOD trend: a shared space that cannot be defined as solely business or personal in how it is used but its freedom has the potential to unlock great value to your organisation.
Navigating this challenge involves finding careful, intelligent methods to let employees use whatever device is convenient to access business data. Completely blocking such services isn’t necessary – it’s possible with more sophisticated solutions to take a more granular approach to try to target the data being shared itself. Increasingly, this preferable alternative lets the employee make the most of the app while mitigating against much of the potential risk for the business. And, when it comes to native apps like email, this approach really is the only feasible solution. The fact is, employees’ use of apps and the efficiency gains from working in new ways represent such a leap forward in productivity that they are worth embracing.
A second consideration when developing a security strategy involves assessing vulnerability at the stages before the app reaches your company. With iOS, your company should be relatively safe from malicious apps showing up in the App Store, thanks to Apple’s stringent policy for vetting submissions. On Android devices though, it’s much easier for your employees to install unsigned apps, and examples of Apps in the Google Play Store with malicious intent are becoming a more regular concern. The most important thing is to be prepared and able to deal with threats like this if they emerge. Being aware of announcements in the media and outside world about such potential vulnerabilities is a key part of this process.
To help create a data secure business environment, software and hardware is being developed to work together to split a device into two partitions, one for personal use and one for business use. The idea is that such a division leaves data far better protected, secure in a container that personal apps can’t access. This partitioning helps mitigate the security risk presented by apps, but it potentially ignores the important fact that there’s a balance to strike.
For example, a separation can cause user experience clashes and issues. An employee can end up creating a shortcut to a secure camera app that will then save pictures only to the secure picture roll, not showing up in the personal one. It begs the question: is this complexity for your employees going to create new problems?
By contrast, the way in which phone manufacturers are opening up application programming interfaces (APIs) in their operating systems to allow the creation of more secure apps is a much more subtle but effective approach. Examples such as Samsung’s SAFE and iOS7’s mobile device management features allow tremendous granularity of security management, and it’s not hard to imagine that security and manageability are key reasons these two are leading the pack in enterprise market share.
More than ever, it feels like hardware manufacturers, app developers and security specialists are managing to offer secure environments and convenient protection in the workplace. But the battle is far from over and the biggest danger of all can be if you believe you’ve already won. The only way to operate with confidence is to ensure you’ve created a business strategy that accommodates all of the above, but is aware and able to change as new threats appear. If you can manage that, you should be able to find the tools and partners that turn a potential threat into a source of real advantage.
Stephen Midgley, Vice President Global Marketing at Absolute Software