This article can also be found in the Premium Editorial Download "Information Security magazine: Insider edition: Layering mobile security for greater control."
Download it now to read this article plus other related content.
Application virtualization can reduce risks to mobile devices, but cloud computing could still foil plans for enterprise security. IT professionals need to deal with workers who use cloud-based file storage and productivity services for both personal and business purposes.
"Many security controls are abstracted away to a third party such as Amazon, who presumably has better resources than a small company to monitor and improve security," said Rohit Sethi, vice president of Security Compass, an IT security consulting company in Toronto.
Leaving security to cloud-based file storage service providers can lighten the load for IT departments that may not have the specialized skills required to administer certain aspects of the infrastructure, but it also takes control from the enterprise.
"Somebody else controls your data, which can lead to issues in the case of a breach," said Sethi. "You may not have the ability to shut down a server and/or obtain a copy of the hard drive for evidence, for example."
Foley & Lardner LLP, a global law firm in Milwaukee, uses a combination of cloud-based file storage services and virtualized desktops.
"Where the data is stored is not taken lightly," said Rick Varju, director of engineering and operations at Foley & Lardner. The company's document management system is stored in the cloud, with access available through a secure connection.
It's not just about technology
But deploying application virtualization and knowing where the data is stored are not enough.
"Oftentimes, the user is the weak link in the process," said David Glenn, executive vice president at IT consulting firm Creative Breakthroughs Inc. in Troy, Mich.
Mobile end users need to be educated on how to keep corporate data safe, and they should be held responsible for doing so. Employees who copy files into their personal cloud-based file storage services and then access them later for work can unintentionally introduce security breaches.
"CIOs have lost control over what applications employees are adopting to do their work," said Arif Janmohamed, a partner at Lightspeed Venture Partners in Menlo Park, Calif. There are thousands of "shadow IT" applications, he said, adding, "It's a compliance and data security leakage issue."
Lightspeed recently invested in Netskope, a software developer that analyzes a company's cloud-based applications and gives IT admins visibility into how, where and when workers use cloud applications.
"Most companies have no clue of what's going on in the cloud," said Sanjay Beri, CEO of Los Altos, Calif.-based Netskope. Traditional companies block the applications, he said, but it's better to use the app in a way that will not expose the company to security risks.
Despite all the measures that IT shops may take to incorporate mobile virtualization into their organizations, lost, stolen or hacked devices inevitably endanger sensitive data and systems.
"Make sure the data on those devices is protected in some way, which could mean remotely wiping the device or using encryption or password-protection technology," advised Foley & Lardner's Varju. "At least put a protective wrapper around the technology. BYOD initiatives are trying to solve the data protection and security problems that go along with the freedom of choice."
In addition, IT administrators can take steps to avoid problems by instituting data security policies and standards.
For example, have a single and unified view for policy identification, recommended Erik Frieberg, vice president of product marketing for end-user computing at VMware Inc. in Palo Alto, Calif.
"A lot of companies buy six or seven solutions, and [they have] directories and rights of employees," he said. "It's a management nightmare."
A mobile device management (MDM) strategy is essential to capturing the enterprise security prize.
"MDM is basic; managing the device is controlling what data [and applications] gets to the device," Frieberg said.
This was first published in November 2013