Page 44 - Mobile Data Loss

although this anti-malware approach proactively protects against malware, the reactive approaches outlined should be used as well.

For data-in-motion, secure tunnels are recommended. While many organizations use VPNs on mobile devices as a carryover from their PC and laptop management, application tunnels or container-specific micro-VPNs provide arguably better security in a mobile deployment. Full-device VPNs typically allow all apps on the mobile device to access the enterprise private network. This is a concern because it may inadvertently allow malware to infest the enterprise network behind the firewall.

A fundamental approach across many of the mobile operating systems is a per-app VPN or application tunnel. This allows the administrator to be more selective about which apps are allowed to access the enterprise network; all other apps, including malicious apps, are blocked.

Strong authentication in mobile is typically delivered using certificates. Digital certificates have made a comeback with mobile devices. These devices fundamentally support certificates, which can be used for strong authentication to enterprise resources. This helps ease deployments, as an enterprise can avoid passwords that may change over time, cause confusion amongst users, and result in helpdesk calls. Certificates can be pushed down with a configuration profile (e.g., corporate email) and allow the user to securely access email. For those organizations concerned about storing certificates on the device, certificates can be stored in the container for access to sensitive services. More broadly, identity and access management may be a consideration for your organization.

Organizations also have concerns about users traveling and accessing the enterprise network over an insecure network, such as the open Wi-Fi at a local coffee shop. The user could become a victim of an interception or man-in-the-middle (MitM) attack. These attacks can target both unencrypted and encrypted data. Using the outlined controls of both per-app VPN and certificate-based authentication provides proactive controls that mitigate these threats by providing confidentiality and integrity.


REACTIVE CONTROLS AND PROTECTIONS

Reactive controls should be real-time or near-real-time.