Enterprises are struggling with the consumerization of Information Technology (IT). With the proliferation of mobile devices like smart phones, personal digital assistants (PDAs), tablets, net books, etc. within the enterprise, IT administrators can no longer ignore these devices as outside their scope of responsibility. Of note, smart phones, tablets, etc. are now as powerful as laptops. Employees can access corporate data and the Internet through wireless networks such as Wi-Fi hotspots or cellular 3G/4G that are not controlled by IT. With many corporate applications being hosted in the cloud, the risk is even higher. Ensuring the security of corporate data is no longer a matter of deploying adequate measures within the organization. It is imperative that security and policy travel with the employee wherever they are and whatever type of device they use. Furthermore, unlike the personal computer (PC) world that is dominated by a few main operating systems, the number of platforms and device form-factors for mobile devices is much higher, as is their churn rate. IT needs a solution that is easy to deploy, supports multiple mobile platforms and provides consistent user policy enforcement across computers and mobile devices.
There are two primary mobile device security challenges that affect IT organizations as the proliferation and adoption of mobile devices increases within enterprises. The first challenge is that the line between enterprise and personal usage is blurred on mobile devices. These devices run the gamut of applications, from Facebook, YouTube, and Pandora to enterprise applications like email and sales force automation. Since the enterprise typically does not own the device, enforcing policies for acceptable usage or installing application controls like a traditional IT administrator would on a corporate computer is often not viable. There is an increased risk of exposing corporate data on mobile devices since they roam and connect to multiple Wi-Fi and cellular 3G/4G networks. Traditionally, web security protections have been enforced either by way of a gateway web proxy at an enterprise's egress to the Internet or via signature-based anti-virus protections installed on the user's computer. With mobile devices, there is no obvious point of enforcement like an enterprise proxy. To complicate matters further, enterprise data is rapidly migrating to the cloud. As a result, an employee's mobile web transactions may never hit the enterprise network while accessing critical cloud-hosted data.
The second challenge is that security applications for mobile devices are expensive to develop and often ineffective. Unlike the computer world, which is dominated by Microsoft, there are several different mobile operating systems such as Apple's iOS, Google's Android, Windows Mobile, Blackberry, Symbian, etc. Each platform has its own software development environment, and a security vendor developing mobile security applications will have to replicate the effort across the various platforms. Further, some platforms such as Apple's iOS do not allow traditional anti-virus applications on their platform. Loading third-party applications not approved by the platform vendor may lead to violation of contract and often requires “jailbreaking” the device—definitely not an enterprise option. Even if security applications are allowed, they are a headache to deploy, require constant updates, and are easy to circumvent, e.g. the user can simply uninstall them if they dislike them. Worst of all, they impact device performance and degrade user experience by stretching the already limited processor and memory resources on the mobile device.
Further, a significant challenge for mobile device security is that, by definition, these devices roam and connect to multiple different wireless networks. For example, a tablet may connect to a cellular network and multiple Wi-Fi networks (e.g., home, hotel, branch office, service provider hotspot, etc.). In the fixed device scenario, the user connected from a known location (e.g., an office) with a fixed device (e.g., a computer). By inspecting traffic from that known location, malware could be filtered out and user-based policy could be enforced. This is not the case with mobile devices. Another challenge with mobile users is that it is hard to enforce a common policy per user, as they connect with multiple devices, on different networks, from a variety of locations. So if the company policy was to not allow questionable Internet content on company equipment, how can the administrator make sure that the policy is enforced for a given user regardless of whether the user is on a computer, a smart phone, or a tablet?