1. Technical Field
This disclosure relates generally to information security and, in particular, to a policy-based approach to secure enterprise data on mobile devices.
2. Background of the Related Art
The recent past has seen an enormous growth in the usage and capabilities of mobile devices, such as smartphones, tablets, and the like. Such devices comprise fast processors, large amounts of memory, gesture-based multi-touch screens, and integrated multi-media and GPS hardware chips. Many such devices use open mobile operating systems, such as Android. The ubiquity, performance and low cost of mobile devices have opened the door for creation of a large variety of mobile applications.
Enterprises are now providing their workforce with mobile devices to enable them to work from anywhere. In addition, enterprise employees also are using their personal mobile devices to connect to enterprise networks to enable them to work from remote locations. Under these scenarios, enterprises need to consider the implications of mobile devices on enterprise security and, more specifically, they need to ensure that sensitive enterprise data does not leak through these devices. This is a complex problem for which, currently, there are no adequate solutions.
Thus, for example, in a typical use scenario, an end user runs both enterprise and personal applications concurrently on a smartphone. This operating scenario presents many potential problems. Because these devices do not include on-device mechanisms for controlling resident data usage, and because users have no control over data once they authorize access by their resident applications, there is no way to protect sensitive enterprise data from arbitrary application and modifications. Further, because (from the device's perspective) all applications are assumed to be equal, there is no way to prevent information leakage between enterprise and personal applications. Indeed, this information leakage is exacerbated by open interface mobile operating systems (such as Android), which are designed to allow data sharing among applications. Further, because mobile device operating systems can be jail-broken or otherwise rooted to override existing security mechanisms and install malicious software, there is no effective way to manage the integrity of software running on the device. Indeed, because end users can download and install virtually any application without knowledge of the application's security behavior, it is very difficult to control applications (or their runtime behavior) once installed on the device.
As a result, when mobile devices support both enterprise and personal applications, there is a high likelihood that sensitive enterprise data leaks through the personal applications. In this scenario, the enterprise has no guarantee that its sensitive data will not be used by the personal application. The problem may be exacerbated if enterprise applications from multiple different enterprises are running on the device (such as where the user is a service provider for multiple such entities). In this scenario there is a further need to protect the enterprise applications from one another. Further, often there are no trust guarantees on the device, which presents the possibility that the device itself may be running rogue system software that has the potential to leak sensitive data outside the device.