Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Ojas Rege, Chief Marketing and Strategy Officer at MobileIron, explores the issues of trust in the bring-your-own-device era.

These days, it seems we all have our heads in the cloud. So many businesses are shifting to cloud that it is quickly becoming the new normal. Plus, employees are increasingly demanding flexibility from their work environments and wish to complete their daily tasks on devices of their choosing, not the PC of old. Yes, modern business is a complicated beast.

Mobile is the consumption vehicle for the enterprise cloud and, specifically, the mobile app is becoming the preferred interface of employees to all their cloud services. Many times, these apps don’t even run on a device owned by the company, as reflected in the 74 percent of businesses that either have or plan to adopt a Bring Your Own Device (BYOD) policy.

One challenge this immediately places on IT’s shoulders is dealing with the variability of mobile apps (millions available), mobile devices (phones, laptops and tablets across a whole host of brands), and mobile operating systems (iOS, Android, and Windows). This fragmented, ever-changing mix of technologies, all connected seamlessly to the cloud, makes the protection of corporate data increasingly difficult.

Central to this challenge is the evolving nature of trust. Historically, it was enough to trust the user, because the corporate PC was completely locked down and the primary interface to the cloud service was a web browser, which stored minimal persistent data. This is why identity and access management (IAM) systems have been central to traditional cloud security.

But we no longer live in the world of the web. Instead, we now live in the world of the mobile app. The mobile app stores data locally and can potentially share it with other apps, both authorised and unauthorised. This means user trust is not enough. If either the device or the app is untrusted, data is at risk and will almost inevitably leak.

Fortunately, there is an answer to this particular dilemma. By ensuring that only trusted apps on trusted devices with trusted users are accessing corporate data stored in the cloud, IT professionals can create a win-win situation where they can mitigate the risk of data loss, while still giving their employees choice of technology.

Trusted devices

The first step in ensuring mobile security in the cloud is to know what devices and OS platforms are going to be accessing it.

Without this knowledge, there is no way to test whether all devices are compliant. This is an issue that IT professionals widely acknowledge as important, but many enterprises are alarmingly complacent in adopting basic security hygiene around compliance.

The first step is to create an inventory of all devices used in the workforce, which provides the baseline to then begin to understand who is using what devices and how.

Once the inventory exists, each device must be continuously tested for compliance. Does it have the latest OS updates and patches? Is it jailbroken or rooted? Does it have the appropriate protections like password management and encryption? Does it have risky apps installed?

Automation of the compliance testing and centralisation of the policy and remediation actions is essential because the mobile threat landscape is very dynamic and the device can easily fall in and out of compliance. Only devices secured and managed in such a way should be allowed to connect to back-end enterprise cloud services.

The system of record for device trust and remediation is your enterprise mobility management (EMM) platform.

Trusted apps

Now that we have ensured the device is safe for business use, we need to ensure that the apps used on the device are also trustworthy. A bad app on a good device is just as big a security threat as a good app on a bad device.

Most cloud services expose a broad set of APIs to encourage their ecosystems of developers to build innovative apps, all of which access data from the cloud service itself. For example, salesforce.com has a large ecosystem of developers building a varied set of apps for forecasting, sales management, customer support and similar functions, all connecting to salesforce.com on the back-end and all authenticating securely.

But most of these apps are not authorised by IT and almost all will result in data loss. The reason is that if the app is not a secure app and it connects to the back-end cloud service, it will sync data to the device and store it in a manner that is outside of IT’s control. That means the data is effectively lost.

So what seems like an innocuous use of a best-of-breed app can turn into a major vector of data loss for the enterprise.

The solution is simple. Each authorised app should be deployed through an enterprise app store so the data is protected. Such apps are called “managed apps.” Only managed apps should be allowed to connect to the back-end cloud service.

The system of record for application trust and remediation is your enterprise mobility management (EMM) solution. In addition, it might be useful to leverage third-party app reputation services to pinpoint apps with inappropriate permissions or risky behaviour.

Trusted users

Now we come to the user. This is the third component of the mobile-cloud trust model and the one that enterprises are most likely to remember. It is obvious that an untrusted user should not have access to the enterprise cloud. My CFO should have access to company financial data. My marketing intern should not.

The system of record for user trust is your identity and access management (IAM) platform.

Putting it all together

Yes, I do trust my CFO … but not if he or she is accessing company financials on an untrusted device or with an untrusted app.

This is why identity alone is not enough for mobile-cloud security. EMM and IAM are, together, the two new pillars of security in the mobile-cloud enterprise. EMM verifies context and compliance while IAM verifies identity. EMM is also the enforcement arm of the equation, blocking access to enterprise data and services if there is ever a compliance break or unacceptable increase in risk.

Only trusted users on trusted devices using trusted apps should have access to enterprise data. While that is true for traditional datacentre services as well, it is especially important for the enterprise cloud because apps, not web browsers, are the preferred mobile user interface for cloud services.

If your head is in the clouds, that’s fine. Just make sure your feet are on the ground as you design your mobile-cloud security architecture.

Ojas Rege is Chief Marketing and Strategy Officer at MobileIron. His perspective on enterprise mobility has been covered by Bloomberg, CIO Magazine, Financial Times, Forbes, and Reuters. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on six mobility patents, including the enterprise app store and BYOD privacy. 

Ojas has been with MobileIron for eight years as the company has grown from just an idea to a mobile security platform with over 10,000 enterprise customers. Ojas is also a Fellow of the Ponemon Institute for information security policy. Prior to MobileIron, Ojas was responsible for the mobile product teams at Yahoo! and AvantGo and started his career in 1988 as product line manager at Oracle. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford. Ojas is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption services for children of color and their parents.