Overview
Mobile computing is no longer a “fad”—recent ESG research data shows that 87% of enterprise organizations say mobile computing is either “critical” or “very important” for supporting business processes and employee productivity.[1] While e-mail access and calendars are common mobile applications, many organizations are now developing and deploying new types of applications to bolster employee productivity or improve customer relations. In fact, ESG research indicates that 42% of enterprises are actively developing a significant number of mobile applications themselves (see Figure 1).
Figure 1. Development of Custom Mobile Applications
Is your organization developing its own custom applications specifically for mobile devices? (Percent of respondents, N=242)
Yes, my organization is developing a significant amount of its own custom applications specifically for mobile devices: 42%
Yes, my organization is developing a modest amount of its own custom applications specifically for mobile devices: 38%
No, my organization is not developing its own custom applications specifically for mobile devices but we plan to do so within the next 24 months: 10%
No, my organization is not developing its own custom applications specifically for mobile devices but we are interested in doing so in the future: 4%
No, my organization is not developing its own custom applications specifically for mobile devices and we have no plans or interest in doing so in the future: 5%
Source: Enterprise Strategy Group, 2014.
[1] Source: ESG Research Report, The State of Mobile Computing Security, February 2014. All ESG research references and charts in this brief have been taken from this research report.
Solution Brief
Check Point Capsule for Mobile Computing Security,
Operations Efficiency, and Business Enablement
Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst; Kyle Prigmore, Research Associate
Clearly, mobile computing devices such as tablet computers and smartphones have supplanted PCs as the primary user devices and are poised to dominate end-user computing in the future.
Mobile Computing Security Challenges Remain
In spite of a seemingly unlimited number of business benefits, mobile computing also comes with numerous security concerns as it introduces new devices and new threat vectors to enterprise organizations. These risks are already creating security havoc. According to ESG research, 47% of enterprise respondents indicated that they have experienced security breaches as a result of a compromised mobile device.
Why are these security breaches occurring? Mobile computing is still a nascent IT domain but it is evolving at a frantic pace. Furthermore, mobile computing is distributed and constantly changing by its very nature. Finally, mobile devices are often lost or stolen and thus breached.
Beyond security breaches, however, security professionals also find mobile computing security particularly vexing. In fact, ESG research indicates that enterprise organizations face an assortment of mobile security challenges such as (see Figure 2):
Protecting sensitive data “at rest” and “in flight.” A significant number of security professionals (43%) claim that it is challenging to protect confidential data when it is accessed from a mobile device while 41% say it is challenging to protect sensitive data when it is stored on a mobile device itself. This is certainly understandable as mobile computing can create blind spots where the security team can’t monitor or manage sensitive data once it is accessed and stored on mobile devices. To paraphrase an old management adage, “you can’t secure what you can’t see.”
Enforcing security policies. Many security policies were originally created with PCs and wired Ethernet ports in mind. While the proliferation of Wi-Fi access networks stretched traditional security policies beyond their original boundaries, mobile computing adds additional challenging dimensions that fall way outside of the legacy policy spectrum. Why? Unfortunately, many organizations find that the only way to address policy enforcement is by implementing new tools and infrastructure for mobile computing security. This creates additional technology complexities and operational overhead for an already overwhelmed security team.
Integrating mobile security into existing cybersecurity processes and technologies. As organizations create
Figure 2. Mobile Computing Security Challenges
Overall, which of the following would you say are the biggest challenges around mobile computing security at your organization? (Percent of respondents, N=242, multiple responses
Protecting data confidentiality and integrity when sensitive data is accessed by a mobile device over the network: 43%
Protecting data confidentiality and integrity when sensitive data is stored on a mobile device: 41%
Enforcing security policies for mobile devices: 41%
Integrating mobile device security processes and technologies with other enterprise security processes and technologies: 36%
Educating users on best practices for mobile computing security: 35%
Establishing the right workflows and processes between the security team and other IT groups: 34%
Managing malware/threat management on mobile devices: 34%
Ensuring that staff members have proper training and skills on mobile device security: 34%
Dealing with lost/stolen mobile devices containing sensitive data: 33%
Supporting new device types: 31%
Creating security policies for mobile devices: 29%
Dealing with scale issues caused by the sheer number (i.e., hundreds, thousands) of mobile devices to protect/secure: 28%
Discovering mobile devices as they gain access to the network: 21%
None of the above: 2%
Source: Enterprise Strategy Group, 2014.
What’s Really Needed for Mobile Computing Security?
CISOs are being asked to support BYOD, embrace new mobile applications for business process improvement, and make sure to mitigate new mobile computing risks. Regrettably, accomplishing these goals can be quite cumbersome when they require new skills, processes, and tools simultaneously.
Rather than layer on discrete “mobile-only” security solutions, large organizations may be better off extending their existing security controls that support “mobile-friendly” functionality. To accomplish this task, security professionals must look for mobile security platforms providing:
Unified policy management across all mobile devices. Tablet computers, smartphones, and PCs are different types of end-user computing devices but, as the ESG data indicates, security becomes difficult when different devices are managed with different policies and enforcement points. To bridge this gap, enterprises need security tools that support a wide variety of mobile devices while offering device-specific options for policy creation, management, monitoring, and enforcement. With a unified policy management platform across device types, security professionals can create and enforce security policies based upon business processes and users rather than remain in the technical weeds at the iOS or Android level.
Strong document-centric data security. When it comes to data, most mobile computing security remains elementary, offering VPN capabilities, storage encryption, or partitioning methods like containerization. These security controls are critical to establish a secure business environment on mobile devices but mobile security should also enforce policies at the document level. For example, it may be okay to access and view sensitive data in a spreadsheet on an iPad, but unacceptable to share this document with others. Mobile security tools must provide granular access controls and digital rights management (DRM) for what can and can’t be done on a document-by-document basis throughout each document’s lifecycle.
Granular access policy enforcement. To balance business productivity and IT risk, authorized mobile users should have seamless connections to key applications supported by granular access controls for high-value IT assets and sensitive data. For example, the CFO will always have seamless access to end-of-month reports from the corporate LAN regardless of the device she uses. Alternatively, some organizations may want to preclude this type of access when she tries to access documents from a public network, from certain geographic locations, or during various timeframes like the end of the quarter. The key here is being able to enforce these policies across several parameters like user, device, document sensitivity, etc.
Threat management. Mobile malware isn’t considered an enterprise threat vector today but it likely will be in the future. Many organizations already block PCs from accessing malicious URLs or downloading suspicious files so why not extend these best practices to mobile devices as well? Enterprises should prepare for this eventuality with the right controls and monitoring capabilities for threat prevention, detection, and response sooner rather than later.
While all of this security functionality is critical, leading CISOs also recognize that they need security tools that are intuitive, easy to deploy and integrate, and deliver immediate value. The goal? Help the overworked security staff work smarter—not harder. It’s a given that large organizations need strong security efficacy but security technologies that can accomplish this goal AND streamline operations will go to the head of the line.
Introducing Check Point Capsule
A lot of mobile security options have come from new vendors with a sole focus on mobile devices but this myopic coverage isn’t extensive enough for enterprise organizations and can create operational overhead as previously described. Check Point Software, a recognized leader in enterprise security, intends to alleviate these issues with the announcement of Check Point Capsule.
Check Point is focused on bridging the mobile security gap as Capsule offers:
Mobile threat management. Check Point Capsule allows organizations to extend corporate security policies denying access to malicious files, blocking malicious websites, and preventing C&C communications with malicious hosts. In this way, Check Point can help CISOs implement best practices for threat management in the mobile world, just as most organizations do today for protecting employees, PCs, and sensitive data.
Secure business environment. Mobile devices have two major functions: personal use and professional use. Check Point Capsule segregates the business data and applications from the personal data and applications, allowing users to seamlessly access business apps without sacrificing ease-of-use or device performance. This also helps mitigate risk because it protects corporate networks and assets from nefarious consumer-oriented software.
Protect business documents. Check Point Capsule allows organizations to customize how they secure their documents, regardless of where they go. Features include native password-protection, specifying a list of authorized recipients, and document encryption, all of which stay with the document throughout its lifecycle. In this way, Check Point takes mobile data security beyond basic encryption by introducing business-centric DRM into the mix.
Check Point’s announcement is well timed as many organizations are in the early stages of the mobile security maturity curve and CISOs want mobile security—rather than IT operations—technologies to mitigate risk. Just as important, Check Point Capsule brings Check Point’s security management and operations prowess to mobile security, aligning ease-of-use with strong security. Given these business, operations, and security benefits, Check Point Capsule could be in the right place at the right time.
The Bigger Truth
The onslaught of mobile devices has made security more difficult for enterprise organizations and, unfortunately, the security industry addressed this increasing security challenge with an army of add-on point tools. This has created a mobile security gap along with an operations nightmare. Furthermore, mobile security tools provide basic data confidentiality and integrity protection but they lack granular access policies or DRM-like capabilities at a document level.
Check Point clearly recognized those concerns and is now introducing a unique top-to-bottom mobile computing solution that can help organizations bolster mobile security, lower IT risk, and align business-centric security policies with granular controls. Given these advantages, CISOs would be well served by investigating Check Point Capsule and assessing how it aligns with their mobile computing business and security needs.