
2015 Predictions: Mobile security set for change in 2015

Editor’s Note: With 2015 now upon us, RCR Wireless News has gathered predictions from leading industry analysts and executives on what they expect to see in the new year.

As 2014 came to an end, it was clear we had closed out “the year of the epic data breach.”

The IT security industry was buzzing about the mammoth Target data breach in late 2013. But no one predicted the escalating parade of hack attacks throughout 2014. The flood of breaches eventually made front-page news in mainstream media and cost hacking victims and credit card-issuing banks billions of dollars in breach cleanup, response expenses, lost valuation, lawsuits and damaged reputations. A recent entertainment company breach has raised the stakes further still, with the alleged theft of major motion pictures and celebrity data.

So, as we enter 2015, what do these ongoing IT security issues mean for mobile devices in the enterprise?

We predict 2015 will feature a “perfect storm” of forces that will start to move “bring-your-own-device” programs and mobility management into an important new phase. We expect IT managers will start to shift from simply securing end devices to integrating mobile users into an enterprisewide security posture that controls user access to applications, regardless of location or device.

BYOD at critical mass

Each year, surveys show more companies permit employees to use their own devices for accessing corporate applications. In November, a global Spiceworks survey of IT professionals commissioned by Certes found that two-thirds of companies worldwide allow employees to use personal devices for accessing corporate applications and conducting business.

We expect to see continued “consumerization” of corporate IT in 2015. In many cases, the holdouts still resisting BYOD are doing so out of security and compliance concerns. But IT managers in even the most security-sensitive industries, like health care and financial services, know or suspect that employees use personal devices to conduct business in violation of corporate policy.

Furthermore, even when companies reject BYOD and continue to supply and control mobile devices, these smartphones and tablets have access to app stores, the Web and other sources of unauthorized applications.

The choice facing these managers is to either ignore the issues and pray that no major breach occurs, or to accept the inevitable and proactively manage the security risk posed by BYOD and modern mobile devices.

The mobility silo

Companies have deployed mobile-device management and enterprise-mobility management products to manage devices such as smartphones and tablets. While these products do a great job of controlling use and storage of corporate data on the devices, they usually are operated in a silo from the rest of the security infrastructure.

In most cases, the MDM or EMM system will integrate with a VPN server or other security element to provide an encrypted connection to the enterprise. But the siloed nature of mobility management usually means that this encrypted connection halts at the enterprise perimeter. Hence, you have access credentials residing on a personal device that is easy to lose, typically has no antivirus or antimalware software, and has an open app store from which to download unauthorized applications. If those access credentials are compromised, an attacker can gain unfettered access to internal systems.

This is a security threat because internal networks in typical enterprises continue to be erroneously considered “safe” or “trusted.” As a result, enterprises often use insufficient controls to segment data traffic and secure or isolate internal applications containing sensitive servers.

In 2013 and 2014, we witnessed multiple cases in which a compromised access credential for an external party resulted in major data breaches, such as at Target. We predict 2015 will bring more breaches stemming from hackers using mobile devices and the accompanying siloed security posture to gain access to corporate systems.

Encrypting everywhere

Hackers are having a field day exploiting poorly implemented network security and inadequate traffic segmentation for sensitive applications in enterprises. For example, many recent retail breaches were perpetrated by attackers who initially gained access to relatively innocuous internal corporate servers. The attackers then navigated and hopped to point-of-sale systems and other networks containing much more sensitive, mission-critical applications and data.

This has not gone unnoticed. The Spiceworks IT survey showed 56% of companies identified improving data network security as a top budgeting priority for 2015. In fact, we predict that 2015 will see more enterprises choosing to deploy encryption on internal traffic to fully isolate and protect sensitive data communications.

Regulations and industry compliance guidelines generally focus on encrypting traffic that traverses external or public networks, while relying only on logical network segmentation for internal networks. But a growing number of enterprises recognize that this stance does not address attacks by insiders or hackers who penetrate extended corporate network perimeters. Cryptographic segmentation and isolation of sensitive data on internal networks is starting today in many banking and health care enterprises where privacy and confidentiality are essential.

These enterprises recognize that they cannot wait for industry guidelines or compliance rules to catch up, but must take action now to reduce the risk of losing many millions of dollars in data breaches.

Users, not devices

Related to this, we predict enterprises in 2015 will start to adopt new security architectures that are user-centric, not device-centric.

The focus will shift away from simply securing a given device, to focusing on enabling users to access applications regardless of location or device. So, for example, traffic between an app server and a user’s smartphone will be encrypted and protected the same way regardless of whether the user is inside or outside the enterprise.

If the user switches devices, the same security posture will follow the user and extend to the new device. In other words, mobile device security will be integrated into a comprehensive security architecture that is agnostic to devices and networks, and is consistently applied across users and applications.
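To make the contrast between the siloed, perimeter-based posture described under “The mobility silo” and the user-centric model described here concrete, the following is an added illustration, not code from the article or from Certes Networks. It models two toy access-policy engines: one that trusts anything arriving from the internal network (encryption stops at the perimeter, user identity never enters the decision) and one that decides on the authenticated user’s entitlements and requires an encrypted session regardless of location or device. The address ranges, user names, applications and request scenarios are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical corporate address space (assumption for the example).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical per-user application entitlements; in practice these would
# come from the identity provider or directory, not a literal.
ENTITLEMENTS = {
    "alice": {"hr-portal", "crm"},
    "bob": {"crm"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str        # authenticated identity
    device_id: str   # whichever device the user happens to hold right now
    source_ip: str   # where the connection arrives from
    app: str         # application being requested
    encrypted: bool  # session protected end-to-end between app and device


def is_internal(source_ip: str) -> bool:
    """True if the source address falls inside the corporate LAN ranges."""
    addr = ip_address(source_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def network_trust_policy(req: AccessRequest) -> bool:
    """Device/network-centric model the article criticises.

    Encryption ends at the perimeter (VPN or MDM gateway) and anything
    already on the internal network is treated as 'safe'. Who the user is,
    and what they are entitled to, never enters the decision.
    """
    return is_internal(req.source_ip)


def user_centric_policy(req: AccessRequest) -> bool:
    """User-centric model: the same decision inside or outside the enterprise.

    Access depends on the authenticated user's entitlement to the app and on
    the session being encrypted all the way to the application, so the
    posture follows the user onto whatever device they pick up.
    """
    entitled = req.app in ENTITLEMENTS.get(req.user, set())
    return req.encrypted and entitled


def compare_policies(requests):
    """Evaluate each request under both models: {label: (network_trust, user_centric)}."""
    return {
        label: (network_trust_policy(r), user_centric_policy(r))
        for label, r in requests.items()
    }


# Constructed scenarios (sample data, not real traffic).
SCENARIOS = {
    # Alice on her office laptop: both models allow.
    "alice_office_laptop": AccessRequest("alice", "laptop-01", "10.1.2.3", "hr-portal", True),
    # Alice switches to her phone off-site: the network-trust model denies
    # until a VPN lands her 'inside'; the user-centric model allows.
    "alice_phone_offsite": AccessRequest("alice", "phone-07", "203.0.113.5", "hr-portal", True),
    # A session from an innocuous internal host reaching for HR data with no
    # entitlement: the network-trust model waves it through (the hop pattern
    # behind the retail breaches); the user-centric model denies.
    "bob_internal_host": AccessRequest("bob", "kiosk-02", "10.1.9.9", "hr-portal", True),
    # Plaintext session from Alice's phone: denied because encryption is
    # required everywhere, not only across the public network.
    "alice_plaintext": AccessRequest("alice", "phone-07", "203.0.113.5", "hr-portal", False),
}

if __name__ == "__main__":
    for label, (legacy, modern) in compare_policies(SCENARIOS).items():
        print(f"{label:22} network-trust={legacy!s:5} user-centric={modern}")
```

The point of the comparison is the third and fourth scenarios: the perimeter model cannot distinguish an entitled user from any other session that has reached the internal network, while the user-centric model gives the same answer for Alice on any device and refuses a session that is not protected end-to-end.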

Ultimately, this shift will be driven by urgent business needs to simplify the entire security architecture for enterprises. Now that companies face billions of dollars in costs and damages because of poorly implemented security, the incentives are in place to make 2015 “The year of the IT security revolution.”

Adam Boone is CMO of Certes Networks, leading the company’s marketing, demand generation, product management and product marketing initiatives.
