As enterprises scramble for some semblance of control over all the smartphones and tablets employees are bringing to work, their options for protecting against mobile device security risks are expanding into the security SaaS realm.
IBM recently announced a cloud-based service that the company said will help enterprises mitigate the risk of personally owned devices accessing sensitive corporate information. The new IBM service is designed to enforce corporate policies on a variety of mobile devices, help track down a lost device, secure data if a device is lost or stolen, protect against malware and monitor user activity.
Also this fall, Symantec Corp. announced that it plans next year to offer a cloud-based service to communication providers that will allow them to offer security services to their mobile users. The service will enable companies to control mobile access to websites and also check Web downloads for malware.
Meanwhile, Web and email security SaaS provider Zscaler Inc. has been beta testing its service for mobile device protection with about a dozen enterprise customers and plans to put it into production in the first quarter of next year.
The market for content security SaaS for mobile devices is just emerging with several vendors developing services that will become available in 2012, said Rick Holland, senior analyst at Forrester Research.
There’s some hype around mobile device security risks, but the reality is that attacks against mobile devices are inevitable, he said. “These content security solutions are going to help us with that,” he said.
The cloud-based model for mobile device security can provide a better user experience by reducing latency issues, Holland said. With a traditional, on-premise content security product, protecting a mobile user that is working remotely can require backhauling traffic to the corporate headquarters. With the cloud model, a remote user can be connected to the nearest cloud node, he said.
With any type of cloud-based mobile security service, companies should look at what platforms are covered, said Diana Kelley, a partner with Amherst, N.H.-based consulting firm SecurityCurve. “Not covering all platforms in mobile is particularly problematic because of the popularity of ‘Droid and iOS,” she wrote in an email.
Sunnyvale, Calif.-based Zscaler currently is focused on protecting Apple devices in the enterprise, said Amit Sinha, chief technology officer at Zscaler. “The traffic forwarding mechanisms in Android and other devices are still a little premature,” he said. “As they get more Web-based and start supporting standard networking like VPN tunnels in a reliable way, we can extend that protection to all these devices.”
Ultimately, Zscaler’s cloud-based approach is device agnostic, Sinha said. “We don’t care if traffic comes to us from a laptop, Android tablet or iPhone. We’re the gateway for the traffic,” he said.
While an on-premise, appliance-based model runs into traffic backhauling challenges, the traditional endpoint agent-based approach also runs into problems in a mobile context because the local agents must be updated, Sinha said. Zscaler is clientless and simply leverages Apple’s standard IPSec VPN client, he said.
Another security SaaS provider, Proofpoint Inc., doesn’t provide mobile device management or specific mobile security applications, but has optimized its cloud-based services for mobile platforms.
Sunnyvale, Calif.-based Proofpoint, which specializes in secure communications and email archiving, this year added the ability for users to easily decrypt messages on mobile devices. The company also expanded its archiving service to allow mobile users to access multiple years’ worth of email instead of the three to four weeks’ worth that’s typically available on devices, said Andres Kohn, vice president of technology at Proofpoint.
Looking ahead, Kelley said she expects the technology for controlling and securing mobile devices will mature to provide more robust control and policy enforcement. At the same time, she expects companies to look more closely at ways to control sensitive data, perhaps by not allowing it to be copied anywhere or only viewable through a virtual desktop infrastructure.
“At some point, I think companies are going to have to clamp down on sensitive data replication,” she said. “I know a lot of people disagree with that because it’s too restrictive, but I think it’s the best approach for highly sensitive data.”