Mark Sunday: Let's start with an overview of today's mobile security market. What are the critical issues that CIOs must address?
Amit Jasuja: The most critical issue for CIOs involves dealing with the personal devices now being used in organizations. Recent studies show that 89 percent of employees use their personal devices for work and 50 percent of those are doing it against the consent of their employers. The BYOD [Bring Your Own Device] trend is here to stay. In many cases these personal devices include personal applications and data, and are shared by other family members. The employees who use them also need corporate connectivity, which complicates security and privacy issues.
One trend is that employees want to use their personal devices to access e-mail, calendar, and other productivity apps. They also want to access sensitive documents, such as Word files and Excel spreadsheets. Innovative companies are using mobile to really transform the way they do business and interact with customers. Employees are using applications to actually quote and sign for a deal in the field or moving point of sale from behind the register to out onto the sales floor. The same consumer devices are being used to access customer-facing applications over the internet—everything from banking and retail applications to personal health records.
Mark Sunday: How do these issues impact enterprise IT departments?
Amit Jasuja: Enterprise IT departments face three important issues. First, how do you develop mobile apps that support multiple platforms, from Apple iOS and Google Android to new versions of Windows? By 2017, 25 percent of organizations will host their own application stores to make it easy for people to download corporate apps. Second, how do you expose back-end applications, such as Oracle E-Business Suite and [Oracle's] Siebel CRM, or even legacy applications, which were not initially designed to be exposed to a mobile front end? Finally, how do you uphold corporate security policies? For example, what happens if a personal device that contains corporate data is lost or stolen? Today, 35 percent of adults have reported having a device lost or stolen. What do you do when employees leave the company and take their phones and corporate data with them? Can you expose sensitive content over public networks? Can you handle multiple users per device? Can your company be liable for knowing too much about how its employees use their personal devices?
Mark Sunday: Indeed, these are pressing concerns. How are vendors responding? Tell us about some of today's popular mobile security solutions.
Amit Jasuja: Technology vendors have numerous solutions to these problems. Some solutions use Mobile Device Management (MDM) technology to lock down the entire device. By installing MDM software, the company basically owns the device. Because these are "heavy-weight" solutions, they negatively impact performance on the device and turn many users off due to privacy concerns. MDM solutions typically wipe all personal data when employees leave the company. They gain visibility into all the apps that are on those devices—including the personal apps. And they generally install VPN technology to secure the flow of data from various applications. Running these VPN tunnels decreases battery life and reduces reliability, leading to dropped calls when you are moving from place to place. If rogue malware gets installed on the device, it automatically has access to the corporate data and can infiltrate the corporate network over the VPN.
Mark Sunday: I've heard that containerization is a good alternative for companies that want to segregate corporate and personal data. What is a container and what should CIOs look for when choosing a container vendor?
Amit Jasuja: Instead of taking over the entire device, containerization isolates the corporate applications and data in a secure sandbox or logical "container." Sometimes this technique is also referred to as Mobile App Management (MAM). The vendor installs a managed, secured container on each device. Corporate applications and data are placed in the container and are governed by corporate security policies. Personal data and apps are left alone. The container allows only corporate-designated applications to communicate to back-end services and it enforces policy controls to stop data leaks from the device. For example, a security policy can stop a user from transferring a sensitive file via Dropbox.
Some containers are proprietary. They force all traffic through the vendor's data center, which is problematic for customers. In addition, most container solutions introduce new silos of technology for common tasks such as authentication, session management, and token exchange as well as new self-service applications to reset a device, request an app, and obtain an authorization or approval. Customers that use these proprietary container solutions have to duplicate many fundamental identity management tasks.
Mark Sunday: What is the Oracle Mobile Security Suite and how is it different from what other vendors are offering?
Amit Jasuja: Oracle Mobile Security Suite is an enterprise security system that extends enterprise identity management policies to mobile apps. By 2020, 80 percent of access to the enterprise will be via mobile devices, up from 5 percent today. This disruptive trend will require organizations to quickly rethink mobile security inside out. The fragmented MDM solutions offered today are short-lived and will not scale to address this trend. Oracle's identity-based approach to mobile security is differentiated because it allows organizations to scale by securing mobile applications and data independent of the device. The solution has three main capabilities:
Our Identity Management creates a robust platform for mobile application and data security. It provides the control organizations need to scale. And it enhances the user experience so corporations can unlock the potential of personal devices. I invite CIOs to learn more about this innovative mobile security solution by perusing the information we have posted here.