
ENTERPRISE ARCHITECTURE RESEARCH GROUP
INTELLIGENCE BRIEF

Enterprise Intelligence Brief: Mobile Security
Q3 2019
NSS LABS RESEARCH

NSS Labs Enterprise Intelligence Brief: Mobile Security v1.0

Overview

Some say the hyperconnected world has arrived; others say we are only at the beginning, visualizing an ecosystem with billions of interconnected, often mobile, systems. Today’s mobile devices have many form factors and distinct use cases, which makes defining a mobile device surprisingly difficult and makes efforts to understand mobile device risk even more so. It follows, then, that building a management and security strategy for these devices—one that neither introduces needless risk nor restricts employee productivity—is challenging.

Anti-threat capability, privacy options, regulatory compliance, strong encryption, and end user impact are reported priorities for evaluating mobile security products.

An astounding variety of mobile devices have been introduced to the corporate infrastructure. Obvious mobile device examples include laptops, tablets, and smartphones. Newer, not-so-obvious devices are wearables (e.g., watches, with or without 4G/LTE) and IoT (e.g., embedded OS-based systems integrated into Microsoft Office365 or Google G Suite, such as a smart Wi-Fi-based wall-mounted calendar). All of these expand threat surface area, add uncertainty, and introduce risk. IT consumerization (e.g., BYOD) has added an overwhelming number of unknowns for an enterprise.

Enterprise IT security teams tasked with managing mobile risk must answer important questions prior to selecting a mobile security product. Should mobile security policies target device control, application control, data security, or should they take a multi-faceted approach? Should access to corporate data be restricted by mobile operating system? What are the minimum needs for multi-factor authentication (MFA), and how can mobile technology enable broader requirements?
Will threats found on mobile devices be prioritized, and how will alerts be communicated? Which teams will manage IoT and cross-platform operating systems? Should existing network security products (e.g., next generation firewall, intrusion detection system, traffic analysis) be leveraged, and if so, how?

Organizations pursuing mobile management and security software as a path to reduced risk find themselves in the middle of a rapidly evolving industry. Product consolidation is constant, and the line between mobile device management (MDM) and newer product categories has blurred. Endpoint mobility management (EMM) was the first product category to combine centralized management, configuration, and security functionality into an “all-in-one” technology. Unified endpoint management (UEM) is the most current iteration of this product, incorporating client management and endpoint security product toolsets, productivity apps, more mature authentication and authorization features, and broader OS support for systems including Microsoft Windows 10, Apple macOS, Linux, and even, in some cases, IoT.

An enterprise intolerant of risk must choose the product that aligns with mobile device assets present in its environment, efficiently integrates with existing security products, and enables a streamlined, low-impact workflow for users that discourages circumvention of mobile security policies.

Many CISOs focus their efforts on high-risk areas that they can control, such as requiring network isolation for mobile devices, establishing geofence-based access policies, and prioritizing threats found on devices with network carrier technology. They may also implement strategic but sometimes unpopular policies, such as restricting highly targeted or open operating systems, enforcing the use of secure mobile applications instead of more commonly available (and often easier to use) options, and enforcing strict authentication and access control.
Enterprises inevitably balance policy with risk acceptance, often relying on a combination of tools and user training to reduce exposure.

This report is Confidential and is expressly limited to NSS Labs’ licensed users.

Key Findings

• More than half of all respondents reported that mobile threats were a higher risk to organizational assets than other cyber threats.
• 49.4% of respondents reported poor user awareness as the greatest challenge to mobile security strategy.
• 32.1% of respondents strongly agree and 45.5% agree that their companies respect privacy on mobile devices.
• For respondents with mobile security, the average rating of their protection was 76.1 out of 100; respondents without mobile security rated their protection as 70.1 out of 100.
• IoT is the fourth most often identified device capable of accessing corporate assets.
• 12.3% of respondents reported user bypass of security policies as a very frequent occurrence and 25.1% reported it as a frequent occurrence.
• Respondents reported deployment of the following mobile device technologies at their organizations: MDM (57.0%), MAM (45.7%), MTD (44.9%), EMM (39.6%), MCM (39.3%), MIM (38.5%), and UEM (37.2%).
• Application control and regulation compliance are the top drivers for deploying a mobile security technology; “mobile security is not a pressing need” and privacy are the top drivers for not deploying.
• The technologies reported as most commonly affecting mobile security are security information and event management (SIEM), secure web gateway (SWG), distributed denial-of-service (DDoS) prevention, next generation firewall (NGFW), and threat detection and analytics (TDA) products.

Observations

• BYOD, e.g., IT consumerization, affects enterprises of all sizes.
• UEM represents a chance for enterprises exploring mobile security to revisit their endpoint security strategy.
• The definition of security varies by mobile vendor; the term can, for instance, reference encryption, or URL-filtering, or full anti-threat capabilities.

Recommendations

• Enterprises should focus on user training, as it remains a key component to reducing mobile device risk.
• Identification and authentication workflows are critical for successful mobile security, and organizations should focus product selection efforts on products that minimize user impact while decreasing risk.
• An organization must define what a “mobile device” is in its environment, as this will affect which security tools it chooses; the IT team must adopt the same terminology for consistent execution of strategy.
• Mobile security technology is evolving; in the interim, risk-intolerant enterprises should maintain a strict defense-in-depth approach to their IT security architectures.
• For Wi-Fi-based mobile devices that must connect to corporate networks, organizations should rely on deep packet inspection for anti-threat using devices such as NGFWs, breach prevention systems (BPS), TDA products, and intrusion detection systems (IDS).
• At a minimum, organizations concerned with risk from mobile devices should provide network isolation and control access to corporate email and data through secure applications.
• Environments with Microsoft Windows 10 and strict application control and security requirements should deploy multiple agent types and should test compatibility carefully during proof of concept (PoC).
• PoCs for mobile device security should test anti-threat capabilities, privacy options, regulatory compliance, strong encryption, and impact to the end user.
• Mobile device risk tolerance and employee business enablement should be evaluated with the same priority level.
2019 NSS Labs Mobile Security Study Methodology Summary

In the spring of 2019, NSS Labs conducted its study on mobile security to gain an understanding of the current utilization of network security products in US enterprises. The project consisted of a two-armed qualitative and quantitative study with six primary objectives:

1) Obtain enterprise priorities for the functional aspects (security efficacy, performance, management, deployment, interoperability) of mobile security products;
2) Map mobile security program maturity by enterprise use case;
3) Determine enterprise perceptions of mobile security threat vectors and mitigating technologies;
4) Identify the applications and data accessed via the mobile devices that change enterprise risk;
5) Determine enterprise security professionals’ experience with OS-based threat migration to mobile OS; and
6) Obtain ITSEC management’s rating of their organization’s current mobile security posture.

The study was conducted with the participation of 383 qualified, full-time US enterprise IT security professionals representing 35 industries from the US, England, Germany, France, and Ireland with a mean IT security budget of US$10M – $49M. Details can be found in the section 2019 NSS Labs Mobile Security Study Methodology.

Table of Contents

Overview
Key Findings
Recommendations