Work wherever you want – but stay secure
Mobile work concepts, such as BYOD, are the trend. This means that companies have to securely integrate mobile terminal devices into their IT infrastructure.
Digitisation allows people to work in a flexible manner without being tied to a permanent workplace. Thanks to digitised business processes, company data can be accessed any time, any place. Although this offers many advantages, it also poses a number of considerable risks. Be it from home, at a café or on a train, it must be ensured that mobile terminal devices are secured and that only authorised users can access sensitive data.
Mobile work calls for integrated IT security concepts
If an employer provides notebooks, tablets, smart phones, etc., the company's IT department is usually responsible for the administration and security of the devices. This means that security risks are minimised, even for mobile work.
However, many employees prefer to work on their own private mobile devices, using familiar applications such as e-mail accounts, messenger services or social networks like Facebook or Twitter. Although this often conflicts with the applicable company rules, which are designed to ward off cyberattacks and to protect company information, many companies have nevertheless responded to this trend by introducing what is known as the 'bring your own device' (BYOD) concept. With this concept, employees can use their own mobile terminal devices for work and to access IT resources. More than anything else, this saves companies money.
Be it company or private devices, both variants boost employees' flexibility and mobility. But irrespective of the variant chosen by a company, the advantages and disadvantages should be weighed up in advance in the interest of corporate data security and a secure IT infrastructure. The decision must also be made while taking the purpose and the resultant security risks into account.
But what technical options are available to warrant IT security for mobile work?
BYOD: convenient, but has its risks
The 'traditional' solution with one device for private use and one for work usually meets the security requirements of companies. This solution, however, is often inconvenient for the user. For many employees, the private device is the device of choice, even for work. There are many different applications and services installed on these private devices, from e-mail applications to electronic notepads, and even game and shopping apps. Applications like these, however, are often not safe and are frequently infected with viruses, trojans and other malicious code. If a user unknowingly installs an infected app on their private device, there is a risk that this app gains access to the device and hence to all of the private and work data, or infects the device with further malicious software.
What is clear is that systems that are used for work must have the required protection mechanisms to secure sensitive corporate data both on the devices and during transmission. Encryption software is a protection measure that is often used. Data can then be encrypted on drives or on mass storage devices, or transmitted via secure connections. However, if a mobile device is used for both private and work purposes, a pure encryption solution for the mass storage device and communication is no longer sufficient. The threats are, after all, simply too great. It is here, for instance, that application controls become more important, because they ensure that certain programs can only access certain information and documents. But ensuring comprehensive data security for mobile work calls for further technical measures.
Baseline protection for data with containers and virtualisation
So-called container solutions are used for extended protection of corporate data on mobile devices. In this case, software encrypts data and stores it in a specially secured area, i.e. the container. Only the corresponding container programs can access this data. Since the applications themselves run in an untrusted environment, attackers may still be able to get to the data. A frequent point of attack is the keyboard. Using keylogger software that secretly records every keystroke, attackers can gain access to passwords or PINs.
Virtualisation solutions go one step further. In this case, confidential company data together with its application software is encapsulated in a virtual machine, i.e. it is located in its own designated area on the mobile device. This means that the company data is stored separately from the private applications on the device. But there is still a residual risk. Virtualisation solutions were primarily developed to boost the utilisation of hardware resources but not for the strict separation of data and applications on mobile devices. There have been repeated incidents in which information was moved unintentionally from one virtual environment to another.
Outstanding security thanks to separation technology
The strictest separation of the private and work areas on a terminal device can be achieved using so-called separation technology based on microkernel systems, i.e. extremely compact operating systems. This creates two separate work areas on the notebook: one for applications with security risks, such as Facebook, surfing on the Internet or video streaming, and a second area that is solely used to process sensitive business data and internal e-mails. A third area is used for security systems, such as encryption, a firewall and a VPN gateway which establishes connections to the company network during mobile use.
This separation ensures that hacker attacks via the browser cannot penetrate into the area with the sensitive data or into the security systems. The encryption of the drive ensures that the data can only be accessed in the secured areas and that it cannot fall into the wrong hands if the device is stolen or lost. The security settings are centrally allocated and updated by the administrators. This high level of security goes almost unnoticed by users, who can work in their familiar environment and can also use, in the 'unsafe' area, services that would not otherwise be permitted by the company's strict security rules and regulations.
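The isolation property described above (the untrusted area must have no path, direct or transitive, into the work area or the security systems) can be checked as a simple information-flow model. The following Python block is an added example, not code from the article or from any separation product it describes; the compartment names follow the article, while the channel labels ("clipboard", "vpn_tunnel") are constructed to model the configurations being compared, including the unintended cross-VM channel the virtualisation paragraph warns about.

```python
from collections import deque

# Compartments named in the article; channel labels are constructed for this model.
UNTRUSTED, WORK, SECURITY = "untrusted", "work", "security"

# Isolation requirements: (source, destination) pairs that must be unreachable.
FORBIDDEN = [(UNTRUSTED, WORK), (UNTRUSTED, SECURITY)]

def find_path(channels, src, dst):
    """Breadth-first search over labelled directed channels.
    Returns the hops (from, channel, to) leading from src to dst, or None."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while parents[node] is not None:
                prev, label = parents[node]
                path.append((prev, label, node))
                node = prev
            return list(reversed(path))
        for label, nxt in channels.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, label)
                queue.append(nxt)
    return None

def check_separation(channels):
    """Map each violated isolation requirement to the offending path."""
    violations = {}
    for src, dst in FORBIDDEN:
        path = find_path(channels, src, dst)
        if path is not None:
            violations[(src, dst)] = path
    return violations

# Model 1: the separation-kernel layout from the article. The work area reaches
# the outside world only through the security compartment (VPN gateway, encryption);
# no channel leads out of the untrusted area at all.
SEPARATED = {
    WORK: [("vpn_tunnel", SECURITY)],
    SECURITY: [("vpn_tunnel", WORK)],
}

# Model 2: two VMs on a general-purpose hypervisor with a shared clipboard enabled
# between them, i.e. an unintended channel between the private and work environments.
SHARED_CLIPBOARD = {
    UNTRUSTED: [("clipboard", WORK)],
    WORK: [("clipboard", UNTRUSTED), ("vpn_tunnel", SECURITY)],
    SECURITY: [("vpn_tunnel", WORK)],
}
```

Running check_separation on both models reports no violations for the separated layout, while the shared-clipboard layout yields a two-hop path from the untrusted area through the work area into the security compartment.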
The more flexible IT structures become in the modern working world, the more security systems must be adapted to these changes. Reliable protection must begin, first and foremost, at the technical level and must take into account the requirements of mobile work. The Federal Office for Information Security (BSI) is currently examining whether separation technologies meet the highest security standards. This public authority is currently conducting an accreditation procedure for notebooks with this safeguard, which could then be used to process data that is classified in Germany as top secret (VS-NfD). This would even allow employees with security clearance to work anywhere with a secure mobile terminal device.
Mobile and secure into the digital future
Mobile work concepts will become increasingly important in the digital future and in business life, and companies will have to embrace this development. One of the main tasks moving forward will be to securely integrate all kinds of mobile terminal devices into the IT infrastructure. But security concepts for mobile technology should not be viewed as a separate measure. An integrated approach is needed if companies are to use digitisation in a profitable and, more importantly, secure manner.