Mobile devices such as smartphones and tablets have been called “the weak link of security” for enterprise networks, and for good reason. While any one of these handheld devices is more powerful than the computers NASA used to put man on the moon in the 1960s, it still isn’t powerful enough to run the continuous security controls that are commonplace on networks and PC platforms. The limited processing power and battery life of smart devices prohibit the local use of security tools such as web filtering, content filtering and sophisticated forms of anti-virus and anti-malware screening.
Many organizations that allow BYOD on their network are truly fretting about mobile security. Two of the most common approaches to security today are mobile device management (MDM) and containerization, or keeping business activity separate from personal activity on a user’s device.
MDM is not so much about security as it is about enforcing policies and being able to do remote wipes if necessary. MDM typically doesn’t provide URL filtering to keep people from going to bad websites where they can pick up malware, or content filtering to prevent sensitive data leakage.
Containerization, also known as sandboxing, is a complex and controversial approach to security (see Gartner’s piece, Containerization is no BYOD panacea). It’s complex because the solution chosen is very much dependent upon the device’s manufacturer and operating system, and it’s controversial because end users don’t necessarily agree with such intense control over their personally owned devices. What’s more, there’s no clear divide over what’s personal and what’s business, making it practically impossible to separate the features and apps that have mixed uses. For instance, is text messaging a business or personal function? Which container should the messages be stored in? Both the user experience and the enterprise management experience leave a lot to be desired with containerization.
One company offering a different approach to solving the mobile security dilemma is Mojave Networks, formerly known as Clutch Mobile. The company recently announced the availability of SaaS-based mobile security at the network level. Rather than try to do security screening and processing on the device, Mojave Networks proxies all of the data traffic from the mobile device in its globally distributed network. There the vendor can do a variety of things, from web filtering and content filtering to more sophisticated data loss prevention for sensitive data like patient records, credit card numbers and Social Security numbers.
This solution uses a lightweight agent on the mobile device. An administrator provisions a company’s employees, supposedly in minutes, by providing their names and email addresses to Mojave Networks or by allowing Mojave to synchronize with an identity service such as Active Directory or Google Apps. An end user gets an email with a link to download the agent. After that, the tool is totally unobtrusive to end users.
Mojave takes the data that is sent to and from the device and puts it through its own data centers to analyze it for the enterprise, enforce policies, identify anomalies and block any type of malicious activity. The company says it can also help prevent data loss because it can see if the user is sending sensitive content to applications like Dropbox or Box even when that content is being sent over SSL. If there are Social Security numbers or other sensitive content being sent to cloud services, Mojave can see it, flag it and prevent it as defined by the enterprise’s policies.
According to Garrett Larsson, co-founder and CEO of Mojave Networks, one of the company’s differentiators is its approach to anti-virus. “With the way the mobile OS architecture was built, it’s really hard to put an agent on the device and completely understand what is going on,” says Larsson. “It is part of the sandbox nature of Apple and Android where an application can’t see events at the OS level and really diagnose it if there is something malicious going on. We think an agent is part of the approach but it is not a complete approach and we believe you need to have the network piece that Mojave provides.”
Larsson notes that in a traditional network environment, a company would have firewalls or secure web gateways that would help detect threats and block them. These hardware-based approaches can work for companies with an on-premise data center, but as companies move away from having their own data center, having a cloud-based solution is important. “With our SaaS-based solution, you don’t have to have the infrastructure or IT resources for the network,” says Larsson. “We can do powerful AV scanning that can’t be done on the device alone.”
Recognizing that end users want to maintain their privacy with their personally-owned devices, Mojave has privacy policies that the IT administrator can set. For example, all of the web traffic can be anonymized so the administrator can’t identify it down to an actual person. Moreover, the end user can see what policies the administrator has enabled in order to provide transparency to the user in the case of BYOD.
Mojave Networks provides a subscribing enterprise with information that has traditionally not been available, such as how much bandwidth is consumed based on carrier bandwidth, Wi-Fi bandwidth and total bandwidth; the number of Android malware apps encountered; and phishing attacks and web malware that have been blocked. An IT administrator can personalize the information for their own company and look at the data that is most relevant to them: things like the OS distribution, the top mobile applications installed, and where data is going from managed devices. There is a lot of granular data available and Mojave Networks has a goal over time to make this data more actionable for IT administrators.
Mojave Networks has data centers on five continents. The company’s network is said to be optimized for a mobile network, and it claims throughput is affected by less than 10%. If a user normally gets 30 MB of download per second, he might get 27 MB per second by passing through Mojave’s network.
Bessemer Venture Partners recently invested in Mojave Networks. Bessemer partner David Cowan specializes in infrastructure SaaS and cybersecurity. “It was clear to us that the only way you can protect a mobile device is in the network, which is actually how companies have come to implement most of their security for enterprise computing,” says Cowan. “We believe the best approach is to build the equivalent of a network perimeter on the global Internet so that anywhere you go with your mobile device, you can be protected by the same sort of security stack that enterprise networks utilize. That’s what we found in Mojave Networks. We believe in a few years it will be the dominant approach to mobile security.”
By Linda Musthaler, Network World