Android in the Enterprise: A Secure Path for CISOs

For far too long, CISOs have been caught between two competing agendas. First, they need to protect their critical business data and meet ongoing (and ever-changing) compliance requirements. Second is the resounding drumbeat from Android™ users who want serious enterprise support for their favorite mobile devices and apps — with no excuses. Since Android is now the dominant global consumer platform, CISOs are finding it harder to put off persistent employee demands to add Android to their BYOD mix.

Some CISOs have tried to support business productivity on Android, but all too often users make their own IT decisions that can put corporate data at risk. How would these examples impact your business objectives?

1. Last-minute Android security patches. Android fragmentation has not made life for CISOs any easier. Employees not only carry several different device models, they also have different versions of the Android OS running on those devices, leaving multiple security gaps that defy a unified management approach. Until now, a proactive and comprehensive solution for managing Android devices and apps has eluded most CISOs. Instead, they've simply tried to maintain OS security with critical hotfixes and last-minute updates to ward off the worst attacks. CISOs may also deploy mobile device management (MDM) solutions that provide only basic management for email and WiFi, and perhaps offer some control over certain OS versions.

While some CISOs may try to exert more control or even block Android devices for business use, this approach often has the opposite effect: it drives users underground to conduct business outside of the view of IT. "Shadow IT", as it is known, can leave organizations even more vulnerable to data loss and exfiltration because IT has no visibility into the data and apps on these devices.

2. Block access to critical data on Android devices. Secure app deployment has always been a tremendous challenge for organizations that genuinely want to support Android. In high-security industries such as finance, healthcare, retail, and the government sector, CISOs are always concerned about a large mobile data breach. No company wants to be the next victim of malware exfiltration or suffer the legal and financial consequences resulting from it. That's why secure app deployment and data loss prevention (DLP) are about more than compliance; they're about corporate survival and competitiveness. The need to ensure iron-clad data security is why so many CISOs have tried to simply block access to critical data on Android. Until now, it's been one of the few approaches they've had.

The New CISO Advantage: Android Lollipop and Android for Work

Google is well aware that Android has faced an ongoing acceptance issue with IT departments for all the reasons noted above and more. To address these security issues, the release of Lollipop expanded upon existing security countermeasures, such as block-level encryption by default. It also bolstered sandboxing with SELinux enforcing mode, added proven best practices such as auto-updates for critical security vulnerabilities, and included FORTIFY_SOURCE protections to prevent buffer overflows.

In addition to the OS upgrades, the introduction of Android for Work enables secure, containerized app deployment to a range of Android devices through an ecosystem of . Android for Work addresses many of the key CISO concerns about Android by allowing IT to separate work and personal data on the device, enable secure enterprise app distribution, and ensure users can't circumvent security controls or access configuration information. Android for Work has two versions that cover a range of devices running Ice Cream Sandwich through Lollipop, which should help CISOs ensure more unified security across the enterprise.
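To make the "separate work and personal data" and "users can't circumvent security controls" points concrete, here is an added example (not code from this post, from MobileIron, or from Google's Android for Work documentation) of what an enterprise's device policy controller does once a managed work profile has been provisioned on an Android 5.0 device. The class name, the restrictions chosen and the password policy values are assumptions for illustration; the `DevicePolicyManager`, `DeviceAdminReceiver` and `UserManager` APIs shown are the standard Android framework calls available from API level 21.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

/**
 * Hypothetical profile-owner receiver for a managed (work) profile.
 * It runs inside the work profile, so every restriction below applies
 * only to the work side; the user's personal apps and data are untouched.
 * The receiver must be declared in the manifest with the
 * android.permission.BIND_DEVICE_ADMIN permission and a device-admin
 * meta-data resource, as for any device admin component.
 */
public class WorkProfileReceiver extends DeviceAdminReceiver {

    // Illustrative policy values; an EMM would take these from its console.
    private static final int MIN_PASSWORD_LENGTH = 6;
    private static final String PROFILE_LABEL = "Work";

    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getWho(context);

        // Only apps pushed by the enterprise may be installed in the work
        // profile; sideloading ("unknown sources") is blocked there.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // Clipboard data cannot cross from work apps into personal apps,
        // which closes one of the simplest DLP gaps on a shared device.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);

        // USB debugging and related developer features are off-limits in the
        // work profile, so the user cannot pull work data over ADB.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);

        // Enforce a minimum credential policy for the managed profile.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, MIN_PASSWORD_LENGTH);

        // Only the profile owner can lift these restrictions; the user has no
        // UI path to remove them without removing the whole work profile,
        // which also removes the work data.
        dpm.setProfileName(admin, PROFILE_LABEL);
        dpm.setProfileEnabled(admin);
    }
}
```

The provisioning step that creates the profile (the `ACTION_PROVISION_MANAGED_PROFILE` intent) is omitted; what matters for the CISO's questions above is that the restrictions are enforced by the platform at the profile boundary rather than by the app, which is what stops the user from working around them.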

These new offerings from Google should provide a welcome sigh of relief for both CISOs and enterprise Android users. For CISOs, the next step is to research how Lollipop and Android for Work may help them meet critical compliance and security requirements. To get started, read the MobileIron white paper, "Android for Work: Top 8 Security Considerations Every CISO Should Know."

No security, no privacy. Know security, know privacy.

Android is a trademark of Google Inc. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.



David Schwartzberg

Sr. Manager, Security & Privacy for MobileIron

About the author

David Schwartzberg, CISSP, GMOB, is Sr. Manager, Security & Privacy for MobileIron. He has 23 years of information security and information technology experience. Specializing in mobile device management and security, David works closely with technology executives and security professionals to help them protect corporate secrets and remain compliant. In his spare time, he co-founded Hak4Kidz, and has blogged for Dark Reading, Naked Security and Barracuda Labs. David has spoken at conferences including RSA, ISC(2) Congress, Black Hat Arsenal, BSides, Converge, DerbyCON, GrrCON, OWASP AppSec, THOTCON and Wall of Sheep Village, among others. You can learn more about David from his LinkedIn profile and follow David on Twitter @Dschwartzberg to see what he has to say on the industry and conferences.