You often hear the terms “security layers” or “defense in depth”, but what do they mean and how do they apply in the mobile ecosystem?

Both of these terms relate to the same concept of putting in place a number of overlapping security controls from different vendors. So if your organization is attacked, the attacker must breach multiple controls (generally from multiple vendors) to steal information or damage the organization.

In the world of mobile, there are a number of layers present. Although the items within each layer vary significantly between iOS and Android (and the various flavors of Android), the general principle remains the same.

Hardware – Step number one is to ensure that the device is running trusted hardware and that the hardware has not been tampered with. Often devices have specialized hardware for storing secrets and improving encryption mechanisms.

Operating System – Step number two in this model is validating operating system integrity, to ensure that the operating system has not been compromised and still offers its out-of-the-box security controls. It is also vital to keep your mobile OS up to date to avoid exploits that have been made public.

Endpoint Management – The third step is to enroll the device into Endpoint Management in order to configure the device, enforce policies, and gain visibility of device health and the ability to remotely wipe corporate data from the device.

Application – Step number four is protecting applications. At this layer we start dealing with corporate data. Poor implementation of application security may lead to loss of protected health information (PHI), personally identifiable information (PII), or trade secrets, which can result in significant financial damages.

Data Loss Prevention – Step number five overlaps with step number four, leveraging a number of different controls that protect your corporate data to ensure that it cannot be extracted by unauthorized sources from the device.

Analytics – The last step of this model is analytics: gathering data at large scale and looking for risks, issues, threats or anomalies so that threats can be detected before damage is caused.