What To Do?
I recently read that Xiaomi is coming out with high-end phones in the U.S. at a fraction of the cost of Apple and Samsung devices. While these phones have proven their worth overseas, in the U.S. there is a ton of opposition to using them.
Of course, a cost-conscious COO (and, inevitably, CEO) will see the same features, apps, and options in a $150 phone as in the $1000 phone they currently buy, and will push, HARD, for the cheaper option. They will not care about the security and will tell you to “figure it out”.
So what do you do?
The Options Are Not Great
The problem with phones is that they are mobile: they can be attacked anywhere, and they store and transmit sensitive data at any time, so conventional perimeter-based security measures fail. Mobile Device Management (or its new flavor, Enterprise Mobility Management) works to some degree, but it is extremely hard to implement, tends to be incredibly disruptive to users, and quite often drains batteries and degrades phone performance. Probably not what you need from your users – more complaints.
The recent reality of IoT being more than a bunch of sensors has led to new innovations in remote-based protection, but many of these options are not readily applicable here. In many cases, the “new” security option is a regurgitation of older, conventional options. Included here are the smart routers/hubs, which are eerily similar to the hardware options prevalent in the early 2000s. Others try to provide application-level protection (really, how is that new?) and containerization, which is the surest path to angering your user base.
There are other options coming out that are much more transparent, but these have their own risks. Most applicable to this case are the efforts by the mobile manufacturers to build in their own low-level protection. Yet, especially in the case of Xiaomi, how do you trust security built by a vendor you do not trust?
What you really need is a security solution that is transparent to your users, provides you with complete control, and does so in a manner that reduces complexity to readily understood options. You do not need to know port numbers, packet lengths, or encryption key lengths. You need to be able to set a rule that says “do not transmit data to China” and be done with it.
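To make the kind of rule described above concrete, here is an added example (not code from the original post or from any vendor it mentions) of a tiny policy evaluator: country-level rules written in plain language are checked against outbound flow records from managed phones, and any flow the policy denies is reported as a violation. The prefix-to-country table, the rule grammar, and the flow log lines are all constructed for illustration; a real deployment would use an actual IP geolocation feed and the export format of its own gateway or MDM.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefix-to-country table using documentation ranges.
# This is NOT real geolocation data; a production tool would load a
# maintained IP-to-country database here (an assumption of this example).
PREFIX_COUNTRY = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}
_NETWORKS = [(ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY.items()]


def country_of(ip: str) -> str:
    """Map a destination address to a country code, or UNKNOWN if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, country in _NETWORKS:
        if addr in net:
            return country
    return "UNKNOWN"


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    country: str  # ISO country code, "UNKNOWN", or "*" for any destination


def parse_rule(text: str) -> Rule:
    """Parse a human-readable rule such as 'deny transmit to CN'."""
    parts = text.split()
    if (len(parts) != 4 or parts[0] not in ("allow", "deny")
            or parts[1] != "transmit" or parts[2] != "to"):
        raise ValueError(f"unrecognised rule: {text!r}")
    return Rule(parts[0], parts[3].upper())


def evaluate(rules, dst_ip: str):
    """Return (action, country) for a destination; first matching rule wins.
    Nothing matching falls through to deny, so a policy with no catch-all
    never silently permits traffic."""
    country = country_of(dst_ip)
    for rule in rules:
        if rule.country in ("*", country):
            return rule.action, country
    return "deny", country


def parse_flow(line: str):
    """Parse a constructed 'key=value' flow record into (device, dst, bytes)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["device"], fields["dst"], int(fields["bytes"])


def audit(rules, flow_lines):
    """Return the flows the policy denies as (device, dst, country, bytes)."""
    violations = []
    for line in flow_lines:
        device, dst, nbytes = parse_flow(line)
        action, country = evaluate(rules, dst)
        if action == "deny":
            violations.append((device, dst, country, nbytes))
    return violations


# The policy an administrator would write: deny China, deny anything we
# cannot place, allow the rest. Order matters (first match wins).
POLICY = [parse_rule(r) for r in (
    "deny transmit to CN",
    "deny transmit to UNKNOWN",
    "allow transmit to *",
)]

# Constructed flow records, as an MDM or egress gateway might export them.
SAMPLE_FLOWS = [
    "device=phone-01 dst=203.0.113.7 bytes=5120",   # CN: denied
    "device=phone-02 dst=198.51.100.5 bytes=880",   # US: allowed
    "device=phone-03 dst=10.9.8.7 bytes=42",        # unmapped: denied
    "device=phone-04 dst=192.0.2.9 bytes=2048",     # DE: allowed
]

if __name__ == "__main__":
    for device, dst, country, nbytes in audit(POLICY, SAMPLE_FLOWS):
        print(f"VIOLATION {device} -> {dst} ({country}), {nbytes} bytes")
```

The point of the structure is that the administrator only ever touches the three rule strings; the address-to-country lookup, the default-deny fall-through for unmapped destinations, and the log parsing are hidden behind them, which is exactly the reduction in complexity the paragraph asks for.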