Why mobile security is a systemic problem
- 01 March, 2013 20:15
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
There has been considerable hype around each mobile threat vector that has emerged in the last year, but what's often overlooked is how mobile security is currently approached. What's particularly troubling is how reactionary responses have been to these threats, whether it be from Android apps with major flaws in their SSL implementations or the recent airport VPN Trojan.
One simple truth: the only secure way of handling mobile devices is in a managed way.
But corporate breaches from mobile devices will continue as long as the management warning is considered optional and the likes of Google and Apple are slow to open up their operating systems. As an industry, we must realize that mobile security is a systemic problem. Unfortunately, many mobile technology companies have their initial focus on the consumer market, not the enterprise market.
Simply put, endpoints like personal laptops, PDAs or smartphones remain the weakest points within a security infrastructure. This is precisely why it's downright mind-boggling that organizations allow unmanaged devices on their networks especially considering how many basic security protocols have failed to appear on today's mobile devices.
Consider Android. For a long time it lacked an API for vendors to make calls to the kernel for IPsec VPN clients. This is just one example of how the protocols of secure usage have been ignored. Another concern with Android, in particular, is that different devices are running different versions of the OS. This can cause problems in managing the devices as there are sure to be discrepancies in how certain security functions are implemented or supported. But, many of the mobile vectors that have emerged, or are predicted to hit, could pertain to any and every OS.
After all, it's possible to distribute malicious software on any system, as this malware is typically delivered via social engineering or within a corrupt software package or active web code like Java or ActiveX. On top of this, stealthy exploits, such as session hijacking and identity attacks, easily pave quick paths to gain access to mobile devices. Ultimately, this means there is no substitute for fundamentally robust network security components. Ideally, this should include everything from client device firewalls to IPsec VPNs.
Of course, an important caveat to include here is, even these rigorous security mechanisms aren't failsafe against users ignoring common safety precautions, such as blindly clicking on links or opening suspicious e-mail attachments. This means companies should not take for granted that everyone within the organization is equally savvy about basic technology and security protocols they must continuously educate and reinforce best practices.
[TECH DEBATE: Security training: requirement or boondoggle?]
We're in a period of significant mobile device proliferation at all levels. Yet, the security solutions designed to combat threat vectors can, at best, be described as siloed solutions that fall short of necessary intelligent threat defense not to mention critical security function integration and management functionality. This is not to say these solutions lack sophistication because, in many cases, they are built with superior engineering and the latest technologies. Rather, the issue is that threat detection, mitigation and response requires an integrated and managed approach that is often difficult to obtain, considering the way we currently tackle mobile threats.
For instance, because mobile devices are constantly exposed to different and often hostile public networks, the best of security technologies are barely just enough to deliver a security baseline. Therefore, in the absence of a one-size-fits-all security product, the better approach is to interconnect the siloed, best-of-breed security products and technologies in intelligent ways, focusing on defense-in-depth strategies and powerful threat responses.
IF-MAP, for example, is an open standard that is well-positioned to deliver in this area. IF-MAP provides the possibility to interconnect different IT security systems for an accurate representation of the health status of an IT network. In fact, several security vendors are currently involved in the ESUKOM research project that aims to use IF-MAP to automate security responses to network threats and enforce security policies without human intervention.
Taking a broader view, however, the problem with mobile devices remains a systemic one. In turn, this means everyone needs to be involved in shoring up the security of these devices, all the way from the moment of conceptual design to its implementation, and finally, its use. This shifts the sole burden from IT administrators and shares the responsibility with everyone, from designers, software architects, company management and end users. But more importantly, this prioritizes security in every step of the way, rather than relegating it to a reactionary, retroactive add-on.
Read more about anti-malware in Network World's Anti-malware section.