How the mobile security landscape is changing [Q&A]
As our mobile phones become increasingly central to both our personal and working lives, securing them and the data they hold has become paramount. The nature of the mobile space means that threats are more dispersed and change fast, so traditional security solutions are struggling to cope.
How does this change in the security landscape affect businesses who may be faced with supporting a range of different devices and operating systems thanks to BYOD policies? We spoke to Gert-Jan Schenk, VP for EMEA at mobile security specialist Lookout, to get his view.
BN: There are lots of really affordable Android devices available now, many of which don't use Google Experience. What challenges do these pose for business?
GJS: Because of BYOD, enterprises' mobile footprints are no longer homogeneous -- it's not a Blackberry-only world anymore. Now, the devices that an IT department must take into consideration include Android, iOS, and Windows. But things have gotten a bit more complicated recently with the development and growing popularity of non-Google Experience devices and OSs like Cyanogen and Xiaomi.
These devices and OSs offer flexibility and customization along with a low-cost rate -- with this appealing proposition, you can only expect user numbers to increase. Already, an estimated 50 million users are using the open source Cyanogen OS on their smartphones.
If you're an enterprise, this changing landscape means one important thing: these new devices, which you're not used to seeing, are soon going to start popping up on your network as employees bring them through the front door, and they present new security challenges.
For example, on a Google Experience device, because there is such brand recognition, there is more expectation that the devices and the apps running on them are vetted by Google, the manufacturers, the carriers, or some combination of the three. The majority of apps downloaded on these devices are also by default funneled through Google Play. Non-Google Experience devices introduce much more fragmentation. When using these devices, apps can be downloaded from a variety of sources including unvetted third-party app stores. These stores are generally much less-regulated environments where "shadier" apps can exist unchecked.
BN: Shouldn't the onus on security of business data be with the network rather than the device?
GJS: Look no further than the recent example with XcodeGhost for proof that security needs to be implemented at the device level as well as the network.
Knowledge is key and having visibility into whether a potentially risky app or vulnerable device has entered your corporate network gives you the power to make fast remediation decisions. Within 24 hours of XcodeGhost being discovered, Lookout enterprise users were protected.
Visibility will become even more instrumental as new devices begin to enter the workplace, as we are seeing with Cyanogen. Traditional network security, device security, application security, and app vetting, all need to work toward one common goal: a safer corporate network and protected personal data.
BN: What do enterprises need to do to assess the risk of embracing BYOD?
GJS: One of the biggest risks that enterprises actually create is not embracing BYOD. We call this 'Shadow BYOD,' when a company doesn't think they have a BYOD program but in fact, employees are doing corporate work on their smartphones anyway. This becomes an issue of unmanaged personal devices connecting to the network and accessing corporate data.
I know I sound like a broken record, but visibility and protocol are really key here. Organizations must have sight of the devices connecting to their network. That means having a simple but clear BYOD policy, and ideally tools like MDM so that patches can be rolled out quickly and easily. Secondly, and this is the area that still needs work today, organizations must understand that it's impossible to track and have visibility of all threats yourself, which is why it's important to have a security partner.
BN: How can admins spot potentially risky apps or vulnerable devices, such as jail-broken phones, especially as the OS space becomes more fragmented?
GJS: Let's dig into jailbreaking as an example of how IT admins can deal with security in the fragmented mobile market.
Did you know that an estimated 7.5 percent of all iPhones -- amounting to more than 30 million devices worldwide -- are jailbroken? Jailbreaking a device is very tempting to many; who wouldn't want access to a whole new world of apps, easier international travel, and more control over their phone?
Jailbroken devices create a major enterprise risk given their ability to run apps developed outside of Apple's review, which may be malicious or contain vulnerabilities. Jailbreaking removes the normal signing certificate checks that prevent these apps from executing and gives them unrestricted access to the device, including the ability to use undocumented APIs that Apple otherwise prohibits. These private APIs can empower apps with a wide range of dangerous capabilities on jailbroken devices, such as the ability to install or launch additional code or collect location data without notification.
One of the other security implications with jailbreaking is that it often requires a person to downgrade some of the security settings in the stock version of iOS in order to make the jailbreak work. People who don't know what they're doing may not know how to reinstate some of those security settings to ensure their jailbroken device is protected post-jailbreak.
If a device has been jailbroken or rooted then your existing security investments can be rendered ineffective. While most MDM/EMM solutions claim to provide jailbreak/root detection, they are not always effective due to the nature of the attack targeting the kernel of the OS.11. Lookout's Mobile Threat Protection identifies devices that have been rooted or jailbroken, even if they bypass MDM detection.
BN: Doesn't part of the solution rely in educating users rather than relying on technology?
GJS: You need both, but you can't rely completely on employee education. You need to supplement it with technology.
Employees are obviously in control of what they click on, download, or install. If you educate them to be highly security-conscious and suspicious of everything, there would be a significant reduction in the number of security breaches.
But the bad guys will keep innovating and finding new and more clever ways to target users. A sound security or BYOD strategy should never take a leap of faith that the end-user will operate with caution 100 percent of the time, or be able to keep up with attacker innovation as quickly as the security technology providers.
BN: Will there always be a trade-off between security and the convenience of mobile access?
GJS: Forward-thinking organizations have today recognized the need to embrace mobile devices in the workplace, due to enhanced worker productivity, increased revenues, and reduced device and data expenses.
At the same time, if employees are not provided access to the mobile tools they want, they are likely to adopt their own productivity tools, which can put sensitive data at risk. We have all come to expect a great user experience on our mobile devices. If IT-provided solutions are too hard to use or too obtrusive on user privacy, you can bet that employees will not be utilizing them.
As businesses look to securely enable their organization's mobile productivity, it is especially important that they also select mobile security solutions that meet the high standards of today’s mobile consumer. Overall, one of the biggest hurdles we see when it comes to having employees actually adopt these technologies is usability. If you make the protection or enforcement too complex or if it requires heavy lifting at all for the end user, you greatly increase the risk that the employee won't use the protection or that they'll figure out a workaround.