Love it or hate it, mobile computing is here to stay. Be it smart phone, tablet, netbook or ultra-portable, society as a whole seems stupidly addicted to information being at the tips of our fingers.
Mobile device sales now seem to outpace population growth. A cool statistic that Padmasree Warrior (@padmasree) wheeled out at a recent Cisco event was that every second 4 babies are born in the world, but in that same second 40 mobile devices are sold! Take a quick look around: how many iPhones, iPads, Android devices, eReaders, etc. are in your household? (I’ve got 3 iDevices alone in my house and both my kids are under 3.)
Brought on by the modern need to be always connected and the “there’s an app for that” approach to mobile computing (social networking, collaboration tools, and other resources being some of these drivers), there is little wonder what “the next target” will be.
Criminals in general will target the best return for their investment, i.e. hit the biggest deployment base via the easiest means in the hope that a percentage of attacks will be successful. It’s called return on investment.
Whilst there are a variety of reasons why this happens, essentially it all boils down to money.
Given the growth of the smart phone deployment base, and the popularity of app stores in general, it makes perfect sense that we are seeing a rise in mobile platform exploits hitting the news. This form of exploit, embedding malicious code in applications that otherwise appear harmless, is certainly low-hanging fruit that is ripe for the picking.
Whilst there is a relatively strong desktop security software market, along with a general heightened awareness when it comes to viruses, malware and even information classification in general, on the mobile computing platform everyone seems to have a laissez-faire attitude.
While many say 2011 is the year of the Cloud, I’m going to suggest it is also the year of the mobile device exploit. I’m willing to bet that a lot of the bigger players out there are thinking along the same lines, as can be seen through some acquisitions and announcements.
- McAfee bought Trust Digital who in turn was acquired by Intel;
- Trend Micro bought Mobile Armor;
- Kaspersky announced their mobile suite.
Always-connected comes at a price. Everyone wants these devices and wants them connected to the corporate network so they can access email, intranet pages and documents, and even remotely manage infrastructure.
I see there being a number of different issues.
- People will bring them in regardless of policy, so how are you going to change your policies?
- How do you provide secure access to the information and resources people need?
Policy – the fix all?
Before you say “but corporate policy disallows the use of XYZ device on the network, so people won’t be connecting or using them”, guess again! I can guarantee that in your organisation people are using the likes of Dropbox and Evernote to get access to the files and information that they need to do their job.
As I’ve said previously
How do you provide secure access?
With the move to an any-device-anywhere model in organisations, this could be a real issue. What happens when a device, corporate or personal, gets compromised?
At this stage this is all up for debate, as the industry hasn’t taken mobile device security seriously enough for long enough. The easiest way to start is by providing the tools that give you as a business control and give your people the access they require.
Open or Closed?
Now there is the debate between open and closed platforms, coupled with open or closed marketplaces, but even closed platforms have vulnerabilities that are exploitable, be it in hidden features or bugs in the code. It does, however, make sense that an open platform with an open marketplace would offer an easier target than a closed one, but as mentioned previously the user base also plays a large part in the overall equation; again, these are early days.
The best choice is to provide the platform so you can control, to some degree, what goes on. Otherwise, look at other measures that will allow functional, secure access to services.
Ultimately the open vs. closed system debate is one that has been raging for years, regardless of the platform. Only time, and statistics, will tell.
What does this mean to Joe Average and the Enterprise? There needs to be a strategy for how you will address this, and one that is flexible enough to take into consideration that this is a fast-changing area.
A good start: your mobile device is a computing device, and at a minimum the same security precautions need to be taken as for traditional computing devices. Arguably, given the device is more susceptible to both “locking down” and being “lost” than a desktop or laptop, some additional device-specific considerations should be taken into account.
Thanks to Ben for critique and edits.