SAN FRANCISCO — Mobile phones, tablet PCs and other new technologies are poised to take over the workplace, but organizations that hope to secure them before they do so face an uphill battle, according to a symposium on mobile security.

Experts at the half-day mobile security event on Monday warned that security, management and data protection are likely to be pressing problems for organizations of all sizes, as consumer-driven adoption of multi-function mobile devices outstrips the ability of IT organizations to manage and monitor the devices within the workplace.

The event, Mobile Security Symposium 2011, held in the shadows of the RSA Security Conference and sponsored by consulting firm SRA International, brought together leading experts on mobile device security from the worlds of academia, government, industry and the technology sector. While malware targeting mobile devices is still a relatively minor concern, other security issues are vexing organizations awash in a sea of unmanaged smart phone and tablet devices, the experts warned.

Mobile device applications are an up-and-coming threat, said Rob Smith, the Chief Technology Officer of Mobile Active Defense. The applications offered on even reputable application marketplaces aren’t vetted for features that could constitute security threats to enterprise data, he said.

“Whitelists and blacklists for mobile devices are useless,” he said. Figuring out the exact functioning of a mobile application is harder than determining whether or not a Web page is malicious. “When you buy Angry Birds, you’re just trusting that there weren’t any ‘angry developers’ working on it,” he told the audience in a panel discussion of Mobile Data Security. In fact, mobile marketplaces encourage users to think that the applications they are downloading have been vetted and are reliable, when the opposite is often true. At stake is, potentially, access to corporate assets and data, he warned.

Security vendors are increasingly recognizing the same issue. Veracode last week expanded its application testing program to include Apple iOS and Google Android devices, while firms like ViaForensics have been sounding the alarm about insecure data management practices in popular mobile applications.

Security vendors have long warned about threats to mobile devices, but the last decade has seen little momentum behind mobile malware – especially when compared with the flood of Windows- and Web-based malware and attacks. But that may be changing.

Cisco Systems predicted that threats and attacks will migrate from Windows and the Web to mobile devices such as Google Android devices and Apple iPhones and iPads in 2011. Such devices increasingly hold sensitive and valuable financial, personal and corporate data, Cisco said.

Organizations need tools to inventory and track mobile devices, as well as enforce policies on them in the same way that they do now for desktop and laptop computers. But those tools, for the most part, don’t exist, says Ward Spangenberg, the Director of Security Operations at social gaming giant Zynga.

While most mobile device operating systems are far more resistant to attacks than the Windows desktop operating system, there’s a shortage of tools to manage them.

“Laptops have mature technology to manage the device, but we’re still playing catch up with mobile devices in terms of being able to manage them,” he said. Zynga, like other employers, has to balance the desire of employees to use the latest mobile devices, like iPads, with the company’s need for security.

“I can’t manage iPads on our network, so they don’t get access,” he said.

Among the issues facing employers is how to manage corporate data like e-mail and files that employees have stored on their mobile devices. In the event of a lost or stolen mobile device, organizations are looking for ways to erase the device in question before thieves can get access to the data.

An even thornier problem arises when employees leave their job or are terminated: companies want to erase their data from that employee’s device, but the employee will be (understandably) reluctant to have the entire device erased.

Smith, of Mobile Active Defense, said that even technology giants like Apple learned that the hard way. An employee of that firm famously lost a pre-release version of the iPhone 4 in a bar, dashing the company’s plans for a surprise unveiling of the new product.

A new breed of firms offers enterprises tools for tracking and enforcing policies on smart phones and other mobile devices, as well as managing data encryption, remote wipe capabilities and more, said Ahmed Datoo, VP of Marketing for Zenprise, which introduced its first mobile management product in 2007. But there are challenges: vendors like Apple and Google insist on managing firmware updates themselves, meaning that mobile device management firms have to turf patching to those vendors.

At the same time, mobile carriers may sport their own flavor of operating systems like Google’s Android – further complicating the job of managing those devices within an IT environment.

Carriers could play a greater role in securing the mobile ecosystem and helping firms manage mobile devices – but that would require them to abandon their proprietary ecosystems of devices and support heterogeneous environments, Datoo said.

Ed Amoroso, CSO of mobile carrier AT&T, agreed that carriers should shoulder greater responsibility for security with mobile devices, but said they face little pressure on the issue in what is still a market driven by consumer demand for cool devices, features and convenience.

“Security is not a differentiator in the mobile market,” Amoroso said. “It’s hard for us in the carrier space, at this point, to make strong statements about security,” he said.

Panelists at the event generally agreed that attention to mobile security will increase along with adoption and threats. The coming months and years will reveal the need for better coordination among carriers, platform vendors and organizations as attacks target and highlight weaknesses in the current mobile ecosystem.


Comments (3)

  1. Mike
    1

    I read a study a while back that stated the average cost to replace a missing or stolen laptop neared $50,000.00. This took into consideration replacement costs, downtime, legal and administrative issues, as well as the potential loss of sensitive corporate information.

    Another study found that during a 6 month period, over 3000 laptops were left in taxicabs in London. Now, compare that to the 55,000 left in the cabs over the same 6 month period.

    As smart phone technology increases, as smart phone adoption increases, as access to sensitive enterprise data with these devices increases, the potential for loss becomes staggering.

    Organizations MUST have strong policies in place in order to combat this potential loss.

  2. Ada Ho
    3

    This is a wonderful rundown of the importance of mobile device management tools. With the growth of mobile, companies will need to secure the devices in the same way that they secure business computers and laptops.

    Assuring these devices remain safe is in the best interest of the enterprise, especially with the growth of the cloud and the ability to access information from anywhere at any time. If one employee has a phone that’s not secure and up-to-date, company information could fall into the wrong hands very quickly. The ability to protect that data will fall onto the IT manager at companies, and providing a solid mobile device management tool will help that person keep everything secure.

    Ada,
    Absolute Software

    http://blog.absolute.com/
