SAN FRANCISCO — Mobile phones, tablet PCs and other new technologies are poised to take over the workplace, but organizations that hope to secure them before they do so face an uphill battle, according to a symposium on mobile security.
Experts at the half-day mobile security event on Monday warned that security, management and data protection are likely to be pressing problems for organizations of all sizes, as consumer-driven adoption of multifunction mobile devices outstrips the ability of IT organizations to manage and monitor the devices within the workplace.
The event, Mobile Security Symposium 2011, was held in the shadows of the RSA Security Conference and sponsored by consulting firm SRA International. It brought together leading experts on mobile device security from the worlds of academia, government, industry and the technology sector. While malware targeting mobile devices is still a relatively minor concern, other security issues are vexing organizations awash in a sea of unmanaged smartphone and tablet devices, the experts warned.
Mobile device applications are an up-and-coming threat, said Rob Smith, the Chief Technology Officer of Mobile Active Defense. The applications offered on even reputable application marketplaces aren’t vetted for features that could constitute security threats to enterprise data, he said.
“Whitelists and blacklists for mobile devices are useless,” he said. Figuring out the exact functioning of a mobile application is harder than determining whether or not a Web page is malicious. “When you buy Angry Birds, you’re just trusting that there weren’t any ‘angry developers’ working on it,” he told the audience in a panel discussion of Mobile Data Security. In fact, mobile marketplaces encourage users to think that the applications they are downloading have been vetted and are reliable, when the opposite is often true. At stake is, potentially, access to corporate assets and data, he warned.
Security vendors are increasingly recognizing the same issue. Veracode last week expanded its application testing program to include Apple iOS and Google Android devices, while firms like ViaForensics have been sounding the alarm about insecure data management practices in popular mobile applications.
Security vendors have long warned about threats to mobile devices, but the last decade has seen little momentum behind mobile malware – especially when compared with the flood of Windows- and Web-based malware and attacks. But that may be changing.
Cisco Systems predicted that threats and attacks will migrate from Windows and the Web to mobile devices such as Google Android devices and Apple iPhones and iPads in 2011. Such devices increasingly hold sensitive and valuable financial, personal and corporate data, Cisco said.
Organizations need tools to inventory and track mobile devices, as well as enforce policies on them in the same way that they do now for desktop and laptop computers. But those tools, for the most part, don’t exist, says Ward Spangenberg, the Director of Security Operations at social gaming giant Zynga.
While most mobile device operating systems are far more resistant to attacks than the Windows desktop operating system, there’s a shortage of tools to manage them.
“Laptops have mature technology to manage the device, but we’re still playing catch up with mobile devices in terms of being able to manage them,” he said. Zynga, like other employers, has to balance the desire of employees to use the latest mobile devices, like iPads, with the company’s need for security.
“I can’t manage iPads on our network, so they don’t get access,” he said.
Among the issues facing employers is how to manage corporate data like e-mail and files that employees have stored on their mobile devices. In the event of a lost or stolen mobile device, organizations are looking for ways to erase the device in question before thieves can get access to the data.
An even thornier problem arises when employees leave their job or are terminated: companies want to erase their data from that employee’s device, but the employee will be (understandably) reluctant to have the entire device erased.
Smith, of Mobile Active Defense, said that even technology giants like Apple learned that the hard way. An employee of that firm famously lost a pre-release version of the iPhone 4 in a bar, dashing the company’s plans for a surprise unveiling of the new product.
A new breed of firms offers enterprises tools for tracking and enforcing policies on smartphones and other mobile devices, as well as managing data encryption, remote wipe capabilities and more, said Ahmed Datoo, VP of Marketing for Zenprise, which introduced its first mobile management product in 2007. But there are challenges: vendors like Apple and Google insist on managing firmware updates themselves, meaning that mobile device management firms have to turf patching to those vendors.
At the same time, mobile carriers may sport their own flavor of operating systems like Google’s Android – further complicating the job of managing those devices within an IT environment.
Carriers could play a greater role in securing the mobile ecosystem and helping firms manage mobile devices – but that would require them to abandon their proprietary ecosystems of devices and support heterogeneous environments, Datoo said.
Ed Amoroso, CSO of mobile carrier AT&T, agreed that carriers should shoulder greater responsibility for security with mobile devices, but said they face little pressure on the issue in what is still a market driven by consumer demand for cool devices, features and convenience.
“Security is not a differentiator in the mobile market,” Amoroso said. “It’s hard for us in the carrier space, at this point, to make strong statements about security,” he said.
Panelists at the event generally agreed that attention to mobile security will increase along with adoption and threats. The coming months and years will reveal the need for better coordination among carriers, platform vendors and organizations as attacks target and highlight weaknesses in the current mobile ecosystem.