“A huge benefit of mobile devices is the user interface…This is simply how people want to interact with IT systems nowadays…”
–Dr. Martijn Dekker (SVP, CISO, ABN Amro)

There are a number of trends around mobility that make it a distinctly different and new security challenge to consider:

Read the rest of this syndicated post on the EMC Reflections Blog at:
http://reflectionsblog.emc.com/2012/11/securing-the-mobile-enterprise.html

• 

For those interested in reading the entire article, here it is (but don’t dare click away until you have finished this compelling blog): Poor pre-launch showing plagues Windows 8

What we are seeing with the mobility movement is not just about the next shiny new device, and the worry of that device being left in a cab or a restaurant. We are really seeing a fundamental shift in the way IT is consumed, and subsequently secured, and it’s mostly driven by mobile. The graphic above shows the amount of Windows PCs that currently have Windows 8 installed on it compared to Windows 7 at the similar time in its life (Windows 8 ships October 26^th). Now, a difference between a 1.6% share and a 0.33% share may not seem like that much on the surface, but you need to think about the kinds of people that typically deploy early releases of these operating systems.

People upgrading early are not likely to be the consumers of IT services. More often than not, early upgrades are for the development community to build the applications that we all know and love on the next operating system (like how a number of apps were ready for the Retina display when I bought my MacBook pro this summer). Sure, some of this shift between Windows 7 and Windows 8 is due to Apple continuing its dominance in the laptop market and more applications moving to OSX. But a lot of this discrepancy is also due to the mobility movement and the shift of IT consumption to iOS and Android devices rather than traditional PCs.

The new SBIC report, “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices”, highlights these shifts. Consider these quotes:

Roland Cloutier (VP, CSO, ADP) – “Mobile apps have the power to increase organizational agility…No matter where someone is in the world, they can manage their workflow around anything…”

Dr. Martijn Dekker (SVP, CISO, ABN Amro) – “A huge benefit of mobile devices is the user interface…This is simply how people want to interact with IT systems nowadays…”

This shift in how IT is consumed can have a dramatic effect on the security world. It also pushes the importance of mobile beyond just protecting the endpoint from a lost/stolen scenario, and actually makes it an even bigger problem around how you authenticate users and federated identity in a non-Windows, web-based world.

Considering this, there are a number of trends we have come up with around mobility that make it a distinctly different and new security challenge to consider:

BYOD: This is a marketing term, but the fact that devices are either personally owned (or treated as personal devices) has serious implications. First and foremost, enterprises have lost control of the endpoint image, which creates an issue around enforcing agents or installing security patches. Many enterprises are struggling just to get users to install MDM on their devices, let alone deeper agents like anti-virus or malware forensics agents to protect against advanced threats. In addition to the lost endpoint control, BYOD also creates a problem about when and how enterprise policy is applied. Obviously when a device belongs to an individual there is an expectation that enterprise rules are only being applied when working, but this is starting to be the case even when enterprises provide devices for users, especially in phones. For example, EMC purchases our phones for us, but I still treat that device largely as a personal device. It’s my only cell phone (my only phone at all, in fact), and I have a number of personal apps loaded on it. The simple fact that I carry it all day everyday means that a large percentage of the time it will be in use for personal reasons. This forces enterprises to think about applying security policy in only enterprise scenarios, not on the entire device. This is one example where MDMs tend to come up short.

Off Network: Network visibility is a drug to security teams. Its needed more than anything else to understand what users are doing and when they are doing it. That is the reason why so many advanced threat tools today are network-based monitoring tools. Unfortunately, in the mobile world, enterprise networks don’t have to be touched all that often. For phones, just about all of the network connectivity goes across carrier networks, and its only when the phone asks the enterprise for some information that the enterprise can monitor it. As soon as the data gets to the device – you’ve lost visibility from a network perspective (picture a sensitive piece of content being uploaded to Dropbox from a mobile device). The use of cloud services only exacerbates this problem, because then you have disconnected endpoints (that enterprises don’t own) connecting to cloud services (that enterprises don’t own). Nowhere in that interaction does the enterprise network see the traffic.  That lack of visibility can be troublesome for security teams.

“Chatty” Interaction Model: This is always a tough trend to explain, and the term “chatty” has been the best way I have been able to describe it. Basically, what it boils down to is the fact that mobile users have very frequent context shifts between work and play. The best way to illustrate this is email and calendar. Just a few years back, if I wanted to check my email at night or see what time my morning meetings were, I needed to boot up my laptop (which likely was a 10 minute process), open my VPN client, usually respond to a two-factor authentication challenge, and then open Outlook. The Blackberry (remember that?)  changed all of that. It gave quick access to email and calendar without the need for VPN. That began the blurring of work/play. iPhone and Android brought in more play to these devices, and what we are left with is a consistent flip between work/play throughout the day. You might check email, make a quick response, and then hop onto your Facebook app right after that. That switching does not provide good areas for strong authentication, and blurs the line as to when enterprise security policy should be applied.

Web/Federated Access Model: This one is mostly driven from the “app” economy Apple created and the chipping away of Microsoft’s dominance in the enterprise. More and more cloud services are being used for enterprise purposes (Google Apps, Salesforce, Box, Office 365, etc), and each of them make use of web-based authentication standards. As enterprise app development evolves, more and more things will be developed in the mindset of  “mobile first” (see Microsoft graphic above). That will push more traditional enterprise authentication and identity management into a web standards world.

Fighting against these trends isn’t the wisest idea. Apple has shown that consumers have an awful lot of control around enterprise IT policy. But you still need effective ways of delivering security. Fundamentally, you still need to secure data, secure identities, and get threat visibility, but you need to do it while working within these trends and not trying to push the old model on the new.

The SBIC report on mobility that I mentioned earlier gives a great overview of the security options available to enterprises today, including MDM, application containerization, enterprise authentication, and application malware detection. Specifically, the report calls out the need for MDM, but cautions against the over reliance on MDM as a security solution. Consider the quote from Marene N. Allison (Worldwide VP of Information Security, Johnson & Johnson), “…If you talk to security professionals at this point we just settle on MDM. It’s not like we can get all of the features we want yet. MDMs are still too immature.”

The overall mobile management market is maturing beyond just device management into application and data management, which allows for granular policy enforcement and network connectivity into enterprise apps. These management products will ultimately encompass the next generation security infrastructure in mobile, similar to the way VPNs made up the traditional remote access infrastructure. Strong authentication methods, especially those that rely on risk-based methodology, as well as data security and threat forensics will be layered on top of these infrastructure components to create a true mobile security stack that can take much of the mystery out of BYOD.

• 

Clearly in the past it was the mobile carrier. Phones were essentially customized at will by the carrier and they were able to control much of the service pipeline related to that mobile user. The first real blow to that environment was RIM with the Blackberry. RIM’s architecture allowed them to act as an intermediary on the network and provide a number of business and security-related services to enterprise customers. For this, service enterprises paid large amounts in data fees to carriers, who passed some of that along to RIM for paving the way. Then along came Apple, who as they usually do, flipped the model on its side by not allowing the carrier any access to customize their device. Apple would be in charge of everything on the phone, especially which applications and services are exposed to the user. As we know, that model became pretty popular, and the carriers have never been the same since.

But Apple doesn’t control the entire world (I think). It’s worth taking a look at a few layers to see who really has the advantage in a mobile world.

Applications

Applications make the mobile world go round. The vast popularity of smartphones lies in their ability to run applications well. Even the Blackberry became popular because of its delivery of an application near and dear to every enterprise user: email. Mobile carriers like to tell you they own a portion of the application ecosystem. And they do, it’s just a small, insignificant portion. First off, they aren’t even allowed to host app stores for iOS devices. Second, even in areas where they are (like Android), they are well behind the Android Market and other third party application marketplaces like Amazon. Customers just don’t think to go to the carrier for applications anymore, which is a bit surprising since only five years ago they were the only place you could go. So even though carriers have the ability to pre-load their own apps as Android devices walk out the door, the first thing most users do is toss those apps aside and download the coolest thing from the Android Market. Advantage: OS Providers (Apple, Google, Microsoft)

Hardware

A lot of things can’t be done without access to the hardware of the device. As much as we rely on our devices for multi-purpose use, they still are phones and providing a true rich application experience on them requires special knowledge of optimizing the hardware. In addition, layering in certain value-added services like mobile payments or security requires some ownership of the underlying hardware. The chip manufacturers certainly have an advantage here, since they can begin to layer in a number of features directly into the chips (especially security: see Intel and McAfee), but the carriers also have a footprint by having some input over specific device characteristics. Unfortunately for them, that footprint is rapidly eroding as well. Apple already owns the entire hardware pipeline as I mentioned before, and I have to imagine Google will start going down that path with the acquisition of Motorola. Sooner or later Microsoft will make a big move (above and beyond their partnership with Nokia) in the mobile hardware space if they start to see traction with their mobile strategy. Again, I’m afraid the carriers are losing ground. Advantage: Apple and Google

 Network

This is where the magic happens for the carrier. There is one true differentiator that no one else can touch in this space, and that’s the fact that the carrier owns the data network around these devices, and the more they get used for things other than voice the more strategically important that network becomes. Enterprisecustomers are becoming increasingly reliant on mobile networks for business use, which drives up the value of the carriers themselves and also gives them access to all sorts of data about user patterns and behavior. Google has certainly become successful leveraging data like this. The problem for the carriers is that they have certain regulations restricting their use of subscriber data, which limits their overall capability in this space. Either way, since they own the pipe they have the ability to layer in a number of services that are traditionally provided by the enterprise network (especially security). All of this becomes even more critical now that Blackberry is falling out of favor and enterprise users are no longer going through RIM’s secure NOC for access to data. Advantage: Carriers.

Bottom line: Carriers are scrambling a bit because they have lost a ton of user mindshare in the smartphone space. OS vendors like Apple, Google, and Microsoft are much better positioned to offer and monetize services to end customers without carrier involvement. However, in the enterprise space, the network is a critical enforcement point, and I fully expect the mobile carriers to leverage their footprint here more and more in the future.

• 

We are witnessing a technology revolution much like what we saw in the late 90s, when businesses and consumers were first learning the power of the Web and everything that it can be used for. Within this massive shift in endpoint devices there is also a rolling thunder of change to the traditional security landscape. And not surprisingly, mobile security is often a few steps behind the curve as the industry rushes to catch up with business requirements.

Mobile changes security in a myriad of ways, including how enterprise users are authenticated, how devices are treated as secure corporate assets, how personal use can be siphoned off from corporate usage, and how payment security is handled, just to name a few. All of this has an impact on existing security architectures, and for sure a number of new techniques will emerge to solve these challenges.

Throughout this blog I’ll be touching a number of subjects related to mobile security, including providing as much detail as I can in regard to RSA’s approach and strategy. This will no doubt touch the various security products that RSA is known for (i.e. authentication), but also move into a number of areas on the fringe that could present new and emerging opportunities in mobile. 

Stay tuned for more on mobile…

•