Information Security

Posted Jun 15, 2009 | By: Craig Mathias, contributing writer

The security risks of mobile computing

Mobile security threats come in many forms, and they are rapidly evolving. Many enterprises now have mobility at the center of their IT strategy, and it will serve you well to put new emphasis on your mobile device security strategy.

This is perhaps easier said than done, however. A good number of issues take on new relevance when the device of choice is a handheld device rather than a PC. Today's smartphones really are PCs, with operating systems, storage, applications, and wireless access to enterprise networks. IT is actually replacing some of its users' PCs with a smartphone equipped with wireless broadband, a desktop-class browser, the ability to read and even edit office-suite files, and lots of storage for any kind of data. Getting the security element right the first time is more important than ever in this mobile environment.

Let's consider how mobile security threats figure in the world of smartphones by looking at a few common threats:

  • Mobile malware and viruses: Given the complexity of modern mobile operating environments, the same criminal apps that we've seen for many years on PCs can now plague handsets. Fortunately (so to speak), the socially challenged techno-nerds that produce this nonsense have seen fit to focus mostly on Windows. But as mobile device platforms become more common, this threat is clearly real. And it's not just a question of platform stability – the real issue for the enterprise is theft of sensitive information. In this era of Sarbanes-Oxley, the challenge here should give pause to everyone, from users in the field to the CEO.
  • Eavesdropping: Carrier-based wireless networks have good (but not, of course, perfect -- there is no such thing) link-level security, but, as is the case with PCs, end-to-end, upper-layer security is required for sensitive data. This means that data that an enterprise wants to protect should appear in the clear only to authorized users. Given that data on smartphones is seldom encrypted, and few users actually secure (authenticate) access to their devices, this is another threat that needs to be taken very seriously.
  • Unauthorised access: This isn't a problem unique to wireless, of course, but as an ever-greater number of enterprise users make access from the road their primary means of staying connected, careful attention needs to be paid to AAA – authentication, authorization, and accounting. But setting up this capability on smartphones can be daunting, and two-factor authentication, which we always recommend, is not widely available today. And yes, even firewalls and intrusion-prevention techniques are important on today's smartphones.
  • Physical security: Finally, while many notebook computers are indeed lost or stolen every year, it's a lot easier to simply misplace a mobile device. Just for starters, hundreds of thousands of these have been left in the back of taxis around the world. A few unauthorized offshore phone calls could really irritate your CFO, to say nothing of the potential for the compromise of corporate secrets.

And all of these are further complicated by the double-duty personal/business use that is typical of today's smartphones. More often than not, in fact, enterprises allow -- perhaps most often by not explicitly prohibiting -- the use of personal devices for corporate functions. Since a personal smartphone isn't managed by the enterprise, it is clearly an invitation to trouble. As the saying goes, you can't manage what you can't secure, and you can't secure what you can't manage.

Fortunately, the tools for dealing with these threats are finding their way to the smartphone. Again, your work is never done here, but it is possible to define and deploy the elements necessary to make handsets as secure as their PC counterparts. Next time, we'll look at the key classes of solutions to these mobile security threats.




Copyright © 2010 Westwick-Farrow Pty Ltd. All rights reserved.