Mobile Communications

Anil Parambath (Global): Mobile Security - Control the Data, Not the Device

At the end of 2011, there were 6 billion mobile subscriptions, estimates the International Telecommunication Union (2011). That is equivalent to 87 percent of the world population, and a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009. Mobile subscriptions in the developed world have reached saturation point, with at least one cell phone subscription per person. This means market growth is being driven by demand in the developing world, led by rapid mobile adoption in China and India, the world's most populous nations.

Industry analysts tell us that within the next five years more people will connect to the Internet via mobile rather than a PC.

Which raises the question: How is security different on mobile devices than on computers? This has been a wakeup call to mobile security experts, who now realize they are operating in a new world. The days when the enterprise could feel comfortable behind vague security assurances are over. Employees are demanding – or simply finagling ways – to use devices such as iPads and Android-based phones to log into the corporate network. IT administrators are being left to deal with this, whether they know how to handle the devices or not.

The security of mobile devices opens up a new paradigm of challenge for enterprise IT. To keep up with the fast-moving nature of threats in the PC world, IT administrators use tools to try to lock down devices and networks. A fair modicum of security is managed through multiple levels of physical, network and device security controls. These controls break down or are no longer possible in the case of mobile devices, as discussed below.

•    Control of the network: Mobile devices have multiple modes of network access and can access the internet over the wireless provider network, which is not controlled or tracked by IT, while at the same time being connected to the local network over wifi. A rogue application on the device can potentially be connecting to an external site and transferring sensitive information, and may never be tracked by regular detection mechanisms.

•    Control of the device: Enterprises are forced to allow employees to bring their own devices, and even when the devices are owned by the organization, it is difficult to control them due to limitations imposed by the device manufacturers. These issues may be worked around by expensive MDM tool implementations, but the control provided is still limited. Being a personal productivity and communication device, it is difficult to prevent the user from installing third-party applications.

Platform Sprawl

In the case of PCs, management was made easier by the fact that the OS platforms were limited primarily to Windows, with Mac having a minor share. The smartphone world has at least two major platforms in addition to Blackberry and the upcoming Windows platform. The Android platform is further fragmented by the various device manufacturers. Tracking updates to these platforms and supporting them is an enormous challenge, and is not even fully supported by the MDM tool manufacturers. For enterprises in Asia, this is made more challenging by the fact that quite a large percentage of devices are jailbroken or made by small-time manufacturers where the OS has been customized but not necessarily well tested.

The risks go beyond mobile phones. Terminal-based mobile devices bring a slew of vulnerabilities. These devices range from the inventory trackers that drivers use to touch base with logistics centers to the mobile credit card scanners that are increasingly popping up at shops to let customers buy on the spot rather than lugging shopping carts into check-out lines. If the organization manages the device directly, it is necessary to custom-harden the devices to ensure security. In the case of mobile payment systems, most of the device owners would be SMBs, which hence require multi-layered security controls including user education, fraud monitoring, instant transaction summary feedback and reporting, multi-level authentication, and location and app control mechanisms.

In areas where organizations transact with their customers, such as mobile banking, member services etc., the challenges are different. Anti-virus/firewall products for mobile phones are yet to mature, or are not available on some platforms. Hence consumers are left to their own methods to manage their device security. Here again a multi-layered approach of educating the consumer, tracking and fraud detection mechanisms, and location and app monitoring is required. Avoid storing data on the device and have multiple levels of authentication, including non-intrusive factors such as device IDs, location etc. Two-factor authentication and the ability to block a stolen device are critical in the case of consumer applications.

To summarize, managing security and controlling mobile devices requires a different approach. Rather than trying to control the device, which is not practical at the present level of maturity of both the platforms and the device management tools, try to control the data and the functionality accessed by the device. Ensure that only required data is exposed after multiple levels of authentication, and that the data is either wiped clean after use or encrypted on the device. This means that development teams will have to take responsibility for security controls while building mobile applications, and also have a testing strategy to ensure security. IT administrators will have to build oversight and monitoring mechanisms to ensure this.
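The "control the data, not the device" approach described in the consumer-application paragraph and the summary can be sketched as a server-side access decision. This is an added illustration, not code from the article or from CSS Corp; the user, device and country values are constructed, and the tiering and step-up rules are hypothetical. It combines the primary credential with the non-intrusive signals the article names (device ID, location), requires a second factor when those are unfamiliar, exposes only the data tier the decision allows, and supports blocking a reported-stolen device.

```python
from dataclasses import dataclass

# Constructed sample enrolment data (hypothetical): devices a user has
# registered and the country they normally transact from.
ENROLLED_DEVICES = {"alice": {"dev-111"}}
USUAL_COUNTRY = {"alice": "IN"}
BLOCKED_DEVICES = set()

# Data tiers: the device is only ever sent the fields its tier allows,
# so nothing beyond the required data leaves the server.
TIER_FIELDS = {
    "none": [],
    "basic": ["account_name", "balance_masked"],
    "full": ["account_name", "balance", "recent_transactions"],
}


@dataclass
class AccessRequest:
    user: str
    password_ok: bool     # primary credential already verified upstream
    device_id: str
    country: str
    otp_ok: bool = False  # second factor (e.g. OTP) presented and valid?


def block_device(device_id):
    """Mark a reported-stolen device so every later request from it is denied."""
    BLOCKED_DEVICES.add(device_id)


def decide(req):
    """Return (decision, fields): decision is 'deny', 'step_up' or 'allow'."""
    if not req.password_ok or req.device_id in BLOCKED_DEVICES:
        return "deny", TIER_FIELDS["none"]
    known_device = req.device_id in ENROLLED_DEVICES.get(req.user, set())
    usual_location = req.country == USUAL_COUNTRY.get(req.user)
    # Device ID and location are non-intrusive factors: when both are
    # familiar, the password alone unlocks the full data tier.
    if known_device and usual_location:
        return "allow", TIER_FIELDS["full"]
    # Anything unfamiliar needs the explicit second factor for full data.
    if req.otp_ok:
        return "allow", TIER_FIELDS["full"]
    # Until then, expose only the minimal tier and ask the app to step up.
    return "step_up", TIER_FIELDS["basic"]
```

The app on the device renders only the fields returned, and is expected to discard them when the session ends rather than caching them locally.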

In the new mobile enabled enterprise, security and IT administrators will need to redefine their roles and be innovative about managing mobile devices.

By Anil Parambath, Vice President - Development and Testing Services at CSS Corp

