Thursday, October 5, 2017

Mobile Security: Focusing On What's Important

Often, it's what we don't know that gets us in the most trouble.

Conventional wisdom regarding mobile security in many enterprises is that it's not an urgent requirement. Many enterprises have convinced themselves that it's sufficient to implement policies to ensure that users don't root or jailbreak their phones, and that they only download apps from an official app store. With such policies in place, the CISO's mental image of their mobile security posture might look like this:



In actuality, their mobile security policy probably looks more like this:


The good news is the gate is closed--and locked! And, per security best practice, the policy is publicly posted (Keep Gate Closed). Luckily, due to the security of Android and iOS, the mobile device is probably secure, as is the data on the device--despite the incompleteness of the mobile security controls.

But what about the data that leaves the device? How well is it protected by the locked gate?

Not very well, unfortunately. Most mobile devices and their apps send considerable amounts of data into the cloud, and it's not obvious to most enterprises what data leaks from mobile devices into the wild--and how effectively the data is secured in the cloud. App developers have a financial incentive to report location and other personal data to ad networks, marketing frameworks, and apps' back ends when aggregation or persistent storage is required. Personal data might include device identifiers, phone number or email address, calendar and contact info, and app-related usage information. Ad networks are relentless in collecting as much data as possible to support the real-time bidding (RTB) process for mobile ad placements. And while most of this data leakage is privacy related, some can be used to inform an enterprise attack.

Meanwhile, we obsess over whether Face ID is better than Touch ID, and lament that the iOS 11 control center doesn't fully disconnect Bluetooth and WiFi. We breathlessly follow headline after headline making us scared over malware campaigns in Asia that, truth be told, represent little threat to the enterprise--in the unlikely event an employee's phone is infected (the employee, though, has plenty of reason to worry).

Multiple vendors have developed Mobile Threat Defense (MTD) solutions that address mobile security issues, each with their own unique focus. The MTD market is still in its infancy, and only a small percentage of enterprises have adopted and fully operationalized a solution. MTD solutions don't readily fall into typical enterprise security paradigms, and of course they compete for scarce dollars and security staff resources. As the world shifts to a "mobile first" focus, it will be interesting to see the degree to which MTD emerges as a major factor in enterprise security.


