For starters, it’s not a stretch to suggest that mobile security spans about as many facets as the derivatives market has evolved to become over the past decade. And now even with wearable technology having converged upon wigs – thanks to our style-first friends at Sony – not only do we need to collectively plan for, execute, manage, and optimize for BYOD (Bring Your Own Device) security, but perhaps “BYOW(ig)” might even squeeze itself into the lexicon in the not-too-distant future.
Now, whether you’re an über-in-the-know CISO, security architect, CIO, head of an operating unit, or the like, let’s begin by laying out a few fundamental assertions, upon which subsequent considerations shall build:
- Assertion #1: All devices are, or have the potential to become, compromised. Sure, iOS is secure relative to Android, but attackers always find a way. That way is not necessarily purely technological; it often relies on some blend of deception and social engineering.
- Assertion #2: Focusing primarily on locking down, and then trying to clean, infected devices is a Sisyphean pursuit. What will set us up for the greatest success moving forward is what we, as organizations, do once we acknowledge that customers or employees have the potential to be compromised, and what we do once we detect an infected user.
- Assertion #3: As long as particular user functionality is desired, curbing access to it is not a viable tack. For example, employees will continue using Dropbox to share sensitive information because of its convenience. That is, unless they are presented with a similar alternative that is just as convenient, but more importantly, more secure. The same applies to mobile devices: it is preferable to provide a secure and monitored approach to enabling additional functionality, rather than simply forbidding it, and causing it to then go “underground”.
- Assertion #4: Protecting critical data itself, across its lifecycle, coupled with deep behavioral analytics to discern between genuine and malicious user activity, is the endgame. At least the endgame for the rest of this decade. These are the only approaches employed thus far that are particularly effective at enabling the functionality users demand while maintaining a necessary level of control and security.
So then what? Let’s wrap up with a few directional paths upon which we can – and should – embark over the coming weeks and months.
- Ensure that, whether you’re protecting internal stakeholders or external users, you build systems that profile normative behavior, research malevolent behavioral patterns, and enable real-time intervention against such malicious activity.
- Assess your best options to protect the critical data itself. While MIM (Mobile Information Management) is a growing area, there are a few particular firms that are doing great things to protect all data in motion, control how and where that data can move, and so on.
- If you have controls in place to protect critical data across its lifecycle – while concurrently discerning between malicious and legitimate behavior – then you will have the ability to provide users with the functionality they desire, and with better risk management, than simply locking down the device.
Jens Hinrichsen is Vice President of Business Development for NuData Security, having most recently served as VP of Marketing & Business Development for Versafe (acquired by F5 Networks). His background in the online threats and fraud space includes having headed up global marketing for the FraudAction (Cyota) suite of services at RSA, the Security Division of EMC, during which time its Anti-Trojan and Intelligence services were brought to market. He is a frequent speaker on the topics of malware, social engineering, and proactive security approaches across the web and mobile channels.