By Bill Conner
As any business leader knows, it is more important to focus on facts than on rumor and speculation.
During earnings calls, CFOs don’t speculate about profits five years in the future. Lawyers don’t file lawsuits based on a hunch. So why then, when considering mobile security organizations, is the first instinct often to act out of fear – relying on rumor and speculation rather than addressing the facts head on?
In some cases business leaders are overwhelmed by rapid advances in both mobile technology and malware; with new threats coming in hours or days rather than in weeks and years, simply keeping up can be an arduous task. Maybe it’s because there’s a sense of lost control when allowing employees to carry their own devices rather than a company issued smartphone. Or maybe it’s the sheer number of headlines like: “Lookout Predicts 18 Million Android Malware Infections by End of 2013,” “iPhone4S hacked at Mobile Pwn2Own,” “Eurograbber PC-to-mobile virus loots EUR36 millions from Consumer Accounts,” the list goes on and on.
It’s an intimidating new landscape – there’s no question about that. But the reality is the consumerization of the enterprise is happening now. Employees have already started bringing their own devices to work. Today, CEOs from company’s large and small need to be ready to move beyond BYOD or Bring Your Own Device. Companies must be able to secure all of the many mobile devices the average user now brings, and be equipped with facts on how mobile devices can provide a new line of defense in logical and physical environments.
Before exploring some important facts about mobile security, here are three rumors to get out of the way up front.
First, not all devices are created equal. A jailbroken device (which is a device whose operating system has been altered to run unauthorized software), is not as secure as other devices because it’s security architecture has been compromised In essence, any jailbroken device offers easy entry for criminal hackers to attack a company. Second, it is absolutely not true that employees must use company issued devices to ensure mobile security. Using digital certificates, enterprises can secure any device using any operating system – Android, iOS or even BlackBerry. And second, malware that targets mobile devices is typically far less harmful to the organization than malware attacking standard laptops or desktops. In fact, the applications on mobile devices are sandboxed from one another, which means malware from one application cannot automatically connect to another application.
With some common misperceptions cleared, next is securing devices inside the enterprise and using mobile devices to enhance overall security.
The first fact to understand is securing devices essentially boils down to securing identity. To take a step back, an identity in the world of digital security is slightly different than how one may currently think about the word. Identity allows knowledge of who or what is on either end of a digital transaction. Everyone has multiple digital identities – the identity associated with a work PC, a home PC, a smartphone, a tablet. There is a digital identity associated with every app used – from social networking sites to mobile banking platforms. In fact on every mobile device right now, there are likely multiple digital identities.
The second fact is identity can be protected. Issuing a mobile device certificate is simply a way to authenticate the identity of each and every device that needs to connect to a company’s wireless network or VPN. In simple terms, certificate software provides a way to prove the identity of each device before it connects to a network. Additionally, employees will appreciate that a mobile certificate is transparent – meaning once it’s installed, there is no additional work to be done – no need to enter multiple passwords, one time passcodes or maneuver through a Q&A security screen to access the network. And the benefit is this technology is safer than any password or combination of passwords.
And finally, the third fact is today’s mobile technology can also be leveraged to help companies protect both logical (laptops, desktops, internal applications, cloud applications etc.) and physical environments. Authenticators such as passwords or hard tokens simply don’t provide the same level of protection one can find by using smart credentials on a mobile device. By using mobile smart credentials, it’s possible to essentially deploy a virtual smartcard to each employee device.
For many employees, smartphones are different than a building access card or even a hard token (which both have a tendency to get lost or left at home) – our phones are always there. Imagine being able to use a smartphone equipped with smart credentials to walk into the office, and instantly log on to the computer. And what if everyone were logged out of their computer system as soon as they (and their phone) walked away? It’d be a lot more productive.
Where to Next?
Building on that, there is increasingly more and more malware that can execute transactions users may not even know about. By using a mobile device with a smart credential, companies can protect sensitive transactions of all kinds by stopping the transaction midstream and sending it to a mobile device for verification. While this mobile security innovation has primarily been used by banks and other financial institutions, it is easily transferable to any industry working with sensitive data such as energy.
Ultimately, the challenge when determining how to secure this new terrain is to focus on facts, rather than sensational headlines and rumor; because the truth is, mobile is not a problem to be solved. It’s an opportunity!
Bill Conner is President and Chief Executive Officer of Dallas-based Entrust. His is among the most experienced security and infrastructure executives worldwide.