Mobile security can't follow PCs 'shameful' footsteps
SAN FRANCISCO--Enterprises still retain the mentality that securing employees' mobile devices can be done the same way as personal computers (PCs) but, in light of the bring-your-own-device (BYOD) trend, this mindset needs to be changed.
Instead, securing their networks and compartmentalizing data according to work and personal information via virtualization could be the way forward, say industry insiders.
Edward Amaraso, senior vice president and CSO of AT&T, said that people still think that the way to protect their mobile devices is the same as protecting their PCs because they view these devices as "little computers" that performs most, if not all, functions of a PC.
However, this is not the mentality to adopt, he added during his presentation on Friday at the RSA Conference.
He remarked that the way PCs are secured currently is "pretty shameful", and regardless if the user was using a computer to go online with no antivirus protection--something he referred to as "skinny dipping"--or not, they are still vulnerable to security threats. As such, a new security model must be invented for mobile devices, Amaraso urged.
"You can't just drop a piece of software on your mobile device and think it is protected. It's not going to work," the CSO added.
Ari Juels, chief scientist at RSA, the security division of EMC, and director of RSA Labs, also agreed that the approach taken by the security industry with regard to PC security has been a "massive failure".
Speaking to ZDNet Asia at the conference sidelines, Juels said even with security software, PCs are still being "riddled with bad stuff". Additionally, the burden of making critical security choices to safeguard the device has been left to end-users, who are not equipped to know which software is appropriate, he said.
The same is now beginning to happen in the mobile device arena too, as consumers are simply downloading whatever interests them without thinking about security implications, he noted.
That said, he pointed out that it's still early enough to use this opportunity to adopt a different security model to protect mobile devices, and learning from mistakes made during the PC era.
Mitigating threat of BYOD
Within the enterprise space, the pace of IT consumerization and the BYOD phenomenon has also caught out many companies which have yet to come to grips with employees adopting and using mobile devices for work, noted Michael Mosher, director of security strategy of T-Mobile, in a separate panel session on Friday.
His observation echoed that of Symantec CEO and Chairman, Enrique Salem, and RSA Chairman Art Coviello, who in their Conference keynotes, warned that employees will use their devices to bypass existing security policies and will value having instant access to information over security considerations.
As such, setting IT policies governing the BYOD trend is the "most immediate thing to do" for organizations, Mosher stated.
Protecting one's network "at all fronts" is one way suggested by Mike Convertino, Microsoft's senior director for network security.
The executive, who was in the same panel discussion as Mosher, stated that the company network serves as a channel for malware, spyware and threats to enter and reside in employees' mobile devices, which is why more effort should be put in to secure these fronts.
However, Juels argued that even if enterprises implement security features on its network, the protection is no longer afforded when an employee brings the device home.
"By matter of fact, the enterprise often doesn't have control over the device, and it doesn't have control of the communication channel between the device and the outside world. It thus opens itself up to substantial risk of data loss," he explained
Virtualization, which aids in the compartmentalization of work and personal activities within one's mobile device, is a promising approach for enterprises to cope with BYOD, he suggested.
It may, however, pose some challenges because people's lives--both work and personal--are not as neatly compartmentalized as how technology envisions it to be so, Juels noted.
He cited one's mobile phone contact list as an example. It is "awkward" for employees to have two separate lists for work and personal use, especially when some friends may also be their colleagues. There is then the challenge of whether to maintain a single list that is synchronized across both work and personal compartments of the phone, or not.
"This is one example of the messiness of crossover between our personal lives and business lives," the RSA executive said.
Such compartmentalization might prove necessary though, and enterprises might ultimately require users to install applications, which acts as a secure tunnel, to access corporate networks via their mobile devices, he added.
Ellyne Phneah of ZDNet Asia reported from the RSA Conference 2012 in San Francisco, USA.