Best Argument: Device
Audience Favored: Network (55%)
There's no other choice
Listen, I'm not going to sit here and argue that network security isn't crucial to a robust mobile risk management strategy. It is. But if you ignore security at the device layer, you're in for a rude awakening.
In this BYOD world, corporate data is flying through open WiFi networks in coffee shops and sitting in the back of taxi cabs when smartphones and tablets get lost. If you can't protect the device, you are ignoring significant entry points for attackers.
The best defense is multi-layered, but unless you have strict plans and policies around device security, identity management, provisioning, and log-in credentials, you are ignoring significant risks. When mobile devices leave the traditional "perimeter," you really need to address that risk at the endpoint level. There's no other choice.
To keep everyone safe
Mobile devices, far more than desktop computers, are extensions of the personalities of the individuals using them. Here's the fundamental problem. If we rely on the device as the sole means of mobile security, we're relying on people.
Mobile device users range in knowledge from very technically skilled to barely able to answer a call. They also vary in willingness to take the time and extra effort to secure their devices. Some users will purposely violate device security, either by jailbreaking or downloading apps from questionable sources.
The simple fact is that the vast majority of mobile users just don't understand security, don't care, and aren't willing to take the time to learn. Since the device itself is under their direct control, we just can't rely on it alone.
Any good security strategy relies on tiers (or layers) of security. Certainly, having some security on the device is a start. But that's far from enough. The network is the common means by which all these devices communicate, and so it's up to the network to keep everyone safe.
Sometimes, that means relying on the internal corporate network or VPNs. Other times, that means relying on carriers, who also don't want malicious traffic on their network. But whether it's IT or the carriers, both have a far more vested interest and dedication to security than the device users themselves.
Great Debate Moderator
Mic check, gentlemen:
Are my debaters standing by? We start at 11am ET / 8am.
And readers -- thanks for joining us. Once the rebuttal timer starts, this page should refresh automatically.
I'm all set...
...joining you from Mobile World Congress in Barcelona.
Bring it on, Jason. And good luck, Ryan.
Great Debate Moderator
OK, first question...
When it comes to mobile security, can we agree that the old models of IT security won't work? Explain why or why not.
It’s a BYOD world
Like I said in my opening statement, the expansion (disappearance?) of the traditional perimeter renders old models of security obsolete.
It’s a BYOD world and the insecure nature of the app store model and difficulty of keeping corporate data in its own silo means we can’t rely on the old model. But, there’s another thing at play and it’s the death of the monoculture. For the most part, traditional models of IT security catered to securing the Windows ecosystem and the risk of cascading failure was significant and scary.
Today’s world is fragmented with different mobile OSes and, in the case of Android, different handset manufacturers all shipping different versions of the same operating system. Try securing that with the traditional approach. Impossible.
Layers of security are still necessary
Well, the very old school model of tiered or layered security is still as valid now as it ever was. No one security strategy or mechanism can be counted on to block all threats. To some degree, that's why even the question of whether we have security on the device OR on the network is a bit silly. We need to have security on both, as well as at all the interlink points.
My contention is not that security shouldn't be on the device. Rather, my contention is that the end-user can't be counted on to do what's in his or her best interest, especially when you're talking about potentially billions of end users, all with vastly different skill sets, interests, amounts of time, levels of understanding and degrees of willingness to do what's good for them (or even abide by the law of whatever land they're in).
Great Debate Moderator
Is the network perimeter dead?
Explain whether or not you agree that the "network perimeter is dead" in enterprise IT, and what that means for mobile security.
The perimeter has been dead for a while.
Go back and read what I just wrote. It’s impossible to standardize in a mobile world with so many different operating systems, devices, hardware platforms, app stores and insecure connections everywhere. The mobile worker isn’t even in coffee shops and airports anymore. They’re at home and they’re even in the office with their own devices, moving corporate data around, living in a network without a perimeter.
The industry has already accepted that the traditional perimeter has disappeared and newer models have already emerged to cope with this rapid change.
It's not dead yet....
... it's just porous. It's kind of like the immigration issues the United States is now facing. We clearly have national boundaries and while we have always welcomed immigrants, we (as a nation) prefer to do it according to a standard set of procedures, rather than just have people walk across the border without any form of registration. But because we have so many thousands of miles of border, it's almost impossible to protect with traditional means.
This is true of the enterprise network. All enterprises have perimeters, both physical and logical. Even when you have a widely-distributed enterprise, with many offices and even with many interlinked constituents, there are clearly definable boundaries. The problem is that there's no longer one, rectangular zone that needs to be blocked. There are now lots of perimeters, lots of boundaries, and some of them move and live in employee pockets.
The challenge for mobile security is that these tiny nightmares often move in and out of much more secure environments and bring their security flaws with them. I talked to a federal agency that had very secured firewalls, but allowed employees to come and go with their smartphones and music players. Suddenly, those secured firewalls were almost meaningless.
Our challenge is creating elastic security fields that expand and contract to provide snug, safe security no matter whether the topology of the environment is contiguous or not.
Great Debate Moderator
With the rise of BYOD, how do companies manage security on devices that they do not own and cannot control?
The key is MDM
The key technology is MDM (mobile device management), which attempts to give an IT department some control of data flowing through personal devices. An organization without a robust MDM strategy is dead in the water.
I really like BlackBerry’s approach with “Balance”, which restricts access to corporate data by personal apps. I believe this approach is going to be the standard on all mobile operating system platforms. In addition to MDM, companies are adopting things like endpoint encryption and multi-factor authentication to cope with the BYOD chaos.
Virtualization may be the answer
Well, that's certainly a hefty problem. I always recommend companies start with the low-hanging fruit: good, clear policies and education. While not all employees will behave themselves just because there's a policy in place, if you've taken the time to think through the problem and develop clear, tangible guidelines, it will reduce your problem by a measurable percentage.
But there are other issues as well. If the company doesn't own the device, what happens when an employee is terminated? What happens to all the private company data on the device? What happens to all the various federated logins, VPN authorizations, and so forth? If the device is company-owned, you could legitimately demand it back and zorch it back to bare metal. But you can't do that with someone's private smartphone.
This is where I think Jason Perlow's contention that virtualization will be needed on mobile devices is so spot on. If you could install virtual images that are, essentially, virtual corporate smartphones, on employees' BYOD personal devices, then at the time of employee termination you could simply securely delete the corporate virtual image without damaging the rest of the privately-owned phone.
But BYOD is a good reason that the network has to take responsibility for security. If you have no idea what clunkers employees will be bringing into the corporate environment, you certainly have no idea what kind of security will be on the devices. It's up to the network to mitigate as many of the threats of these devices as possible, since you certainly can't count on the users or the devices to do the heavy lifting.
Great Debate Moderator
Can virtualization and mobile thin client computing be part of the solution?
Why haven't we seen more of these solutions take off?
Part of the solution...
There are some who make the argument that virtualization is the future of mobile security. Again, the BlackBerry approach I referenced earlier could be seen as providing this “virtualized” segmentation.
One day we may get to the point where there are enough computing resources to allow multiple operating systems or virtual machines to run simultaneously on a mobile phone or connected wireless device. On today’s mobile OS platforms, this isn’t entirely practical but, to answer the question, it can be part of the solution.
Apple can be difficult, but the tech is finally here
Yes, as I mentioned above, I think that virtual environments on mobile devices will probably be part of the solution in the long term. Virtualization is an interesting beast, because it's often hard for end-users to understand it. It's also a technology that brings with it its own challenges (as well as enormous opportunities). I think we're at a cusp point where virtualization is possible, now that we have mobile devices with more power and RAM available to run virtual instances.
The challenge will be whether a virtual environment is supported on the mobile device. I can certainly see virtual environments on Android phones and tablets, as well as Windows-based environments. But I find it hard to believe that Apple would allow a virtual hypervisor (or even a VirtualBox-like app) to run on iOS when they're so concerned about what they allow to run.
So, I see mobile virtualization as somewhat in conflict with BYOD, although the problem can be mitigated somewhat by specifying models of devices employees can choose from and use.
As for thin clients, the iPad, Surface RT, and Chromebook are, to some degree, thin clients and these have taken off tremendously. Desktop virtualization on these mobile thin clients still becomes something of an issue because of network bandwidth. Even though many devices are equipped with 4G/LTE, the cost per megabyte is still quite high, and coverage outside of major metropolitan areas is low. Available WiFi might help with this.
Certainly, though, at least for the larger-screen format mobile devices (i.e., tablets), desktop virtualization over VPN is a potentially viable solution going forward. But, there again, you're putting the security responsibility squarely on the network and not nearly as much on the device.
Great Debate Moderator
Third party solutions?
What are the most useful and effective third party solutions in helping companies deal with mobile security in the BYOD age?
Still very nascent
All the traditional IT security vendors are embedding MDM technologies and features into their product sets so businesses are having their pick of the litter. We will also get to a point where the mobile OS vendors are adding these capabilities so companies will rely less and less on third-party solutions.
It’s still very nascent in the mobile security world and the industry as a whole is struggling to figure out what’s ideal. Computing moves very quickly and today’s technologies could be meaningless tomorrow.
Aggressive intrusion detection and prevention
I try to avoid recommending specific brands, but I'll cover some of the technology categories you should consider. Clearly, enterprise-grade firewall technology is important. The gotcha here is that BYOD devices just waltz right past the firewall and inside the secured perimeter.
One way to counter that is by configuring aggressive intrusion-detection and prevention appliances or servers inside the firewall. This technology actively monitors the "inside the perimeter" traffic, looking for patterns of disruption that have made it past the protected front gates.
I'm always concerned about letting USB devices inside a secured perimeter. A very low-tech solution would be to block all the USB ports (with a few limited and controlled exceptions), so that malware and other nastiness can't be easily uploaded (and vast amounts of secured corporate data can't be as easily exfiltrated).
Great Debate Moderator
Briefly explain the differences between taking a network versus a device approach in mobile security?
This struggle isn’t entirely new
The network approach relies on the traditional perimeter being in place. The device approach may require agents on endpoints, which can be tricky.
This struggle isn’t entirely new. For decades, employees have been adopting new technologies on corporate desktops, circumventing company policy to run insecure programs like IM clients. (Remember Kazaa and the spyware nightmare?) IT has dealt with these demands for years and security via the network approach has worked best. This is not practical in today’s world.
Law and order vs. anarchy
Well, simplistically, it means relying on the device to protect itself (and anything it connects to) from penetration, malware, and content theft, including blocking whatever leaves the device and travels to whatever networks the device connects to. A network-centric approach means that the network takes primacy in that defense, inspecting and blocking any packets that may contain troubling payloads.
If you use a car and highway analogy, the car is the device (and the driver is the device owner). Clearly, the driver has some responsibility to drive safely and keep to the rules of the road. But the system of laws, traffic signals, and law enforcement does a lot to make sure most (not all, but most) citizens behave themselves when behind the wheel. A vivid example of what happens when there's no rule of law or enforcement (essentially, no network approach to security) can be seen in this video of drivers in Russia. I caution you, it's as can't-tear-your-eyes-away as any kitten video, but far more disturbing.
Great Debate Moderator
Now sum up why you see the network or the device approach as preferable.
The absence of the (Windows) monoculture on mobile platforms has helped thwart the risk from cascading failure. Hackers can’t simply compromise a single platform and wreak havoc on the mobile computing ecosystem. We won’t deal with worm attacks and the botnet crisis on portable devices, so it’s important to adopt a hybrid approach.
I’m not going to argue that the network approach is unimportant -- but we need to think about encryption, two-factor authentication and practical MDM to make sure data is safe on corporate devices. One can’t exist without the other.
We can't let the inmates run the asylum
If we rely solely on our mobile devices for security, we'll have the digital equivalent of the Russian driver anarchy shown in the video.
The bottom-line is simple: users can't police themselves. I like to give our users credit, but the security reality is that many users will not take the precautions necessary to keep themselves safe. In a recent webcast I did with malware expert Phil Owens, Phil pointed out that tens of millions of users had jailbroken both their iOS and Android devices. Jailbreaking (which vastly increases the security and malware vulnerability of a device) is a highly insecure activity and if tens of millions of users are doing it, it's clear that users can't be counted on to practice safe mobile security.
Now, that's not to say that our networks and carriers are the most reliable, although I do have to give kudos to the security forces at the big carriers, who are doing a tremendous amount of heavy lifting to try to secure their networks (and, by extension, all their users). But there's a far better chance that IT and security professionals, working together, will do their best to secure networks where users will just try downloading malware-laden copies of Angry Birds off of whatever discount too-cheap-to-be-true app store they can find.
Great Debate Moderator
Is there a middle ground...
...between the network and device approaches, and how can companies do both without breaking the bank?
Middle ground is necessary
You are asking the same question in ten different ways :). Yes, this middle ground is not only available, but it’s absolutely necessary. Securing corporate data via the network remains important, but the hybrid protection model is ideal.
We will never get to nirvana because IT will always struggle to get budget to implement every available solution. With multiple platforms and even multiple OS versions on a single platform, it can be prohibitive from a cost standpoint. But, in this world of targeted attacks now focused on mobile entry points, it’s impossible to choose one approach over the other.
Everything needs security
Not only is there a middle ground, but there has to be. This really isn't a device-or-network thing (although you will vote for me, right?). Rather, security has to be a consideration at every point in the overall computing environment.
Device makers can help by designing more robust and secure operating environments and adding a built-from-the-metal-up hypervisor technology. This could make company-managed BYOD much more reliable to implement. Companies can help themselves by implementing good (simple, and clear) security policies and employee training. Users can help by avoiding questionable sources of apps and updating their devices and software regularly.
On the network side, all the usual best practices apply. A good firewall, intrusion detection, system monitoring, and network-wide anti-malware technology are necessary.
One thing to note: the newest trend in network incursion is to use hacking (passwords are now notoriously easy to break) to get inside a network, and then launch malware to open up the network to outside control. Mobile devices are a very easy way to bring that malware inside the network. Once it's there, it can simply "phone home" and your network becomes pwned.
Great Debate Moderator
Beyond the technology solutions...
...do you agree that the most important principle in establishing good mobile security is doing a risk management assessment?
Everything starts with risk management.
No competent IT department can properly manage security budgets without a comprehensive risk management strategy.
Some questions for every CSO:
- Do you have a security program that addresses security related concerns by identifying, assessing, and mitigating risks within your products, applications, and infrastructure?
- Have you integrated appropriate programs so that you can be proactive about security on mobile platforms? Do you have security awareness training and secure code training for developers?
- Do you have appropriate change management processes in place?
- Do you have appropriate processes in place to detect and respond to future attacks?
If you can’t answer these basic risk management questions and apply them to your mobile security profile, you are way behind.
Policies and training
No. Risk management and assessment are valuable tools for developing a roadmap, but a risk assessment will not stop a malware incursion. But good policies and training (which may well be derived from a risk management assessment) can have a big impact on behavior inside the network.
Great Debate Moderator
Time for one last question:
How can companies get started with an effective risk management assessment to determine where they need to focus their resources in mobile security?
A complete audit
Ah, another question that I can answer with a few important questions for a cash-strapped CSO.
Proper risk management requires a complete audit of your infrastructure, especially your mobile assets.
- So, do you know what you own and where they are?
- Do you know how these assets are being used and who is in charge of policing misuse?
- Do you have documentation and an architecture to support these mobile assets?
- Do you really understand the inherent risks for each mobile device out in the field?
- Are you up to date on every attack vector on mobile devices?
If you don’t understand your risk profile, you can’t properly focus resources in the right places.
Start with five steps
The Health and Safety Executive of the UK government has set down some good starting guidelines for risk assessment that I like to recommend. See? I don't always quote the U.S. government. Sometimes I look to other nations as well.
They recommend starting with five steps:
(1) determine the hazards,
(2) understand who might be harmed and why,
(3) evaluate risks and decide on precautions,
(4) record findings and implement solutions, and
(5) review and update.
We've essentially covered most of these steps during this debate (kudos to the moderator!), so we have a pretty good idea of the hazards involved in mobile technology, how we might be harmed (we're talking espionage, hacking, intrusion, monetary and IP theft, destruction, diminished reputation and PR embarrassment, and more). We've discussed risks and discussed how I believe that many of the precautions need to center on the network. And, over time, we'll all learn from this, and update our defenses as the arms race continues.
My bottom-line to everyone is this: network security is essential. So is device security, but you can't count on consumers to protect themselves. That's our job in IT and security, and we have to watch out for our charges and do our best to keep them safe. It's not just a job, it's our responsibility and our civic duty.
Great Debate Moderator
Excellent exchange, gentlemen.
Ryan and David, please deliver your closing arguments to me later today. And readers -- look for those arguments here tomorrow - and for my final verdict on Thursday.
Emphasize the endpoint
David scored major points in this debate by reinforcing the point that we can't let users run the asylum. It's true that we can't rely on the users to make proper security decisions, whether on mobile platforms or traditional computing systems.
I spent a few hours on a panel discussion here at Mobile World Congress talking about the challenges of securing data in motion and heard first-hand the nightmares faced by IT security departments with an active mobile workforce. Users will always opt for convenience over safety, regardless of the consequences. Corporate security policies are circumvented in the name of getting work done, and smartphones are 'jailbroken' to make life easier with no regard for the security posture of the device. These are truths that aren't going away.
We all agree that this exciting mobile world introduces gaping holes for attackers to penetrate the network. Then why is mobile device security such an afterthought? Network security and device security must co-exist but, with users as the weakest link, we need to place the emphasis on the endpoint.
Secure your network
Ryan and I essentially agree on most of this debate. Neither of us would recommend you entrust your organization's protection solely to devices in unpredictable users' hands. And neither of us would tell you to avoid any good security facilities available at the handset level.
Interestingly, device manufacturers are finally beginning to recognize the need for better security. BlackBerry now offers the Balance system and Samsung announced Knox at MWC this week. But both security kernels are optional purchases, so most device users won't have them.
What's particularly relevant for my side of the argument is that even the very existence of these device-level security features showcases the expectation of a network defense. After all, if a company mandates that only devices with Balance or Knox features are allowed on the network, then -- almost by definition -- there is central management of security and an organization-level set of policies.
Ultimately, that's what network security is. It's using the full resources of the organization (as well as the physical set of networks) and providing security services at a professional level.
The bottom-line is really simple. The best-best-best defense is a mix of device and network security. But you must never rely solely upon your devices to provide security. Employees, customers, consumers, and partners can't, universally and without any deviation, be counted on to follow all your security recommendations.
After all, a discount, malware-infested copy of Angry Birds Star Wars is going to be far too appealing to at least one user on your network. All it takes is one user. Unless, of course, you secure your network. But that would make the network the best defense, wouldn't it?
Heck, you know I'm right.
Ryan's case for device holds up better
The reality is that mobile security needs both the network and the device layers as well as the middle ground between them. Both Ryan and David made good cases. Overall, Ryan's case that you still need the device held up better. The network can't do it all. I'll give the nod to Ryan by a slight margin.