Mobile security: What's the best defense?

Moderated by Jason Hiner | February 25, 2013 -- 07:00 GMT (23:00 PST)

Summary: Is it the device or the network? Ryan Naraine and David Gewirtz weigh the options for protecting your organization's precious data.

Ryan Naraine: Device

David Gewirtz: Network

Best Argument: Device

Audience Favored: Network (55%); Device (45%)

The Rebuttal

  • Great Debate Moderator

    Mic check, gentlemen:

    Are my debaters standing by? We start at 11am ET / 8am.

    And readers -- thanks for joining us. Once the rebuttal timer starts, this page should refresh automatically.

    Posted by Jason Hiner

    I'm all set...

    ...joining you from Mobile World Congress in Barcelona.

    Ryan Naraine

    I am for Device

    Ready here

    Bring it on, Jason. And good luck, Ryan.

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    OK, first question...

    When it comes to mobile security, can we agree that the old models of IT security won't work? Explain why or why not.

    Posted by Jason Hiner

    It’s a BYOD world

    Like I said in my opening statement, the expansion (disappearance?) of the traditional perimeter renders old models of security obsolete.

    It’s a BYOD world and the insecure nature of the app store model and difficulty of keeping corporate data in its own silo means we can’t rely on the old model. But, there’s another thing at play and it’s the death of the monoculture. For the most part, traditional models of IT security catered to securing the Windows ecosystem and the risk of cascading failure was significant and scary.

    Today’s world is fragmented with different mobile OSes and, in the case of Android, different handset manufacturers all shipping different versions of the same operating system. Try securing that with the traditional approach. Impossible.

    Ryan Naraine

    I am for Device

    Layers of security are still necessary

    Well, the very old school model of tiered or layered security is still as valid now as it ever was. No one security strategy or mechanism can be counted on to block all threats. To some degree, that's why even the question of whether we have security on the device OR on the network is a bit silly. We need to have security on both, as well as at all the interlink points.

    My contention is not that security shouldn't be on the device. Rather, my contention is that the end-user can't be counted on to do what's in his or her best interest, especially when you're talking about potentially billions of end users, all with vastly different skill sets, interests, amounts of time, levels of understanding and degrees of willingness to do what's good for them (or even abide by the law of whatever land they're in).

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Is the network perimeter dead?

    Explain whether or not you agree that the "network perimeter is dead" in enterprise IT, and what that means for mobile security.

    Posted by Jason Hiner

    The perimeter has been dead for a while.

    Go back and read what I just wrote. It’s impossible to standardize in a mobile world with so many different operating systems, devices, hardware platforms, app stores and insecure connections everywhere. The mobile worker isn’t even in coffee shops and airports anymore. They’re at home and they’re even in the office with their own devices, moving corporate data around, living in a network without a perimeter.

    The industry has already accepted that the traditional perimeter has disappeared and newer models have already emerged to cope with this rapid change.

    Ryan Naraine

    I am for Device

    It's not dead yet....

    ... it's just porous. It's kind of like the immigration issues the United States is now facing. We clearly have national boundaries and while we have always welcomed immigrants, we (as a nation) prefer to do it according to a standard set of procedures, rather than just have people walk across the border without any form of registration. But because we have so many thousands of miles of border, it's almost impossible to protect with traditional means.

    This is true of the enterprise network. All enterprises have perimeters, both physical and logical. Even when you have a widely-distributed enterprise, with many offices and even with many interlinked constituents, there are clearly definable boundaries. The problem is that there's no longer one, rectangular zone that needs to be blocked. There are now lots of perimeters, lots of boundaries, and some of them move and live in employee pockets.

    The challenge for mobile security is that these tiny nightmares often move in and out of much more secure environments and bring their security flaws with them. I talked to a federal agency that had very secured firewalls, but allowed employees to come and go with their smartphones and music players. Suddenly, those secured firewalls were almost meaningless.

    Our challenge is creating elastic security fields that expand and contract to provide snug, safe security no matter whether the topology of the environment is contiguous or not.

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Managing BYOD?

    With the rise of BYOD, how do companies manage security on devices that they do not own and cannot control?

    Posted by Jason Hiner

    The key is MDM

    The key technology is MDM (mobile device management), which attempts to give an IT department some control of data flowing through personal devices. An organization without a robust MDM strategy is dead in the water.

    I really like the BlackBerry’s approach with the “Balance”, which restricts access to corporate data by personal apps. I believe this approach is going to be the standard on all mobile operating system platforms. In addition to MDM, companies are adopting things like endpoint encryption and multi-factor authentication to cope with the BYOD chaos.


    Ryan Naraine

    I am for Device

    Virtualization may be the answer

    Well, that's certainly a hefty problem. I always recommend companies start with the low-hanging fruit: good, clear policies and education. While not all employees will behave themselves just because there's a policy in place, if you've taken the time to think through the problem and develop clear, tangible guidelines, it will reduce your problem by a measurable percentage.

    But there are other issues as well. If the company doesn't own the device, what happens when an employee is terminated? What happens to all the private company data on the device? What happens to all the various federated logins, VPN authorizations, and so forth? If the device is company-owned, you could legitimately demand it back and zorch it back to bare metal. But you can't do that with someone's private smartphone.

    This is where I think Jason Perlow's contention that virtualization will be needed on mobile devices is so spot on. If you could install virtual images that are, essentially, virtual corporate smartphones, on employees' BYOD personal devices, then at the time of employee termination you could simply securely delete the corporate virtual image without damaging the rest of the privately-owned phone.

    But BYOD is a good reason that the network has to take responsibility for security. If you have no idea what clunkers employees will be bringing into the corporate environment, you certainly have no idea what kind of security will be on the devices. It's up to the network to mitigate as many of the threats of these devices as possible, since you certainly can't count on the users or the devices to do the heavy lifting.


    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Can virtualization and mobile thin client computing be part of the solution?

    Why haven't we seen more of these solutions take off?

    Posted by Jason Hiner

    Part of the solution...

    There are some who make the argument that virtualization is the future of mobile security. Again, the BlackBerry approach I referenced earlier could be seen as providing this “virtualized” segmentation.

    One day we may get to the point where there are enough computing resources to allow multiple operating systems or virtual machines to run simultaneously on a mobile phone or connected wireless device. On today’s mobile OS platforms, this isn’t entirely practical but, to answer the question, it can be part of the solution.

    Ryan Naraine

    I am for Device

    Apple can be difficult, but the tech is finally here

    Yes, as I mentioned above, I think that virtual environments on mobile devices will probably be part of the solution in the long term. Virtualization is an interesting beast, because it's often hard for end-users to understand it. It's also a technology that brings with it its own challenges (as well as enormous opportunities). I think we're at a cusp point where virtualization is possible, now that we have mobile devices with more power and RAM available to run virtual instances.

    The challenge will be whether a virtual environment is supported on the mobile device. I can certainly see virtual environments on Android phones and tablets, as well as Windows-based environments. But I find it hard to believe that Apple would allow a virtual hypervisor (or even a VirtualBox-like app) to run on iOS when they're so concerned about what they allow to run.

    So, I see mobile virtualization as somewhat in conflict with BYOD, although the problem can be mitigated somewhat by specifying models of devices employees can choose from and use.

    As for thin clients, the iPad, Surface RT, and Chromebook are, to some degree, thin clients and these have taken off tremendously. Desktop virtualization on these mobile thin clients still becomes something of an issue because of network bandwidth. Even though many devices are equipped with 4G/LTE, the cost per megabyte is still quite high, and coverage outside of major metropolitan areas is low. Available WiFi might help with this.

    Certainly, though, at least for the larger-screen format mobile devices (i.e., tablets), desktop virtualization over VPN is a potentially viable solution going forward. But, there again, you're putting the security responsibility squarely on the network and not nearly as much on the device.

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Third party solutions?

    What are the most useful and effective third party solutions in helping companies deal with mobile security in the BYOD age?

    Posted by Jason Hiner

    Still very nascent

    All the traditional IT security vendors are embedding MDM technologies and features into their product sets so businesses are having their pick of the litter. We will also get to a point where the mobile OS vendors are adding these capabilities so companies will rely less and less on third-party solutions.

    It’s still very nascent in the mobile security world and the industry as a whole is struggling to figure out what’s ideal. Computing moves very quickly and today’s technologies could be meaningless tomorrow.

    Ryan Naraine

    I am for Device

    Aggressive intrusion detection and prevention

    I try to avoid recommending specific brands, but I'll cover some of the technology categories you should consider. Clearly, enterprise-grade firewall technology is important. The gotcha here is that BYOD devices just waltz right past the firewall and inside the secured perimeter.

    One way to counter that is by configuring aggressive intrusion-detection and prevention appliances or servers inside the firewall. This technology actively monitors the "inside the perimeter" traffic, looking for patterns of disruption that have made it past the protected front gates.

    I'm always concerned about letting USB devices inside a secured perimeter. A very low-tech solution would be to block all the USB ports (with a few limited and controlled exceptions), so that malware and other nastiness can't be easily uploaded (and vast amounts of secured corporate data can't be as easily exfiltrated).

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    The differences?

    Briefly explain the differences between taking a network versus a device approach in mobile security?

    Posted by Jason Hiner

    This struggle isn’t entirely new

    The network approach relies on the traditional perimeter being in place. The device approach may require agents on endpoints, which can be tricky.

    This struggle isn’t entirely new. For decades, employees have been adopting new technologies on corporate desktops, circumventing company policy to run insecure programs like IM clients. (Remember Kazaa and the spyware nightmare?) IT has dealt with these demands for years and security via the network approach has worked best. This is not practical in today’s world.

    Ryan Naraine

    I am for Device

    Law and order vs. anarchy

    Well, simplistically, it means relying on the device to protect itself (and anything it connects to) from penetration, malware, and content theft, including blocking whatever leaves the device and travels to whatever networks the device connects to. A network-centric approach means that the network takes primacy in that defense, inspecting and blocking any packets that may contain troubling payloads.

    If you use a car and highway analogy, the car is the device (and the driver is the device owner). Clearly, the driver has some responsibility to drive safely and keep to the rules of the road. But the system of laws, traffic signals, and law enforcement does a lot to make sure most (not all, but most) citizens behave themselves when behind the wheel. A vivid example of what happens when there's no rule of law or enforcement (essentially, no network approach to security) can be seen in this video of drivers in Russia. I caution you, it's as can't-tear-your-eyes-away as any kitten video, but far more disturbing.


    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Summarize please?

    Now sum up why you see the network or the device approach as preferable.

    Posted by Jason Hiner

    Beyond monoculture...

    The absence of the (Windows) monoculture on mobile platforms has helped thwart the risk from cascading failure. Hackers can’t simply compromise a single platform and wreak havoc on the mobile computing ecosystem. We won’t deal with worm attacks and the botnet crisis on portable devices so it’s important to adopt a hybrid approach.

    I’m not going to argue that the network approach is unimportant -- but we need to think about encryption, two-factor authentication and practical MDM to make sure data is safe on corporate devices. One can’t exist without the other.

    Ryan Naraine

    I am for Device

    We can't let the inmates run the asylum

    If we rely solely on our mobile devices for security, we'll have the digital equivalent of the Russian driver anarchy shown in the video.

    The bottom-line is simple: users can't police themselves. I like to give our users credit, but the security reality is that many users will not take the precautions necessary to keep themselves safe. In a recent webcast I did with malware expert Phil Owens, Phil pointed out that tens of millions of users had jailbroken both their iOS and Android devices. Jailbreaking (which vastly increases the security and malware vulnerability of a device) is a highly insecure activity and if tens of millions of users are doing it, it's clear that users can't be counted on to practice safe mobile security.

    Now, that's not to say that our networks and carriers are the most reliable, although I do have to give kudos to the security forces at the big carriers, who are doing a tremendous amount of heavy lifting to try to secure their networks (and, by extension, all their users). But there's a far better chance that IT and security professionals, working together, will do their best to secure networks where users will just try downloading malware laden copies of Angry Birds off of whatever discount too-cheap-to-be-true app store they can find.

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Is there a middle ground...

     ...between the network and device approaches, and how can companies do both without breaking the bank?

    Posted by Jason Hiner

    Middle ground is necessary

    You are asking the same question in ten different ways :). Yes, this middle ground is not only available, but it’s absolutely necessary. Securing corporate data via the network remains important, but the hybrid protection model is ideal.

    We will never get to nirvana because IT will always struggle to get budget to implement every available solution. With multiple platforms and even multiple OS versions on a single platform, it can be prohibitive from a cost standpoint. But, in this world of targeted attacks now focused on mobile entry points, it’s impossible to choose one approach over the other.

    Ryan Naraine

    I am for Device

    Everything needs security

    Not only is there a middle ground, but there has to be. This really isn't a device-or-network thing (although you will vote for me, right?). Rather, security has to be a consideration at every point in the overall computing environment.

    Device makers can help by designing more robust and secure operating environments and adding a built-from-the-metal-up hypervisor technology. This could make company-managed BYOD much more reliable to implement. Companies can help themselves by implementing good (simple, and clear) security policies and employee training. Users can help by avoiding questionable sources of apps and updating their devices and software regularly.

    On the network side, all the usual best-practices apply. Good firewall, intrusion detection, system monitoring, and network-wide anti-malware technology is necessary.

    One thing to note: the newest trend in network incursion is to use hacking (passwords are now notoriously easy to break) to get inside a network, and then launch malware to open up the network to outside control. Mobile devices are a very easy way to bring that malware inside the network. Once it's there, it can simply "phone home" and your network becomes pwned.

    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Beyond the technology solutions...

    ...do you agree that the most important principle in establishing good mobile security is doing a risk management assessment?

    Posted by Jason Hiner

    Everything starts with risk management.

    No competent IT department can properly manage security budgets without a comprehensive risk management strategy.

    Some questions for every CSO:

    • Do you have a security program that addresses security related concerns by identifying, assessing, and mitigating risks within your products, applications, and infrastructure?
    • Have you integrated appropriate programs so that you can be proactive about security on mobile platforms? Do you have security awareness training, secure code training for developers?
    • Do you have appropriate change management processes in place?
    • Do you have appropriate process in place to detect and respond to future attacks?

    If you can’t answer these basic risk management questions and apply them to your mobile security profile, you are way behind.

    Ryan Naraine

    I am for Device

    Policies and training

    No. Risk management and assessment are valuable tools for developing a roadmap, but a risk assessment will not stop a malware incursion. But good policies and training (which may well be derived from a risk management assessment) can have a big impact on behavior inside the network.


    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Time for one last question:

    How can companies get started with an effective risk management assessment to determine where they need to focus their resources in mobile security?

    Posted by Jason Hiner

    A complete audit

    Ah, another question that I can answer with a few important questions for a cash-strapped CSO.

    Proper risk management requires a complete audit of your infrastructure, especially your mobile assets.

    • So, do you know what you own and where they are?
    • Do you know how these assets are being used and who is in charge of policing misuse?
    • Do you have documentation and an architecture to support these mobile assets?
    • Do you really understand the inherent risks for each mobile device out in the field?
    • Are you up to date on every attack vector on mobile devices?

    If you don’t understand your risk profile, you can’t properly focus resources in the right places.

    Ryan Naraine

    I am for Device

    Start with five steps

    The Health and Safety Executive of the UK government has set down some good starting guidelines for risk assessment that I like to recommend. See? I don't always quote the U.S. government. Sometimes I look to other nations as well.

    They recommend starting with five steps:

    (1) determine the hazards,
    (2) understand who might be harmed and why,
    (3) evaluate risks and decide on precautions,
    (4) record findings and implement solutions, and
    (5) review and update.

    We've essentially covered most of these steps during this debate (kudos to the moderator!), so we have a pretty good idea of the hazards involved in mobile technology, how we might be harmed (we're talking espionage, hacking, intrusion, monetary and IP theft, destruction, diminished reputation and PR embarrassment, and more). We've discussed risks and discussed how I believe that many of the precautions need to center on the network. And, over time, we'll all learn from this, and update our defenses as the arms race continues.

    My bottom-line to everyone is this: network security is essential. So is device security, but you can't count on consumers to protect themselves. That's our job in IT and security, and we have to watch out for our charges and do our best to keep them safe. It's not just a job, it's our responsibility and our civic duty.


    David Gewirtz

    I am for Network

  • Great Debate Moderator

    Excellent exchange, gentlemen.

    Ryan and David, please deliver your closing arguments to me later today. And readers -- look for those arguments here tomorrow - and for my final verdict on Thursday.

    Posted by Jason Hiner

Talkback

24 comments
  • Wiggle Your Finger Cyber Identification

    Hi Guys, I believe you will find that a new version of biometric identification called MovementMetric Identification will replace all current measures that are used to grant and deny cyber access.

    Since MovementMetric Identification™ can, with 100% accuracy, identify any person, then cyber security problems should soon become a concept from the past.

    MovementMetric Identification™ utilizes changes that occur with the movement of any part of your body.

    One example of use would be to observe the wrinkles at any one of the knuckles of any of your fingers, the patterns that occur in these wrinkles during the movement of your finger can never be replicated for use by any other person or any device.

    So... in the near future, we will simply wiggle our finger in front of a camera if we wish to be accurately identified. No tokens, no passwords, and no other tricks will be needed to keep others out of our cyber stuff, the wrinkles in just one knuckle will soon be the only key we will ever need.

    Information about the use of MovementMetric Identification™ to improve upon our current computing resources and computing environments can be found at PlanetEarth-Online.com

    Welcome to the Future!
    Jeff@...
    Reply Vote I'm Undecided
    • Half baked trademarked security technologies

      Movement metric is hardly reliable and easily fooled.
      There's more to security than just the password level.
      warboat
      Reply 1 Vote I'm Undecided
  • Both/and

    It's not really either/or - it's both/and . . .

    If you become too lax on either end, it spells trouble.

    But should be an interesting debate nonetheless.
    CobraA1
    Reply 6 Votes I'm Undecided
    • It needs to be a mix

      Personally I'm for network first, device next.
      I would expect the network to provide a minimal effective amount allowing me to enhance or add to it as needed / wanted.
      rhonin
      Reply 1 Vote I'm Undecided
    • Ryan has this technological haughtiness I don't really like . . .

      Ryan has this technological haughtiness I don't really like:

      "The perimeter has been dead for a while. "

      I have to disagree. Ignore the perimeter, and hackers will go back to attacking the perimeter. Hackers know full well that if modern technological snobbery makes people ignore protection against "old" style attacks, that means that the "old" style attacks are effective again.

      Why do you think social engineering is so popular? It's not particularly new, and has been done by scam artists even in ancient history. It's not new or novel - but it's still effective. And yeah, hackers know that.

      Ignore older risks at your own peril.

      Because of this, I'm siding with David. Protection has to be at all levels, and you can't ignore old, classic attacks just because of some sort of technological snobbery against old stuff. You're putting yourself at risk if hackers discover you've been slacking in older areas of security.
      CobraA1
      Reply Vote I'm Undecided
  • First step is at Device level

    Let's look at Android: more malware than apps. For Windows Phone there is zero malware.
    So it's possible to design something very safe, even though there is nothing like 100% foolproof.

    There may be things that could be done at network level, but I am going for device.
    Owlll1net
    Reply 3 Votes I'm for Device
  • The best security is user education

    Security needs to be handled at different levels.
    The most vulnerable attack vector is the user, and the one that needs the most improvement.
    This is a useless debate; it's like arguing whether air or fuel is more important to make a fire.
    warboat
    Reply Vote I'm Undecided
    • Users are a problem, But.... (This is far from a useless debate!)

      @Warboat - True, the typical net user has NEVER learned the importance of proper passwords, despite repeated warnings and advice (I can name and shame at least 20 people amongst my social circle & I am on about it all the time!). However, users are not an excuse for poor system design. In the real world, asking the average user to remember even a tiered password system with just three base passwords and variants is virtually impossible. However, all the good password/PC management means nothing if the device is flawed. SECURITY HAS TO START AT DESIGN LEVEL.

      As an aside, the number of websites that limit passwords to only 8 characters max and/or do not allow extended characters is truly shocking! (I avoid them on principle.) Personally, I have unique 20 character minimum complex passwords for every site I use on the web & need an encrypted USB device to generate, store & apply them that cost over £100. Are we to expect the average user to follow a similar approach? True security (if it exists) costs and the only way we will ever see it reasonably applied is in device development with one or a combination of new & existing technologies, such as retina, fingerprint amongst many others in development.
      Rauvin
      Reply Vote I'm Undecided
      • the best password

        is useless if the user gets phished.
        Security awareness is more than just passwords.
        warboat
        Reply Vote I'm Undecided
  • Users are part of the problem but that can be overcome with rigid IT rules

    I make an attempt. I have a 36 number & letter password and MAC address system to access my network. My browsers clear their history as soon as I close them (it's a pain, but I'd rather look for content again than be hacked). I have Spybot S&D and antimalware running; because of my browser control I have to re-initiate the rules for most pages. As long as network security is tightly governed, including monitoring such as USB sticks & mobiles and user rules, everything "should" be fine. IT do have a lot of responsibility and ours do a good job for little thanks tbh.
    Kevin Morley
    Reply Vote I'm for Network