Mobile security is really about risk and identity management

If you're still thinking in terms of your organisation's mobility strategy, you're already too late. You need a digital workplace security strategy across your workforce.
Written by Stilgherrian, Contributor

Two years ago, mobile device management (MDM) was the buzz. Mobile security was an essential part of a mobility strategy, and every enterprise needed one. Today, not so much.

"About 18 months ago at least, businesses across the whole market realised that the issue wasn't around mobility. Mobility was subsumed by this idea of 'any device, anywhere'," according to Joseph Sweeney, an advisor with IBRS who specialises in end user computing, including mobility, future workplace strategies, and enterprise solutions.

"We're now starting to treat the desktop and the tablets and all these other devices as one and the same thing. Most of the strategies I'm working with do not distinguish between mobile device and desktop," Sweeney told ZDNet.

"What's changed is that instead of trying to say that here's a bunch of untrusted devices, and here's a bunch of trusted devices, people are realising that everything is an untrusted device, including the stuff in the office."

The core concept of MDM, that every device is transient and untrusted, has "flooded back" from the mobile world to the desktop world. MDM is no longer a big, separate thing, but a smaller cog in a much more complex machine.

All together now

Sweeney calls this new paradigm the "digital workspace strategy".

"It's happened quickly, and it's happened without people knowing about it," he said.

"What you've now got is an end-user compute security framework, and that's a great thing ... You have to bring all this stuff together now. If you treat it separately, you're not going to get it past the executive committee."

The speed of the change is reflected in Google Trends data. Searches for 'mobile device management' and 'mdm' started climbing rapidly from the beginning of 2016, peaked in September 2016, then dropped back to their original low levels over the last couple of months.

Meanwhile, IBRS hasn't had an enquiry that was exclusively about securing mobile devices as part of a mobile strategy in around two years.

What's also changed over the last two years is the mobile threat landscape. New malware threats are still appearing, but their purpose is changing.

For the last ten years, Verizon has produced an annual Data Breach Investigations Report (DBIR). It's based on the real-world data of actual breaches, with input from Verizon's own customers, security product and service providers, and law enforcement agencies.

In 2015, data from sister company Verizon Wireless was added to the mix, revealing the true scale of the mobile threat.

"It was astonishing to us how much Verizon Wireless could see about malware infections in mobile devices, and they were just very common. Much more common than any of us knew, in fact," said Bryan Sartin, executive director of Verizon's Global Security Services.

Nearly all the infected devices were running Android, and most of the suspicious activity logged from iOS devices was just Android exploits that had been delivered to the wrong platform and, naturally, failed to work. Actual iOS infections were so rare that there wasn't enough data to analyse them further with any statistical significance.

But even within the pool of infected Android devices, most malware activity was still relatively harmless.

"Once you actually dissected that, if you stack-ranked it from a risk perspective, almost everything was way down here," Sartin told ZDNet, pointing to the floor. "It was like 'adnoyance' type stuff," he said, referring to potentially unwanted apps whose prime purpose is to barrage the user with advertising.

As the 2015 DBIR put it, "While adware is not in itself harmful, it often aggressively collects personal information from the mobile device it's installed on, including name, birth date, location, serial number, contacts, and browser bookmarks. Often, this data is collected without users' consent."

Indeed, while there were hundreds of thousands of adnoyance apps for Android at the time, anything more malicious was still so rare as to be negligible.

"An average of 0.03 percent of smartphones per week -- out of tens of millions of mobile devices on the Verizon network -- were infected with 'higher-grade' malicious code," said the DBIR.

The oft-predicted waves of truly malicious mobile malware simply haven't materialised.

According to Verizon, for the enterprise market at least, mobility isn't currently a mainstream avenue being used by cybercriminals. That trend has continued since the company first examined the data in 2015.

What has continued, though, is the use of phishing, and especially the more highly targeted spearphishing, to gain entry into enterprise networks. That risk is independent of the type of device involved: a credential handed over on a phone is just as useful to an attacker as one handed over on a desktop.

Who's who

This comes back to Sweeney's point about an integrated security strategy, and that in turn quickly becomes a conversation about federated identity management.

"The really big question that I'm getting asked used to be around MDM. It's now about identity management, and how that plugs into the rest of it ... It was never going to be sustainable having locked-down PCs versus BYOD [bring your own device] versus a mobile app fleet," Sweeney said.

"If we're protecting organisational assets by device, then the ID is the device. But with all devices transient, the identity has to be the person, which is where it should be in the first place."

Identity management shouldn't be an IT project, though, nor even a security project, according to James Turner, IBRS's security advisor, and convenor of CISO Lens, a peer networking group for cybersecurity executives in large organisations.

"The thing that comes through loud and clear is, if this is an IT project, you're dead. If you've started with [choosing security and ID] products, you're already dead," Turner told ZDNet.

"People are delineating now between a customer identity project and an internal identity project -- but either way, neither of them is something that security can lead," he said.

"Security is a response to risk. Identity is a response to a need, and unless that need is clearly understood, and actually expressed as something that the business wants to address, then you're screwed."

This whole conversation changes yet again when an organisation outsources, say, 30 percent of its workforce to contractors -- something that's becoming an increasingly popular economic strategy.

Of course, technology can't remove all of the risk associated with mobile devices. According to Sweeney, the loss or theft of unattended mobile devices continues to be a real problem.

"I have seen some significant 'embarrassment breaches' from that. People don't talk about them. But interestingly that's just such a basic hygiene thing. That's not about technology, that's about training," Sweeney said.

The human factor

A few months back Sweeney was in an airport lounge, and saw a guy who was "obviously from the minerals industry" put his notebook computer down, pull out a 4 terabyte hard drive, and start working. After a while, he went to the bar, and after a good 10 minutes away from his unattended devices, he returned.

"What's on the drive?" Sweeney asked.

"Aw mate, that's all the stuff from our central server I just copy onto that thing, 'cos when I'm on-site I can't get any of the stuff," he replied.

Gigabytes' worth of data, presumably of some value to the organisation, left unencrypted on a table in an airport lounge. "Now that's the sort of stuff that goes on. I'm sorry, MDM is not going to stop that. These are the sort of breaches that I think are really the result of people being more mobile and more distributed," Sweeney said.

"Good identity management can lock that down, by locking down the files, and encrypting files, so you actually have to have the credentials. But it's not 100 percent perfect if someone will just go and break all those rules. It's a data governance issue."

The message Sweeney is getting from CIOs is clear.

"If you're still thinking about a mobility strategy then you're already too late, because it's not about MDM. It's not about mobility. It's about the whole workforce, and I think that's the key thing to change," he said.

"Given the fact that we take very, very few enquiries about mobility strategy and MDM, and the vendors seem to be saying the same thing, I think that that trend is now well and truly in place."
