A few major security reports came out recently, and as a result once again I find myself contemplating the role of different mobile security technologies: Despite years of dire predictions, and despite new entrants to the market, there’s still not much of an established common practice around using specialized third-party mobile security products in the enterprise.
Mobile device security
First off, we should acknowledge that mobile devices put us in a fundamentally different and much better position than before: They’re newer than desktop OSes, so they’re actually designed to be mobile and always connected; the apps and the OS are sandboxed and protected from each other; there are far more controls around app distribution; and so on.
Of course mobile devices face plenty of real threats too. The OSes are made by humans and have vulnerabilities; there are malicious and potentially harmful apps out there; they’re susceptible to network-based attacks (especially when users connect to unsecured public WiFi networks); and the users are human, too—they can be socially engineered and generally do unsafe things.
Naturally there’s a significant group of vendors that sell mobile security products that are marketed heavily against these potential threats. To clarify, I’m not talking about general EMM platforms; rather, I’m talking about other products like mobile threat defence/detection/prevention products.
The reality on the ground
What’s the sum of mobility’s advantages and threats? Let’s look at those recent reports.
The Verizon 2016 Data Breach Investigation Report, released last week, said this:
“For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things (IoT) is coming to kill us all, you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”
The authors are realistic, inviting conversation and warning that this doesn’t mean we can get complacent about mobile security, but still you get the point.
The Google Android Security 2015 Year In Review report, released on April 19th, said this:
“Successful exploitation of vulnerabilities on Android devices continued to be extremely rare during 2015. The largest threat was installation of Potentially Harmful Applications (PHAs), or applications that may harm a device, harm the device’s user, or do something unintended with user data. On average, less than 0.5% of devices had a PHA installed during 2015 and devices that only installed applications from Google Play averaged less than 0.15%.”
So it’s not that everything is perfect; however, our mobile devices are generally keeping us quite safe without us having to do much at all. Thanks, Apple and Google!
Enterprise practice today
What is the enterprise doing about mobile security today?
EMM has many roles and functions, but one of the things it does is contribute to security by encrypting data at rest and in transit, enforcing data sharing controls, providing root and jailbreak detection, and controlling other MDM configurations on managed devices. Furthermore, some MAM products in particular focus on the concept of app “hardening” to further protect from attacks and breaches.
However, what we don’t see yet is the widespread common practice of using other third-party mobile security products beyond EMM—at best it’s just beginning to emerge. (App reputation, which goes beyond malware detection to look for legitimate apps that could nevertheless still put enterprise data at risk, seems to be most common, but remember that on a lot of devices you don’t get to control what apps a user installs.)
Overall, the controls that are built into EMM platforms and enterprise apps seem to be sufficient for most organizations. As the Verizon report found, there are bigger fish to fry when it comes to the causes of data breaches: companies need to prevent phishing, patch vulnerabilities, and protect credentials better.
Mobile security innovation
Despite the lack of a common practice, there are some seriously cool mobile security products coming along. Besides app reputation, there are products that can look for malware or signs of malicious activity, both from within and outside of the device, as well as products that can look for network-based threats. These technologies are getting more experience under their belt, and many have better battery performance than they used to.
Now I certainly can’t say that I agree with all of these vendors’ marketing practices. There’s a lot of doom and gloom that doesn’t jibe with the common practices of companies today or with the landscape as outlined by more neutral organizations. Unfortunately that’s just the nature of the beast.
Another important development is the many integrations that are happening between third-party security vendors and EMM platforms. (I wrote about Intel and AirWatch as one example, but there are many others.) These integrations mean that security vendors don’t have to build EMM from the ground up, and can instead concentrate on their core IP. More importantly, this makes them easier to evaluate and differentiate.
On one hand, we have a lot of potential threats and many interesting products to combat them. On the other hand, we don’t have much evidence that these threats are that much of a problem, and most companies are apparently fine with just EMM for now. (Or nothing at all, as the case may be.)
So what do we make of this? It’s hard to say. Wait and see what happens?
We will see more security technology get integrated directly into EMM and enterprise apps—for example, “self-defending” apps will continue to get more powerful and more common. But again in that case, what happens to third-party security products?
What do you think? If you’re using something beyond EMM already, I’d love to hear about it. If you’re not, are you planning to? Or are you going to wait and see?