Whenever mobile malware is in the news (which is pretty often), questions always come up about the role of anti-malware in enterprise mobility management environments. The problem is there’s not very much consensus on mobile anti-malware, and there are more questions than answers. For today’s article I want to do some thinking out loud and take a look at some of these issues.
First of all, there’s not much consensus about enterprise mobility management in general. There’s even less agreement about whether or not it’s necessary to use mobile anti-malware, how to use it, or if mobile malware is something we should even be spending our time worrying about at all.
Traditional security vendors talk about mobile anti-malware more than pure-play EMM vendors
No doubt you’ve noticed that mobility vendors tend to fall into one of two camps. There are traditional security vendors who talk a lot about anti-malware and antivirus, publish reports about malware threats, and sell products with words like “security,” “shield,” or “protection” in the name. Then on the other side there are the pure-play EMM vendors who talk less about anti-malware and more about mobile device management, mobile app management, other new M-X-M acronyms, and enabling mobile access to corporate data and applications. Which do you go with? It depends! (Probably a lot on whether you ask the desktop folks at your company or the security folks.)
Mobile devices place us in a good starting point
To look at the wider picture for a second, at least we have a better security starting point for mobile than we have for desktops. Mobile OSes benefit from sandboxed apps, limited permissions, and apps that by default only come from curated sources. There’s no question that mobile devices create a far more friendly and forgiving environment than the internet and desktop computers of 10 or 15 years ago. (Though on the other hand, mobile devices could be considered less secure because they’re portable, always connected to the internet, and the data on them is very “personal.” Plus we have all the traditional threats we’ve been facing for years: physical access, compromised networks, social engineering, etc. But you get the point—mobile OSes are a whole different ballgame than desktop OSes.)
Yes, mobile malware exists
This part is pretty simple. Yes, mobile malware does exist. Even if there’s no consensus about how much of a problem it really is, it’s there. That even includes apps in the Apple App Store. Having said that, by all accounts the vast majority of mobile malware is just for Android, the majority of that exists outside of the Google Play store, and a lot of the really nasty stuff only works on rooted devices.
We really have to worry about ALL the apps, but that’s why we have app reputation
Besides apps that are outright malicious, we still have to worry about the fact that almost any app can intentionally or unintentionally be used to leak corporate data. This is where app reputation services come into play: they use a variety of techniques to learn about the risks posed by various apps.
In most cases, there are higher priorities than anti-malware
Consider three points: First, even though the tools exist to blacklist mobile apps, I’ve never met any IT pro who wants to be in the business of policing what apps users have installed on their smartphones and tablets unless they absolutely have to. Then you have the fact that a lot of people don’t want to, or for various reasons can’t, get into managing devices in the first place. And if you’re not managing the device, then anti-malware is a moot point, because there’s nothing you can do about user-installed apps. Finally, a more pressing issue for those dealing with mobility is enabling access to email, documents, and other enterprise resources so that users don’t have to go rogue in order to work from their mobile devices. Taken together, these all point to mobile anti-malware being a lower priority.
Security vendors will have to be more like EMM vendors
All this means that traditional security vendors have to make sure they also do a good job of providing other aspects of EMM, and not just anti-malware. Fortunately some are starting to do this already, though they still tend to be behind what the pure-play EMM vendors are doing.
EMM vendors have to answer to the malware threat
This doesn’t mean that the pure-play EMM vendors can rest. We’ll need apps that can keep corporate data secure on hostile, unmanaged devices, as well as anti-malware and app reputation when they’re needed. There’s some crossover here, too, as several EMM vendors have partnerships with anti-malware and app reputation vendors.
What do you make of this?
Like I said, for today I’m just thinking out loud about mobile anti-malware and app reputation. For sure this is something to keep an eye on, but for now it seems like we have more pressing issues to worry about first. What do you think? Is this where you are today? Am I way off base? Where do anti-malware and app reputation fit into your plans?