KuppingerCole Analysts' View on Mobile Enterprise



Privacy Issues in Mobile Security

Alexei Balaganski

It is estimated by the International Telecommunication Union that the total number of mobile devices in the world has already exceeded the number of people. Mobile devices are becoming increasingly advanced as well. In fact, modern smartphones are as powerful as desktop computers, but “know” much more about their owners: current and past location, contents of their private text messages, photos and other sensitive information, as well as their online banking credentials and other financial data. They are also always connected to the Internet and thus are especially vulnerable to hacking and malware exploits.

Growing adoption of cloud services has brought its own share of privacy concerns: more and more sensitive data is now managed by third parties, so users are losing visibility and control over their information. However, it is social computing that has made the most profound impact on our society. Ultimately, it has led to a significant erosion of the public expectation of privacy and made it nearly impossible to undo accidental sharing of private information. Some people have gone as far as to claim that privacy is no longer relevant. This, of course, could not be further from reality: various studies clearly indicate that users value their privacy and strongly object to their personal data being shared with third parties without consent. However, many users still do not have a clear understanding of the extent to which mobile devices can affect their privacy.

With mobile technologies becoming more sophisticated, general public awareness of the associated risks simply cannot keep up. Every day, mobile users can easily fall victim to yet another new method of tracking, stalking or privacy abuse. Stolen personal information has become a valuable product on the black market. It includes not just financial or medical information, but any kind of PII that can be used as a key to your other assets. It’s not just hackers that are after this kind of loot: telecommunications providers, search engines and social network operators are collecting as much of this information about their users as possible, to use it for targeted advertising or simply to resell it to third parties. And, after Snowden, do we even need to mention government agencies?

For enterprise IT departments, the growing adoption of mobile devices has brought its own share of headaches. One of the biggest current challenges for the IT industry is undoubtedly the Bring Your Own Device (BYOD) problem. While the technological challenges are massive, a proper BYOD strategy must address privacy issues as well. Many organizations may easily overlook them, because issues like liability for private data leaked or lost from company-managed devices still vary per country; they are often considered to be in the grey area of current laws and regulations. These regulations are changing, however, and to stay on the safe side companies should always carefully study and address the legal aspects of their mobile device policies: a mistake can cost you a fortune. KuppingerCole provides this kind of expertise as well.

However, regulations alone cannot solve the fundamental cause of so many privacy-related problems of current mobile platforms. As mentioned earlier, modern smartphones and tablets have the same computing power as desktop computers. Yet, both consumers and device manufacturers still fail to realize that mobile devices need at least the same level of protection against malware and hackers as traditional computers.

Modern mobile platforms are based on Unix-like operating systems and incorporate various low-level security features like hardware isolation or code signing. Yet they are still far behind desktop or server systems when it comes to more sophisticated security tools like firewalls or application control. Even worse, no modern mobile platform includes any built-in vendor-neutral security APIs that would allow third-party developers to create such tools. Although several solutions are available on the market now (like Samsung KNOX), they are all limited to a small number of supported devices and have their own security issues.

Modern mobile platforms are much more closed than desktop operating systems, and this is a source of privacy-related concerns as well. Consider a typical situation for iOS: we learn about data leaks or other violations in a standard app, and it takes months for Apple even to acknowledge the problem, let alone release a patch for it. The open nature of Android’s ecosystem, on the other hand, leads to platform fragmentation, and vendors often simply stop supporting old devices completely. Despite their differences, the result is the same: because of fundamental deficiencies in their platforms, both vendors fail to provide adequate means of protecting users’ privacy.

Thus, it is clear that long-term solutions to these problems require a major paradigm shift. Privacy cannot be protected by government regulations or “bolt on” security products – it has to become an integral part of any mobile platform and application. Unfortunately, this stands in stark contrast to the goals of many hardware and software vendors, with only a few already realizing the business value behind “privacy by design”. To break the current trend of hoarding as much personal information as possible, consumers, enterprises and government regulators have to join their efforts and bring everyone to a clear realization that long-term losses from violating customers’ trust will always be greater than short-term gains.

For more information and concrete recommendations to enterprises, mobile device manufacturers and application developers please refer to KuppingerCole’s Advisory Note “Dealing with privacy risks in mobile environments”.



So, Is the Perimeter Dead?

Amar Singh

Yes and no! The traditional perimeter, as we have known it, is dead. I repeat: the traditional model of “protect the castle walls and everything inside will be secure” is dead. To be honest, this model has been dying a slow death since the development of the laptop computer. The dawn of smart devices (often also referred to as BYOD or BYOX) has only accelerated the demise of the long-held castle perimeter paradigm.

Let me explain why I believe this is so, with a real-life scenario I see repeated in organisations across the world.

Organisation ABC is a large multinational company (a fictional company; any resemblance to real-world companies is purely coincidental). ABC’s IT Department, run by the COO, has just completed a new and urgent security upgrade to ensure that the corporate network perimeter is protected by the latest next-generation firewall technology.

To celebrate the successful implementation of its product, the firewall vendor has invited the COO to speak about the implementation at a seminar. The COO describes how his organisation now has the most advanced perimeter protection firewalls around. They are application-aware, understand every protocol, and have this really impressive way of sniffing all that encrypted traffic.

They can improve employee productivity by slowing down Facebook, LinkedIn, YouTube and Twitter traffic, so the employees can get back to work! Even better, these third-generation perimeter firewalls have the latest malware database and can stop the most advanced malware in its tracks! No more APT attacks in my network!

With the audience hanging on his every word, the COO added, “The perimeter is everything. We are fully protected! No one can get in! Oh, we are also protected against all the mobile malware for Android and Apple - any user who is on the corporate network is never going to get infected. And finally, the firewall even does SIEM and can detect all types of intrusion attempts! We are safe!”

Sound familiar? That’s right, folks! The same next-generation technology that serves other organisations so well!

Midway through the firewall project, ABC appointed a CIO, Sarah, who decided to go fully cloud and mobile. Everyone loves her - well, likes her. She embraced the cloud and made access to email much easier and, importantly, an enjoyable experience! In addition, every employee was offered a 30% discount to purchase their own smart mobile and tablet device that could be used for both corporate and personal use. The CIO sat down with her legal counsel, updated the Acceptable Use Policy and created a Mobile policy to ensure that employees understand the who, what, why, etc.

Sarah encouraged the increased adoption of mobile technology to improve working conditions, so that engineers and developers could complete major project deliverables on their mobile devices from anywhere.

What happens next?

The company CFO, like the rest of the senior executives, was using his own brand-new mobile device and had clicked on an emailed attachment while surfing at a neighbourhood coffee shop! The email contained an infected PDF that appeared to offer an amazing deal to the CFO’s favourite holiday destination, Iceland.

Long story cut super short: the mobile was infected via the PDF, and the malware then started stealing the CFO’s contact details, call logs, email, browsing data and, yes, password details. It then spread to the rest of the finance department’s laptops, stealing their data, and finally settled on the finance data servers. The malware copied all the confidential data and anything else that it could ‘see’.

ABC only discovered this leak when inappropriate email communications between the CFO and his PA started to leak on the Internet. This was the start of a very messy cyber breach that resulted in a massive data leak. The CFO’s personal emails, photos and browsing habits for the last 2 years were also disclosed, much to the deep embarrassment of the company. The most catastrophic aspect of the breach? The company’s unaudited financial results! You can guess the shareholders were not very happy when they got access to the real results!

What Happened to the All-Singing, All-Dancing Perimeter Firewall?

The COO had a lot of answering to do to the board. His multimillion-dollar security program was unable to detect or prevent what appears to have been a straightforward phishing attack, one that led to the most embarrassing, reputation-damaging security breach in the company’s history. Practically useless.

How Did This Happen?

The CFO’s multiple laptops and his browsing from unprotected wireless connections in coffee shops meant that the traditional perimeter was of practically no use in preventing this type of attack. The virus was willingly downloaded, albeit by trickery, by the CFO, because he thought he was going on a holiday! Once the malware was deployed, the lack of proper access controls around the data stores and of basic security hygiene made the security compromise a walk in the park.

Why did this happen? First, don’t blame the firewall. It has a purpose and a place. Next:

  • Practically no one in the COO’s company ‘lived’ on the corporate network!
  • The work force had been empowered by the CIO to be mobile. They were encouraged to be more productive and adaptive.
  • The traditional castle perimeter was dead! The perimeter was everywhere and there was nothing protecting that everywhere perimeter.

The perimeter must move

The perimeter must move closer to what you want to protect. Not just close, but in close proximity to what is important to your organisation. Some objects of interest include:

  • Information: protecting access to your financial data store with an eight-character password is not sufficient;
  • People: yes, we humans are a major object of interest. It’s not good enough to expect us humans to understand cyberspace’s complexities and threats without sufficient training and knowledge.

This step is just the beginning. Defining, or rather redefining, your perimeter is just one of a strategic set of actions that must be taken to prevent security breaches. However, one of the most important steps is to (1) acknowledge that the fundamental concept of the perimeter has changed and (2) deliver appropriate security measures to the new perimeters.

It must be stressed here that the concept of layered security, or defence in depth, must not be discarded as a result of moving the perimeter closer to the object of interest. On the contrary, it is even more important to have several different layers of controls and technologies to ensure that if one defence is breached, the others stand firm.

50 Billion Perimeters - Secure That!

Cisco predicted that by 2020, just five years away, there will be 50 billion connected devices on planet Earth (all right, a few might be in space, too). You get the drift? That’s right: what’s the new perimeter, or rather where is the new perimeter? Every one of those 50 billion devices has its own invisible perimeter around its operating system and hardware controls. Knowing the pace of innovation, many of these device types will be some contraption combining the current mobile device, wearables and who knows what else!

Go and try containing these always-on, always-connected (Internet of Things) devices with your traditional firewalls! Good luck, but I do not want to be the CISO or CIO of the company that does not understand this fundamental paradigm shift.

Oh! By the way, let’s not forget the volume of data that these 50 billion devices generate!



The Right BYOx Strategy

Dave Kearns

For the past few years BYOD – Bring Your Own Device – has been a hot topic, often leading to shouting matches between IT and users who want to use their own mobile devices to access corporate assets. Lately, it’s been a more generic “BYO” (Bring Your Own) theme, with the aforementioned D (device) but also A (apps), I (identity) and P (platform), as well as countless others churned out by vendors’ marketing machines.

In fact, little of this is new. Over 30 years ago users were bringing their own devices (PCs) and apps (VisiCalc, Lotus 1-2-3, etc.) into the office for better control over corporate data. And IT (called IS, or Information Services, in those days) was just as irate then.

IS lost the fight then, IT is losing that fight now. IT is always going to lose these fights.

Departments that generate revenue (sales, marketing, etc.) are always going to have more clout than those seen as a cost center, such as IT. Clients and customers will always have their issues addressed, no matter what IT says. Some issues, such as compliance (with a risk of fines or jail for senior execs) or security (with its risk of loss to both assets and reputation) can provide a temporary boost for IT’s arguments but, in the end, revenue and customer service will win out.

The rise of smart mobile devices, the coming dominance of cloud computing, the Internet of Everything and Everyone (IOEE) and ubiquitous published APIs for access to all those things require different thinking on the part of IT.

Too often IT thinks in terms of fighting “the last war”: they want to build “bigger and better” firewalls without realizing that getting around a firewall is child’s play these days.

Instead, IT should focus on providing platforms that most can reach, while concentrating on Access Control (AC): the means of Authentication and Authorization that allow the right people the right access to corporate data at the right time and place, whether they are employees, contractors, vendors, clients, customers or partners. Dynamic Access Control and Attribute-based Access Control (see Leadership Compass: Dynamic Authorization Management - 70966) and Context- and Risk-based Access Control (see Getting the security you need) are what IT should be concentrating on.

Traditionally, IT liked (and in many cases still likes) to provide static AC: network login accounts with hard-to-change attributes, permissions based on Access Control Lists (ACLs) that are also difficult to keep updated, and firewalls with hard-and-fast rules for who (and what) can pass through. Spending time on those things is like trying to design better buggy whips for automobiles.

When properly implemented, RiskBAC (Risk-Based Access Control) collects context data from the transaction (Who, What, When, Where, Why, Which, How) and can then:

  • Approve authentication;
  • Deny authentication;
  • Request further authentication factors.

If the authentication is approved, the RiskBAC system assigns – or causes to be assigned – authorizations dynamically, consistent with the risk associated with the authentication and the context. If the authentication isn’t approved, then a different reaction can occur depending on the perceived threat.
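A minimal RiskBAC decision engine of the kind described above, added here as an illustration (not KuppingerCole’s or any vendor’s code): it scores the transaction context, returns approve, deny or step-up, and assigns authorizations scaled to the residual risk. The context fields, weights and thresholds are assumptions chosen for the example.

```python
"""Toy risk-based access control (RiskBAC) decision engine (added example).

Not KuppingerCole's or any vendor's code: the context fields, weights and
thresholds below are assumptions chosen to illustrate the decision flow.
"""
from __future__ import annotations
from dataclasses import dataclass

APPROVE, DENY, STEP_UP = "approve", "deny", "step_up"


@dataclass(frozen=True)
class Context:
    """Transaction context: the Who/What/When/Where/Which/How signals."""
    who: str              # subject identity
    what: str             # resource being requested
    when: int             # hour of day, 0-23
    where: str            # network the request arrives from: "corporate" or "public"
    managed_device: bool  # Which device: True if enterprise-managed (MDM-enrolled)
    how: str              # authentication already performed: "password" or "mfa"


# Assumed risk contribution per signal; a real engine would tune these.
WEIGHTS = {"public_network": 30, "unmanaged_device": 30,
           "off_hours": 15, "sensitive_resource": 25}
SENSITIVE_RESOURCES = {"finance-db", "hr-records"}
DENY_AT, STEP_UP_AT = 80, 40   # assumed thresholds on the 0-100 score


def risk_score(ctx: Context) -> int:
    """Sum the risk weights of every elevated signal in the context."""
    score = 0
    if ctx.where != "corporate":
        score += WEIGHTS["public_network"]
    if not ctx.managed_device:
        score += WEIGHTS["unmanaged_device"]
    if ctx.when < 7 or ctx.when > 20:
        score += WEIGHTS["off_hours"]
    if ctx.what in SENSITIVE_RESOURCES:
        score += WEIGHTS["sensitive_resource"]
    return score


def decide(ctx: Context) -> tuple[str, frozenset[str]]:
    """Return (decision, permissions). Permissions are assigned dynamically:
    low residual risk gets read+write, elevated risk after step-up gets
    read-only, and a denied or pending request gets nothing."""
    score = risk_score(ctx)
    if score >= DENY_AT:
        return DENY, frozenset()
    if score >= STEP_UP_AT and ctx.how != "mfa":
        return STEP_UP, frozenset()   # request a further authentication factor
    perms = {"read"} if score >= STEP_UP_AT else {"read", "write"}
    return APPROVE, frozenset(perms)


if __name__ == "__main__":
    # Constructed sample: an unmanaged phone on coffee-shop Wi-Fi asking for finance data.
    cfo = Context("cfo", "finance-db", 14, "public", False, "password")
    print(risk_score(cfo), decide(cfo))   # 85 ('deny', frozenset())
```

The same request from a managed device on a public network lands in the step-up band, and after a second factor is approved read-only.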

For now, we recommend that you define a BYOx strategy that is open but risk-based, allowing graded access based on the level of trust and risk. This is where risk- and context-based, versatile authentication and authorization come into play. We cannot overstress the importance of hybrid solutions that account for all platforms, even those not yet delivered. And, while this is often overlooked, you should offer your users choices that are better – perhaps more integrated with the enterprise – than those available as BYOA.
