Is Mobile Messaging in Danger?

Depending on whom you speak with, smartphone users either are or are not incredibly vulnerable. As there is always a kernel of truth in every tabloid tale, do we assume dark forces are afoot? “Everyone is waiting for something big to happen and I do share that belief,” says Patrik Runald, chief security advisor of F-Secure Corporation. “It’s hard to estimate when—this year or in three years—but I think everyone agrees that it is going to happen, because it’s such an unexploited market for the bad guys to go after.”

Jonas Markstrom, sales engineer, wireless solutions for Check Point Software Technologies, Ltd., believes that the “Big One” has already happened. “The big one is and will continue to be data leakage to unsupported devices by enabling push email to a consumer device not supported by IT, or data loss through the loss of any unprotected device.” Whether or not users are in imminent danger, he says, really depends on what type of dangers you are talking about. “Anti-virus vendors will scare you with long lists of viruses, malware, threat levels and so on. While these traditional security threats matter in the smartphone realm, with ever more capable devices and ever more bandwidth and device interfaces, this should not be the greatest concern, nor is it any reason to be scared at the present time.”

What is real and what most users and IT departments can relate to, continues Markstrom, are the security concerns surrounding a lost or stolen smartphone. “I’ll give you an example, over a six-month period in 2008 more than 85,000 devices were lost in Chicago alone. We find in our research that the great majority of devices lost or stolen don’t have security enabled. If we consider that a smartphone pretty much carries the same amount of sensitive data as a laptop, (introduced perhaps over push email or tethering), and consider the small form factor of the smartphone (making it prone to loss or theft), as well as the usage pattern of a smartphone (unlike your laptop, it’s with you 24-hours a day, seven days a week) you’ll see that the risk is so much greater and yet it’s rarely recognized. Most IT departments simply do not know how to address anything that doesn’t connect over a TP cable. The result of loss ranges from exposure of sensitive or private data to damage to company image/reputation and the potentially huge costs associated with this.”

Doris Yang, product manager of mobile products for PGP Corporation, agrees, “I think if you look at the statistics surrounding how often a mobile device is lost, it’s pretty apparent that human behavior factors into mobile data loss. Mobile devices are smaller and easier to lose and misplace than laptops, making it easy for sensitive information to potentially end up in the wrong hands. Deploying file and email encryption on mobile devices is easy and automatic, and can ensure that if a mobile device is lost or stolen, none of the data on it is compromised.” Yang feels that data security for mobile devices is about being cognizant of what information is at risk, and having the right policies and practices in place to secure that data. She explains that while most mobile platforms provide users with the connectivity needed to access information enabling productivity outside of the office, they all offer varied security measures, if any, to protect your information. “By sheer virtue of connectivity and other improvements in mobile device hardware, enterprise mobile users today are at more risk for data loss and/or theft than ever before,” explains Yang. “Devices today are accessing and storing the same confidential data as corporate issued laptops, so companies need to start securing them accordingly.”

Most vendors agree that a large percentage of security vulnerabilities are introduced by the user—almost always through ignorance or accidental means. “That’s just the thing though, it shouldn’t have to be that way,” says Markstrom. “If security is enabled when the device is provisioned to the user and if security is implemented in a manner where it is non-intrusive and enforced, then users can go about their ways and still be secure.”

What’s the Device Got to Do With It?

When discussing security, Research in Motion (RIM) and Symbian top the experts’ list as being the most secure mobile devices for enterprise users. Most cite the fact that these devices were developed from the ground up with enterprise security in mind—push email, as well as block and wipe functionality were non-negotiable. Despite their reputation as heavy hitters, it is Apple’s iPhone that has taken the world by storm—a device notable for many things, including its lack of security. Although the iPhone target market is unarguably consumer, its appearance across the enterprise is a cause for concern.

“I haven’t seen any data on what the use numbers are, corporate vs. consumers, in regards to the iPhone, but I can imagine that the corporate part of it is growing very rapidly, especially since they introduced the push email function,” says Runald. “I personally feel that there are certain features missing on the iPhone—particularly the encryption part—for it to be a real enterprise phone. I think they’re halfway there. They have the remote block and wipe, but they still don’t have the encryption, which I think is a key feature.” Runald believes that in order for the iPhone to be secure enough for enterprise users, it should leverage at least 256-bit encryption. “Right now, it really is wide open on the iPhone which I don’t feel comfortable with. You don’t have that on the Blackberry or on certain Symbian-based devices, and Windows Mobile also leverages encryption so I think that is something that is required for the iPhone to get to the next level.”

Yang suggests that, instead of relying on device manufacturers to protect your data, organizations use a trusted encryption solution provider to encrypt the content of device messages from the moment a message is sent to the moment it’s received.

“I find that traditional (platform) vendors such as Nokia and Microsoft are doing more work in security today than only a year ago,” says Markstrom. “We also see carriers such as AT&T and Vodafone Global Enterprise stepping up and offering hosted pay-as-you-go mobile device management and security (based on Check Point) for SMB customers. On the other hand, ‘new players’ (iPhone, Android, WebOS) entering the smartphone or business mobility field may be wrecking all of this. For example, even though the iPhone is now seeing broad enterprise adoption, Apple is doing too little to secure it (as of OS version 2.x) and this will in turn hurt overall enterprise security. Even though I have both a 2G and a 3G iPhone, I recommend that all my customers disallow iPhones from connecting to enterprise resources or email until adequate security can be presented.” Markstrom goes on to point to increased performance of devices on networks as creating more risk, coupled with the fact that most companies support multiple platforms or even multiple OS versions on a single standardized platform, all having different capabilities (security and otherwise).

Centrally Managed Security

Yang says that most companies agree that the corporation rather than the individual should drive implementing and deploying security solutions. “When individual users have to make independent security decisions on a daily basis, inconsistent application of policy is the result. That said, end-users should always act responsibly with the information that they do have control over, but having a centrally managed solution ensures that corporate encryption policies are automatically applied and enforced without requiring interaction from the end-user. At the end of the day, end-users and IT both need to take stock of what information is being transmitted via email and other mediums, and whether or not it poses a security risk for the company.”