TiE Boston Mobile Security Panel Event February 10, 2012
Posted by TiE Boston- "The Network for Entrepreneurs" in Entrepreneurship, Mobile, Software & Services, Technology.Tags: byod, cloud, data, data security, enterprise, Entrepreneurship, idea, Mobile, mobile security, Security, social
TiE-Boston’s “Securing your Critical Mobile Applications” event was held on January 12, 2012. It featured a hot topic, very knowledgeable panelists, and an extremely lively discussion focused on data security on mobile devices.
We all know the primary drivers of the problem: Bring Your Own Device (BYOD), untrusted apps on the Android marketplace, and the fact that iOS is not 100% secure either, just to name a few. And what are attackers after? The obvious answers are enterprise data, user data, and payment data (bought anything on your mobile device recently?), and then there is the whole question of just plain privacy.
There are startups and big companies focused on the problem space. There are companies wrapping apps within a secure wrapper (i.e., containerization), ones that separate the data and the user from the device, and those that address the problem with a persona-based approach (e.g., VMware Horizon), to name just a few. So, what remains within the problem space that still needs to be solved? Well, it turns out there is plenty, and the panelists were full of ideas on what to solve next. Let us talk first about some opportunities addressing specific use cases:
• Containerization of email attachments: The most used app on mobile devices is email, and email attachments are one of the most common vectors for getting malware onto a device. As it stands today, there is no widely adopted or built-in method to open all email attachments within a secure, permission-restricted container so that the actions any potential malware can take are limited or curtailed.
• Password unlock: Today the most common way to lock a mobile device is with a PIN. Innovative ways to enter the PIN other than from a plain keyboard would make it harder for malware such as keyloggers to capture it. For example, Microsoft recently announced a method by which a picture is presented to the user, and a sequence of touches on specific points of the picture constitutes the password that unlocks the device.
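To make the picture-touch idea concrete, here is an added example of how such an unlock check could be verified on the device. It is not Microsoft's implementation and was not presented by the panel; the 8x8 grid, the PBKDF2 hashing of the cell sequence, and the sample touch coordinates are all assumptions made for illustration. The secret is the ordered sequence of picture regions, so a keystroke logger captures nothing useful, but quantizing touches into cells is a trade-off: it tolerates finger jitter inside a cell, and a touch that lands just across a cell boundary fails.

```python
import hashlib
import hmac
import math
import os

GRID = 8          # assumption: the picture is divided into an 8x8 grid of cells
ITERATIONS = 50_000  # assumption: PBKDF2 work factor for the stored secret


def quantize(points, width, height, grid=GRID):
    """Map raw touch coordinates (pixels) to grid cells.

    Small finger jitter inside a cell still matches; the raw pixel
    positions are never stored, only the cell sequence is hashed.
    """
    cells = []
    for x, y in points:
        if not (0 <= x < width and 0 <= y < height):
            raise ValueError("touch outside the picture")
        cells.append((int(x * grid / width), int(y * grid / height)))
    return tuple(cells)


def _digest(cells, salt):
    """Derive a fixed-length secret from the ordered cell sequence."""
    data = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def enroll(points, width, height, salt=None):
    """Register the unlock gesture; returns the record the device keeps."""
    salt = salt if salt is not None else os.urandom(16)
    cells = quantize(points, width, height)
    return {
        "salt": salt,
        "digest": _digest(cells, salt),
        "width": width,
        "height": height,
    }


def verify(record, points):
    """Check an unlock attempt in constant time against the enrolled record."""
    cells = quantize(points, record["width"], record["height"])
    candidate = _digest(cells, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def keyspace_bits(length, grid=GRID):
    """Upper bound on entropy of an ordered sequence of `length` cells."""
    return length * math.log2(grid * grid)


if __name__ == "__main__":
    # Constructed sample: a 400x400 picture and a three-touch gesture.
    record = enroll([(100, 50), (300, 200), (50, 350)], 400, 400)
    print(verify(record, [(110, 55), (305, 205), (52, 352)]))   # jitter inside cells
    print(verify(record, [(50, 350), (300, 200), (100, 50)]))   # same points, wrong order
    print(verify(record, [(100, 50), (300, 200), (49, 350)]))   # crosses a cell boundary
    print(keyspace_bits(3))
```

The constant-time comparison and the salted, iterated hash matter because the enrolled record lives on the device itself; the grid size sets the usability/entropy trade-off, and `keyspace_bits` makes that trade-off visible (three ordered touches on an 8x8 grid give at most 18 bits, roughly a six-digit PIN, before accounting for users picking obvious points).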
Then there are the larger, broader topics that enterprises are scrambling to tackle and that represent some of the larger opportunities for startups:
• Solve problems around compliance: What kinds of enterprise data can reside on the device? If it is resident on the device, is the user allowed to access it at all times? What if the user is accessing the data from a public network? And what does all this mean for compliance?
• Solve problems around APTs: The user is now the new perimeter of security defense and not just the enterprise network. The footprint that an Advanced Persistent Threat (APT) can attack is now your whole employee base multiplied by the number of devices they own on average! This is a new class of attacker who is sophisticated, extremely well funded, typically with a very targeted goal and is willing to wait as long as it takes to get there. But remember, the attacker is not rewarded for finding the hardest way in but rather the easiest way in. No security measure is 100% secure. So, what can you offer that can increase the cost of intrusion?
• Device traffic monitoring for security: What is coming in and going out of every single user’s device? What level of visibility does the enterprise have into this? What level of visibility does the user have? What traffic behaviors can be analyzed to protect against known and zero-day malware?
• Mobile+Social+Cloud: All of this exists on your device today already; Facebook Mobile plus Zynga is probably the most recognizable example. How do we protect against the threat vectors that this combination opens up?
• Gamification of enterprise mobile security: Yes, I know, this one is a little bit out there, but it really could be an out-of-the-box way to think about not just mobile security but enterprise security. What can we learn from the game industry in terms of user and autonomous-agent behaviors, as well as incentivization, and bring to the security space? Gaming+Mobile is a hot space. Gaming+Mobile+User Incentivization = Security could be an interesting equation. Ash Devata might be on to something here, and this may be a wonderful topic for a follow-on discussion.
And then as I sat there listening to the panel, I realized – wait a second, I bring MY device to the enterprise to improve MY productivity FOR the enterprise. The solution approaches are being thrust on to MY device! So, why should I not be allowed to Bring Your Own Security (BYOS)? Who is tackling the consumer mobile security problem? Something to chew on …
Panelists:
• Puneesh Chaudhry, CEO Copiun
• Todd Christy, CTO Verivo Software
• Ashok Devata, Marketing Manager Data Security, RSA Security
• Andrew Borg, Senior Research Analyst, Aberdeen Group
• Moderator: Rodney Brown, Mass High Tech
By: Vikram Venkatasubramanian
About the writer: Vikram is a TiE Boston member and security industry professional based out of the Boston area who is very interested in the mobile and virtualization security problems.