Product Group Tests
Mobile device securityJuly 02, 2012
This month, we look at products that can secure mobile devices and we look at the basis for security in general: encryption.
Securing mobile devices is a touchy proposition. It is, perhaps more than most computing environments, an environment in need of defense-in-depth. While that has long been the mantra of information assurance pros, it has become critical in an age of computing devices that are as easy to lose or steal as a pack of cigarettes or a pad of paper.
This month, we look at products that can secure mobile devices and we look at the basis for security in general: encryption. Encryption usually is our last resort. If all security measures fail, as long as the data is encrypted we are at least moderately safe from data compromise. It doesn't matter whether we are talking about data at rest or in motion. Encryption saves the day when all else fails. But, that does not mean that we can ignore the other protections.
Recently, I have had the unenviable task of writing a policy on mobile device security for the university where I teach. I say "unenviable" because this is a complicated area exacerbated by the bring-your-own-device (BYOD) trend now so prevalent. There are key protections in most competent policies. When you look at a mobile device security application, you should bear these protections in mind.
Before we address that piece, there is one other thing that complicates mobile device security even more - the wide variety of device types, applications, operating environments and implementations of those environments. That variety is almost out of control. Apple has reigned in the app developer so that there is some, at least, consistency in iPad/iPhone/iPod implementations. However, Android is anything and everything the developer or the device manufacturer wants it to be. There is almost no consistency in how Android is implemented across manufacturers of phones and tablets.
We see this when performing mobile device forensics. It takes several forensic tools to cover the Android territory, whereas Apple products can be handled competently by most mobile device forensic tools. We see a similar issue when trying to secure these tools. Add to that the ease with which mobile devices can be rooted or jail-broken and securing the mobile landscape is a huge challenge. I question whether there actually is a "best practice" yet.
This means that most policies should include full encryption, forced password/PIN, remote wipe, automatic password expiration and prohibition against rooting and jail-breaking. And, remember, a policy is not worth much if you cannot enforce it with appropriate security tools. Your tools need to be able to enforce at least this minimum set of requirements.
As well, remember that mobile devices often also are multimedia devices. That means that they are managing documents, telephone calls, web surfing, photos and videos, as well as a host of other applications that use multiple combinations of those fundamental functions. Subsequently, a complete solution to the challenge of securing mobile devices needs to cover all of those bases. Unfortunately, most don't. But, in terms of the evolution of this market space, it's early yet. The batch of products we are looking at this month is heading in the right direction. And, don't forget that the market itself is far from mature. For the most part, the security products in our Group Test are taking on new problems as fast as they emerge.
We tested each product for its functionality. We had a baseline of functions for which we looked, and we especially were concerned about the security impact on the user. In the BYOD world, users do not take kindly to being told that all of their family photos are gone because the remote wipe didn't work as expected. That said, if the organization is to allow sensitive data on a personally owned device there must be a way to ensure the protection of that data. As we evaluated these products - the tip of the spear, so to speak, given that there are very few such products in the market yet - we looked for that important combination of security and user-friendliness that will ensure success and staying power for the product.
Frank Ohlhorst assisted with these reviews.
All products in this group test
SC Magazine Articles
- Yahoo breach; State-sponsored actors suspected, at least 500 million accounts affected
- Cybercriminals already able to hack ATM biometric readers
- Education sector bullied by ransomware and can barely defend itself, report
- IoT assault, connected devices increasingly used for DDoS attacks
- Cisco warns of exploitation of new flaws linked to Shadow Brokers exploits
- Microsoft Office 365 hit with massive Cerber ransomware attack, report
- Hard Rock Hotel & Casino Las Vegas hit with POS breach
- X-ray and MRI machines among devices used as springboards for data breach attacks
- Hacker purportedly selling over 650,000 stolen medical records on dark web marketplace
- Wi-Fi warning! Study finds U.S. unaware of public Wi-fi risks
- RIG EK rigged to steal tricks from Neutrino in fight to fill Angler's void
- SWIFT adds additional protective measures for members to ensure cybersecurity compliance
- 185M incidents bypassed perimeter defenses - report
- Pagers found leaking patient health information
- OVH suffers massive 1.1Tbps DDoS attack