Mobile devices call for security solutions that don't apply to the PC world
Michael Sutton, vice president of security research, Zscaler
Information security is an ongoing game of cat and mouse between IT organizations and hackers. The way that organizations consume and protect information changes as frequently as the methods hackers use to attack it.
Currently, three major trends are driving one of these fundamental changes. Cloud computing, social networking and mobile devices are empowering employees to be more productive, but simultaneously removing control from IT organizations.
Cloud computing services and social networks are pushing data to external networks, but mobile devices are circumventing corporate networks entirely. When a mobile device connects to a public or 4G network, security teams lose visibility because appliances cannot see the traffic. As a result, traditional security solutions, such as in-line URL filtering, are rendered ineffective.
Today, mobile security solutions are limited, in part due to the relative immaturity of the platform, but also because of the fundamentally different architecture of the mobile operating system. Enterprise security staples such as host-based anti-virus (AV) are no longer an option – not only due to resource constraints, but because platforms such as [Apple's mobile operating system] iOS prohibit background applications and limit access to the file system.
Mobile malware infection rates differ so much from PC infection rates because mobile devices are so different from PCs. PCs function as client-server devices with many services listening for and responding to external requests, enabling malware to attack services and more easily move from machine to machine.
Mobile devices tend to function more as true client devices in a more closed environment and also tend to implement greater restrictions on the ‘reach’ of an individual application within the operating system. Today, most mobile malware tends to be found in unofficial mobile app stores, arriving in the form of cloned or fake apps.
Recently, however, the “BadNews” malware was disguised within 32 Android applications on Google Play, indicating the official app store gatekeepers aren't perfect either and could be doing more to protect their users.
The privacy implications of mobile apps should be another major concern for enterprises. This is an issue that is not getting nearly the attention that it deserves. Zscaler research has found that it is frighteningly common for poorly coded applications to leak personal information or more directly track user behavior. Unfortunately, even the official app stores are doing very little to weed out such applications.
IT organizations concerned with mobile malware should institute a corporate policy forbidding the download of applications from unofficial app stores; however, it can be difficult to enforce such a policy since traditional appliances provide no visibility into mobile devices connected to public and 4G networks.
Mobile device environments are completely different from PC environments and require completely different solutions. Appliances cannot see off-premises mobile traffic and host-based anti-virus is resource-intensive – or in the case of iOS, simply not allowed.
Organizations need to seek a security architecture that can provide the visibility and control to ensure that employees are equally protected, regardless of the location that they are working from or the device that they are using.