SAN FRANCISCO -- How do mobile security concerns relate specifically to the cloud?
Vic Morris, CEO of cloud and mobile management firm Vordel Inc., directed that question to a panel of security experts at the 2013 Cloud Security Alliance (CSA) Summit, part of the RSA Conference 2013. Their answer? Mobile doesn't exist without the cloud.
"These things [mobile devices] don't connect to your corporate network; they spend 95% of their life out in the cloud," said David Lingenfelter, information security officer at Fiberlink. "If you're still saying it has to connect to the corporate VPN, you've completely missed the game because the game has changed to something else."
Morris moderated the panel and kicked off the proceedings by referring to the CSA's recent report Top Threats to Mobile Computing, which ranked the top eight security threats in the mobile sphere. Not surprisingly, data loss topped the list.
"Security hasn't changed; we're still trying to secure the data. The speed of things has changed though," Lingenfelter said.
Panelists spent much of their time discussing how to tackle this classic security problem in the mobile realm, with most of their focus falling on the need to secure the application layer. Tyler Shields, senior security researcher at Veracode, commented, "At the end of the day, it comes down to code flaws. Where have the most successful breaches come from? It is the application layer. ... We're seeing a quicker jump to the app layer because it was successful in the desktop realm."
From left: Vizay Kotikalapudi, Group Product Manager, Symantec; David Lingenfelter, Information Security Officer, Fiberlink; Tyler Shields, Senior Security Researcher, Mobile, Veracode; Patrick Harding, CTO, Ping Identity
Photo credit: Eric B. Parizo
This is a reversal of the trend in the last decade, when so much time was spent securing browser-based apps. For the panelists, mobile app security is a return to the days when organizations had their own custom-built apps running on desktops.
Mobile device management technology is seen by some organizations as the answer to the problem of mobile security, but as Lingenfelter suggested, MDM only solves one aspect of the security puzzle. "It certainly is not the panacea; it is just the beginning," he said. "You still need to go and add components to secure the data above that."
Shields elaborated, "The problem is the attacks are coming in at a higher level of the stack; you have to get above that and look at the application."
So, if MDM isn't a cure-all, what can organizations use to supplement their mobile security policies? For Patrick Harding, chief technology officer at Ping Identity, identity and access management (IAM) controls need to be part of the answer. "How do I ensure and control access to the point that I am sure who the user is? It seems to be quite acceptable to cache passwords on phones; we see a lot of apps that say, 'Give us the password once and we'll just store it locally.' IAM, and particularly some standards that are emerging there, is very helpful with dealing with that," he said.
IAM is particularly useful as multi-user devices begin to take hold in more settings. Lingenfelter pointed to the example of medical personnel in hospitals using the same tablets. If one user has a certain level of access and another user logs on to the same tablet, that user should not be able to view the same data as the higher-access-level employee. If a user sees information above their classification level, that could be a HIPAA violation.
Another potential problem posed by Morris is that of aging devices, but again, panelists felt the real question was how data was being handled when organizations dispose of outdated devices.
Lingenfelter listed a litany of concerns: "What are people doing with them when they are done with them? Where are they going? And does corporate know where they are going? Have they been cleaned properly?"
In any conversation about mobile security and the cloud, the perimeter is bound to be mentioned. For the panelists, discussing the perimeter was akin to military leaders discussing muskets: They no longer exist. "Mobility crushed the perimeter; the perimeter is dead. If you take the same approach from the past decade, you are dead," Shields said.
With so much time spent addressing concerns like app security and data loss, an audience member was left to ask, "Are we making the same mistakes that we made before?" Harding summed up the feelings of the panelists with the exasperated response, "We're always bolting security on; we've been doing it for 30 years, and it never works. ... We have to build security in in a standardized way."
Emerging mobile threats
Though much of the panel was devoted to fixing classic security problems in the mobile world, panelists did take some time to discuss the No. 8 threat listed in the CSA's report: near-field communication (NFC). For now, panelists agreed that it is mostly a minor concern for mobile users, but that attackers will likely look to exploit NFC as more mobile devices are equipped with it. Shields also mentioned that attackers are prone to following the money; as NFC is increasingly used as a mobile payment option, it will gain more attention.
Panelists also discussed the role that rogue marketplaces play in infiltrating mobile devices. For Vizay Kotikalapudi, group product manager at Symantec Corp., no mobile marketplace provides complete security: "When you look at rogue marketplaces, are Apple devices the only answer? If you're talking about data loss, it is going to be the same whether it's iOS, Android or Windows Phone devices. ... Is Dropbox a malware app? No, it's not, but data loss can happen there."
After nearly an hour discussing problems with mobile security and cloud connectivity, the panel turned briefly to the idea of offline mode for mobile devices, with the panelists agreeing that it is basically dead outside of the few moments at takeoff and landing on a plane. Morris, for one, wouldn't mind having a little more time being disconnected: "I cherish those few moments when I'm offline on an airplane; I hope we still get that five minutes."