There has been considerable hype around each mobile threat vector that has emerged in the last year, but what's often overlooked is how mobile security is currently approached. What's particularly troubling is how reactionary responses have been to these threats, whether it be from Android apps with major flaws in their SSL implementations or the recent airport VPN Trojan.
One simple truth: the only secure way of handling mobile devices is in a managed way.
But corporate breaches from mobile devices will continue as long as the management warning is considered optional and the likes of Google and Apple are slow to open up their operating systems. As an industry, we must realize that mobile security is a systemic problem. Unfortunately, many mobile technology companies have their initial focus on the consumer market, not the enterprise market.
Simply put, endpoints like personal laptops, PDAs or smartphones remain the weakest points within a security infrastructure. This is precisely why it's downright mind-boggling that organizations allow unmanaged devices on their networks, especially considering how many basic security protocols have failed to appear on today's mobile devices.
Consider Android. For a long time it lacked an API for vendors to make calls to the kernel for IPsec VPN clients. This is just one example of how the protocols of secure usage have been ignored. Another concern with Android, in particular, is that different devices are running different versions of the OS. This can cause problems in managing the devices, as there are sure to be discrepancies in how certain security functions are implemented or supported. But many of the mobile vectors that have emerged, or are predicted to hit, could pertain to any and every OS.
After all, it's possible to distribute malicious software on any system, as this malware is typically delivered via social engineering or within a corrupt software package or active web code like Java or ActiveX. On top of this, stealthy exploits, such as session hijacking and identity attacks, easily pave quick paths to gain access to mobile devices. Ultimately, this means there is no substitute for fundamentally robust network security components. Ideally, this should include everything from client device firewalls to IPsec VPNs.
Of course, an important caveat here is that even these rigorous security mechanisms aren't failsafe against users ignoring common safety precautions, for example by blindly clicking on links or opening suspicious e-mail attachments. This means companies should not take for granted that everyone within the organization is equally savvy about basic technology and security protocols; they must continuously educate users and reinforce best practices.