It's Time to Revise Your Mobile Policy
The last few days I spent some time to digest the latest Symantec Internet Security Threat Report Volume 17. This comprehensive report provides an overview and analysis of the year 2011 in global threat activity. The report is based on data from the Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.
I am an active member of the Cloud Security Alliance Mobile Working Group, where we actually do research on secure mobile endpoint computing, which will result into valuable guidelines to be published this year. Therefore my Threat Report reading was likely shorten through the lens of this particular area.
In 2011, mobile threats are somewhat evolving as we have already seen in the PC world, and you can see this by looking into three factors:
First, there has to be a widespread platform, which has been already fulfilled with the advent of Android operating system. Second, there have to be readily accessible development tools, which is - unlike closed Apple's iOS - also established for the Android platform. Third, there has to be sufficient attacker motivation, and we all know that this usually means financial gains, but also gathering intelligence and personal information for further processing.
So let me take a closer look into the motivation part. The Threat Report shows that currently more than half of all Android threats collect device data or track users' activities. Almost a quarter of the mobile threats identified in 2011 were designed to send content and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones.
To be clear, this hasn't reached the same scale as we already see in Windows platforms. But it clearly shows that threat creators are getting more strategic and bolder in their efforts, using server-side polymorphic techniques to increase the number of variants of mobile malware attacks.
The evolving threat landscape impacts your mobile computing strategy. Therefore it is the right time to revise or build (if you haven't done it yet) your mobile computing policy as a critical prerequisite. A well defined policy is all about the right enablement for your workforce and their mobile needs. It provides management direction to the workforce on the one hand side, and defines the right support for IT and information security on the other hand side, regardless if your strategy focus is on company-owned devices, or on some "degree of freedom" by allowing people to "Bring-Your-Own-Device" (BYOD), or even both.
It starts with the assessment of the needs of your workforce. In both scenarios - company-owned devices and BYOD - you should come up with a segmentation planning around user roles, responsibilities (which includes liability, ownership and support), data, network and applications, as well as the decision for tight user control needs or not. It also includes the definition of capabilities provided such as corporate email, web services, support, multimedia, specialised applications and services such as corporate databases or CRM systems. A proper risk assessment and risk management methodology will help you to clearly (and consistently) articulate the risk, and will help you to implement the right controls to bring the risk to an acceptable level so that seamless access to IT resources or services can be enabled from mobile devices.
Defining the policy is the critical first step, the next steps of distributing and enforcing the policy is even more vital.
The enforcement of the policy impacts various areas of your strategic business and IT operations. It impacts your classification and inventory of sensitive and confidential information, including the way you separate corporate and private content on the devices. It impacts your identity infrastructure for authentication and context-based authorisation. It impacts the way you provide federation services to your workforce. It impacts the way you control data at-rest and in-motion - including encryption strategies - regardless of the data stored or shared in the cloud or on-premise in your environment.
With other words, you should be very clear about the architectural design that enforces your policy. This is not all about technology, it also includes people and processes. A good example of such an architectural design is Symantec O3. It is s a cloud information protection platform that provides three layers of protection for the cloud: identity and access control, information security and information management. I would like to encourage you to watch the 4 minute video on the Symantec O3 page to get a good insight into the design.
I hope you find this information useful. As always, don't hesitate to send me a message for any further question.