The rapid advancement of mobility in the enterprise has often outpaced the development of mobile data security best practices, and the problem is further complicated by the fact that the category of mobile devices now extends to emerging technology such as the internet of things. The trend has left companies, and their IT leaders, scrambling to develop the mobile security technology and processes needed to protect data.
For Bob Turner, CISO at the University of Wisconsin-Madison, a big challenge is that every student owns multiple mobile devices that could potentially connect to the UW network. Mobile security technology controls and user education need to be implemented to ensure the network is defended, but also in a way that enables the mobility that the students covet, Turner said during a panel discussion at the 2017 Fusion CEO-CIO Symposium produced by WTN Media.
“What we need are mobile device management systems; we need the ability to have users check in their three to five mobile devices, and then we can monitor them,” Turner said. “We know what they are, we know what they look like, we know what they are doing.”
When it comes to corporate mobile security, Turner said it’s all about instituting the right controls: deploying the antivirus software best suited to the network, for example, or implementing identity and access management tools to ensure the person using a mobile device is who they say they are.
“It’s not the mobile device that connects to your network; it’s the user that connects to your network,” Turner said.
‘Redefining’ network access
Kurt Roemer, chief security strategist at Citrix, said some companies are “redefining access” to networks to offset these types of data security risks. For example, instead of a single login that unlocks everything on a company’s network, access decisions can be automated so that each request is checked against the employee’s security clearance, role in the company and responsibilities before the specific information is released.
“By doing that, you have a much higher assurance that you are meeting the level of trust, you’re mitigating the risk and you are making sure that people are doing the right things,” Roemer said during a panel session at the 2017 Fusion CEO-CIO Symposium. “It’s automated for them.”
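The access model Roemer describes (a per-request check of clearance, role and responsibilities rather than one login that opens everything) is easy to get wrong if any check is advisory rather than mandatory. The following is an added example, not code from Citrix or any of the panelists: a deny-by-default attribute check that combines an ordered clearance lattice, a need-to-know role list per resource, and, picking up Bob Turner’s point about checking devices in, an assumed device-enrollment attribute. All names, labels and records are constructed for illustration.

```python
"""Attribute-based access decision: clearance, need-to-know role, device enrollment.

Added example (not from Citrix or the panel). Labels, users and resources are
constructed; a real deployment would source them from the identity provider
and MDM. Every failed check is recorded so the denial can be audited.
"""
from dataclasses import dataclass, field

# Ordered clearance lattice: a user may read data at or below their own level.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str
    device_enrolled: bool  # assumed attribute: device checked in with MDM


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    readers: frozenset  # roles with a need-to-know for reading
    writers: frozenset  # roles allowed to modify


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def authorize(user: User, resource: Resource, action: str) -> Decision:
    """Deny by default: the request is allowed only if no check fails."""
    if action not in ("read", "write"):
        return Decision(False, [f"unsupported action {action!r}"])
    try:
        need = CLEARANCE_RANK[resource.classification]
        have = CLEARANCE_RANK[user.clearance]
    except KeyError as missing:
        # An unknown label is a configuration error, never an implicit grant.
        return Decision(False, [f"unknown label {missing}"])

    reasons = []
    if have < need:
        reasons.append(f"clearance {user.clearance} below {resource.classification}")
    required_roles = resource.readers if action == "read" else resource.writers
    if user.role not in required_roles:
        reasons.append(f"role {user.role} has no need-to-know to {action} {resource.name}")
    # Anything above public is only served to devices the organisation can monitor.
    if need > CLEARANCE_RANK["public"] and not user.device_enrolled:
        reasons.append("device not enrolled in MDM")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample principals and resources.
ALICE = User("alice", "finance", "confidential", True)
BOB = User("bob", "intern", "internal", True)
CAROL = User("carol", "audit", "restricted", False)

LEDGER = Resource("general-ledger", "confidential",
                  readers=frozenset({"finance", "audit"}),
                  writers=frozenset({"finance"}))
HANDBOOK = Resource("employee-handbook", "public",
                    readers=frozenset({"finance", "audit", "intern"}),
                    writers=frozenset({"hr"}))

if __name__ == "__main__":
    for user, res, action in [(ALICE, LEDGER, "read"), (BOB, LEDGER, "read"),
                              (CAROL, LEDGER, "read"), (CAROL, HANDBOOK, "read")]:
        d = authorize(user, res, action)
        print(f"{user.name:6} {action:5} {res.name:18} -> "
              f"{'ALLOW' if d.allow else 'DENY'} {'; '.join(d.reasons)}")
```

Two design points matter more than the attribute list itself: a missing or unrecognised label must fail closed (the `KeyError` branch), and every denial carries its reasons, because an automated decision that cannot explain itself is exactly the kind of “automated stupidity” discussed next.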
But despite the allure, considering mobile security automation a “set it and forget it” solution is a mistake, said David Ulevitch with the Cisco Security Business Group during his keynote at RSA Conference 2017 in San Francisco.
Ulevitch said companies have to be wary of what he calls the “automated stupidity” problem: automated systems can make bad decisions when fed bad context, generating false positives and other side effects that keep people from doing their jobs.
“There are reasons why we haven’t automated security,” Ulevitch said.
Another problem with security automation is complacency, according to Gib Sorebo, chief cybersecurity strategist at Leidos, a defense company that provides scientific, engineering, systems integration and technical services. During an RSA Conference 2017 panel discussion titled “The Future of Ransomware on the Internet of Things,” he said people are getting used to relying on technology that runs automatically, which leaves those systems more vulnerable to hackers.
That attitude simply will not fly when it comes to protecting IoT and other mobile technology, he added.
“The message is really that people need to appreciate that automation doesn’t always work right,” Sorebo said. “It’s really a matter of making sure we thought through what we [did] if they don’t work, for whatever reason.”
The future of mobile security technology
But according to Aaron Turner, VP of security products research and development at Verifone Systems Inc., the biggest obstacle to mobile and IoT security is not technology but outdated U.S. policy. Turner pointed to the Communications Act of 1934, which was written to regulate interstate and foreign commerce in communication conducted via wire and radio.
“In the United States of America, the laws that govern the spectrum were written in 1933,” Turner said during a discussion at RSA Conference 2017.
Among the many technologies not invented at the start of the Great Depression was Bluetooth, Turner noted. That omission has serious consequences for retailers whose Wi-Fi networks handle payment data. To protect customer and company data, businesses need the ability to monitor their own airspace: which service set identifiers (SSIDs) are being broadcast, which MAC addresses are acting as access points and which clients are connecting to them.
“What is your liability if you’ve got somebody scraping every single credit card number out of your airspace?” Turner asked.
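The airspace monitoring Turner describes reduces to comparing what a sensor sees against what the business has deployed. The following is an added example, not code from Verifone or any panelist: it takes constructed beacon observations (SSID, BSSID, advertised security and associated clients) and an assumed inventory of authorised access points, and flags an unknown BSSID advertising a corporate SSID (an evil twin), an authorised AP whose security setting has drifted, and any unknown AP that a managed payment terminal has associated with. The inventory, MAC addresses and observations are all made up for illustration.

```python
"""Rogue access point triage from observed beacons and associations.

Added example (not from Verifone or the panel). INVENTORY, MANAGED_CLIENTS and
OBSERVATIONS are constructed; a real deployment would feed them from a
wireless IDS sensor and the AP/asset inventory.
"""

# Authorised APs on the store floor: BSSID -> (expected SSID, expected security).
INVENTORY = {
    "00:11:22:33:44:01": ("STORE-POS", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("STORE-POS", "WPA2-Enterprise"),
    "00:11:22:33:44:10": ("STORE-GUEST", "Open"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in INVENTORY.values()}

# Devices the business manages; seeing one of these on a rogue AP is the real alarm.
MANAGED_CLIENTS = {
    "02:00:00:00:00:01": "pos-terminal-1",
    "02:00:00:00:00:02": "pos-terminal-2",
    "02:00:00:00:00:03": "back-office-laptop",
}

# Constructed sensor output: one record per beaconing BSSID.
OBSERVATIONS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "STORE-POS", "security": "WPA2-Enterprise",
     "clients": ["02:00:00:00:00:01"]},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "STORE-POS", "security": "Open",
     "clients": ["02:00:00:00:00:02", "fe:ed:fa:ce:12:34"]},   # evil twin
    {"bssid": "00:11:22:33:44:02", "ssid": "STORE-POS", "security": "Open",
     "clients": []},                                            # config drift
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "Free Airport WiFi", "security": "Open",
     "clients": ["02:00:00:00:00:03"]},                         # unknown AP
    {"bssid": "00:11:22:33:44:10", "ssid": "STORE-GUEST", "security": "Open",
     "clients": ["ab:cd:ef:01:02:03"]},
]


def classify(obs):
    """Return (category, detail) for one beaconing BSSID."""
    bssid = obs["bssid"].lower()       # normalise case before any lookup
    ssid, security = obs["ssid"], obs["security"]
    if bssid in INVENTORY:
        exp_ssid, exp_sec = INVENTORY[bssid]
        if ssid != exp_ssid:
            return "ssid-mismatch", f"expected SSID {exp_ssid}"
        if security != exp_sec:
            return "security-mismatch", f"expected {exp_sec}, beaconing {security}"
        return "authorized", ""
    if ssid in CORPORATE_SSIDS:
        return "evil-twin", f"unknown BSSID advertising corporate SSID {ssid}"
    return "unknown", "BSSID not in inventory"


def find_alerts(observations=OBSERVATIONS):
    """Everything that is not an authorised, correctly configured AP, with the
    managed devices that have associated to it."""
    alerts = []
    for obs in observations:
        category, detail = classify(obs)
        if category == "authorized":
            continue
        exposed = [MANAGED_CLIENTS[c.lower()] for c in obs["clients"]
                   if c.lower() in MANAGED_CLIENTS]
        alerts.append({"bssid": obs["bssid"].lower(), "ssid": obs["ssid"],
                       "category": category, "detail": detail,
                       "exposed_clients": exposed})
    return alerts


if __name__ == "__main__":
    for a in find_alerts():
        print(f"{a['category']:18} {a['bssid']}  {a['ssid']!r}: {a['detail']}"
              + (f"  managed clients: {', '.join(a['exposed_clients'])}"
                 if a["exposed_clients"] else ""))
```

One caveat a practitioner would add: matching on BSSID alone is weak evidence, because an attacker can clone an authorised AP’s MAC address as easily as its SSID. Correlating the beacon with channel, signal strength at each sensor and the advertised security (as the security-mismatch case above does) is what separates a cloned AP from the real one.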
These outdated policies will only loom larger as mobile technology, and how the enterprise defines it, continues to evolve. For example, Forrester’s 2017 report “The State of Enterprise Mobile Security” found that 39% of online adults in the U.S. said they are interested in using biometric verification to access financial accounts. Forrester recommends that security professionals capitalize on this trend and build biometric authentication into the identity management efforts of their mobile security initiatives.
But as biometrics become the norm, they create further complications for corporate mobile security. Because biometric data is unique to an individual and, unlike a password, cannot be changed once stolen, it is that much more enticing to criminals looking to harvest it from mobile devices.
“It’s not just about security; we have to extend our notions so it’s security, compliance, privacy and safety — and the safety aspects are huge as we get into machine learning, AI and IoT,” Roemer said.