As UK enterprises begin to use mobile cloud services, mobile cloud security issues will take center stage. In this interview, Quocirca mobile cloud security analyst Bob Tarzey explains the importance of both securing the mobile client and implementing centralised mobile cloud security tactics.
Are UK enterprises now adopting true mobile cloud services with data storage and processing?
Bob Tarzey: It is fair to say that the biggest take-up for mobile cloud services is from consumers rather than enterprises rushing to use them for their own ends, although they are starting to do this. This means that the enterprises at the bleeding edge are those that provide consumer services, such as retailers and others with a strong online presence that are increasingly interacting with their customers via smartphones.
One of the key things that the mobile services companies have to do in the UK is address the security issues. This year, we have been looking at application delivery controllers that you put in place almost like a proxy in front of an application that helps handle that and shapes and encrypts the traffic. There is quite a lot of investment going on in these places.
What are the major mobile cloud security issues?
Tarzey: There are three main security threats -- malware, privacy and authenticating access. There is no doubt that people are starting to target mobile devices using malware. One of the key [challenges] is that there is much more diversity amongst mobile platforms, particularly at the operating system level where these guys need to find a way in. If you want to target PCs by just focusing on MS, Microsoft’s operating system is the majority of the market and you have a huge opportunity. It is hard to know where to focus the attack with the mobile cloud.
There are other attack vectors people could potentially use. For instance, one that will work on any mobile device is an SMS message that can get to the device and persuade it to part with information. Of course it costs money to send an SMS message whereas an email can be sent for free, but they are starting to work on that.
How can enterprises protect the mobile cloud against malware?
Tarzey: There are two approaches to protect from malware. You need to keep your security up to date for email. Another problem is a lot of the threats are being perpetrated using the Internet, so they are trying to persuade you and me to click on links. That is harder with mobile devices because the Internet access is going to be a lot more ad hoc. It is going to be via a mobile network, and it is harder to do what you can do on PCs, which is to force the user back via a proxy, and therefore make sure a centralised policy and protection applies to them.
The reality is that as we move forward, organisations are going to have to look at putting in host-based security just as we do for PCs.
How can UK enterprises secure mobile access to the cloud to ensure data privacy in the light of the Data Protection Act?
Tarzey: Again, it is harder to put in place methods for protecting centralised data on mobile devices than it is on PCs. You have to have on-device protection and make sure your users are using password protection to get into the device. If you are going to have any sort of sensitive data on there you need to look at encryption. And of course these devices are much more likely to be lost, so you need to make sure that the device can’t be compromised. As well as encryption, you might want to make sure you have remote disablement and wipe capabilities.
What steps are UK enterprises taking to secure the mobile cloud?
Tarzey: There are two approaches, host-based (like on PCs) and centralised security -- which is harder to implement for smartphones than it is for PCs, although filtering content is key for both. There is a huge amount of investment to provide such protection by the carrier networks.
One of the issues is consumerisation as employees demand to use their own devices. CISOs accept that as a reality. There is one big benefit with it. Consumerisation links your care for your own device and it being available to access corporate resources. If you accept that, then you have to have the tools in place to manage security installations on a wide range of devices. Also, when an employee leaves, make sure that access is deprovisioned.
A fast-growing market is mobile device management. Companies like Sybase and others are doing this to make sure the tools are in place to enable that mode of delivery of services to enterprise users.
--Tracey Caldwell is a professional freelance business technology writer.