Smartphones, devices spark IT security "mobile melee"

While devices such as the iPhone, iPad, Blackberry and Android are in most cases welcomed into the corporate world, there's uncertainty about how to fit them into enterprise IT security practices that have for so long been concerned with Microsoft Windows.


"We're excited about enabling our financial advisers to use ] in lieu of a traditional laptop," says Pat Patterson, enterprise information security architect at Raymond James Financial, where employees are clamoring to use smartphone and tablet devices they own as part of their job. But that excitement was tempered when the financial services firm, which wants to be able to exert management and security controls over iPhones, for instance, found that the software agent it used for that purpose was so cumbersome, and so slowed device use, that employees were complaining that it should be removed.

While it's still the early days of smartphone security, Raymond James has not yet found an agent-based approach that isn't cumbersome for its user base.

"A lot of the early forays into mobile devices have been agent-based," says Patterson, who preferred not to name some of the software he's tried on smartphones. At this point, he says he's looking at trying something totally new: Sophos Mobile Control, which Sophos is introducing later this year as an agentless approach to enforcing some basic security controls such as password length, device lock and remote wipe.

Raymond James would like to open the doors to Android devices, especially since the Android 2.2 platform version introduced last year appears more security-friendly for the enterprise.

"My goal is to be a business-enabler," Patterson says. "We're excited about the potential this has. The problem is, can we meet our own security requirements?"

The debate about the pros and cons of an agent or agentless approach to the new breed of smartphones and tablets will likely grow over the coming year.

There needs to be at least a "mini-agent," as Trend Micro CEO and co-founder Eva Chen called it, on the device to exert security controls. Without some kind of agent, "you can't do it," she says firmly.

Patch management for smartphones and tablets remains problematic — even for experts in patch management at security firms which traditionally focused on the apparently unending Patch Tuesdays of Microsoft Windows.

Shavlik Technologies is letting its employees bring in the myriad iPhones, Androids and iPads to use at work, says Mark Shavlik, CEO of the firm. But Shavlik execs acknowledge that the company, though it has expertise in Windows-based patch management, as yet has no way to do the same job for the iPads, iPhones and Androids that have come in the door.

There are auto-update mechanisms from Apple, for instance, with wireless carriers in the middle playing a role in approving these updates, and thousands of third-party apps for these devices that might possibly one day need to be patched, says Rob Juncker, vice president of technologies at Shavlik. "It's a tectonic shift" from the world of Windows-oriented patching, he says, but Shavlik hints it may introduce its own approach to this mobile-device segment later this year.

The sheer plethora of mobile devices and the speed at which they are being introduced are also putting huge pressure on traditional security vendors, whose main preoccupation in the old days was the risk posed by flaws in Microsoft operating systems and applications.

"It's absolutely harder," says Dave Cole, senior director of product management for Symantec Norton Everywhere and Mobile. "It's more complicated."

The world of the PC generally revolved around a longer life cycle, while the "mobile melee" includes not just the makers of the operating systems and devices pushing their innovations out at a faster pace, but also the wireless carriers involved in making decisions related to security, he noted.

While few believe security threats against iPhones, iPads, Android and their many cousins have reached the level seen in the Web-based Internet environment against the PC, there's acknowledgement that attackers are increasingly likely to see mobile devices as attractive targets for malware and social-engineering exploits as device adoption grows.

According to IDC, manufacturers shipped about 100.9 million smartphones to stores globally in the last three months of 2010, in comparison to 92.1 million PCs.


Stories by Ellen Messmer
