CSO: the art of catching the board's ear
- — 18 June, 2012 11:53
The deceptive simplicity of the Cloud and managing mobility
Google has a different perspective on enterprise security: hand data and applications over to Cloudoperators who, in some cases, are better resourced than the typical small to medium enterprise (SME) to protect information.
Eran Feigenbaum, director of security at Google Enterprise, says there are two trends driving business to the Cloud: bring-your-own-device (BYOD) and low-level threats, like compromised credentials that are the most damaging to business.
“A lot has been said about perceived new vulnerabilities, especially as they relate to increasingly popular buzz words like advanced persistent threat (APT) and clickjacking,” Feigenbaum told CSO Australia.
“The benefits of mobility far outweigh the risks because you can wipe devices remotely and the device is physically close to you, but I think the real risk from mobility is the risk of carrying so much information with you all the time. You have personal and corporate information on a device”
Security vendor Trustwave’s 2012 Global Security Report backs up Feigenbaum’s claim. Hackers scanning the Web for remote access applications with default configurations were behind 61 per cent of infiltration cases in 2011.
Google has offered “two-step verification” for Gmail and Google Apps since October 2010.
Google’s two-factor system requires users to enter a code that Google sends via text or voice message upon signing in with their username and password.
Feigenbaum says two-step verification “drastically reduces” the chances of having Google Account information stolen, and “really helps combat many of the security vulnerabilities emerging today.”
Despite its cost effectiveness, compared with say tokens, SMS twofactor has been criticised by Gartner analyst Avivah Litan for having been defeated by banking Trojans like Zeus which enable so-called “man in the browser attacks”. Another factor is actual adoption. Google’s chief technology advocate, Michael Jones, commented at a recent security conference in Australia: “We beg people to do it but they won’t do it.”
However, SMS two-step verification enabled banks three years ago to ramp up mobile banking, aided by security education programs and free antivirus now common to most Australian banks today.
But when it comes to corporate mobile device access to internal applications,the technical security of the device is not the problem, says Girn.
“The benefits of mobility far outweigh the risks because you can wipe devices remotely and the device is physically close to you, but I think the real risk from mobility is the risk of carrying so much information with you all the time.
“You have personal and corporate information on a device, so how do you make sure the device gets wiped straight after you have lost it? Without a password the device effectively becomes an unshredded encyclopedia on your life. So the challenge is to educate people to make sure there’s a password, and they know how to wipe it remotely.”
While Girn says many companies are implementing mobile device management (MDM) technologies which allow them to wrap policies around the device, there’s still the human factor.
“The main issue is the person who loses the device has to ring the help desk and say, ‘Wipe it, I’ve lost it’.
“If you lose your wallet or your credit card, you’re going to phone very quickly and get it cancelled. But at this stage the behaviour of people, oncethey have lost their smart device, doesn’t have the same urgency as losing a wallet. As phones are increasingly used for cashless, near field communication (NFC) style transactions, clearly this behaviour will change rapidly.
” Resolving this is a matter of education “where you say, ‘Look, this is worse than losing your credit card, you’ve got payment capability, you’ve got your information.’”