Entrust CEO: Mobile more secure than desktop for protecting systems against malware

Bill Conner said "malware is in the network, you can't stop it"

Entrust CEO Bill Conner is pushing enterprises to recognise that desktop's are no longer the most secure way to assure an employee's identity and that instead they should be looking to mobile devices for sophisticated protection against malware.

Conner and Entrust argue that mobile phones and the software they run on have been engineered in a way that makes it far more difficult for malware to infiltrate all applications, due to a lack of shared memory. In addition, analytics can be used to ensure that access to critical systems is only granted in certain situations.

In an interview with Computerworld UK, Conner said that companies and governments need to recognise that malware is always going to get into the network and that they need to focus their efforts on securing the identities of individuals through mobile.

"All these malwares are attacking identity - if I can get through the perimeter, what am I going after? I'm going after your digital identity. Our assumption is that the malware is in the network, you can't stop it, if they want in they're getting in," he said.

"Once they are in they have compromised your identity. Is that your employee doing it or is it some malware guy? You administrator will not see them doing things because he or she thinks it's you."

He added: "We are trying to get away from naming the malware and figuring out what it does, and move to figuring out how they are coming in and what we do to secure your systems."

Conner said that the media is convinced that mobile is the most insecure platform on the planet, but he is adamant that it is far more secure than desktops and laptops. He recognises that there are elements of mobile that you can break - SMS, directory, photos - because these all utilise shared memory.

Bill Holtz, Entrust SVP and COO, agreed with Conner and explained why mobile should be recognised as the superior platform for identity assurance.

"The mobile device is architected very differently to a Windows desktop or laptop. Each mobile application lives within a sandbox and at the moment there is no way for malware to jump from one application to another, which isn't the case for Microsoft applications, where you can use malware to elevate your privileges," said Holtz.

"The only vulnerability that lies within mobile applications are the ones that use shared memory - and we know which ones those are. The other apps aren't in shared memory and they are isolated, sandboxes."

Entrust also believes that because of the functionality on mobile phones - such as GPS, Bluetooth, biometrics - they act as a great tool for enabling enterprises to recognise who an individual is through the use of analytics.

"We think of a mobile device as a pretty good credential - just like my behaviours in a normal online world, I'm going to have different behaviours in the mobile world. The more I track what I do, the more I can deal with enabling you as a business, customer or citizen," said Conner.

"If you think about it, my mobile phone goes with me more than any other digital credential I've got. My phone could be my physical credential into my building, it could be my logical access to the desktop - if I get up and walk away from my desk and it logs me off."

Holtz added that enterprises should be coupling their high value and high risk operations to identity assurance via a mobile phone. He said: "If you could identity assure those high risk, high value transactions, we know you'd defeat the malware."

He added that Entrust's solutions have little impact on systems for companies looking to implement identity assurance.

"If you run critical infrastructure we can drop our solution in there, we are not touching your stuff, leave it running - it's a 'zero touch solution'. When an employee is trying to activate something high-value, we can use the phone to ask: 'Are you trying to turn access this system, yes or no?'" said Holtz.

"Then you can also build in analytics on top of the infrastructure that states that that system can only be accessed if you are sitting at a certain terminal in a certain control room - using the mobile. If you are not in the room and your Bluetooth tells us you walked out the building, there's something fundamentally wrong with that transaction."

Join the CSO newsletter!

Error: Please check your email address.

Tags Mobile & Wirelesssecurity

More about BillEntrustMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Derek du Preez

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts