
Reality Check: Love your smart phone? Make sure it doesn’t steal more than your heart

Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.
I fell hook, line and sinker into the mobile Internet with my first iPhone nearly three years ago. And I haven’t felt a need to look back. Then the other day I thought about all the personal information I have saved on my smart phone, and the ease of access it provides to my enterprise e-mail and corporate systems. And I wondered if we all got more than we bargained for in this new love affair.
Smart phones, tablets, netbooks and other mobile Internet devices that enable us to access vital information whenever and wherever we want have become new targets for the malcontent and the criminal to exploit.
As our sensitive data moves about, wirelessly connected to the Internet, in the pockets and bags of our employees, partners and clients, the architecture and methods of classic IT safeguards such as firewalls, VPNs and anti-malware applications deployed on client devices can fall short in two ways. They can become overly burdensome on the user experience and inhibit the practical benefits of the mobile Internet. Or they can harbor latent, hidden gaps specific to the mobile Internet that expose our data to loss and exploitation.
That’s a scary possibility with huge implications for commerce and society generally. Fortunately, new means of defending your mobile devices and your data are being developed and deployed to meet these new threats.
Cybercrime is no longer characterized by “hackers” and “hooligans.” Today it is dominated by sophisticated global criminal gangs that trade and sell personal, corporate and government information.
They sell software kits, complete with warranties and hotline support, to criminal enterprises that use them to infect, and sometimes surreptitiously take remote command of, Internet-connected devices to steal confidential or otherwise sensitive information for criminal exploitation. Each day new forms of dangerous, ultra-sophisticated “polymorphic” and “persistent” malware threats emerge, often embedded into “mule” websites, photos, apps and e-mails that appear to be “trusted” and “safe.” With characteristics that mimic biological mutation, disguises and other stealth techniques, this malware can evade or “fool” all but the latest releases of the best threat detection methods, even allowing its software bots to commit their cyber crimes, cover their tracks and delete themselves with nary a trace.
And, as Wikileaks has highlighted, many enterprises today lack comprehensive means to spot, prevent and retain forensics on the exchange of confidential information between trusted insiders and unknown third parties, particularly via mobile devices. As companies make greater use of contracted labor forces who use their own personal laptops and smart phones rather than “company issued” IT assets, it becomes impractical to mandate and manage protection against sensitive data loss solely at the mobile client computing device.
So how do we trust our smart phones and other mobile Internet devices not to betray us? As with most security solutions, a layered or “defense in depth” approach is best. There are unique security considerations and differences in a mobile Internet solution vs. a traditional “behind the corporate firewall” solution.
The constant evolution and pervasiveness of malware requires that anti-malware apps deployed on a client device must be updated frequently. That’s difficult enough with desktops and laptops, but it’s a particular nuisance with smart phones and tablets. Connecting wirelessly to receive constant updates as well as the local processing needed to scan all data coming into a smart phone typically slows its performance and accelerates the consumption of battery power.
Similarly, solutions that require a secure VPN via wireless that trombone mobile data back to a home/host location add latency and have their own performance and user experience challenges.
Weighing these factors, one of the best emerging answers to mobile data security lies in cloud computing. Data that is flowing to-and-from mobile devices can be scrubbed with far more powerful anti-malware engines and techniques than a mobile device can do on its own. And the latest anti-malware updates can always be applied to the security apparatus in the cloud without ever burdening device processing power or battery life. The cloud also overcomes the need to trombone data back and forth from a home/host that may be halfway around the world, by virtue of cloud architecture that provides “always nearby” access to processing.
This is where service providers have an opportunity to establish themselves as more than a provider of data transport. They can provide a higher grade of secure cloud data service by architecting purpose-designed security capabilities throughout their global cloud infrastructures. This approach is likely to require some amount of network re-architecting to optimize performance, minimize latency and achieve the resiliency required for a “high trust” cloud-based security solution. Done well, the result will be consistently high-quality, high-security, mobile user experiences, whether the user is in Tokyo, Johannesburg, Chicago or Prague.
Service providers can do more than provide malware protection and detection. By putting security into their own branded cloud solutions, they can add data loss protection to the value proposition. A combination of content management policies and the inspection of inbound and outbound data enables flagging of content marked “confidential” and prohibits it from being sent to any host that is not within the corporate firewall. And, service providers processing these transactions in the cloud can capture forensics and provide reporting and analytics to their enterprise and government users.
This is a slam dunk for service providers, especially when they are already providing other cloud-based services. Cloud computing has been extolled for its efficiency, convenience and cost-savings aspects, and those are powerful arguments. Protecting our data security in a mobile world is being added to that list, and it may help ensure that our love affairs with our smart phones don’t turn into our worst relationship nightmares.

Tim Ayers is vice president services strategy in the CTO group at Tellabs. In this role, he focuses on “what’s next” in advanced cloud, software-as-a-service and managed services to help ensure Tellabs continues to bring highly innovative services value to our customers. Previously, he developed and managed the Tellabs Global Consulting and Professional Services organization providing high-end network architecture, design, migration and optimization services to mobile and cable operators worldwide. Prior to Tellabs, he held similar roles at IBM Business Consulting Services, 3Com and Digital Equipment Corp.
