Mobile Security: An Oxymoron?
By Jane Zamarripa
Mobile devices. We use them every day for storing data and executing tasks, from any location, through personal email, social networks, location services, and online banking. As mobile technologies revolutionize our daily lives, greater numbers of employees have requested them in the workplace. Fifty-eight percent of employees now use smart phones provided by their companies.
But while mobile brings the potential to transform traditional business processes and increase productivity, it presents major risks and challenges to the enterprise. Are such devices truly securable, and can they be secured without sacrificing the functionality and convenience which make them so desirable?
Jim Routh, Global Head of Application Security at JP Morgan Chase & Co, recently visited the Global Enterprise Technology (GET) Program to address this question in a lecture on Mobile Security. Jim’s experience in overseeing the organization’s numerous mobile offerings drew students interested in topics ranging from identifying mobile risk to formulating security strategy.
A few of the highlights…
Growth of Mobile
Smart phones are rapidly becoming the computing device of choice for both employees and customers. Mobile adoption rates show that from 2008 to 2010, the number of smart phone users grew from 23 to 59 million, a number which is expected to grow to 138 million by 2015. Other surprising statistics noted by Jim included:
There are 5.3 billion mobile subscribers worldwide, amounting to 77% of the world’s population.
Nearly half of global mobile subscribers, in both developed and developing countries, will pay by mobile for physical and digital goods by 2014.
Mobile payments currently represent $475 trillion annually.
65% of adults sleep with their cell phones next to their beds, which rises to 90% for young adults aged 18-29.
58% of employees are provisioned smart phones by their companies.
The data illustrates three undeniable trends: users are spending more time on the phone, more transactions are going mobile, and more sensitive data is now being stored on mobile devices.
Dimensions of Mobile Security
With more sensitive data being held on smart phones, new security threats have emerged. Mobile users list remote access by hackers, interception of calls or data, device theft or loss, and the installation of malware and viruses among their greatest concerns. Many of the threats that originated online are also moving to the mobile environment, including Distributed Denial of Service (DDoS) attacks, Zeus botnets, and “hacktivist” groups such as Anonymous.
To lower these inherent risks, companies are evaluating the threat landscape on three dimensions:
Application Development: What is the threat model and how should it be classified in terms of risk? Classification determines which tests (dynamic scanning, script testing, manifest analysis, pen testing) to use in identifying security problems.
Distribution of Software: Who is the device manufacturer and what are their methods of distribution? Assessment and vetting of mobile applications determines potential copyright, security, usability, and legal issues.
Device Configuration: Can security policy be enforced through specific phone settings (e.g., authentication tools and application “wrapper” options)? Geo-location notices, which prompt users to “opt in” in order to share certain information, are well-known examples of device configuration.
A “New Architecture” for Mobile
Mobile devices have enhanced authentication capabilities, lacking in traditional web interfaces, which share information about who is using the device. Emerging authentication methods include:
Voice Signature: Voice recordings stored by a central risk engine, which verifies the user’s identity and triggers action (e.g., mobile payments).
Digital Image Verification: User’s images stored in a risk engine, which utilizes facial recognition technology to verify the user’s identity and trigger action.
Device Attributes: The device’s attributes (e.g., calling and browsing history), which can be mapped and verified by a risk engine.
Though the inherent risk of mobile is high, authentication technologies have the potential to make mobile residual risk lower than it is for conventional workstations. The challenge for companies will be continuing to reduce the residual risk of mobile without invading the privacy of users.
As a mobile user, how much of your personal privacy would you be willing to lose in order to ensure that your device and sensitive data are secure? Tell us your thoughts in the comment section!
Jane Zamarripa is a first-year Master’s student in the Information Management program at Syracuse University. As a result of her experience working as a constituent services representative, she is passionate about exploring the ways in which technology can be leveraged to improve citizen interaction with government. She holds a B.A. in International Affairs from the George Washington University in Washington, D.C.