Mobile technologies are raising the stakes | KPMG | NL

Mobile technologies are raising the stakes. A look into the State of Mobile Security – Mobile World Congress 2016


The State of Mobile Security – Mobile World Congress 2016 wrap-up


Mobile is Everything. That was the subtitle of Mobile World Congress 2016 – the world’s biggest mobile industry event – which I attended last week. The latest breakthroughs and developments related to mobile technologies and mobility were on display, ranging from the Internet of Things (IoT), virtual and augmented reality, 5G networks, mobile devices and wearables, connected cars, and graphene. Even sensor-fitted shoes for analyzing and improving your golf posture were part of the show – if it was mobile, it was on display in Barcelona! Some rough figures to give you a sense of the size of the event: the congress took place in 8 massive halls (not counting various supporting locations such as networking gardens), over 100,000 people from 204 countries attended, 2,200 companies exhibited and 3,600 members of the press and media were present to capture it all.

Mobile security played an important role for many of the companies and visitors at the show. I met with many different mobile security related vendors, some of which primarily offer security solutions, others of which are incorporating security in their product and service offerings. Furthermore, I attended various (security related) conference presentations and round-tables. Based on these experiences, I describe below the three main take-aways I have from the show with regard to the state of mobile security, and I describe five tips to consider for implementing or improving mobile security within your organization.

1: Mobile technologies are raising the stakes

Today, and even more so tomorrow, mobile technologies are doing more and more impressive things, gradually merging into our physical world and blurring the boundaries between the “real” and the digital. Because of this, mobile technologies will also increasingly affect our physical well-being. Consider for example digital healthcare applications or connected (or autonomous) vehicles; having pacemakers and car engine control units hacked would most likely turn out catastrophically. By integrating technology into our “real world” we are raising the stakes, such that the security of mobile technologies shifts from important to paramount. I believe that we as an industry have a big responsibility here, in order to ensure the safety of the users of mobile technologies.

2: Companies offer different strategies for mobile security

Based on my experiences in mobile security consulting and the companies I’ve met with at MWC16, I believe that mobile security solutions can be grouped into three main categories (or approaches):

  • Application security, where the goal is to secure individual applications, through techniques such as secure app development/secure coding and application security testing (i.e. penetration testing);
  • End-point security, where devices are being secured by enforcing security policies, segregating and protecting sensitive information on the device and scanning for suspicious and/or risky applications, configuration systems and behaviors on the mobile devices;
  • Network security, where network traffic is monitored and analyzed and suspicious behavior and traffic may be secured or blocked.

Enterprise Mobility Management (EMM, also commonly referred to as Mobile Device Management) solutions have, from the early days of smartphones and other smart devices, provided a baseline of security on said devices. EMM solutions offer capabilities to, for example, enforce security policies and perform secure data communication and storage, root/jailbreak detection, (some form of) monitoring and remote locking and wiping of devices. As such, EMM solutions primarily provide preventative end-point security.

Even though EMM has been the primary form of mobile device security of the past years, not many EMM vendors were exhibiting at MWC16. I think this is partly because the EMM technology has reached maturity over the last years and also because many organizations have already implemented some form of EMM. There were many mobile security vendors that offered complementary solutions to EMM at MWC16 though, providing various innovative solutions to mobile security threats. Solutions like (mobile) network analysis, malware and application vulnerability scanning (performed remotely) and device configuration scanning were on wide display from a variety of solution providers.

An interesting point to note here is that almost all of these vendors provide technologies to detect and respond to mobile threats; monitoring is the name of the game! As such, these solutions rely on a security strategy toward which traditional IT security has also been heading over the last years – we assume things will go wrong, so we make sure that when they do we can react quickly, so as to minimize damages and losses. This trend is highly interesting to me, as it seems to indicate that mobile security technologies are maturing, as they are converging with more traditional IT security technologies.

 



3: Technology is not the problem

As Sven Schrecker, Chief Architect for IoT Security Solutions at Intel, put it: “Technology is not the problem”. The technology for secure mobility is available; it’s just that it’s not always being (correctly) applied. This could be the result of a lack of knowledge and skills, human errors, insufficient time or budget, or it could be a deliberate choice. In any case it creates an (ever increasing) risk that we as an industry or perhaps even as a society should not be willing to take. Mobile devices that have been designed and manufactured with security in mind provide, together with additional preventative measures such as EMM solutions, a solid platform for secure mobile information access, storage and processing. Furthermore, there is a growing array of solutions available for monitoring mobile devices and networks for suspicious and malicious traffic and behavior, which provide advanced detection and response capabilities. When implemented correctly, these technologies together enable secure and reliable mobility. It’s up to system integrators, vendors, users and everyone else in the mobility market to make this happen.

Tips for enhancing mobile security at your organization
In order to secure mobile technologies in your organization, we recommend that you consider the following five tips:

  1. Know your risks! By knowing and understanding your information (technology) landscape, your critical information assets, and threats and vulnerabilities that may affect them, you can protect your organization in a more effective and more efficient way.
  2. Choose an appropriate mobile platform for your business needs and protect it adequately. Make sure you understand the various business and security pros and cons of mobile platforms (i.e. iOS, Android, Windows Phone, Blackberry) and what additional security measures you might require.
  3. Consider device and information ownership, roles and responsibilities within your organization. Will you support Bring Your Own Device? On what devices may corporate information be accessed and processed? May users’ private information be stored on corporate devices? Who is responsible for protecting that? Make sure to capture mobile technology governance in your (mobile) information security policy.
  4. Always implement an Enterprise Mobility Management solution. Having an EMM provides basic (remote) management and security capabilities, which no organization can go without in order to secure their corporate information on mobile devices.
  5. Implement additional mobile security controls, based on your risk profile. Consider technologies and process improvements for increasing application security (including security testing), end-point security and network security. When doing so, make sure you balance preventative, detective and responsive control measures in order to ensure you adequately protect yourself from threats beforehand, but are also able to quickly respond in case something does go wrong.

 

Author: Paul van Iterson, senior consultant at KPMG Information Protection Services
