The State of Mobile Security – Mobile World Congress 2016 wrap-up
Mobile is Everything. That was the subtitle of Mobile World Congress 2016 – the world’s biggest mobile industry event – which I attended last week. The latest breakthroughs and developments related to mobile technologies and mobility were on display, ranging from the Internet of Things (IoT), virtual and augmented reality, 5G networks, mobile devices and wearables, connected cars, and graphene. Even sensor fitted shoes for analyzing and improving your golf posture were part of the show – if it was mobile, it was on display in Barcelona! Some rough figures to give you a sense of the size of the event: the congress took place in 8 massive halls (not counting various supporting locations such as networking gardens), over 100,000 people attended, who originating from 204 countries, 2,200 companies exhibited and 3,600 members of the press and media were present to capture it all.
Mobile security played on important role for many of the companies and visitors at the show. I met with many different mobile security related vendors, some of which primarily offer security solutions, others of which are incorporating security in their product and service offerings. Furthermore I attended various (security related) conference presentations and round-tables. Based on these experiences, I describe below the three main take-aways I have from the show with regard to the state of mobile security, and I describe five tips to consider for implementing or improving mobile security within your organization.
1: Mobile technologies are raising the stakes
Today -and even more so tomorrow- mobile technologies are doing more and more impressive things, gradually merging into our physical worlds, fading the boundaries between the “real” and the digital. Because of this, mobile technologies will also more and more affect our physical well-being. Consider for example digital healthcare applications or connected (or autonomous) vehicles; having pacemakers and car engine control units hacked would most likely turn out catastrophically. By integrating technology into our “real world” we are raising the stakes, such that the security of mobile technologies shifts from important to paramount. I believe that we as an industry have a big responsibility here, in order to ensure the safety of the users of mobile technologies.
2: Companies offer different strategies for mobile security
Based on my experiences in mobile security consulting and the companies I’ve met with at MWC16, I believe that mobile security solutions can be grouped into three main categories (or approaches):
Enterprise Mobility Management (EMM, also commonly referred to as Mobile Device Management) solutions have from the early beginnings of smartphones and other smart devices provided a baseline of security on said devices. EMM solutions offer capabilities to for example enforce security policies and perform secure data communication and storage, root/jailbreak detection, (some form of) monitoring and remote locking and wiping of devices. As such, EMM solutions primarily provide preventative end-point security.
Even though EMM has been the primary form of mobile device security of the past years, not many EMM vendors were exhibiting on MWC16. I think this is partly because the EMM technology has reached maturity over the last years and also because many organizations have already implemented some form of EMM. There were many mobile security vendors that offered complimentary solutions to EMM at MWC16 though, providing various innovative solutions to mobile security threats. Solutions like (mobile) network analysis, malware and application vulnerability scanning (performed remotely) and device configuration scanning were on wide display from a variety of solution providers.
An interesting point to note here is that almost all of these vendors provide technologies to detect and respond to mobile threats; monitoring is the name of the game! As such these solutions rely on a security strategy in which traditional IT security has also been heading over the last years – we assume things will go wrong, so we make sure that when it does we can react to it quickly, as to minimize damages and losses. This trend is highly interesting to me, as it seems to indicate that mobile security technologies are maturing, as they are converging with more traditional IT security technologies.
Technology is not the problem – Sven Schrecker, Chief Architect for IoT Security Solutions at Intel.
3: Technology is not the problem
As Sven Schrecker, Chief Architect for IoT Security Solutions at Intel, put it: “Technology is not the problem”. The technology for secure mobility is available, it’s just that it’s not always being (correctly) applied . This could be the result of a lack of knowledge and skills, human errors, insufficient time or budget, or it could be a deliberate choice. In any case it creates an (ever increasing) risk that we as an industry or perhaps even as a society should not be willing to take. Mobile devices that have been designed and manufactured with security in mind provide, together with additional preventative measures such as EMM solutions, a solid platform for secure mobile information access, storage and processing. Furthermore there is an increasingly growing array of solutions available for monitoring of mobile devices and networks for suspicious and malicious traffic and behavior, which provide advanced detection and response capabilities. When implemented correctly, these technologies together enable secure and reliable mobility. It’s up to system integrators, vendors, users and everyone else in the mobility market to make this happen.
Tips for enhancing mobile security at your organization
In order to secure mobile technologies in your organization, we recommend that you consider the following five tips:
Author: Paul van Iterson, senior consultant at KPMG Information Protection Services