Biggest Enterprise Risk? Mobile Devices
Real life and digital life are converging, manifesting as connected mobile devices that are accessing, transporting, and often exfiltrating corporate information, with almost no means of tracking. With the influx of mobile devices into the enterprise, and more specifically BYOD (Bring Your Own Device), the "security perimeter" is dead.
Case in point - Sony's mobile backup software on Google Play was compromised this week. Google's application verification service did not catch the bad app, proving that organizations that embrace BYOD cannot blindly trust official mobile app stores to police malicious applications.
To their credit, Sony responded fairly quickly:
Sony Mobile takes the security and privacy of customer data very seriously. We are currently investigating these reports. More information will follow as soon as we have fully assessed the situation.
For Sony, it was mostly a shot across the bow, as the hacked application was reportedly failing to install on most devices, and the application was removed from the app store within hours. But it doesn't take hours to compromise your network. It takes one rogue application, with the right blend of attack vectors, to poke a hole into your enterprise which adversaries can leverage to mount a long running attack, ultimately costing you millions.
Mobile is the New Adversarial Ingress Point
Every single mobile device can be used as an ingress point for adversaries that are continuously performing persistent cyber attacks on your organization. Welcome to the new normal, where existing technologies are entirely failing to deliver a scalable security solution for mobility. The traditional approach of encryption, and the shiny approach of containerization, do not provide the basis for a holistic mobile security strategy.
Encryption tackles confidentiality, but not the veracity of data. It doesn't provide the ability to tag, track, and locate your data, validate configurations or policies, or enable data governance rules for employees accessing sensitive information. It's a crutch that the community is using to hold itself up, and we need to wake up to the fact that most attacks do not involve breaking encryption. There are a lot of reasons why encryption isn't working.
Containerization, for all its perceived benefits, is just an arms race. For the most part, containers are not natively supported on mobile operating systems, and thus every update to a device OS can potentially break the containerization model. This presents a false sense of security, and a glaring security hole for organizations that want to use the latest shiny gadget.
All of these mobile security technologies are adding increased complexity to an already insecure base, thus dramatically magnifying the overall attack surface for organizations.
Keyless Signature Infrastructure for Mobile Integrity
Solving this problem is not necessarily difficult, but it will take a dramatic shift in current security technologies and mindsets. Keyless Signature Infrastructure (KSI) provides the means for this shift.
Imagine a world where the integrity of mobile systems could be definitively proven; from firmware loaded on the hardware, to applications downloaded from app stores, to enterprise data accessed and stored on the device. Guardtime's KSI provides the means to deliver proof of time, integrity and provenance, admitting this into the Mobile Enterprise Block Chain for attribution and 3rd party verification.
Trust is a powerful thing, but we've trusted our existing mobile security mechanisms for too long. By instrumenting the entire mobile stack with KSI, we can open the curtain of trust and mathematically prove the absence of corruption or tampering. Trust but verify.
It's time to move the security perimeter to the data - specifically to the integrity of data - to verify and validate when mobile assets deviate from a known good state. The result? Real-time Incident Response via Integrity-backed Continuous Monitoring. Now there's an interesting concept.
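As an added illustration of the "known good state" idea (this is not Guardtime's code, and KSI's real aggregation network and calendar anchoring are far more involved), the following Python enrolls a constructed mobile asset inventory into a hash tree, keeps one inclusion proof per asset, and flags any asset whose current content no longer verifies against the published root; the asset names and bytes are placeholders.

```python
import hashlib
def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, content: bytes) -> bytes:
    # Bind asset identity to its content hash; 0x00 / 0x01 prefixes separate leaves from inner nodes.
    return sha256(b"\x00" + name.encode() + b"\x00" + sha256(content))

def build_tree(leaves):
    # Aggregate leaf hashes into a binary hash tree; returns (root, all levels).
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:  # duplicate the last node on odd-sized levels
            lvl = lvl + [lvl[-1]]
        levels.append([sha256(b"\x01" + lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels[-1][0], levels

def inclusion_proof(levels, index):
    # Sibling hashes from one leaf up to the root, each tagged with whether our node is the left child.
    proof = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        proof.append((index % 2 == 0, lvl[index ^ 1]))
        index //= 2
    return proof

def verify(leaf: bytes, proof, root: bytes) -> bool:
    # Recompute the path to the root: no signing key involved, only the published root hash.
    node = leaf
    for is_left, sibling in proof:
        node = sha256(b"\x01" + (node + sibling if is_left else sibling + node))
    return node == root
def enroll(assets):
    # Known-good baseline: the root is what would be published/anchored; each asset keeps its own proof.
    names = sorted(assets)
    root, levels = build_tree([leaf_hash(n, assets[n]) for n in names])
    return root, {n: inclusion_proof(levels, i) for i, n in enumerate(names)}

def deviations(root, proofs, observed):
    # Monitoring step: every asset whose current content no longer verifies against the baseline.
    return [n for n, c in observed.items()
            if n not in proofs or not verify(leaf_hash(n, c), proofs[n], root)]
# Constructed sample inventory (placeholder bytes, not real firmware or app content).
BASELINE = {"firmware/boot.img": b"bootloader v1", "apps/backup.apk": b"backup app 1.0",
            "policy/mdm.json": b'{"camera": "off"}'}
TAMPERED = dict(BASELINE, **{"apps/backup.apk": b"backup app 1.0 + injected code"})
ROOT, PROOFS = enroll(BASELINE)   # deviations(ROOT, PROOFS, TAMPERED) -> ["apps/backup.apk"]
```

An unenrolled asset is reported as a deviation too, since it has no proof against the baseline root.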