Enterprise mobility is expanding to an array of devices, such as connected cars, smart TVs, smartwatches and others. Traditional endpoint management models are incompatible with protecting this new ecosystem.
John E. Girard is a VP and Distinguished Analyst in Gartner's Endpoint and Mobile Security practice. He spoke at this year’s Security and Risk Management Summit, held in Sydney.
Girard started by describing a recent incident. A system administrator was talking about how much easier his job had become now that he could administer systems using an app he had recently downloaded to his Android smartphone. It turns out that many of the remote management apps offered through that app store had some sort of security vulnerability.
Even if the app is not intentionally malicious, its design might circumvent your existing security measures.
“I can just sit outside, Kevin Mitnick style, and get access to the system,” says Girard.
The risks that we see with mobile represent the tip of the iceberg, he says. With the emergence of IoT and M2M (machine-to-machine) communications, the threat surface has expanded considerably and there is less visibility as to what’s going on.
So what external forces will shape mobile security in 2020?
As systems collect, interpret and act on data autonomously, we put more trust in those devices. But what are the conditions that are sufficient to allow us to trust them?
New business designs blend the physical and digital worlds: This means a digital breach can cause physical damage. Even though we are reliant on digital technologies for many things, there will always be mechanical components.
For example, a flaw that was discovered in one line of “smart” lightbulbs could result in an entire building being blacked out, causing a safety issue where forklifts or other devices could cause an accident.
“A couple of years ago, Jay Heiser [Gartner researcher] put out a prediction on loss of life because of mobile devices and IoT. I don’t think we’ve hit that point yet but we’re getting awful close,” says Girard.
People and physical devices exchange information equally: Smart devices can become autonomous and be used maliciously.
For example, a resume sent by a prospective employee had code embedded within it that altered the printer’s firmware, turning it into a listening device that tapped into the company’s VoIP phone system and allowed a third party to listen in on phone conversations.
“You’re going to have to rely on more protection based on data-centricity. We really ought to start assigning rights to every piece of information we’ve got so we’re classifying from the beginning. You never know when something in your environment is going to start grabbing information”.
This is why tracking anomalous behaviour becomes important.
“If a light bulb is trying to act like a printer and a printer is trying to act like a network proxy, then you’ve got a problem,” he says. “It’s a level of granular security on a scale we haven’t done before.”
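As an added illustration of the per-device behavioural baselining Girard describes (example code written for this page, not from the talk or the article), each device class gets a profile of what it is expected to do on the network, and flow records that fall outside that profile are flagged. Device classes, port profiles, the inventory and the flow records are all constructed.

```python
"""Role-based anomaly check for IoT device network flows (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # name of the device that opened the connection
    dst: str        # destination host (inventory name or external address)
    dst_port: int
    bytes_out: int  # bytes the source sent in this flow


# Constructed per-class profiles. A light bulb should only speak CoAP to its
# hub; a printer accepts jobs but should never push large volumes outward or
# reach hosts outside the inventory; only the hub may talk to the outside.
PROFILES = {
    "lightbulb": {"allowed_ports": {5683}, "max_bytes_out": 2_000, "external_ok": False},
    "printer": {"allowed_ports": {9100, 631}, "max_bytes_out": 50_000, "external_ok": False},
    "hub": {"allowed_ports": {443, 5683}, "max_bytes_out": 10_000_000, "external_ok": True},
}

# Constructed inventory mapping device names to classes.
INVENTORY = {"bulb-3f": "lightbulb", "prn-lobby": "printer", "hub-01": "hub"}

# Constructed flow records: one normal, one bulb acting like a printer,
# one printer relaying a large volume to an external host like a proxy.
FLOWS = [
    Flow("bulb-3f", "hub-01", 5683, 120),
    Flow("bulb-3f", "prn-lobby", 9100, 800),
    Flow("prn-lobby", "203.0.113.7", 443, 4_000_000),
]


def check_flow(flow: Flow) -> list[str]:
    """Return the reasons this flow deviates from its device class profile."""
    cls = INVENTORY.get(flow.src)
    if cls is None:
        return ["unknown device"]
    profile = PROFILES[cls]
    reasons = []
    if flow.dst_port not in profile["allowed_ports"]:
        reasons.append(f"{cls} using unexpected port {flow.dst_port}")
    if flow.bytes_out > profile["max_bytes_out"]:
        reasons.append(f"{cls} sent {flow.bytes_out} bytes, over budget")
    if not profile["external_ok"] and flow.dst not in INVENTORY:
        reasons.append(f"{cls} contacting external host {flow.dst}")
    return reasons


def find_anomalies(flows: list[Flow]) -> list[tuple[Flow, list[str]]]:
    """Pair every flow that has at least one deviation with its reasons."""
    return [(f, r) for f in flows if (r := check_flow(f))]
```

Running `find_anomalies(FLOWS)` flags the bulb-to-printer flow and the printer-to-external flow while the bulb-to-hub flow passes.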
So what can be done?
Girard presented a plan straight from the Gartner playbook, suggesting actions that can be taken immediately, within the next 90 days and in the next year.
The most immediate steps to take are to conduct an audit of devices and use-cases to identify policies that either need to be written or updated, and look at how digital business will impact the current and evolving mobility policy.
For the next three months, translate the technical risks into business language and evaluate the company’s risk appetite. Also, lock down “dumb” devices, put containment processes in place for smart sensors and focus on getting the basics right.
By this time next year, identify the overlap of controls and tools such as cloud access security brokers and enterprise mobility management and continue to review and refine your mobile security strategy and processes.