Unfortunately, when it comes to mobile security it looks like things might get a lot worse before they get better.
In an ideal world, says Cesare Garlati, senior director of consumerization for Trend Micro, there would be a standard container on each mobile computing device that would isolate applications from the underlying operating system. However, in a world full of proprietary mobile computing operating systems the probability of that occurring any time soon is virtually zero. And just to make things even more complex, a lot of the HTML5 code that many mobile computing applications will be relying on in 2012 hasn’t been well-vetted for security issues.
Further complicating matters, Garlati adds, is that many of the mobile computing devices being attached to corporate networks are owned by employees. Those employees generally have different attitudes about security, which means the onus for securing the IT environment that allows these devices to attach to the corporate network falls on the shoulders of the internal IT staff.
Ultimately, mobile computing is redefining the network perimeter. Instead of being an absolute line of defense at the edge of the network, the perimeter of the enterprise is now a fluid place where endpoints come and go. No one can be sure what Web sites those devices are accessing when they're not attached to the corporate network, but each time they reattach to the network they must be scanned for any malware they might introduce to the IT environment.
That requires IT organizations to make sure not only that each endpoint has antimalware installed, but also that a policy-based security management system is in place to constantly push updates out to those endpoints. As far as mobile security is concerned, it’s still early days. Google Android, for example, is an open operating system that is starting to attract a lot of attention from cybercriminals, already resulting in a major spike in malware aimed at mobile computing platforms and malware infestations in the Google App Store that might have already infected more than 5 million devices.
But at the end of the day, IT organizations should really focus on securing the data, Garlati says, which means more use of encryption both on the endpoint and inside the enterprise. The challenge, he says, is finding an enlightened approach to applying policies and their associated layers of security technologies.
Banning mobile computing devices from the corporate network isn’t going to work -- such a move would drive mobile computing underground, which leaves the internal IT staff in the dark about the potential security risks created by the “consumerization” of IT. Instead, IT organizations must develop unobtrusive ways to secure their IT environment without significantly compromising the perceived productivity gains end users associate with mobile computing.
Such a task may be a lot easier said than done, but the alternative is the inevitable security breach that at best consumes valuable IT time and at worst results in major financial loss for the organization.