We live in a world of 7 billion people, 2 billion computers and nearly 5 billion mobile devices. And all of that generates 50 terabytes of new data every day. All of that data, the associated applications and the sensitive personal or strategic information they hold require constant vigilance and the right strategy. This is the Information Security Podcast, where we talk about IT security by design. My name is Caleb Barlow and I am the director of application and data security at IBM. The Information Security Podcast starts right now. Welcome to the show.
You are listening to yet another one of the member shows of the Tech Podcast Network. If it's tech, it's here. Find more of the member shows at techpodcasts.com.
Hi, it's Caleb Barlow and today is Friday, November 9, 2012. Just a reminder to everyone, if you enjoy the show please subscribe to us on iTunes, add a comment and rate the show. We greatly appreciate that. Also a reminder that the show is syndicated on BlogTalkRadio, techpodcast.com, Podcaster as well as a whole bunch of other places on the internet, and we greatly appreciate the folks that add us to their subscribe list. The other thing I would ask is, if you enjoy the show, if you like what the guests had to say, find them on LinkedIn, connect with them and please also endorse them on LinkedIn. It's always helpful for us as we grow the following here on the show and allocate our budget to it as well. So today we are talking about translating mobile security into action and I am joined by IBM's own mobile security guru, Vijay Dheap. How are you doing, Vijay?
I am doing well. Yeah, thanks. How are you doing?
Good. Good. So let's talk about, you know, the idea here is to talk about a holistic approach to mobile security. I think when a lot of people think about mobile security, we have got BYOD, we have got corporate-liable devices, we have got iPads, we have got Android, we have got folks that are still on BlackBerry figuring out what to do next. How do people translate from an ad hoc approach of things and tools all over the place to putting together a sustainable strategy for their mobile security?
That is very exciting, Caleb. That is the next question that a lot of our customers are asking about. So, whenever you look at these new topics or a new challenge or problem, it's good to get an entire view of what you are up against or what you need to tackle, and a framework helps guide your decision making and gives you visibility of what you need to address. For mobile, and mobile security in particular, organizations often start with the mobile device, either the devices they procure or the devices that show up in the organization, and those require their level of attention. But as you progress in your understanding of the mobile space, you recognize as an organization that these devices, no matter how much data or capability they have on the device, invariably perform interesting interactions or transactions. They interconnect with back-end systems. So you need to start looking at traffic over the network and access to those back-end systems. Next, you have to look at the vehicles in which capabilities are delivered, the applications themselves, the mobile apps. Today, we know that mobile apps are the primary interface for interacting on mobile devices, they are task oriented, and most of our browsing behavior has pretty much been relegated to the app stores themselves. So there are three main pillars in the framework that you can start diving into to make sure that you have a holistic approach to your mobile security. Now, while these three pillars are very important, when an organization rolls out solutions for each of the three pillars, how do you make sure that you have completeness of coverage? Security is often described as a chain, right, across multiple components. And that's where we want to deliver continuous monitoring and continuous visibility over your security posture.
Well, how do you think people start to consolidate the tools that they have got in place? I mean today most people have got RIM devices, which they manage with the BES server. They have got Android devices coming in. They have got iPods, iPads and everything in between. How do you think people bring this all together? Are there tools that are emerging to help you manage all this?
So a lot of people need a starting point, and starting points are often governed by what you want to achieve, right? If you look at some organizations, they just want visibility over their devices. Hospitals just want to make sure that they can account for all those devices. Some organizations want to make core productivity applications like email and others accessible to their mobile employees. Others want to deliver specific applications to their mobile constituency, whether that constituency is a consumer, etc. So now, as you look at what you are trying to do, you end up selecting the technology that you employ. BlackBerry in the past was very good for corporate email, but nowadays, because there is greater choice in the mobile device spectrum and consumers are bringing their devices to work, that grows the requirements from the security management perspective of what you are able to deliver. With security tools, you want to be able, on these consumer devices, or even on corporate devices that you didn't generally have before, to start separating corporate applications and corporate data from personal data.
You know, something that, I actually had a customer position it to me this way about two weeks ago. I thought it was a very interesting way to look at it. I'd be curious if you would agree with it. They said, look, for the last five-plus years, for the most part, corporate mobile devices were BlackBerry. And RIM did a great job of providing secure transactions around messaging and, for the most part, and again these are his words, they didn't have to really think about how they secured mobile because RIM took care of that. And now we are in a world where it's not this monolithic culture. We have lots of different devices coming in, and most of these other devices, and I am predominantly speaking about Android and iOS here, grew up out of consumer offerings, where security wasn't one of the top things. It is not that these devices can't be secured, but it wasn't the top thing on the list. And this now causes, both because it's multiple strategies, it's multiple devices, but also because some of these devices grew up out of consumer, it's almost like the security folks at the organization need to dust things off and actually get re-engaged. And this is where they kind of had a pass on this for several years because it was all being handled by using a single vendor that had a secure infrastructure. Would you agree with that?
Yes. So there is another element to that, and that is IT was able to vet everything, the device, the applications, before they delivered it to their users. And now, it's the users bringing it in and IT has to validate it in a reactionary fashion.
You know, that is a great point, Vijay. I mean, think about 5 to 10 years ago, right, if you think about what was on your laptop, every application there, first of all you installed it from a CD or disk drive, and very unlikely you downloaded it. You had a license, probably in paper form, you most likely had it sanctioned by the IT department, and they had a support number that you could call if you had a problem. I mean, you remember the early days of software, we not only got the software, we got a phone number you could call with an actual human on the other end of it, right?
And these were all sanctioned. You had a relationship; if there was a problem there were people on the other end that would go and solve the problem. Now the way you get the majority of your apps is you go out to a store and you pay $1.99, and no one has any idea of what the supply chain associated with that was. Who built it? Where were they? Is it a reputable place? Were there reasonable security practices around it? And combine that with the fact that there is a great report, I think it was either Verizon or Trend that put it out, looking at the top hundred Android apps, and all of them had rogue equivalents with malware out there.
Yeah, and it was not just relegated to Android. It was iOS applications as well, so through either data injection or code injection you can turn a kind of innocuous application into a malicious one.
Well, you know, I always like to tell people, and I do this a little bit just to get your attention, but I always like to tell people that I think Angry Birds should be a corporate application. Not because it is a really cool game, but because it is pervasive. So everybody has got it on the phone, let's make sure you have got the one that is absolutely real from the real publisher, and go have fun with the game, but let's make sure it is not one of the rogue versions that are out there that are chock full of malware that is going to actually steal your data.
That actually brings me to another point, where it is not just employees bringing their devices to work. I think this has become a two-way street, where organizations recognize the value of mobile productivity, response time, etc., so some of them are issuing iPads or Android devices. What they recognize is that their employees are not just using them for work, they are using them for a dual purpose as well. So recently a professional sports group in the United States, teams were giving out iPads, but the players were installing different types of apps on them.
I can only imagine. Yeah. Well, if you take my iPad, for example, right, it gets handed into the backseat for the kids to play with all the time, and that actually precipitated the kids getting their own iPads because I couldn't have corporate documents and corporate email on a shared device. They inadvertently can cause all kinds of havoc in there, right? So, when you are out there with customers all the time, what do you observe as the top operational priorities people are dealing with now?
So, being able to work remotely, and work often involves email, calendar and contacts. We are seeing that become more and more prevalent as a starting point for enabling mobile. On the consumer side, in the B2C environment, a lot of organizations have these ad hoc applications. They are turning them into a more strategic initiative, but secure access, whether it is banking or retail, etc., they are focusing on secure access to view loyalty programs, bank information, etc. And the applications themselves have to be, if they are targeted at specific programs, whether it is a mobile workforce, whether it is a retail application, peer-to-peer shopping for example, all of these are what I'd categorize as targeted mobile initiatives, and they are very application-driven. So new apps, email, calendar and contacts, and secure access are the three main operational priorities that we are seeing going forward.
And what kind of controls are people putting in place around those priorities you outlined?
So around email, calendar and contacts, a lot of organizations want to have some degree of separation, making sure that there is no data leakage, especially in the context of the delivered endpoint device, and there are many approaches to addressing that. You can manage the device and leverage operating system capabilities; on iOS, there is a concept of managed profiles, so you separate data there. There are some capabilities around mobile application management, where you are trying to group a set of enterprise apps including email, etc. And for secure access, it is about the inherent understanding that context influences risk: the location, the network, the time of day, all of these things. You take that into account when you are providing a specific functionality. You may not want to allow a million dollar transaction from an internet cafe.
I think that is a great thing people have to think about, right? I mean the historical approach, when the CEO shows up with a brand new iPad and asks to get connected to the network, is they get connected to the network, and I just think that is a really bad idea in the grand scheme of things, because then that whole method of connecting can be used to potentially exfiltrate data. Why not look at it and say, all right, I have got a doctor, the doctor is on call. They need to be able to access patient records while they're on call, but do they need to be able to access billing information? Do they need to be able to query 5,000 patient records from the Starbucks? Of course not, right? So just thinking through some real basics around the use case, I think, can have a dramatic impact on improving their security.
Yeah, and it also extends to the application as well. When you are building an application, some basic stuff like encrypting the local storage of the data, and in order to make that very easily incorporated into the application, you want to facilitate mobile app developers. They are not generally as security aware as you would desire them to be from a corporate standpoint.
All right, so what about BYOD, which, for those who do not know, is Bring Your Own Device. In other words, the company does not own the device, but maybe they are paying for all or a portion of your airtime, but ultimately you brought the device to work and you want to connect it.
Yes, and so around BYOD, an organization has to understand that there are different flavors of BYOD. The first thing to do is to recognize that it is happening. If you mandate blindly that we do not support BYOD, two things will happen: one, you do not attract the talent that you desire, or you get non-participation; or two, it happens underneath all of your activities, and that is a much higher risk exposure. So once you recognize that it is going to happen, organizations can look at, are you going to make everything really available, really acceptable, any type of device? That is an option some organizations take, and they can leverage a technology like a mobile device management solution. There you get at least visibility of who those devices are owned by, what the security profile of those devices is, etc., and guide those __17:36__ either by pushing updates, recommending whitelisting or blacklisting applications, etc. Another approach is to restrict the set of devices, and that is an approach a lot of larger organizations are taking, even IBM, where you get a selection of devices that are somewhat __17:55__ and the important thing that organizations can do is remain transparent in every way about the program.
Tell your people what your plans are, and some people in your demographic might actually wait until you vet the platform and its security profile for your organization. Some organizations in highly regulated industries want complete bifurcation of the corporate and personal space. They want a greater level of separation, allowing guarantees on data encryption, guarantees on preventing copy and paste, and there are multiple technologies to address that. You can use a mobile application platform when you're building out your corporate applications to prevent copy and paste, etc., or you can embrace a mobile application management solution, what's called app wrapping today in the industry, or containers.
So these are things that would allow you to segregate those applications from the private data on the phone?
And you talked a lot, in past conversations we have had, about really three pillars, right? The need to protect the device, the need to protect the network on which the traffic is flowing, and then I think there is this unique thing to mobile: you have also got to protect the application itself, right?
Yup. Those are the three layers of the framework that I recommend customers think about as they approach mobile security.
So if we think beyond just the device, what else is different about mobile security?
So, we had a customer in India. They wanted to scale up their sales very quickly. In order to do that, the sales agents needed to connect to the corporation, but the sales agents work for other organizations as well. How do you set up secure connectivity with these entities and guarantee that the data does not leave you?
So you need to prevent leaking not only between personal and corporate, but between various roles or customers that they may have.
Kind of like a consulting outfit, consulting with multiple customers and needing access to all those customers, right?
So how do you do it?
So today, if you look at most Android or iPhone devices, a lot of organizations use a device-level VPN, but with that what you're doing is tunneling all the traffic through your organization. One, for privacy concerns, you don't want to do that, and even for security reasons you don't want malware that may exist on the device piggybacking on that traffic and going back to your network. And you don't want your information, if they have a tunnel with another company, to go through that.
Well, I don't want some other company's data and private information flowing through my company either. That may open me up to all kinds of legal ramifications, so I'm saying...
Yeah, litigation, depositions. So what we are seeing is a growth of application-level VPN, where there is a secure tunnel that is built into the application, and that prevents cross-pollination of data on that device.
So in this case, the VPN is actually in the app.
So every app could have its own VPN going to different places depending on different customers or what the particular use case was.
Oh, that's pretty cool. So let's boil this down. Give me two things you would recommend people do. What are a couple of actions people can take right away to improve their security posture on mobile?
Most organizations are rapidly getting started with mobile applications, and you want to make sure that the applications are not vulnerable. We have over 10 years of experience building web applications, and a lot of the same technologies are being re-employed in constructing and developing mobile apps. Vulnerability testing, especially given that mobile development is taking place in different parts of your organization or you're outsourcing it, gets you to a level of standard on the security posture of these applications. I recommend vulnerability testing, and with vulnerability...
I want you to explain a little bit about what that is, by the way.
Yeah, so it is being able to analyze the code inside of the application to understand the data flow: where the data originates and where the data is moving to, and that requires full tracing. What I mean by that is to make sure you follow the data within your application, rather than using patterns to see if there is a certain pattern that your code employs, because that results in a lot of false positives, and your developers don't really learn for the next iteration when they are coding. So, if you follow the data and you validate the place that the data is going to, that the data itself is legitimate, etc., that will remove the vulnerability. The trick here is that traditionally in security we look at exploits, we look at attacks, and we build countermeasures for every single attack or exploit. With vulnerabilities, by closing the vulnerability you might be mitigating the risk from multiple exploits, and there is a smaller set of vulnerabilities that you need to address to raise the bar. So that's one main thing that I would ask customers to focus on. And the second thing is, again, focus on the application. You want to develop and provide a consistent infrastructure that promotes security from the design phase, whether it is encrypting data, whether it's validating the app, one of the risks that we talked about earlier with rogue applications. If the mobile application platform can itself validate the app every time it interacts, and reject it if it has gone rogue, it reduces the overhead that the developers themselves have to think about when they have a six to eight week cycle to turn that code.
All right. Well, that is a great overview of what is going on with mobile. Vijay, anything else you want to add in conclusion?
I think mobile is here to stay, and we see the third screen, as mobile is often referred to, becoming the primary screen, not just in the developed markets but around the world. So every organization needs to take it seriously, and while in pursuit of the business value that mobile is going to give you, you don't want to sacrifice the trust relationship you've already built, so manage and secure it well.
All right, and if you want to learn more about our offerings for mobile security, you can go to www.ibm.com/mobile-security, all one word, again, www.ibm.com/mobile-security. Vijay, thanks again for joining us and we will catch you on the next one.
Thank you for having me, Caleb.
Thank you for joining the Information Security Podcast. The information contained in this material is provided for informational purposes only. Nothing contained in this material is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or altering the terms and conditions of any agreement you have with IBM. The opinions and views discussed are those of __26:09__ and do not necessarily represent those of the IBM Corporation. All product plans are subject to change without notice. References to IBM products, programs or services do not imply that they will be available in all countries where IBM operates. The information contained in this podcast is not intended to apply to any actions taken by you or result in any specific result or benefit. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Copyright IBM Corporation 2012. All rights reserved.