Mobile security ‘requires’ controls
Security policies should be developed to mitigate risk, says IBM’s security CTO
Mobile security policies should be developed to mitigate risk, but must also relate back to specific controls which are implemented in order to do so, according to Dr Tamer Aboualy, CTO of security services, IBM MEA.
Speaking to Arabian Computer News, Aboualy said that corporations are taking the mobile threat seriously, and that IBM sees security controls and policies which were once applied to computer endpoints now being made applicable to all endpoints, including mobile devices.
"For instance, many corporations are worried whether high-profile people have been targeted and possibly compromised with malware. For corporations who also only use tablets and phones for email, they have a need to validate if there is malware or other malicious elements which could compromise security and privacy," he explained.
However, when it comes to approaching mobile security, Aboualy said that enterprises should take a unified approach to endpoints, with mobile devices treated as endpoints just like computers. He said that these security policies and controls ultimately need to be applied, validated and checked for non-compliance.
"For example, if a mobile device is to access the corporate email system or certain files within the corporation, then that device needs to have security controls such as encryption, malware protection, endpoint security protection, and in many cases certain containers which are corporation specific. Other examples include complex passwords, patching requirements, and many other security policies and related controls," he said.
Aboualy added that corporate users are the target of many threats. As a result, according to best practices, endpoints should have their own controls which mitigate malware being downloaded via the browser or by other means, he said. And if that layer is circumvented, he said that other security controls such as endpoint security technologies, which monitor for malware and configuration changes, should detect any malware or abnormal behaviour.
"Security monitoring these events should be sent to a SIEM and abnormal behaviour coming from a specific endpoint should also be monitored. In essence, many layers and controls need to be put in place to take into account various scenarios and the uniqueness of an environment," he said.
"Other controls, such as scanning to ensure a mobile device is compliant, should be considered. This is to minimise the risk of the device and restrict its reach to a certain area. Monitoring and managing the endpoints to ensure they have been patched and configurations are as per policy is further required. Lastly, training users is paramount, as they will be subject to a plethora of attacks and scenarios."
When asked about BYOD and the rise that this has given to the Android operating system in the enterprise, Aboualy said that operating systems tend not to matter when it comes to mobile security. While Android is more targeted by cyber-criminals due to it being a less secure system, he said that all mobile devices, regardless of the operating system, could pose a risk.
"Without controls, all mobile devices and endpoints will introduce risk. For example, there are many attacks which target the Microsoft operating system used by many laptops and computers, but we mitigate these risks by using controls," he said.