Mobile. It’s the new normal. Never in the history of the world has a technology changed the way we work, live, and play in such a short period of time.
Think back 20 years. In 1993, we faxed important documents, checked answering machines, paid bills with paper checks, dialed 411 to find a number we needed, tuned into the local TV news at 6:20 p.m. to get the weather forecast, and took our roll of film to the local pharmacy to be developed. And astonishingly enough, back in my day growing up near Boston, we even called each other on landline phones to talk about the great deal we got that day on the new Nirvana “Nevermind” CD at Strawberries (sadly, a now long-defunct local music and cassette tape retailer).
Today, we can complete all these tasks (and much, MUCH more) on our smartphones and tablets. And we can perform all these tasks without uttering a single word.
This explosion of mobile technology makes us more productive than ever, yet conversely, keeps cyber-criminals very busy. We find ourselves in a “Wild West” period for mobile technology: opportunity abounds amongst danger at every turn. It’s estimated that by the end of 2013, nearly 90,000 new strains of mobile malware will have been released, and that figure will quadruple to over 403,000 new strains by the end of 2014. Clearly, the convenience of mobile technology comes complete with an unprecedented, exploding new threat surface, which must be secured and protected.
Over the last decade, a multi-billion dollar market has emerged around mobile security. The mobile security market is expected to total approximately $1.88 billion by the end of 2013 and to grow to $2.9 billion by 2017. Nearly all, major enterprise security solution vendors provide products and services that address threats to mobile communications, productivity, and commerce.
Among these solutions, Mobile Device Management (MDM) has emerged as a “must-have” for many organizations. MDM vendors promote easy-to-implement solutions, which secure mobility without interfering with users’ experience. Most solutions, such as those from Citrix and Zenprise, offer some type of “top 10 must-haves” for secure enterprise mobility.
In an effort to create a more secure mobile enterprise, MDM solutions integrate with mobile certificate authorities (CAs), simplifying the process of requesting and receiving certificates to secure mobile communications. Today, most companies issue multiple certificates to authenticate users, devices, applications, and virtual private networks (VPNs) to the corporate network.
Cyber-attackers exploit weak certificates to exist in mobile environments
The use of mobile certificates is growing, and the attack surface is growing along with it. Without a good understanding of your legitimate mobile certificate inventory, you allow glaring weaknesses to exist in your mobile environment, including orphaned certificates, fraudulent certificates, and weak-crypto certificates. Cyber-attackers can easily detect and exploit these weaknesses.
Mobile and user certificates must be secured and protected as aggressively as any other part of the infrastructure. At a high-level, to effectively secure and protect mobile trust, enterprises need to:
Prevent mobile certificates from being misused
Detect mobile certificate anomalies
Respond with immediate remediation when a threat is detected
Securing and Protecting Mobile Certificate = “Mobile Trust”
Take the common case of a user losing a smartphone: The resolution policy is typically to remotely wipe the smartphone via the MDM and issue a new one. However, a remote wipe alone doesn’t guarantee that your organization is safe from attack. All certificates on that lost smartphone can be copied and manipulated. And if the certificates associated with that user are not immediately revoked, you have a hidden vulnerability. Multiply the number of employees by the average number of devices and certificates each employee has, and you can see how an organization’s risk can spiral out of control. Having a “kill switch” not only for the device but also for ALL certificates ON the device is paramount to success.
Adding the security and protection of mobile certificates to your mobile security strategy slams the door on a wide-reaching component of the mobile attack surface. As with traditional infrastructure, there is no silver bullet for mobile security. But controlling which mobile users and devices you can and cannot trust is a good first step and can be completed today. It took more than 100 years for the Wild West to be won. Let’s work together to ensure it doesn’t take that long to better secure mobile ecosystem.