2012-07-01
Abstract
‘It seems logical that, in the future, security must move closer to the information.' Greg Day, Symantec.
Copyright © 2012 Virus Bulletin
In 2011, we finally saw some of the long predicted growth in mobile threats. While the numbers are still infinitesimal – thousands as opposed to the hundreds of millions of threats discovered on PCs last year – mobile device security is now a topic of discussion in the boardroom.
With this in mind, there is a question that I would like to hear discussed more widely: what is the right way to manage mobile threats?
The cost of a laptop computer has dropped significantly over the last decade[1]. It is predicted that the cost of smartphones will also drop by a third over the next couple of years [2], with some substantial decreases having already been seen this year (take RIM dropping up to 26% off some of its devices [3] for example).
But what is the relevance of the cost of devices? I increasingly find myself contemplating whether we will reach a point where the value of the device means that it simply isn’t worth protecting. I’m not in any way suggesting that we no longer need security. My question is: what are we actually trying to achieve?
When I started working at Dr Solomon’s in the early 1990s, recovering from a virus on a PC was a significant undertaking. Imaging was not common, and back-ups were poor, so systems would need to be built again from the ground up, and data could be lost permanently. We sold anti-virus software to mitigate the cost and effort involved in recovering from infection.
With a modern smartphone, it is possible to reset both the device itself and, in most instances, the apps installed. Increasingly, it will also be possible to restore data through services such as iCloud [4]. Furthermore, smartphones typically have a lifespan of just six to nine months from a manufacturer’s standpoint [5], and most providers’ contracts generally last from a year to 18 months. Given these facts, is it possible that the device has become a disposable shell that can be reset or replaced more quickly and cheaply than actually removing the infection/attack?
I increasingly wonder whether the existing security model is the right approach going forward.
As the device is becoming more or less disposable, or quicker to reset and recover than to repair, what is it that we actually need to secure? In the world of Social Mobile Cloud and information explosion, it seems that the two most pivotal factors are the integrity and confidentiality of the information we hold and use.
The disposable nature of the smart device and the resilience of the cloud go a long way towards ensuring availability. As a result, the priority is less about keeping the device up and running and more about keeping the information available and secure.
Whilst we still look to innovate with concepts such as security in the hardware, it seems logical that, in the future, security must move closer to the information. This means better integration with the vast array of information structure types. Take a look at the likes of Google, which is perceived to be the leader of Internet information management; it has made a number of security acquisitions as it recognizes the significance of security at the information level.
The mobile threat landscape and the most effective way to secure against it is undoubtedly a discussion that is here to stay. In my opinion, security needs to be as innovative as the devices, and needs to put information, rather than just the device, at the forefront.
