Mobile Security Starts To Grow Up
By Steve Wallage, Wed Oct 27 08:45:00 GMT 2004

Mobile security is always talked about as a key obstacle to corporate usage, but still there was very little done about it. Now things are finally changing.


Imagine the scene -- a top Wall Street banker leaves his mobile handset in a cab. Bit inconvenient, but no more than that? Well, what if he or she has passwords, confidential information, client contact details and so on stored on the device?

Imagine you're the CIO of a large corporation. You have clearly defined usage and security policies, with a central security administrator. You are particularly aware not just of the risk of security breaches, which are still more likely to be an internal rather than external threat, but of regulatory concerns. You have standardized software, network access and “look and feel” across all your company's equipment -- except, typically, mobile devices. Most CIOs don't even know what employees are doing with their mobile devices, who is accessing the corporate network, what files and company information they hold, and whether they have any sort of security in place.

These two increasingly common scenes have the mobile security players purring. Mobile security was always a bit of a paradox. It came #1 in survey after survey on the obstacles to mobile data uptake, yet few companies seem bothered to invest in it. It was often felt that mobile devices weren't really used for anything too sensitive, and the security solutions out there seemed expensive, limited and standalone products.

This is finally starting to change as increasingly complex mobile deployments are leading to growing security concerns, and mobile security solutions are quickly evolving. Fear is, of course, a great boon for the security industry, and scare stories on the impact of losing mobile devices or, even better, the outbreak of mobile viruses are all great news for it. But regulation is also a great motivator for businesses. Take the financial industry in the US: if a company in it loses any details related to a customer, it has to contact that customer and offer new safeguards. At an estimated cost of around $100 per customer, it's a great incentive to protect data!

So What Is Mobile Security?

The two bedrocks of mobile security are authentication and encryption. Authentication provides protection from unauthorized access to the data or device. Basic device authentication is often a four-code PIN which is relatively simple to hack. More advanced authentication includes longer passwords, two-factor authentication and centrally controlled and regularly updated passwords. A related feature is remote device quarantine and data wipe if the device is stolen.

Encryption is providing security for data on the device and potentially data transmitted from the device. As with authentication, this is an area in which device vendors are now working hard on high-end devices, for example Nokia is working with Pointsec on its two new Communicator models. Any data residing in files and folders is automatically encrypted in real time, with no user intervention required. E-mail and SMS data can also be encrypted and decrypted on the fly. Another mobile security specialist, Credant, is now embedding its security client in the iPaq.

The mobile security vendors can now provide the sort of sophistication in encryption and authentication that meets US military standards. They are also offering mobile equivalents of traditional fixed security features. A startup vendor such as Bluefire Security offers a mobile firewall, intrusion detection and secure VPN access.

The Vendor Charge

One of the challenges for the mobile security startups was their standalone nature. A CIO does not want to treat mobile security as a separate issue. Their ideal scenario would see corporate security guidelines and central security and management consoles including mobile devices. To move towards this goal, the startups have worked on partnering and offering standardized links to other platforms.

However, the lure of the mobile security market is also attracting a lot of major vendors to take a direct interest. These include at least four areas: security vendors, mobile management vendors, mobile infrastructure and middleware companies. Take a company like Symantec -- it has no intention of allowing the mobile anti-virus market to get away from it. Some of these players have been happy to sit on the sidelines and wait for clear signs that mobile security is a significant opportunity – this is changing, as recent M&A activity illustrates.

The User Concern

Security and usability have always been opposed. Security means changing passwords regularly, making them difficult to guess and keeping them different -- none of which users like doing. For individual users, this will be difficult to change although some of the device vendors are trying to make higher security a default option.

However, in the business world, things will change. Mobile devices will no longer be an individual or department responsibility. Increasingly, they will come under the wings of the IT department and centralized security policies.

Timing

The first major mobile security deals are starting to come in. For example, Pointsec recently did a deal for more than 2,000 US Government users.

Basic mobile encryption and authentication are becoming a standard element of management platforms. The vendors are bracing themselves for an explosion in mobile security demand in 2005, and, remember, security is also a key element of other high-growth mobile areas such as Digital Rights Management. They are right to be optimistic.