NATIONAL HARBOR, Md. -- Wintel's dominance on enterprise endpoints may be eroding as a multitude of new devices and platforms take hold, but thankfully for enterprises, the job of securing endpoints might be getting easier.
Speaking Tuesday at the 2013 Gartner Security and Risk Management Summit, Gartner Inc. Research Vice President Peter Firstbrook guided attendees through the evolving endpoint security landscape. Even though 75% of tablets and laptops are purchased by consumers, many will show up on enterprise networks, he said. Enterprises are encouraging the consumerization of IT for increased productivity benefits, he added, while security pros are left to manage the risks.
Stamford, Conn.-based Gartner forecasts that the number of endpoints secured by enterprises will increase 25% from the end of 2012 through 2017. Though Windows devices will still make up the majority of enterprise endpoints in 2017, Firstbrook cautioned attendees that a wave of iOS and Android devices will have an increasingly positive effect on enterprise endpoint security. Foremost among the security benefits, he said, is that both platforms' vendors -- Apple Inc. and Google Inc. respectively -- emphasize security in their products and offer certain advantages over Windows, including embedded security features such as encryption and remote wipe.
Firstbrook also heaped praise on the locked-down app store model employed by iOS, which essentially utilizes a whitelisting-style system to allow in apps deemed secure and keep out apps that might be malicious or otherwise unsafe. The success of the Apple app store model, according to him, makes a return to the blacklisting technologies of yesteryear "insanity."
Despite the perception of Android as a platform plagued by malware, Firstbrook noted that Android application security has improved over time, thanks to Google's increased monitoring of its official app store. "The reality is, if you stick to Google Play" as a single source of application downloads, he said, "there is a really small percentage of malware in there."
Firstbrook also pointed out that these prominent mobile platforms hardly suffer from any notable malware infections compared to Windows machines, and that mobile device users typically must download malware directly, unlike in Windows environments, where self-propagating viruses are common.
While the whitelisting paradigm has worked well for app store security, Firstbrook indicated that application security vendors, including Veracode Inc. and Appthority Inc., are advancing application security further by classifying mobile apps by category -- such as business, education, entertainment, finance and gaming -- making it easier for an enterprise to allow or block use of certain types of mobile apps based on its mobile device security policy. He said he expects mobile device management (MDM) providers to add similar app categorization as well.
"It's not going to be possible to manage that 'good' list without categorization," Firstbrook noted.
Challenges posed by mobile platforms
Despite the security capabilities built into modern mobile platforms, Firstbrook said plenty of problems still exist. For example, Android and iOS devices also present the unique issue of being able to "sideload" apps via custom ROMs and jailbreaking, he said. Such techniques will affect the ability of enterprises to enforce application control, which could negate the benefits of curated app stores, both those offered by Apple and Google as well as enterprise app stores, he added.
This issue is especially prominent with Android, where manufacturers like Samsung and HTC pump out dozens of devices each year, all with different and customized versions of the open source OS. Firstbrook advised enterprises to stick to one vendor to minimize the security ramifications of this Android platform fragmentation. For those choosing among the OEMs, he pointed to the security features Samsung has added to its Android devices.
Additionally, Firstbrook said, Android and iOS together accrued more than 100 known vulnerabilities in 2012, and as enterprises increasingly allow mobile devices onto their networks, those devices will become a more enticing target for cybercriminals. "The bad news is, no question, attackers are going to focus on these platforms," he commented.
The new generation of powerful Web browsers now available on mobile devices ranks among the preeminent mobile security challenges facing IT security teams. Mobile browsers can fall prey to the same potentially malicious sites that target desktop users, Firstbrook noted, but enterprises often can't restrict mobile browsing the way they can restrict desktop browsing. As a result, he said, enterprises should define acceptable use policies for mobile devices to protect users from Java, Flash and other exploits.
Protect what's important
As part of the shift from Windows devices to mobile, Firstbrook advised enterprises to stop focusing on mobile malware defense and move resources to securing data and transaction systems. From a strategy standpoint, he said, enterprises should consider mobile security similar to how banks and other financial firms approach security: focusing on high-value transactions and understanding that they are unable to protect everything.
Enterprises also can categorize their data and transaction systems by their sensitivity and value: For example, Firstbrook said, all personally identifiable information should be encrypted. He highlighted secure Web gateways as a starting point for enterprises that need to inspect mobile device traffic to ensure sensitive IP isn't leaking out, and emphasized the importance of extending corporate Internet use policies to mobile devices.
Ultimately, though, Firstbrook said some types of sensitive corporate data shouldn't be placed on mobile devices at all, so each enterprise should assess its risk appetite and decide whether the benefits of mobile outweigh the threat of data leakage.
"Treat all those mobile devices as suspect, and don't deliver data you can't afford to have there. You have to be realistic about what you're going to be able to protect," he said. "You have to focus in on critical data and transaction systems, and focus on protecting them."