Android devices recently suffered a spate of attacks. Similar attacks have been made against Apple devices and nearly every other brand of smart device. Does this mean that this is the end of Android or of mobile devices? Or does this mark the rise of mobile device management (MDM) and other software specifically designed to secure end user computing (EUC) devices? EUC security has two failure points: the handheld device itself and the network beyond it. But does an insecure device imply loss of data? Perhaps. Loss of credentials? Again, perhaps. But does it actually matter? That depends, so let us look at a typical use case.
If you look at the typical use case of EUC, you see that the application passes through quite a few different networks. Data remnants then become available within each network: sometimes a lot of data, and other times not much. However, those remnants can be used by the bad guys to determine more about your internal network, so anything left on your handheld means that there is data for the bad guys to get.
This includes identity data, such as fingerprints. However, if the data is not on the mobile device but is pushed into the internal network, and false data is left instead—perhaps a picture of a unicorn—then the data left behind is not an issue. Where do we need to put our data to make it secure if the identity on the device is compromised? Why move the data anywhere outside your internal network or cloud service? Leave it where it is; the EUC device is nothing more than a display and data entry point.
What we need is not mobile device management, but a way to broaden the definition of identity to include not only username and password, but also device, location, calendars, handshake, picture, biometrics, etc. Identity can no longer be just username, password and biometrics: it must be expanded to include a broader picture of the user. We need to take that identity and correlate it against well-known external sources. One example is to take the location of the device and compare it to the user’s calendar. If the calendar says the user should be in Washington State, yet the device is being accessed from France, we know there is a major issue to be addressed and the data should not be accessed.
Neither MDM nor mobile content management (MCM) nor any other mobile security measure does this yet. Some companies are working toward it, but unless we can get a broader scope of identity with correlation from external sources, a compromised EUC device could lead to a compromised set of data.
Ah, but what do you say about file sharing, etc., where the device already holds the information? I would say that MCM needs to do the same thing, but on a continuous basis, and at the first sign of compromise, as judged by an ever-broadening definition of identity, lock the data on the device. The data needed to build this broader identity is already within the device itself.
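One way to express the broader identity check from the two paragraphs above as a policy, written as an added example that is not part of the original post: the device, location-versus-calendar, biometric and usage-rhythm signals are correlated, and the check is re-run continuously so that a mismatch locks the data on the device. Every signal, name and threshold here is an assumption made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Session:
    """One observation of a user on a device (all fields constructed)."""
    user: str
    device_id: str
    region: str             # where the device reports it is
    calendar_region: str    # where the user's calendar says they should be
    fingerprint_ok: bool    # on-device biometric result
    typing_rhythm: float    # similarity to the user's usual rhythm, 0..1
    enrolled_devices: set   # devices the organisation has enrolled for this user

def identity_risk(s: Session) -> list[str]:
    """Return every mismatch between observed signals and the expected
    identity; an empty list means all signals agree with each other."""
    findings = []
    if s.device_id not in s.enrolled_devices:
        findings.append("unenrolled device")
    if s.region != s.calendar_region:
        findings.append(f"location {s.region} contradicts calendar {s.calendar_region}")
    if not s.fingerprint_ok:
        findings.append("biometric check failed")
    if s.typing_rhythm < 0.6:               # assumed threshold
        findings.append("usage rhythm does not match user")
    return findings

def decide(s: Session) -> str:
    """allow, step-up (ask for more proof) or lock (seal data on the device)."""
    findings = identity_risk(s)
    if not findings:
        return "allow"
    # A weak signal on its own only prompts step-up; any hard mismatch locks.
    if findings == ["usage rhythm does not match user"]:
        return "step-up"
    return "lock"

def continuous_check(samples: list[Session]) -> list[str]:
    """Re-evaluate each new observation; once locked, the device stays
    locked until an administrator re-enrols it (assumed MCM behaviour)."""
    decisions, locked = [], False
    for s in samples:
        d = "lock" if locked else decide(s)
        locked = d == "lock"
        decisions.append(d)
    return decisions
```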
Identity is becoming more important, and it spans desktop devices and handhelds alike. Security issues should not jump from one device to another, yet sometimes they can when identity is defined too narrowly.
Identity needs to grow with device use, enough so that if a device is compromised, neither the data on the device nor further access within the organization is allowed. EUC devices need mandatory and continuous access controls where identity is not just username and password or fingerprint. It needs to include the rhythm of use of the device as well as other definitions of identity.