Mobile Device Management: It will grow – but should it?

18.12.2012 by Martin Kuppinger

Some weeks ago I stumbled upon an article which said that the MDM (Mobile Device Management) market will grow massively within the next five years. I don’t doubt that the market will grow. However, I’d raise the question whether it should grow that much, or, in other words, whether MDM is really the solution of choice. I don’t doubt that there is some need for MDM technologies. But that need is better understood by seeing MDM as an element of other technologies, a tactical piece of a bigger puzzle.

Let me explain why.

The problem organizations are facing today is that there are more users, more types of devices, and more deployment models they have to deal with. They need to give their users access to the information they need (and thus to the information systems they need), regardless of the device and the deployment model, while still enforcing information security and regulatory compliance. It is about the impact Cloud Computing, Mobile Computing, and Social Computing have, and how to deal with that impact in a secure and compliant manner.

This “Computing Troika” means that we have to strategically change the way we deal with identities and access. We have more identities, and we have to support more ways of gaining access, to resources which are spread across multiple deployment models.

Notably, this is not only about users with smartphones or tablets, the devices primarily in scope of MDM technologies (even though some products extend beyond that to Microsoft Windows 8 or Apple OS X support). It is about a multitude of devices: the classical desktop PC in the company, in the home office, or in an Internet Café; the notebooks of employees and of all the different types of externals; all the smartphones and tablets; and potentially devices we cannot even imagine today. And I’m not even speaking about the Internet of Things and M2M (machine-to-machine) communication here, which again involves identities requiring access.

Can we solve this by managing mobile devices? Obviously, that can help. But it is far from solving the strategic challenge. Furthermore, any approach which focuses on the separate management of one group of devices is questionable. Why not focus on solutions which help in managing all types of devices, including the “traditional” ones?

Obviously, a device-centric strategy which differentiates between some types of devices is not sufficient to solve the challenges of today. The same is true for network-centric approaches: if there is not *the* perimeter anymore, protection focusing on that perimeter is insufficient.

The future is about understanding the risk of information access, i.e. how sensitive the requested information is, and comparing it with the risk of the access request. The risk of the access request is based on the context, a topic my colleague Dave Kearns focused on in his EIC keynote some four years ago. Context is about the device, the location, the type and strength of authentication, the role of the user and thus also his relationship to the organization, the health status of the device, and many other aspects. If the balance of information risk and access risk is positive, fine. If not, the access risk can either be mitigated, for example by step-up authentication, or the access can be refused or at least limited.

That requires technologies like versatile authentication, risk-/context-based authentication and authorization, and Dynamic Authorization Management. The latter is required to enable applications to make dynamic authorization decisions based on policies and on the context, instead of hard-coding authorization rules or, at best, relying on coarse-grained decisions. It is about putting a risk- and context-aware approach to information security at the centre, instead of artificially protecting devices (instead of information) or perimeters.
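To make the balance of information risk and access risk concrete, here is an added example of such a context-based decision. It is illustrative code written for this post, not code from KuppingerCole or from any Dynamic Authorization Management product; the classification scale, the factor weights, the authentication levels and the sample requests are all assumptions. The information risk sets a budget; the context of the request consumes it; if the budget is exceeded, the policy first checks whether step-up authentication would be enough, and otherwise limits or refuses the access.

```python
"""Risk- and context-based access decision (illustrative).

Added example for this post; not code from KuppingerCole or from any product.
The scores, factor weights, thresholds and the sample requests are assumptions.
"""
from dataclasses import dataclass, replace

# Information risk: sensitivity of the requested resource, assumed scale 0-100.
INFORMATION_RISK = {"public": 10, "internal": 40, "confidential": 70, "restricted": 90}

# Context factors contributing to the risk of the access request (assumed weights).
ROLE_RISK = {"employee": 0, "contractor": 15, "partner": 25}
DEVICE_RISK = {"managed_pc": 0, "byod_phone": 20, "kiosk": 45}
LOCATION_RISK = {"office": 0, "home": 10, "public_network": 25}
UNHEALTHY_DEVICE_RISK = 20
# Authentication strength reduces request risk: 1 = password, 2 = OTP, 3 = hardware token / smart card.
AUTH_CREDIT = {1: 0, 2: 20, 3: 35}
MAX_AUTH_LEVEL = 3


@dataclass
class AccessContext:
    user_role: str
    device_type: str
    device_healthy: bool   # e.g. patch level / anti-malware status reported by client management
    location: str
    auth_level: int


def access_risk(ctx: AccessContext) -> int:
    """Risk of the access request: sum of context factors minus the authentication credit."""
    score = ROLE_RISK.get(ctx.user_role, 40)        # unknown role: treat as high risk
    score += DEVICE_RISK.get(ctx.device_type, 30)   # unknown device type: treat as unmanaged
    score += LOCATION_RISK.get(ctx.location, 25)    # unknown location: treat as public
    if not ctx.device_healthy:
        score += UNHEALTHY_DEVICE_RISK
    score -= AUTH_CREDIT.get(ctx.auth_level, 0)
    return max(score, 0)


def decide(classification: str, ctx: AccessContext) -> tuple:
    """Compare information risk with request risk.

    Returns (decision, information_risk, request_risk); decision is one of
    "allow", "step_up" (stronger authentication brings the request within budget),
    "limit" (e.g. read-only, no download) or "deny".
    """
    info_risk = INFORMATION_RISK[classification]
    req_risk = access_risk(ctx)
    budget = 100 - info_risk   # how much request risk this information tolerates
    if req_risk <= budget:
        return ("allow", info_risk, req_risk)
    # Would step-up authentication to the strongest available level be enough?
    if ctx.auth_level < MAX_AUTH_LEVEL:
        stepped = replace(ctx, auth_level=MAX_AUTH_LEVEL)
        if access_risk(stepped) <= budget:
            return ("step_up", info_risk, req_risk)
    # No mitigation possible: limit access to less sensitive information, refuse the rest.
    if info_risk < INFORMATION_RISK["restricted"]:
        return ("limit", info_risk, req_risk)
    return ("deny", info_risk, req_risk)


if __name__ == "__main__":
    office_pc = AccessContext("employee", "managed_pc", True, "office", 1)
    phone_cafe = AccessContext("employee", "byod_phone", True, "public_network", 1)
    kiosk = AccessContext("contractor", "kiosk", False, "public_network", 1)
    for name, ctx, cls in [("office PC", office_pc, "confidential"),
                           ("BYOD phone on public Wi-Fi", phone_cafe, "confidential"),
                           ("contractor on a kiosk", kiosk, "restricted")]:
        print(name, cls, decide(cls, ctx))
```

The same request is treated differently depending on what it asks for: the phone on a public network gets a step-up prompt for confidential data but would be allowed straight through for public data, and the unhealthy kiosk is refused restricted information even after step-up. Note that the device health factor is exactly the input an MDM or client management system can supply; in this model it is one signal among several, not the decision itself.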

MDM might help in mitigating risks for some devices. So it is a concept within that bigger picture. However, without understanding and addressing the bigger picture, MDM is more of an alibi than a real solution. Furthermore, once all the devices which can be used to access corporate information (systems) are in scope, there is good reason to look for solutions which integrate MDM into a bigger scope, like Client Lifecycle Management solutions which manage all types of devices.

Nevertheless, the MDM market will grow for some time. However, it will also change, maybe quicker than many expect today. And, most importantly, there are other technical building blocks you should look at first, to address the cause and not the symptom.

How a botnet has stolen 36 million Euro from European bank customers

13.12.2012 by Martin Kuppinger

In a recently published study, Versafe and Check Point Software Technologies, two software vendors, analyze the recent Eurograbber attack, which is based on the Zeus botnet and ZitMo (Zeus in the Mobile). This attack reportedly diverted up to 36 million € by intercepting financial transactions.

The most interesting aspect of this is that the attack bypassed the out-of-band authentication of financial transactions. Banks use this approach to send TAN codes (transaction numbers) to the mobile phone of the user. It is out-of-band if (and as long as) the user uses another device, such as his PC, for accessing the online banking application.

This approach has been considered (more or less) secure. However, in the scenario described, the attackers targeted both devices. They first infected the PC. There they tracked and manipulated online banking sessions, and in the manipulated session asked the user for the phone number and the device type of the mobile phone used. Using that information, they sent an “important security update” to the mobile phone, which in fact contained the malware for that device. With both devices under their control they could inject transactions from the PC and intercept the mobile TANs sent to confirm them.

It is very likely that this has just been the beginning of such attacks challenging the security of out-of-band mechanisms. As of now, the attack requires Windows on the PC and Android or BlackBerry on the mobile device. However, it is just a question of time until iOS, OS X, or Windows Phone also become “supported” by the attackers.

There is no simple solution to prevent this type of attack. The most important security measure is good anti-malware protection on every PC and ideally on every mobile device, as far as such solutions exist for the mobile platform. Besides that, fraud detection at the backend, i.e. in the banks, is mandatory to identify such transactions as fast as possible and to alert customers.
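What backend fraud detection can do against the pattern described above is shown in the following added example. It is illustrative code written for this post, not code from the Versafe/Check Point study or from any bank; the field names, the thresholds and every record in it are constructed. The idea is that the backend still sees a signature even when both of the customer’s devices are compromised: a transfer to a payee the customer has never used, an amount far outside the customer’s history, and a TAN that comes back faster than a person could read the SMS and type it.

```python
"""Backend fraud detection for mobile-TAN-confirmed transfers (illustrative).

Added example for this post; not code from Versafe, Check Point or any bank.
Field names, thresholds and all records below are constructed assumptions.
"""
from datetime import datetime
from statistics import median

# Constructed history of one customer's earlier, legitimate transfers (payee ids are made up).
HISTORY = [
    {"payee": "DE00-RENT-0001", "amount": 620.00},
    {"payee": "DE00-RENT-0001", "amount": 640.00},
    {"payee": "DE00-SHOP-0002", "amount": 85.50},
    {"payee": "DE00-RENT-0001", "amount": 630.00},
    {"payee": "DE00-CAR-0003", "amount": 1200.00},
]

# Constructed events for two new transfers in the current session.
# tan_sent: when the bank sent the TAN SMS; tan_entered: when the TAN came back on the web session.
TRANSFERS = [
    {"id": "T1", "payee": "DE00-RENT-0001", "amount": 640.00,
     "tan_sent": datetime(2012, 12, 3, 11, 58, 10), "tan_entered": datetime(2012, 12, 3, 11, 58, 52)},
    {"id": "T2", "payee": "LV00-MULE-0009", "amount": 12400.00,
     "tan_sent": datetime(2012, 12, 3, 12, 1, 3), "tan_entered": datetime(2012, 12, 3, 12, 1, 7)},
]

AMOUNT_FACTOR = 5            # amount more than 5x the customer's median transfer (assumed)
MIN_HUMAN_TAN_SECONDS = 10   # faster than a person reads the SMS and types the code (assumed)


def risk_signals(transfer: dict, history: list) -> list:
    """Return the fraud signals raised by one transfer against the customer's history."""
    signals = []
    if transfer["payee"] not in {h["payee"] for h in history}:
        signals.append("new_payee")
    if transfer["amount"] > AMOUNT_FACTOR * median([h["amount"] for h in history]):
        signals.append("amount_far_above_median")
    delay = (transfer["tan_entered"] - transfer["tan_sent"]).total_seconds()
    if delay < MIN_HUMAN_TAN_SECONDS:
        signals.append("tan_entered_too_fast")
    return signals


def decide(transfer: dict, history: list) -> str:
    """'release' the transfer, or 'hold_and_alert' the customer over a channel other than the phone.

    A single weak signal (a new payee) is everyday behaviour. A TAN entered without
    a human in the loop, or two signals together, is what an injected transaction
    confirmed by intercepted TANs looks like from the backend.
    """
    signals = risk_signals(transfer, history)
    if "tan_entered_too_fast" in signals or len(signals) >= 2:
        return "hold_and_alert"
    return "release"


def review(transfers: list, history: list) -> dict:
    """Decision and signals per transfer id, as a fraud desk would see them."""
    return {t["id"]: (decide(t, history), risk_signals(t, history)) for t in transfers}


if __name__ == "__main__":
    for tid, (decision, signals) in review(TRANSFERS, HISTORY).items():
        print(tid, decision, signals)
```

One caveat follows directly from the attack: the customer’s phone is under the attackers’ control, so an alert sent as an SMS to the same number can be suppressed like the TAN was. The hold has to be communicated through a channel the attack does not cover, such as a phone call or a forced re-confirmation at the next login from a clean device.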

But clearly this type of attack shows that out-of-band authentication, as (relatively) convenient as it might be, is not the holy grail of security in online banking. Maybe this issue will initiate the comeback of other solutions like OTP hardware tokens, which are more expensive (procurement and logistics) and sometimes less convenient. Maybe it is time that financial institutions start focusing on a reusable approach for such OTP hardware tokens, i.e. tokens that are not tied to a single institution, because having a separate token per bank has always been one of the major inhibitors for acceptance of these devices.

The employee – still security risk Nr. 1

10.12.2012 by Martin Kuppinger

Recently it was reported that a disgruntled technician of the Swiss spy agency NDB (Nachrichtendienst des Bundes) had stolen terabytes of counter-terrorism information shared between the NDB, the CIA, and MI6 (the UK spy agency). The person was temporarily arrested. It is still unclear whether he has already sold some of that information or not.

This case, together with many others like the theft of data from Swiss banks which was then sold to German tax authorities, again highlights that the biggest security risk for most organizations comes from insiders. There is no doubt that the number of external attacks is increasing. There is no doubt about the massive risk to critical infrastructures. There is no doubt that manufacturing and, in general, SCADA devices are at far higher risk than before.

However, there are two important aspects to consider:

  • Many insiders have privileged access, frequently with little control over how it is used. They potentially can steal large amounts of data and cause massive harm.
  • Many of the external attacks are in fact hybrid attacks, involving insiders.

For organizations, this means that they should not focus only on external attacks. The concept of perimeter security is an illusion anyway: there is no such thing as “the perimeter around the organization” anymore. What organizations have to do is move forward to protecting information, regardless of where it is accessed from, where it resides, which device is used, and whether it is accessed by insiders or externals. Point solutions which claim to solve this issue won’t help without the bigger picture in mind. They just increase the risk of bad investments.

However, there are some things you have to do: Access Governance and Access Intelligence are among them. Privilege Management is another. However, Privilege Management should be well integrated with Identity Provisioning and Access Governance/Intelligence instead of being a point solution. The most important thing to do now is to understand the big picture of information security. That’s what you should put on top of your agenda for 2013.
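What the integration of Privilege Management with provisioning and Access Governance looks like in practice is shown in the following added example: a privileged access review that treats the provisioning system as the source of truth and reconciles it with the privileges actually found on target systems, plus a simple check for the kind of bulk data access the case above describes. It is illustrative code written for this post, not code from KuppingerCole or from any product; all accounts, entitlements, volumes and thresholds in it are constructed.

```python
"""Privileged access review: reconcile actual privileges with provisioning
and flag bulk data access (illustrative).

Added example for this post; not code from KuppingerCole or any product.
All records below are constructed, and the thresholds are assumptions.
"""
from statistics import median

# Identity records from the provisioning system (HR status as the source of truth).
IDENTITIES = {
    "jdoe":   {"status": "active", "department": "IT Operations"},
    "mroe":   {"status": "left",   "department": "IT Operations"},
    "ksmith": {"status": "active", "department": "Finance"},
}

# Privileged entitlements that were approved through provisioning: (account, privilege).
APPROVED = {
    ("jdoe", "db_admin"),
    ("jdoe", "backup_operator"),
    ("mroe", "domain_admin"),
}

# Privileged group memberships actually found on the target systems.
ACTUAL = [
    ("jdoe", "db_admin"),
    ("jdoe", "backup_operator"),
    ("mroe", "domain_admin"),        # still present although the user has left
    ("ksmith", "file_share_admin"),  # never approved through provisioning
    ("svc_legacy", "db_admin"),      # no identity record owns this account
]

# Daily volume of data read by privileged accounts, in GB (constructed audit-log aggregate,
# oldest day first, last entry is the day under review).
DAILY_READ_GB = {
    "jdoe":   [2.1, 1.9, 2.4, 2.0, 2.2, 1.8, 950.0],   # bulk copy on the last day
    "ksmith": [0.3, 0.4, 0.2, 0.3, 0.5, 0.4, 0.3],
}
BULK_FACTOR = 10   # a day exceeding 10x the account's own median is reported (assumed)


def reconcile(actual, approved, identities):
    """Findings of the entitlement review as (account, privilege, issue).

    Order matters: an account with no identity is an orphan whatever its approvals,
    and a leaver keeps no privilege even if it was once approved.
    """
    findings = []
    for account, privilege in actual:
        identity = identities.get(account)
        if identity is None:
            findings.append((account, privilege, "orphan_account"))
        elif identity["status"] != "active":
            findings.append((account, privilege, "leaver_still_privileged"))
        elif (account, privilege) not in approved:
            findings.append((account, privilege, "unapproved_privilege"))
    return findings


def bulk_access_anomalies(daily_gb, factor=BULK_FACTOR):
    """Accounts whose last day's read volume exceeds factor x the median of the earlier days."""
    anomalies = []
    for account, volumes in daily_gb.items():
        baseline, today = median(volumes[:-1]), volumes[-1]
        if today > factor * baseline:
            anomalies.append((account, round(today / baseline, 1)))
    return anomalies


def review():
    """Both parts of the review, as they would be handed to an access governance workflow."""
    return {"entitlements": reconcile(ACTUAL, APPROVED, IDENTITIES),
            "bulk_access": bulk_access_anomalies(DAILY_READ_GB)}


if __name__ == "__main__":
    for section, items in review().items():
        print(section)
        for item in items:
            print("  ", item)
```

The entitlement findings are exactly the gaps a Privilege Management tool deployed as a point solution cannot see: it knows who is a domain admin, but not that the person left, that nobody approved the privilege, or that nobody owns the account. The volume check is deliberately per account rather than per system, because a privileged user copying terabytes looks normal to the storage system and abnormal only against his own history.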

To learn how to best establish Information Stewardship as a principle, you should have a look at our new report “From Data Leakage Prevention (DLP) to Information Stewardship”, #70587, which was written by my colleagues Mike Small and Dave Kearns.

© 2014 Martin Kuppinger, KuppingerCole