On Monday, February 24, I’ll be speaking on a panel about mobile security at the RSA Security Conference in San Francisco. This talk is part of the Trusted Computing Group (TCG) Association Seminar series. I have also recently had the good fortune of being elected a Contributing Board Member of the TCG.
Our panel’s discussion is titled “Mobile Device Security: Fact or Fiction”. The title is ironic in itself, in that it presumes mobile devices can’t be secured. I believe this confusion arises because folks aren’t asking the right question: “secure from what?” Sadly, mobile security has been approached the same way computer and network security have historically been handled: it is very “vendor driven.” Vendors develop products to “protect” the device, and customers install the technology, declare themselves secure, and move on with their day. This is tragic to a risk management professional like myself. Real security is based on determining what the risks are to the device, the risks the device poses to the enterprise, and the risks that users with the device pose to the enterprise. For some organizations the greater risk lies in protecting sensitive data as it is transmitted to a mobile device and as it is stored and used on the device. For others, the risk is ensuring timely and accurate data access so that users can conduct their business. Many face some combination of the two. The bottom line is that there is no “one size fits all.”
I will be talking specifically about mobile application security. This is a topic that gets little discussion in the press and among mobile professionals. I think most folks believe that we have solved mobile application security with all the web application testing we’ve done, and that mobile apps are really just web apps, accessed either through the browser or through a native client (which simply emulates a browser, but without the feedback loop). But there are critical considerations such as authentication requirements, data storage (caching), and server pinning (making sure you are talking to the correct web application server). I will be discussing these in more depth and look forward to interacting with the audience. I will also be releasing a whitepaper on this topic; stay tuned, it is coming soon.