Friday, August 24, 2012

Are Mobile Carriers Killing Business Security?

Mobile service providers, including Verizon Wireless, AT&T, and Sprint, know something about your smartphone that you don't.  What is this little nugget of information?  Service providers have no problem with selling you a supercomputer (a.k.a. smartphone) that they have no intention to protect.  It's not that they make it a secret or that the information isn't readily available, it's just that they know that you don't care, and they're right.  That's killing the ability for organizations to protect themselves.

Let's begin with a history lesson.  I would argue that the modern security era, one that I define as beginning with the advent of the consumer Internet, essentially began in 1996 with Microsoft's release of Windows 95 Service Pack 1 (Wikipedia). That was the first broadly used consumer operating system to include an Internet browser, Internet Explorer, in the basic installation.  It also represented the watershed moment when attackers could automatically, rapidly, and effectively infect computer systems without any significant user intervention.  Some of you might point to the advent of America Online or CompuServe in the early 1990's (Wikipedia) as the true start to the modern security era as I've defined it, but data transfers were generally constrained to individually shared files that was only a minor enhancement over "sneakernet" movement of floppy disks.  It also really doesn't matter for the sake of this argument, so I suggest that naysayers get over it and just give me a little latitude.

According to our friends over at Wikipedia, system requirements for Windows 95 included an Intel 80386 DX processor of any speed (maxing out at 33 MHz!), 4 MB of RAM (yes, that's megabytes), and 50-55 MB of hard drive storage.  By comparison, my Samsung Galaxy Nexus rocks a dual-core 1.2 GHz processor with 1 GB RAM and 16 GB of storage.  In hardware terms, the phone likely rivals the fastest computers on the planet when Win95 came out and is more capable than most consumer computers built in the mid-2000s.  Indeed, it's bigger and badder than my self-built computer sitting next to me (currently configured as a RAID 10 NAS).

In software security terms, though, the Galaxy Nexus, and just about any other smartphone not sold by Apple, still lives in the mid-1990s mindset.  Whereas Microsoft's security failures with Windows 95 and 98 that characterized the beginning of the modern security era gave rise to a frequent patch cycle that all businesses have since grown accustomed to, modern mobile devices are getting left behind due to carrier disregard to business and consumer security needs.  This means that when Google releases an Android update (about two or three times a year), the carrier decides whether phones on its network get it or not.  So, if Google updates the software to fix a defect or security vulnerability, devices may not receive the update until long after attackers have had an opportunity to exploit the weakness.

Everyone is to blame for the problem.  From the software developer that allows manufacturers to change the operating system (Google for Android), to the device manufacturer that fails to devote resources to supporting current devices, to the carrier that refuses to push the updates.  All of them have excuses, some of those excuses may almost be reasonable, but businesses and consumers lose in the end.

Folks like me thought that Google had an answer to the problem in the Nexus line of Android devices.  In theory, Nexus devices are "Google" devices that sport the best hardware, the best support, and the most recent software versions.  So, while the Galaxy Nexus is manufactured by Samsung, it contains no code changes or specialized software that would impede future software updates.  But, the theory collapsed under the power that the carrier currently wields over mobile devices it allows on its network.

Verizon Wireless appears to be the worst offender right now.  We should have seen the writing on the wall when the Galaxy Nexus was released on Verizon in December 2011.  When released, Verizon users discovered that the carrier had disabled the Google Wallet application that leverages the new Near-Field Communications (NFC) capability to enable Nexus users to pay for goods and services with a wave of their device.  Cool idea if the carrier had allowed it.  

The situation has since gotten worse.  Shortly after the phone's release, Google released an update to correct major defects in device performance and usability.  While other carriers pushed the update to their Galaxy Nexus subscribers, Verizon subscribers had to wait five months to receive the same update. 

In July, Google then released a major new Android version for its Nexus device line, Jelly Bean.  Among other fantastic enhancements, Jelly Bean includes enhancements to address security weaknesses in the prior version, Ice Cream Sandwich, that made Android devices much more vulnerable to attack.  According to the Android Jelly Bean What's New page, the update also includes better encryption reliability, a feature that businesses can use to protect data on Android devices.  While all Nexus devices have received the update and it is now getting pushed to non-Nexus devices, Verizon subscribers are left with a more vulnerable platform.

Other software companies face similar challenges.  Apple generally doesn't have a system security issue due to its agreement with carriers to allow updates through, but carriers do demonstrate their power over the devices by blocking features such as device tethering and, as in the case of the new iPhone 4S, disabling the ability to move the device from one carrier to another.  I'm curious to see how the new Windows 8 phones fair.  Given that they do not appear to be as heavily anticipated as a new iPhone, I doubt that Microsoft and its partners will have much better luck with the carriers than Google and its partners.

Because of the obstacles that users face in maintaining secure smartphone platforms due to so many outside dependencies, businesses face significant challenges towards implementing Bring-Your-Own-Device (BYOD) strategies that will protect business processes and information.  While I argue that the whole mobile ecosystem would need to change to sufficiently support BYOD policies (perhaps I'll deal with that in the future), here are some suggestions for what businesses could do to enhance their use of mobile computing platforms.
  1. Only Allow Apple iOS Devices. I really struggle with this suggestion since I don't believe in restricting device choice.  However, like BlackBerry devices of the past, the iPhone and iPad are probably the most widely used single ecosystem mobile solutions on the market.  iOS represents the most stable and potentially secure operating system on the market due to Apple's ability to rapidly update it when it identifies defects.  Recent iOS updates have also greatly enhanced enterprise Mobile Device Management (MDM) capabilities, giving businesses much greater control over individual device protection, regardless of carrier.
  2. Root Mobile Devices and Manage Software Internally. I admit to being an advocate for outsourcing IT management so businesses can focus on their core objectives.  However, businesses cannot trust the existing mobile device ecosystem enough to rely on the device manufacturers and the carriers to protect their devices.  Much like many enterprises currently maintain static "images" of workstation systems to simplify their IT management environment, enterprises should consider taking control of mobile systems attached to their information resources.  This will likely defeat BYOD transition efforts but organizations with very sensitive information resources should be avoiding BYOD strategies altogether.
  3. Deploy MDM Capabilities. Businesses proceeding with BYOD strategies should strongly consider implementing MDM functions that will allow them to lock sensitive resources within a protected sandbox environment that resists device-level defects.

But, I'm willing to bet that all of these suggestions will fall on deaf ears.  I admit that they will probably be too hard and too expensive for most organizations to manage and they assume that businesses really care.  They don't. 

The carriers are right.  Until businesses work together to hold software developers, manufacturers, and service providers responsible for protecting the mobile ecosystem and eliminate the "Defect Acceptance" groupthink that the industry has succeeded in making the IT standard, change will be a fantasy.