Security Vendors: Think Of Mobile As A Lifestyle, Not Just A Platform

There’s been a minor flurry of activity in the mobile security space lately. On the vendor side we have McAfee’s acquisitions of tenCube and Trust Digital and Symantec’s investment in Mocana (Symantec’s acquisition of VeriSign’s security business has mobile implications as well). In other developments, we have the new ruling that it’s legal to jailbreak your (i)phone and AT&T’s breach of iPad owners’ personal data, and you can see that the mobile security space is getting interesting.

Many of the vendor moves in this area – including, but beyond, the acquisition and investment activity mentioned above – are merely extending anti-malware to the smartphone. We’re still in the early days for mobile malware, and it’s premature to expect much traction by providing malware protection on the smartphone (as I blogged about here).

But mobility means a lot more than “yet another device,” one you happen to carry with you that can be compromised by similar techniques to those affecting personal computers today. Mobility implies multiple devices and anywhere access, among other things. These have implications for the kinds of security solutions to deliver: sanctioned access, not sanctioned devices; services, not just products; synchronization, not backup; and so forth.

I still see too much focus on remote lock/wipe/disable as the only unique element of a mobile security play – useful, to be sure, yet this is a feature that will quickly be subsumed by carriers and manufacturers, leaving little room for independent vendors.

Where do you see mobile security going? What aspects – for the enterprise or consumer – would you like to see Forrester research further?



This is an excellent topic,

This is an excellent topic, as mobile security is very quickly becoming just as essential as desktop security (funny to be calling it that, isn't it?). I know that at VeriSign we've been quick to announce when mobile browsers become extended validation ssl (and regular ssl) compatible -- to my knowledge, the only one currently with this encryption functionality is the iPhone Safari browser. Do we need to develop a special kind of encryption cert specifically for mobile browers? Perhaps. Do mobile software providers need to find ways of ensuring that regular encryption and anti-malware software works on pdas? Definitely. Still, I'd like to eventually see a mobile equivalent of the VeriSign Trust Seal - a security mark/malware scan service specifically for sites don't encryption. The VeriSign Trust iSeal, or something of that nature made specifically for mobile sites and apps -- cuz let's face it, the lines between desktop and mobile are only semi-permeable at best.

Evolution of the mobile device / application trust marks

Great comments and points, Joseph. Thanks. One of the more significant aspects of mobile trends is that the non-laptop mobile devices is becoming more and more like a laptop from a functionality standpoint: specifically, having a highly functional browser, and being able to install applications. So, yes, those lines are disappearing quickly. Wouldn't that imply that any "special" certs for mobile platforms would be short lived? Perhaps trust marks (seals) might be different, given the UI differences between smart phones and laptops -- though I'd love to see something more automated on both platforms, given that most users don't check these seals anyway. I do expect more security software to be placed on mobile devices, though I expect a lot of it will be brought in through other software that people install for convenience and management purposes.
We probably are at the point where we need trust marks for applications: mobile applications, Facebook applications, plug-ins, etc., given the fact that such applications are a common vector for attack these days.