Mobile Application Security - The Fight Results

Tyler Shields

A few months ago I posted a blog entry entitled: "Containerization vs. Application Wrapping: The Tale Of The Tape." Well... the bout is finally over and a winner has been decided. Using a virtual tape measure, I analyzed the mobile application technology spectrum to determine which technologies are better suited to deployment in the enterprise and why. The results were about what I expected. The fight went right down to the wire and nobody scored a knockout with the winner being decided with a slim margin over the 8 rounds. Here is the judge's score card:

You can read all about the data behind the analysis and the justification for the results in my latest report: "In The Mobile Security Bout Of the Year, App Wrapping Beats Containerization On Points." 

Slide To Unlock - The New Face of Home Security

Andrew Rose

I recently visited a trade show dedicated to physical security.

Almost every vendor was advertising IP-enabled ‘smart’ technology, with accompanying apps, that would log and alert on access or motion, prevent tail-gating, recognise smartphones or RFID tags, or track faces or number plates automatically. The sheer number of CCTV vendors alone was stunning, although, truth be told, as a physical-security novice, I struggled to spot any discernable difference between them all!

There were firms who were crossing over into ‘smart home’ technology – selling a series of sensors to control temperature and light; detect issues such as movement, flooding or smoke; and remotely unlock the front door of homes, or secure areas. Although mainly sold on a ‘home security’ premise, these systems were also cleverly brought together into packages which could be used to monitor the activity of an elderly relative, sending alerts if regular patterns of behaviour, or safe limits, were transgressed (i.e. Has the shower been on too long suggesting a fall? Has the box containing essential pills been opened at around the right time? Has the front door been opened at 2am? Etc.) 

I spoke to six or seven vendors of similar technology sets and asked how they managed the logical security around their product. Almost every response began with a pause.... then came, “well, you know that nothing can ever be totally secure”, and then they abruptly ended with “we have encryption!”. It became abundantly clear that few, if any, vendors, had thought through the logical security issues and none were including it in their sales training.  Other responses, somewhat worryingly, included “our engineers look after that”, “they wouldn’t let us sell it unless it was secure”, and the classic “I’m sure it’s fine….”

Read more

CISOs, CMOs: What's It Like Working With The Privacy Pro In Your Organization?

Heidi Shey

Business needs and requirements demand expertise and coordination for privacy programs and practices. As a result, chief privacy officers, data protection officers, and other designated privacy professionals like privacy analysts are a fast growing presence within the enterprise today. The International Association of Privacy Professionals (IAPP) is 16,000 members strong today (compared to 7,500 back in 2010) and growing!    

In many organizations, a dedicated privacy professional (e.g., a full-time employee who focuses on privacy and not someone who has privacy responsibilities attached to another role) is a new role. Privacy professionals come from a variety of backgrounds from legal to IT, and the details of their role and focus can vary depending on the organization and the size of the privacy team. Yet they all have one thing in common: they must work together with multiple privacy stakeholders – IT, security, legal, HR, marketing, and more! – across the enterprise. And honestly, it’s not always easy. Like any relationship, there are ups and downs.

Read more

Don’t Blame Target’s Audit Committee For The Sins Of Technology Management

Renee Murphy

Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.”  This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.

First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target’s technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they in essence, end the conversation.  The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives? 

Never, right?

Read more

The Connected Car As A Microcosm Of The New Threat Landscape

Andrew Rose

The Internet of Things (IoT) is a hot phrase right now, and every vendor is talking about the huge potential of continual connectivity and interaction with smart devices to optimize the asset and transform the customer experience. The potential is undeniably huge and developers are right to be excited, but it’s not all "hugs and puppies."

As S&R professionals, we have to balance the excitement of innovation with pragmatism and caution, and the IoT is a turmoil of innovation right now. With so much change, it can be difficult to focus in on the key issues, so let's choose an area where there has been a lot of discussion and hype for years (or even decades) but not much in the way of actual consumer adoption; let's use the "connected car" as an example to crystalize a few of the risk scenarios.

 

Picture courtesy of Dave Gray on Flikr

Today’s cars operate on computers, and mechanical functionality breaks down when the computer is not there to manage it. It’s not quite an aerodynamically unstable plane, such as the B-2, or indeed most modern fighter jets, which are kept in the sky by instantaneous computer feedback and corrections, but it’s not dissimilar. As we move toward the connected car, think through these scenarios:

Read more

Google Acquires Divide -- Shaking Up The Mobile Security Landscape

Tyler Shields

On May 19, 2014, Google announced that it is acquiring containerization and dual persona vendor Divide. Divide's technology is designed to create a security and user interface division between the personal and the enterprise content, applications, and data on a single mobile device. This model meets the goal of separating the highly sensitive work data from the games and other potentially malicious content of a consumer nature. The big question is what is Google going to do now that it owns a technology leading containerizaiton play.

Selling Divide as a standalone solution isn't going to be lucrative enough, in the long term, to make the acquisition worthwhile. It makes a whole lot of sense for Google to embed Divide into the Android operating system. Just as rising tides raise all ships, containerization in Android will help the entire Android ecosystem shed the market perception of a technology that isn't quite yet enterprise appropriate. If this acquisition is any indication, Google has just put some power behind its push into the enterprise market and I don't expect it to subside any time soon.

All enterprises and vendors in the mobile security space should reconsider their future purchases and road maps based on this acquisition. Even if you are creating or buying mobile security technologies that don't play at the application layer, mobile security technologies are inseparably intertwined and this acquisition will have ripple effects that must be considered.

Read more in my full report here: Google Acquires Divide And Shakes Up The Mobile Security Landscape.

Introducing Forrester’s Targeted-Attack Hierarchy Of Needs

Rick Holland

We recently published part 1 of a new series designed to help organizations build resiliency against targeted attacks. In the spirit of Maslow, we designed our Targeted-Attack Hierarchy Of Needs. One factor that significantly drove the tone and direction of this research was Forrester client inquiries and consulting. Many organizations were looking for a malware sandbox to check off their targeted attack/advanced persistent threat/advanced threat protection/insert buzzword needs. Malware analysis has a role in enterprise defense, but focusing exclusively on it is a myopic approach to addressing the problem.  

Part 1 of the research is designed to help organizations broaden their perspective and lay the foundation for a resilient security program. Part 2 (currently writing at a non George R.R. Martin pace) will move beyond the basics and address strategies for detecting and responding to advanced adversaries. Here is a preview of the research and the six needs we identified: 

Read more

Containerization Vs. App Wrapping - The Tale Of The Tape

Tyler Shields

If you have implemented or used either application wrapping or containerization technologies, please COMPLETE THIS SURVEY.

Application wrapping versus containerization: Which technology provides better security to an enterprise mobile deployment? What are the use cases for each technology, and which technology has a longer shelf life when it comes to being the de facto standard for enterprise mobile security? Are there times when containerization provides a better user experience than application wrapping? And more simply speaking . . . what the heck is the difference between these two technologies, and which one should you purchase?

In the sport of boxing, "the tale of the tape" is a term used to describe a comparison between two fighters. Typically, this comparison includes physical measurements of each fighter as taken by a tape measure before the bout, thus the term "the tale of the tape." I'm currently conducting research for a "tale of the tape" report between mobile containerization technologies and mobile application wrapping. There has been a significant amount of discussion lately regarding which of these technologies is better suited for enterprise deployment. In order to settle this dispute, I'm going to get out the virtual tape measure and analyze the fighters!

Read more

BlackBerry Jakarta Edition Success Is Irrelevant To US Enterprises

Tyler Shields

Jump straight to my latest Quick Take report: "S&R Pros Desperate To Ditch BlackBerry Should Rethink Their Strategy -- BlackBerry Finally Opens BB10 OS To Third-Party Management.

This morning, BlackBerry announced the release of the BlackBerry Z3 Jakarta Edition. This new device is targeting the lower end of the market in Indonesia with lessened technical specifications and a reduced price point. It is unclear if the new device will be successful with the Southeast Asian buyer; however, I don't think it matters much to the US-based enterprise.

In the United States, BlackBerry has lost its hardware brand cachet. Over the last five fiscal quarters, BlackBerry total revenue has decreased by 64% from $2.7B to $976M. If we break out the revenue into separate streams -- hardware, software, and services -- we see that all three segments slowed in that same time period. The hardware revenue stream continues to be the boat anchor that is pulling down the other revenue segment, with a loss of 78%, while the software revenue stream only lost 15%.

Read more

Announcing The Social Risk & Compliance (SRC) Solutions Wave

Nick Hayes

Today we published a new Forrester Wave: Social Risk & Compliance (SRC) Solutions, Q2 2014. This report evaluates 10 vendors emerging to help organizations enable companywide use of social media while providing the necessary controls and oversight to mitigate associated risks and enforce compliance.

 

Why now

Use of social media today is rampant.

It’s no longer just your marketing team that uses social media for business purposes. Employees across the entire organization use social media for personal and professional reasons, leveraging social to drive real business for your company. The opportunities to enhance your brand, deepen customer relationships, and glean new customer insights are all too valuable to ignore -- but the risks are real too.

Moreover, the legal and regulatory landscape is evolving rapidly, complicating the ways in which you can manage social media and the myriad reputational, security, and privacy risks (among others) that expose your organization. To take advantage of these opportunities and still protect your company, you need new tools and technology to do this effectively.

 

What they do

Read more