Vulnerability Management: The Missing Link In Mobile Device Security

Enterprises, vendors struggle to find methods for detecting security flaws in increasingly popular portable gadgets
Special to Dark Reading

If you're not in the office these days, then chances are you've brought the office with you. From laptop computers to smartphones, mobile devices are becoming standard issue in business. But the security of those devices is a lot less certain.

According to market analysis firm Gartner, global smartphone sales in the first quarter of 2009 were 36.4 million units, an increase of 12.7 percent compared to the same quarter in 2008. For many organizations, though, enterprise adoption of smartphones as an application platform has been slowed by concerns about basic security -- and the absence of clearly defined methods for performing vulnerability management on the small devices.

"We have seen huge interest from customers who are interested in protecting smartphones so they can deploy them as IP phones or terminals -- and the only reason they aren't [deploying the devices] is vulnerability management," says Ravi Varanasi, vice president of engineering with security system vendor Sipera.

Varanasi, who was one of the developers of Cisco's network access control (NAC) technology, says vulnerability management is the missing piece in mobile device security. "If we can solve the problem, I think it will be a free-for-all in the marketplace," he says. If technologists can improve solutions for mobile device user identity, authentication, and encryption, Varanasi adds, then the smartphone market could skyrocket even faster.

For most organizations, one of the issues in vulnerability management is that a relationship with a network service provider is usually required for deployment. Jonathon Gordon, director of marketing for Allot Communications, notes "providers are starting to be able to provide clean lines, cleaned of spam and viruses, and behind a firewall. This is starting to be offered to corporations, and down the line, these will be available with a [service-level agreement] attached."

Gordon says a growing reliance on smartphones, in particular, will lead to more comprehensive security partnerships with the network providers.

"There is a case for pushing some security features up the line, so the enterprise doesn't have to deal with them itself. They would be ubiquitous, whether [the service is] on the mobile or the fixed side," he says. "If [enterprises] rely on mobile devices as much as fixed devices, they assume they get the same service whether it's fixed or mobile. That's the underlying assumption going forward -- the expectations for mobile are that more and more people will expect it to work just as fixed wired networking does."

Choosing Their Battles

For now, however, most organizations are more worried about protecting the data on their devices than about the devices themselves, says Derek Brink, vice president and research fellow in the IT security practice at market research firm Aberdeen.

"From previous studies, I've seen it be much more about the data than about the vulnerabilities on a platform basis," Brink says. "These mobile devices are platforms in their own rights, and I think in the long term they'll be just as vulnerable to attacks as the desktop. The data that flows out to the device and is stored on the device is the highest priority."

Ultimately, though, Brink says traditional concepts of vulnerability management will become an important part of managing mobile devices. "The vulnerabilities are starting to appear, and it's not as big as the traditional platform market, but the data issue is here today, and people are concerned," he says. "In the future and ongoing, it will be the same group of issues dealt with -- whether the network is wireless or cable-connected."

Sipera's Varanasi says as the concerns of mobile and fixed assets converge, there will also be special security issues for mobile devices.

"It's not just the status of security software, but an application awareness that we need to know before we allow the phone on the network," he says. "If [the user is] running Skype, for example, we want to know about it before we allow the phone onto the network. The span of the application is very critical for the network asset. Essentially we call it CAC [call admission control], and we assess the posture of the phone, make sure it runs the proper SIP stack, and make sure it's enabled for secure and authenticated communication."

The process of managing vulnerabilities in mobile devices will become increasingly complex, just as it did in the wired world, experts say. The question for many organizations today is whether the process will grow to cover a fleet of devices that expands slowly -- or explodes as employees are allowed to bring their own phones into the corporate fold.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.