If you think about it, practically every type of security product on the market provides security through surveillance. Surveillance is the act of keeping a close watch over someone or something in order to prevent or detect unwanted activity. In law enforcement, that means looking for crime; in IT, it means monitoring for cyber activity. Either way, for the surveilled it totally invades privacy.
IT security products work just like the FBI watching you from a sedan or the NSA listening to your phone calls. Web application firewall products read all of your web traffic. Your desktop antivirus installs itself with privileged administrative access to all of the systems. It sees every single thing stored on your disk and everything going across the network. Your email/web malware detection software reads all the emails going back and forth and looks at all of your web traffic. This is essentially security through surveillance. These systems scan these payloads for malicious activity and then interpret the results. They work just like surveillance from our government agencies: they read everything to and from your device in order to prevent or detect malicious activity.
Is security through surveillance even really feasible or appropriate in the mobile world?
There are two problems with surveillance-based security on mobile devices. First, these are hybrid-use devices, so privacy is a big concern. Second, surveillance-based security does not provide sufficient coverage to be effective on mobile devices. Let’s take a closer look at both of these problems.
Employees realize that when they are on the company’s desktop, using the company’s web browser and connected to corporate resources, the company has to be able to scan email and web traffic. Employees understand that they give up their privacy at work. The company has to stop an employee from going to an inappropriate site or downloading malware which may end up affecting a bunch of corporate systems. There is no expectation of privacy in the corporate environment while sitting at your desk. Employees know they are being watched.
Mobile is a hybrid use device.
Employees don’t take desktops in their pockets and go home for the weekend with them. If one does or happens to have a BYO device, they don’t want to be surveilled on Saturday afternoon when browsing for personal reasons or paying bills online. However, if we use the security through surveillance model, the company is still reading all of your emails and seeing all of your web traffic during your personal use on the weekends.
A surveillance security model is insufficient for mobile.
The desktop is wired to a corporate network, and the only way traffic gets in and out of that device is through an input device like a USB or keyboard or through its network connection. Companies restrict the use of USB devices or scan them when they connect, presume the keyboard is safe and scan the network for intrusions and malware. Done, secure. Now let’s take the same practice and apply it to our mobile devices.
Applying the same procedures to mobile devices isn’t as effective. Mobile devices don’t just have two input methods. There is Bluetooth. They have IR and NFC. They have Wi-Fi and cellular. Plus, the cell chip has more radios in itself. So the problem is you can’t provide enough surveillance on a mobile device by observing its network traffic.
If you solely observe network traffic to secure a mobile device, you won’t detect a number of attacks. You won’t see Stagefright. By observing the cell phone service traffic, you won’t see a man-in-the-middle attack on Wi-Fi. By only looking for malware by scanning email traffic, you won’t see an SMS spear phishing campaign that sends users into a browser with malicious JavaScript content. Another Bluetooth device could come within a few feet of a device and begin to communicate, and you won’t see this attack or any of the preceding examples.
How do you secure mobile without invading user privacy?
There needs to be a different approach for mobile devices. Companies aren’t equipped to protect either corporate or BYO devices from cyberattacks through surveillance, since there are so many privacy issues and communication methods on smartphones.
That’s why Zimperium has a completely different approach. Zimperium is not security by surveillance. Zimperium’s proprietary z9 engine runs on the device to detect threats at the device level without needing an internet connection. This unique approach creates the most private and unobtrusive way to secure mobile devices. Since the detection resides on the device there isn’t any personally identifiable information sent to a cloud service in order to facilitate detection. Furthermore, the level of threat information collected is configurable and customizable to a company’s unique privacy requirements.
For more information on how your mobile policies affect your mobile security strategies, please join Zimperium’s next webinar featuring 451 Research on “How to Balance Mobility, Security and Privacy” on May 11.