RSA Conference: Android in the Enterprise and the Future of Mobile Threats

On Tuesday I had the privilege to lead a peer to peer discussion at the RSA convention entitled Android in the Enterprise and the Future of Mobile Threats. My role as moderator was to ask questions rather then provide answers. I ended up learning a lot in the session, so I would regard it as a resounding success, for me at least! Before the meeting, I would have said that the open nature of the Android operating system made it more of a security threat to the enterprise than the iPhone. However, there were a couple of experts there who changed my mind. The fact the the Android is open means that you can lock it down hard if you are willing to put the time and resources into that, whereas with the iPhone, you get the level of security Apple provides, and if that is not good enough for you (which it certainly wasn't this week) then you are out of luck. One security expert there had managed to restrict all his enterprise Android devices to only accessing the Internet via his VPN, so he was able to monitor and control all Internet access. Others had not been able go this far, but suggested that only making corporate email available within the VPN would at least encourage VPN use, and should any malicious emails make it through the corporate spam filters there would be a second layer of defense against links to bad websites. There was a lot of nostalgia for the heyday of the Blackberry. In the corporate environment it gave a lot of control to the IT department over device capabilities and access. However, today's users are not willing to accept the limitations and inflexibility of the Blackberry devices, and the Blackberry corporation is repositioning themselves a vendor of Mobile Device Management (MDM) software that works across multiple platforms. Whether from Blackberry or not, the security experts agreed on importance of MDM software in managing Android in the enterprise. However, one person complained that when he had all the MDM and security software he felt was needed on an Android it took the battery life down to about three hours, so he then had to find less power intensive ways of getting an acceptable level of security. We discussed the controlling the apps that were installed on Android devices. The most security conscious shops were running their own app stores, in which all software was certified and digitally signed before being made available to users for download. However, they did not really want to be in the app store business. I think there may be a hole in the market there for a company which can provide an Android app store with software certified to military standards, for licensing to government and high security commercial organizations. The result of having a locked down mobile device for business purposes means that many people are carrying two phones, one for work and one for personal use. Several people thought it would be good to have two devices in the same phone, either implemented in software using a VM environment, or by having two physical devices in the same handset. I asked the experts with the most secure systems if they thought they had solved the problem of Android security. There were wry grins, and shaking heads. "What we have is good enough for our purposes, not perfect." "What can shops without your resources do to ensure they are secure?" "Do a risk assessment, and come up with the solution that is cost effective for your business." So, there is no silver bullet for Android security, but it had the potential to be as secure as your business needs it to be, provided you put some work into it.