Mobile Security, Present and Future
Yasir Aziz, Senior Director on Samsung’s Knox Regulated Markets, gives his take on the current state of security, effective mobile security policy, and the future of mobile security.
What is the current state of mobile security?
There are three vectors and each is continually evolving. The first is vulnerability. Hackers are getting smarter in figuring out how to get into mobile devices and steal information. The second is organizational needs and requirements. Government agencies’ use of mobile technology is changing, as are their mobile security policies. Finally, there are the devices themselves. These are continually advancing to provide better and more pervasive security, particularly at the hardware layer.
What is going on in the area of identity and access control?
The government still relies heavily on actual Common Access Card (CAC) access, where they authenticate on an actual device using two-factor authentication. Some agencies, especially in the Defense area, are working on a program called Derived Credentials. This will take credentials off the CAC and implement them as a certificate on the device. That way they won’t have to walk around with an extra mechanism to authenticate because it will already be on the device. They aren’t there yet, but there have been some successful proofs of concept so it’s on the way.
How could biometrics improve mobile security for government?
The industry has embraced biometrics, and the government is working on it. Right now, it’s a matter of finding the right standards and specs. Fingerprints were a great start for biometrics, but now new advancements such as iris scanning are allowing even more robust biometric readings and exponentially increasing the unique factors to further strengthen the speed, reliability, and security.
What role does policy play in mobile security?
Agencies have to determine what’s most important in terms of the data, applications and device features to which users need access. Once they establish that, it’s important to automatically enforce those policies. That way, nobody can circumvent the policy. Finally, agencies should only approve mobile devices that work well with their specific mobile security policies.
What’s coming up in mobile security that will change the game?
There is a lot of research and development underway that will lead to some interesting advances in the next few years. Within a few years, for example, users won’t have to worry about data on their mobile devices. Most of it will reside in some sort of virtual environment in the cloud. So users will be able to pick up any mobile device and access their virtual mobile environment, including settings, applications and data.
Are there security advances on the horizon that will also help simplify the mobile experience?
One is application-driven security. This means security features will be attached to the application instead of the entire device. For example, an agency might not let users working with specific applications use WiFi or Bluetooth while working with that application. This will reduce the need for containers and let users download and use many more types of applications on their devices, as long as specific applications are secured. Another advance in the works is context-aware security, where based on your location, the device will relax security requirements. For example, if your mobile device realizes you’re in your office, it could let you access certain applications or data that you wouldn’t be able to access in public areas.