Gordon Merrill, MSIA, has been thinking hard about the security aspects of operating systems, mobility and the cloud. This article and the next four in the series are based on some of the papers Mr. Merrill wrote during his studies for the MSIA degree at Norwich University. Everything that follows is Mr. Merrill's own work with minor edits.
* * *
One of the problems dismaying information assurance professionals today is the avalanche-like move toward mobile devices taking over computing for most users. A recent study predicts that "U.S. mobile handset data traffic will grow from 8 petabytes per month this year [2010] to 327 petabytes per month in 2015." That translates to a compound annual growth rate of about 110%.
The PC is no longer the primary device for accessing the Internet. The ratio of mobile devices to PCs used for daily computing is no longer even 1-to-1. The days of telling employees that they will connect only to corporate-issued Internet devices are soon to be over as well. With more than a billion mobile devices estimated to be in use before the end of 2013, our users will be doing business with several mobile devices.
In a posting by a criminal-hacker-supporter, "Cheesemunk" wrote, "So say somehow somewhere we ended up choosing a target to start wreaking havoc upon. All we need is an IP Address." The writer then goes on to post details of how to execute simple hacks on any site on the Internet whose IP address is accessible.
[MK adds: everyone reading this article should be familiar with – and periodically use – Steve Gibson’s “ShieldsUP!!” port scanner; your system should result in a solid-green matrix, indicating that all ports from 0 to 1055 are in Stealth mode and do not respond to probes.]
Information assurance was a daunting enough task when we had one operating system (OS), or maybe two, and one standard-issue mobile device. The biggest concern with the move to mobile interconnectivity is how we can protect our information in the face of the combinatorial explosion of manufacturers, models, networks and software versions.
Here's a hypothetical illustration of that combinatorial explosion. Suppose there are
• 10 different mobile device manufacturers
• 20 models per manufacturer
• 10 mobile networks, with every device available on any of them
• Each device has its own OS
• Most users will not upgrade promptly, so up to five versions of each OS may be in use at once.
So in this scenario, we would have to cope with
• 10 x 20 = 200 possible devices
• Each of which is tailored to 10 different networks = 200 x 10 = 2,000 and
• Up to five different versions of OS = 5 x 2,000 = 10,000 variations of hardware and software.
How do we control 10,000 different device/OS connection configurations and maintain our sanity? We don't.
We must redesign our concepts of what is inside and outside our infrastructure. Rather than trying to enforce uniformity on our users' mobile devices, we should supply appropriately restricted data to mobile devices whose users have been authenticated. Instead of trying to dictate specific configurations, we should focus on testing compliance with functional security requirements. The industry is going to have to develop the equivalent of network access control for mobile devices, so that we can verify compliance with minimum security requirements such as resistance to malware and to interception before a device is allowed to connect. Examples of highly rated mobile-device management software from a recent report by a research organization that declined to have its name included in this article include AirWatch, Good Technology, MobileIron, Sybase and Tangoe, but these companies seem to focus on specific brands and models of mobile devices. Some of the products use the Open Mobile Alliance (OMA) Device Management specifications.
We need security-software professionals to focus on what it will take for any mobile device to prove it is trustworthy for connection to our systems.
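The following is an added illustration, not code from the article or from any of the products it names, of what "testing compliance with functional security requirements" looks like in practice compared with enumerating device configurations. The device attributes, the requirement list, the 90-day patch threshold and the access tiers are all hypothetical policy choices constructed for the example; a real deployment would take the attributes from an MDM or NAC agent's posture report.

```python
"""Requirement-based device posture check (added example, not from the article).

Rather than maintaining an allow-list of every manufacturer/model/network/OS
version combination (the 10,000-variation problem in the text), each device
that tries to connect is evaluated against a short list of functional
requirements. Vendor and model are carried along but never consulted.
All attributes, thresholds and sample devices below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a hypothetical MDM/NAC agent reports for a connecting device."""
    vendor: str
    model: str
    storage_encrypted: bool    # resistance to interception of data at rest
    screen_lock: bool          # casual-access protection
    rooted: bool               # jailbroken/rooted devices defeat platform controls
    patch_age_days: int        # days since the last OS/security update
    malware_scan_clean: bool   # resistance to malware, as reported by the agent


MAX_PATCH_AGE_DAYS = 90  # hypothetical policy threshold
PATCH_REQUIREMENT = "patched within %d days" % MAX_PATCH_AGE_DAYS

# Each requirement is (name, predicate): what the device must *do*,
# not which exact vendor, model or version it must *be*.
Requirement = Tuple[str, Callable[[DevicePosture], bool]]
REQUIREMENTS: List[Requirement] = [
    ("storage encrypted", lambda d: d.storage_encrypted),
    ("screen lock enabled", lambda d: d.screen_lock),
    ("not rooted/jailbroken", lambda d: not d.rooted),
    (PATCH_REQUIREMENT, lambda d: d.patch_age_days <= MAX_PATCH_AGE_DAYS),
    ("malware scan clean", lambda d: d.malware_scan_clean),
]


def evaluate(device: DevicePosture,
             requirements: List[Requirement] = REQUIREMENTS) -> List[str]:
    """Return the names of the requirements the device fails (empty = compliant)."""
    return [name for name, check in requirements if not check(device)]


def access_decision(device: DevicePosture) -> Tuple[str, List[str]]:
    """Map posture to an access tier: 'full', 'restricted' or 'deny'.

    Hypothetical tiering: a device whose only failing is stale patches gets
    restricted (read-only) access so the user can still work; any failure
    of an integrity or confidentiality requirement gets no access at all.
    """
    failures = evaluate(device)
    if not failures:
        return "full", failures
    if failures == [PATCH_REQUIREMENT]:
        return "restricted", failures
    return "deny", failures


# Constructed sample devices; the vendor/model strings are made up.
SAMPLE_DEVICES: Dict[str, DevicePosture] = {
    "compliant": DevicePosture("AcmeMobile", "X1", True, True, False, 30, True),
    "stale": DevicePosture("Zeta Phones", "Z200", True, True, False, 200, True),
    "rooted": DevicePosture("AcmeMobile", "X1", True, True, True, 200, True),
    "no_encryption": DevicePosture("Orbit", "Tab7", False, True, False, 10, True),
}


if __name__ == "__main__":
    for label, dev in SAMPLE_DEVICES.items():
        tier, failed = access_decision(dev)
        print("%-14s %-11s %-5s -> %-10s %s" % (label, dev.vendor, dev.model, tier, failed))
```

Note that the same five checks apply whether the device is one of the 200 models or a model released next week; adding a new requirement (say, a minimum OS version reported by the agent) is one more line in REQUIREMENTS, not a new row for every device.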
Part two of this series will discuss whether our data systems are ready for 4G connectivity.
* * *
Gordon Merrill, MSIA, currently lives and works in Tennessee. His career has taken him to 48 of the 50 states and to six foreign countries. Gordon's information assurance background has included working for major computer companies such as IBM, managing IT projects for Fortune 250 companies in the risk management field, owning his own business, and working as a private consultant. He was chair of the School of Information Technology at the ITT Technical Institute in Chattanooga for three years.