iPhone creates mobile malware tipping point

Apple’s Worldwide Developers Conference is the premiere showcase for new, shiny apple gadgetry. Regardless of your feelings about the company or the MacBook Pro, the iPod, or the iPhone, you can’t dispute the elegance of these devices. Apple has cornered the market on smart design.

The announcements from this year’s WWDC may not excite the masses as much as in the past, but they will have a profound impact on enterprise IT and will help completely revolutionize mobile computing in the enterprise. On the downside, the iPhone also presents the tipping point that will trigger both an explosion slow trickle of mobile malware, and an increase in Mac OSX malware. Not many can say they are the catalyst for good and bad megatrends—so all hail Steve Jobs for setting the foundation for a revolution in malware as well.

The moves to support office applications, broadband connectivity, GPS, and releasing a common development platform for both iPhone and Mac OS X, Apple has created the perfect storm for an explosion of slow trickle of mobile malware, data theft incidents and IT management headaches. Let’s review the more important WWDC announcements and their impact on enterprise security:

• Enterprise Support (including Microsoft Exchange Integration and Office Applications) The point at which mobile and handheld devices become real issues for enterprise IT is the point at which data can be viewed and manipulated in the same way it can be on a desktop or laptop. The ability to store, forward, read, and write Microsoft Office applications eliminates the need to use a conventional computer to do real work, but creates a nightmare scenario for organizations who are still challenged by securing data on the devices for which they are responsible.

• 3G Support Fast Internet access will only increase the use of the iPhone for web browsing, on-line banking, commerce, and enterprise SaaS applications like salesforce.com. Handheld salesforce.com access, for example, will be a boon to field sales people, but opens the door to increasing the number of browser-based attacks.

• GPS Support Although this may seem innocuous from a security perspective, it is clear that targeted malware is on the rise. Imagine being able to tailor a message to not only include information about the recipient but to include or reference their location.

• iPhone Development Environment In my opinion the most significant WWDC announcement has been the introduction of the iPhone as a development platform that shares APIs and tools with Mac OSX. Couple this ability to cross-pollinate malware between the iPhone and Mac OSX, with a rich media layer and an easy-to-use development environment, and you create endless fun for the legions of malware authors looking to profit from the proliferation of iPhone and Mac OS X.

This is not a problem for tomorrow, but a problem of today and if we have any hope of taking control of our environments against the backdrop of an increasingly sophisticated user population, advancing technology, and hostile threats, we must learn to adopt new approaches to enterprise security that go beyond static object defense.

The top three things that IT must do today to deal with mobile computing devices are:

1. Attain Visibility Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for resolving the mobile assets problem. After all, how can you manage what you don’t see? Visibility must extend to mobile assets’ configurations and their actions on the network. It’s not enough to know that Bob in accounting owns an iPhone. You also need to know what software the iPhone runs, whether it is really Bob who is currently accessing confidential data, if he has rights to see this data, and whether he is doing it in a safe way.

2. Set Usage Policy As IT managers lose influence over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a platform-agnostic policy-driven approach to information security management that encompasses both conditions and actions.

3. Enforce Policies and Controls Policies without means to enforce them have all lasting effect of New Year’s resolutions. To be effective in a world of mobile devices that come and go from the enterprise network, enforcement cannot be a matter or centralized command and control, but rules embedded in, and enforced, by the devices themselves.

The majority of organizations are ill-prepared to deal with managing devices they own, let alone managing devices brought in the organization by employees. This consumerization of IT is already straining organizations to manage the unmanageable. The workforce entry of a new generation of tech-savvy youth is forcing once draconian policies around the use of corporate owned devices to be rethought. Smart organizations realize that consumerized IT is not only inevitable, but important in keeping younger workers and successful early adopters motivated and productive. Mobile devices are on the march and there’s no stopping them. If you can’t beat ‘em, join ‘em, and establish the visibility and policy frameworks to enable their productive, safe contributions to achieving enterprise missions.