Lessons Learned from Humpty Dumpty
As the parent of a one-year old, I have found myself very well acquainted with nursery rhymes. From Sesame Street to the myriad of toys that my child owns, nursery rhymes are everywhere in my world. Maybe that explains why I immediately made the connection between a great presentation at the Gartner Security and Risk Summit and the well-known nursery rhyme of Humpty Dumpty.
Yes, I said Humpty Dumpty.
Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall. All the king’s horses and all the king’s men Couldn’t put Humpty together again.
Now, you might be asking – what could Humpty Dumpty possibly have to do with the Gartner Security and Risk Summit? The answer is that I realized during a great presentation by John Girard and Lawrence Pingree that Humpty Dumpty has fallen and that we as security experts need to just accept that he cannot be put back together. RIM can’t do it. Google can’t do it. Apple can’t do it. Microsoft can’t do it.
Humpty Dumpty is my analogy for the state of mobile operating systems today. I believe that Humpty Dumpty has taken his great fall and that the industry (all the king’s horses and all the king’s men) are trying desperately to put Humpty back together. Unfortunately, it can no longer be done.
How Times Have Changed
Ten years ago, there was only one dominant choice for mobile connectivity to the enterprise network, and that was RIM BlackBerry. RIM provided the functionality and security that enterprises demanded. BlackBerry devices became a badge of corporate America. They were workhorse devices. Then Apple iPhones and iPads came along. Innovative, sleek and cool. Corporate America started buying iPhones and iPads, and IT was put in a very difficult position. Could you forbid users from bringing their own devices to the office? Yes. Could you tell the CEO he couldn’t use his iPhone on the corporate network? No.
Apple started a revolution that was continued by Google. Apple devices are expensive and proprietary. Google introduced Android to be the opposite – inexpensive and open. Android was easy to acquire and inexpensive for manufacturers to license, and it led to an even larger adoption of smart devices.
Today, Apple and Google are the dominant operating system choices for smartphones and tablets. Microsoft has made clear its intentions to be more competitive in this space, and RIM is still a player. Many vendors have put a lot of effort into partnerships with Apple and Google to create security products that operate on these devices. Unfortunately, the mobile environment today and for the foreseeable future illustrates that agent-based security is not the complete answer.
More to the Story
If we only had four major operating system vendors to support (Android, Apple, RIM, and Microsoft), things would be simpler. But that’s not the case. Take a look at the following charts from www.opensignalmaps.com. This is what caused my ‘aha’ moment at the Gartner show and made me think of Humpty Dumpty.
Chart 1 – Android deployments by brand:
Look at how much fragmentation exists today. Can the security industry possibly cover this many variations of operating systems and vendors with agents? Can we as security professionals ensure consistent application of security enforcement given this multitude of hardware and software devices on the market?
The Network is Critical to Solving the Problem
Given the level of fragmentation that exists in the industry, it’s obvious that solving the mobile security challenge will be difficult by relying solely on agents. There are too many operating systems, devices and hardware platforms to expect agents to exist for every device and for every agent to act the same way on every device. Even today, I can take five smartphones from five different handset manufacturers all running Android, install the same security suite on them and still have different levels of policies and enforcement available. This is unacceptable from a security standpoint and puts compliance with regulatory requirements at risk.
This is not to say that agents are bad or not necessary for some organizations. The key point I’m making is that no matter what an organization’s strategy for mobile devices is, it has to include network security. Mobile Device Management (MDM) and agents can only get an organization part of the way there. Security professionals cannot rely on agents alone to cover the complex range of options inherent in mobile devices. Another authority is required. The network is that final authority. Ultimately the network can answer three critical questions the endpoint cannot:
* Who are you?
* Where are you going?
* What data do you need?
The answers to these questions may vary, and as a result, the network needs to have the final say to approve/deny what a user is attempting to accomplish. IT professionals should include network security whenever they’re thinking of mobile devices.
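As an added illustration (not code from the post or from the Gartner presenters), here is a toy network-side policy decision that asks the three questions above in order and, for sensitive data, denies by default when a handset has no agent to vouch for it. The user directory, destinations and data classes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample directory: identities (as learned from 802.1X/VPN authentication),
# destinations and the data class each one serves. All values are illustrative.
USERS = {
    "alice": {"groups": {"finance"}},
    "bob": {"groups": {"engineering"}},
}
DESTINATIONS = {
    "erp.internal": {"data": "financial", "allowed_groups": {"finance"}},
    "wiki.internal": {"data": "internal", "allowed_groups": {"finance", "engineering"}},
}
# Per data class: must the handset prove it is under management before access?
DATA_RULES = {
    "financial": {"managed_device_required": True},
    "internal": {"managed_device_required": False},
}

@dataclass
class AccessRequest:
    user: Optional[str]             # who are you? (None = not authenticated)
    destination: str                # where are you going?
    device_managed: Optional[bool]  # agent posture; None = no agent on this handset

def decide(req: AccessRequest) -> Tuple[str, str]:
    """Network policy enforcement point: returns (verdict, reason)."""
    # 1. Who are you?  An unknown identity is denied regardless of the device.
    user = USERS.get(req.user or "")
    if user is None:
        return ("deny", "unauthenticated")
    # 2. Where are you going?  Only known destinations, and only for authorized groups.
    dest = DESTINATIONS.get(req.destination)
    if dest is None:
        return ("deny", "unknown destination")
    if not (user["groups"] & dest["allowed_groups"]):
        return ("deny", "group not authorized for destination")
    # 3. What data do you need?  Sensitive data needs a positive posture claim;
    #    a missing agent (None) is treated the same as an unmanaged device.
    rule = DATA_RULES[dest["data"]]
    if rule["managed_device_required"] and req.device_managed is not True:
        return ("deny", f"{dest['data']} data requires a managed device")
    return ("allow", f"{req.user} -> {req.destination} ({dest['data']})")

if __name__ == "__main__":
    for r in [AccessRequest("alice", "erp.internal", True), AccessRequest("alice", "erp.internal", None),
              AccessRequest("bob", "erp.internal", True), AccessRequest("bob", "wiki.internal", None)]:
        print(decide(r))
```

The same check applies whether the handset runs a full security suite, a partial one, or none at all, which is the consistency an agent alone cannot deliver across fragmented devices.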
The market for mobile devices indicates that there will not be a unified mobile operating system anytime soon. Organizations should accept this fact and be prepared to address security challenges in a multi-pronged approach that includes the network as the final policy enforcement point. When this happens, maybe we will see that it is the network that can fill in the missing pieces to finally put Humpty Dumpty back together again.