Security & Mobility Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
danielvhoffman

WHY SANDBOXING ALONE IS A FALSE SENSE OF SECURITY

by Juniper Employee on 09-29-2011 01:09 PM

 

Ask the typical Enterprise about their strategy for mobile security and you will likely hear references to sandboxing Enterprise data. As you may know, sandboxing is the creation of a container on a mobile device to separate Enterprise data from personal data, consisting of a special e-mail client and sometimes an Internet browser. Last night, I participated in a panel discussion at the Stevens Institute of Technology in New Jersey and a related question was asked by an audience member: “Doesn’t sandboxing address the security threats to mobile devices?” This question is best answered by looking at the categorical threats to mobile devices and where sandboxing can provide value.

 

 

Mobile Device Threats

 

Malware – There’s no question the time for mobile malware has come, with threats being detected every day and exploits growing in complexity. A sandboxing solution may attempt to segregate Enterprise data; however, it does nothing to protect a mobile device against malicious applications that are installed by the end-user, which is the most common means of infection. Spyware and Premium SMS Trojans are the most frequent infectors. Spyware can listen in on phone conversations, track the device, listen in on conversations taking place in the area, etc., while SMS Trojans clandestinely send messages that will be charged to the device account. Sandboxing will do nothing to address these threats to the overall device.

 

Direct Attack – Just as interfaces and services on laptops and desktops can be attacked, mobile devices can also be attacked, commonly using malicious and spam SMS messages. Sandboxing will do nothing to address these threats to the overall device.

 

Data Communication Interception – Virtually every smart device comes Wi-Fi enabled, and performance gives the user an incentive to connect over Wi-Fi networks for a premium experience. Unfortunately, the same Wi-Fi sniffing, Evil Twin, etc. exploits apply to mobile devices. While Sandboxing and Virtualization solutions commonly include encryption, it is important to note that many functions performed by the user will be performed outside of the sandbox and are therefore not afforded that limited protection. If a user has an iPad, they are going to want to use the robust functionality of the Safari browser, not a stripped-down, mock-up browser in a Sandbox. Therefore, Sandboxing will provide limited protection against this threat vector.

 

Loss and Theft – The ultra-mobile nature of smart devices certainly makes them prone to loss or theft. This is where the argument for a Sandbox has merit, in that the Enterprise data would be encrypted or wiped if lost or stolen. The primary question being raised, however, is whether or not it’s necessary to include yet another layer of encryption on a device such as an iPad, when encryption already exists and Enterprise e-mail could be easily removed via a number of existing methods. It’s true that Apple’s encryption had issues in the past, though they have taken notable steps to improve it. Perhaps the biggest argument for relying on existing device encryption and means to wipe data, instead of relying on a Sandbox as an overlay, concerns end-user experience. Without question, a user will have a more productive and enjoyable experience using Apple’s existing e-mail and browser clients instead of stripped-down versions in a Sandbox. Sandboxing will provide an extra layer of security, though that value needs to be weighed against the user’s strong desire to use the native capabilities of their device and the need for true and robust endpoint security.
