Ask the typical Enterprise about their strategy for mobile security and you will likely hear references to sandboxing Enterprise data. As you may know, sandboxing is the creation of a container on a mobile device to separate Enterprise data from personal data, consisting of a special e-mail client and sometimes an Internet browser. Last night, I participated in a panel discussion at the Stevens Institute of Technology in New Jersey and a related question was asked by an audience member: “Doesn’t sandboxing address the security threats to mobile devices?” This question is best answered by looking at the categorical threats to mobile devices and where sandboxing can provide value.
Mobile Device Threats
Malware – There’s no question the time for mobile Malware has come, with threats being detected every day and exploits growing in complexity. A sandboxing solution may attempt to segregate Enterprise data; however, it does nothing to protect a mobile device against malicious applications that are installed by the end-user, which is the most common means of infection. Spyware and Premium SMS Trojans are the most frequent infectors, with Spyware being able to listen in on phone conversations, track the device, listen in on conversations taking place in the area, etc., and SMS Trojans clandestinely sending messages that will be charged to the device account. Sandboxing will do nothing to address these threats to the overall device.
Direct Attack – Similar to attacking interfaces and services on laptops and desktops, mobile devices can also be attacked, commonly using Malicious and Spam SMS messages. Sandboxing will do nothing to address these threats to the overall device.
Data Communication Interception – Virtually every smart device comes Wi-Fi enabled and the user is incented by performance to connect over Wi-Fi networks for a premium experience. Unfortunately, the same Wi-Fi sniffing, Evil Twin and similar exploits apply to mobile devices. While Sandboxing and Virtualization solutions commonly include encryption, it is important to note that many functions performed by the user will be performed outside of the sandbox and are therefore not afforded that limited protection. If a user has an iPad, they are going to want to use the robust functionality of the Safari browser, not a stripped-down, mock-up browser in a Sandbox. Therefore, Sandboxing will provide limited protection against this threat vector.
Loss and Theft – The ultra-mobile nature of smart devices certainly makes them prone to loss or theft. This is where the argument for a Sandbox has merit, in that the Enterprise data would be encrypted or wiped if lost or stolen. The primary question being raised, however, is whether or not it’s necessary to include yet another layer of encryption on a device such as an iPad, when encryption already exists and Enterprise E-mail could be easily removed via a number of existing methods. It’s true that Apple’s encryption had issues in the past, though they have taken notable steps to improve it. Perhaps the biggest argument for relying on existing device encryption and means to wipe data, instead of relying on a Sandbox as an overlay, is end-user experience. Without question, a user will have a more productive and enjoyable experience using Apple’s existing e-mail and browser clients instead of stripped-down versions in a Sandbox. Sandboxing will provide an extra layer of security, though that value needs to be weighed against the user’s strong desire to use the native capabilities of their device and the need for true and robust endpoint security.