Highlights from Zimperium’s Customer Panel at the Gartner Security & Risk Summit
As the global leader in mobile security, Zimperium is proud of the companies and governments that trust us to protect their mobile endpoints and applications. Our customers are not only well-known for their brands, they are recognized as some of the most sophisticated and knowledgeable security organizations in the world.
I recently had the pleasure of moderating a panel with a few Zimperium customers during the annual Gartner Security & Risk Management Summit. It was an interactive and educational session for anyone implementing and prioritizing mobile security. For security professionals that were not able to attend the session, I wanted to share the Top 10 key points made by your peers.
Before outlining the panelists’ key observations and recommendations, it is helpful to understand the focus of the session, as well as the presenters themselves.
JPMC, TikTok, Danaher & Medtronic: How we secured mobile endpoints & apps
Mobile-enabled transformation initiatives (e.g., BYOD, mobile apps) are exposing organizations to new threats including mobile phishing, malware and exploits like Pegasus.
Mobile security (a.k.a., MTD) is a must, but what do CISOs need to know about implementing it to protect endpoints and apps? Please join your peers as they explain what drove them to prioritize MTD, what they learned during their implementations and what obstacles they needed to overcome (e.g., protecting privacy on personal devices of employees and citizens).
|John Rouse||JP Morgan Chase||Vice President||Security Architect for consumer mobile banking; leads mobile security for JPMC|
|Elizabeth Gossell||Danaher||Director, Cyber Security Architecture||Principal Security architect; designs, launches & operates security services on behalf of Danaher’s worldwide community|
|Eric Green||TikTok||Cybersecurity Engineering||Last 11 years, focused on mobile security, including head of mobile & Mac security for HSBC. At Tiktok, Windows security has been added to the mix of responsibilities|
|Mehmet Tumer||Medtronic||Distinguished Engineer||Distinguished engineer in diabetes business unit, responsible for product security activities|
Rather than extrapolate too much myself, I thought it would be most helpful to recap the experts’ actual responses and thoughts around the key points they felt were most important for their peers to know, e.g.,
- Mobile threats are absolutely real and business impacting;
- Enterprises that don’t address mobile risks on endpoints have a huge security gap;
- Every mobile app released creates a new attack surface that must be addressed;
- Most organizations do not understand nuances of mobile endpoints and apps;
- Regardless of ownership, mobile devices need to be treated as hostile environments;
- There is a movement towards Zero Trust / mobile application management (MAM) and away from complete mobile device management;
- Securing mobile devices accessing Office 365, especially on personal devices, is a critical business imperative;
- Mobile security efforts must protect end user privacy;
- Mobile app protection must include security concepts from the very beginning; and
- Mobile security vendors and solutions should be selected based on their ability to adapt to changes over time, not just at the start.
#1. Mobile Attacks Are “Very Real”
Even though stories of mobile attacks are in the news on a daily basis (e.g., Pegasus at the U.S. State Department, PhoneSpy, GriftHorse and the list goes on), the panelists felt compelled to emphasize the depth and width of the threat. Make no mistake about it, they said, mobile threats are absolutely real and increasing. And they want their peers to know about it.
“Attacks are real. They are not just something security people talk about. It’s not fear mongering in the news. The attacks that occur on mobile devices and in mobile apps are very real and can be incredibly business impacting, especially to leaders in companies who have privileged access to corporate data. And don’t forget that executive assistants are also highly vulnerable to these types of attacks. Bottom line is that mobile attacks can truly impact our ability to function as a business.” – Elizabeth Gossell
#2. Mobile Endpoints are a “Huge Security Gap”
In many organizations, mobile endpoints are woefully unprotected compared to traditional endpoints. In addition to reinforcing the reality and volume of mobile attacks, the panelists all agreed that increasing mobile security prioritization/funding requires demonstrating that many traditional endpoint security controls are missing on mobile endpoints.
“A lot of the protections you assume an employee has on their devices are not there on mobile and need to be compensated for. Get a list of the protections on a desktop computer and then see how many are missing for the mobile devices. Then show the executive team the delta to demonstrate the gap in security coverage and talk about how you fill in those gaps. Also, point out that mobile devices are almost always outside the corporate firewall. It’s on some other network who knows where it is being used at all hours day and night.” – John Rouse
“Showing the security gap on mobile is incredibly important. Device integrity is critical to us. Rooted or jailbroken devices are really bad and need to be addressed. None of this would be allowed on traditional devices.” – Eric Green
#3. Every New Mobile App “Creates a New Attack Surface”
The panelists all agreed that mobile apps are critical to business today… and that they bring new risks that must be addressed. Misconfigured mobile apps create vulnerabilities in development, unprotected code and keys provide attackers direct access to data and compromised consumer mobile devices provide further exposure. All of these vectors must be addressed.
“Every time you create a new mobile app, you’re creating a new attack surface. If this is a BYOD application, you’re also creating an attack surface for the employees’ devices. You have to concentrate on your app, and make sure it’s operating securely in a hostile environment.” – Mehmet Tumer
“When we coach our associate who are developing apps, we liken it to a security onion- you only control so many layers of the security onion. Verify that the security is working the way you expect it to, and then make sure the app can self-terminate if it’s operating in a hostile environment. You can only do that if you have runtime awareness to actually tell you it is a hostile environment.” – Elizabeth Gossell
#4. Organizations “Don’t Understand Mobile”
Most security and IT professionals do not have experience with mobile. In order to get organizations to not only prioritize mobile security, but to effectively implement it, security teams need to educate and include the relevant stakeholders early and often.
“A lot of the IT and security teams are associated with backend technology like UNIX servers. Mobile apps and devices look very strange to them. You must make sure to educate and engage everyone as early and often as possible.” – John Rouse
“The main problem in mobile is that most people do not understand how these devices work, and how security tooling works. You need to educate the right people about what they need to know. You need to know who all of the stakeholders are and go partner with everybody.” – Eric Green
“When we started, we acknowledged that phones are treated with a diff level of concern than a laptop. People have a lot of protective emotions tied to their phone; even if it’s a corporate issued device, there may be photos of their kids, etc. We partnered with our change management team and treated the whole mobile security project more like an organizational change. It helped to manage concerns and fear from the end user- that quickly became clear as the priority.” – Elizabeth Gossell
#5. Mobile Endpoints Need to be Treated “As Hostile Environments”
Regardless of ownership (corporate or personal/BYO), mobile devices need to be treated as hostile environments. Mobile devices spend the majority of the time outside of protected networks and are in the hands of users that are not security experts.
“We didn’t have a way to determine whether a device was personal or corporate managed- they just look like phones. We can’t tell them apart. We had to make the assumption that all devices were personal. The Zimperium platform has allowed us to provide our associates with more freedom, less administrative overhead, and more security than they’ve had before. This really hits all the goals of a user-friendly security program.” – Elizabeth Gossell
“Most of our apps are created for a BYO/consumer environment, which means they should be considered operating in a hostile environment.” – Mehmet Tumer
#6. More Zero Trust & Less Device Management
There was an interesting discussion (that was actually continued in the most recent Zimperium Customer Advisory meeting, stay tuned for those observations soon too) around the movement towards Zero Trust / application access policies via mobile application management (MAM) rather than complete mobile device management.
“With Mobile Threat Detection and a risk-aware enforcement platform, you don’t need to manage or control the devices themselves. We took the route that we would not go with an MDM, only application protection policies. Now the only limiting factor for our people is if their device is supported. We now retain the same risk-mitigation level that previously would have required fully-managed devices, configuration policies, and MAM.” – Elizabeth Gossell
“You start with the notion that everyone has bad stuff on their personal devices. You need to implement security and policy control. MDM is a necessary evil to do asset management on managed devices, but you need security too. That is where MTD comes in. And now, everyone is starting to use MAM to protect data without impacting privacy.” – Eric Green
#7. Don’t Enable O365 on Mobile without Mobile Threat Defense.
The panelists all reinforced that mobile security enables critical business initiatives like BYOD, remote work and specifically providing access to Office 365. But they also strongly cautioned that enabling that access without mobile threat defense was dangerous, at a minimum.
“Simply put, do not roll out O365 on mobile without MTD. It is that simple. Think about all of the corporate data sitting in Outlook or being discussed in Teams on mobile endpoints. Would you enable that amount of exposure on any other platform without protection? Never.” – Eric Green
“We’ve been an O365 shop since it came out. Mobile devices are a lifeline to company data, including that housed within O365. The Zimperium platform has allowed us to protect O365 and other apps and provide our associates with more freedom, less administrative overhead, and more security than they’ve had before. This really hits all the goals of a user-friendly security program.” – Elizabeth Gossell
#8. Mobile Security Approaches Must “Protect Privacy Too”
Regardless of whether mobile devices are corporate or personally owned (BYOD), users feel like they are personal. Unlike traditional endpoints, mobile security solutions must protect privacy at the same time they protect data. This requires a different mindset and architectural approach (including on-device detection abilities rather than sending a lot of data to the cloud).
“A lot of the vendors we spoke with were just focused on securing the corporate, managed device. We found with the BYOD space, it ends up looking like the customer space. You can’t just take control of the phone, you have to monitor it without violating privacy.” – John Rouse
“Before you build something out, you need to address the privacy concerns.” – Eric Green
#9. Mobile App Protection Includes “Security Concepts from the Very Beginning”
Securing the entire mobile DevSecOps journey is critical, according to the panelists. While it was expressed across the board, mobile-enabled medical apps took on a special urgency.
“We protect medical devices, including those connected to mobile applications. Securing these apps is critical because lives are on the line. The solution is to have a strong process and design for security – including security concepts – in the very beginning. In that way, you can maximize protection and minimize any impacts.” – Mehmet Tumer
#10. Select Mobile Security Vendors for the Ability to Adapt Over Time
The panelists also recognized the critical importance of having a mobile security vendor (and solution) that accounted for the many changes that continue to occur on mobile platforms and operating systems. Rather than simply focus on a vendor that can check a box today, the panelists urged their peers to make sure their MTD vendor is purpose built for the task.
“Velocity of change in the mobile space is increasing. Every year Apple comes out with a new version of the OS, Android does the same. Pick a mobile security vendor that will be ready for new versions every year. Application quality and stability over time are also critically important.” – John Rouse
“Be mindful of the change down the pipeline. Don’t be afraid to challenge your potential vendors to make sure they’ll be capable of adapting to what will be coming in the future. A good vendor should be your partner too.” – Eric Green
Zimperium provides the only mobile security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from applications to endpoints, Zimperium is the only solution to provide on-device mobile threat defense to protect growing and evolving mobile environments. For more information or to schedule a demo, contact us today.