This is the first post in a two-part series about security. In this post, I tackle the issue of responsibility. In Part II, we’ll explore some things that developers need to know to help them write secure apps.
I sat on a panel recently at Sprint’s Open Solutions Conference in San Jose titled “Consumer Application Security for Developers”. Sexy topics like application security rarely pack a session hall at any conference and this was no exception. However, the attendance was much higher than I expected (about 30 people) and the discussion was very lively and interactive. It was immediately clear to me that developers (perhaps as consumers themselves) are thinking more about security than they had in the past. This is a good thing.
Whose Problem is Security?
One of the first questions that came up in the panel was “Whose Problem Is Security?” Our moderator suggested a number of potential “owners” for this problem and posed the question to his panel. Is it the carrier’s problem? How about the Handset OEM? The OS? Your Employer’s IT Admin? The App Developer? The Consumer? As you can see, there are a lot of parties to point fingers at when something goes awry.
I couldn’t help but jump on this one first. The answer is obvious: Security is everyone’s responsibility. Each player in the mobile device value chain is responsible for providing a secure environment over the part they control. At its most fundamental level, security is about protecting valuable assets from those who seek to steal or exploit them. You wouldn’t leave your house in the morning without locking the door, right? Even greater diligence is required in the digital world because the value can be greater, and the thieves are invisible.
Security is everyone’s responsibility
The Carrier: The carrier is responsible for providing a network that is secure from being attacked, snooped, or otherwise compromised. As carriers reduce their investments in their own app catalogs, their responsibility for app security lessens, but their responsibility for cellular and data network integrity remains.
The Device: The device’s operating system (OS) is at the center of security. The OS’s responsibility is to provide a secure environment for all applications, services, data storage, and network connectivity. The OS is responsible for handling permissions and defending against viruses and malware. Attackers primarily seek to exploit weaknesses in the OS or in its core applications such as web browsers. This is why it’s so important to design security into the OS when it’s being architected and built. Platform providers that offer App Stores have an additional responsibility to ensure that the apps they stock in their stores are safe from malware and abuse like piracy. It should be no surprise to anyone that RIM takes the issues of security very seriously.
The IT Administrator: The number one responsibility of IT at any high-tech company is protecting the company’s Intellectual Property (IP); it’s like the crown jewels of the company’s value. In a world where IT administrators directly managed the mobile devices that had access to the company’s jewels, their ability to protect them was pretty clear. However, with today’s BYOD trend, their ability to protect the company’s assets and IP has become less clear. Only RIM has addressed this uncertainty and given control back to IT administrators and CIOs with its BlackBerry Mobile Fusion (IT’s MDM Portal) and BlackBerry Balance (the client-side partitioning, controlled by a simple gesture). With these products and services, IT administrators can enforce corporate security policies and manage remote devices with confidence.
The App Developer: App developers have a responsibility too. It’s their job to build an application that can’t be exploited by attackers and protects sensitive information that the user provides. Strong operating systems provide many mechanisms for app developers to ensure their app isn’t the “unlocked window” that gains access to someone’s identity or bank account. App developers need to think about security as an end-to-end problem. This includes making secure network connections, encrypting local data on the device, and ensuring servers with sensitive customer data are adequately protected from attack.
The Consumer: Consumers need to be mindful as well. Use device passwords (and not “1234”) and, perhaps most important of all, be suspicious of applications asking for permissions to access files, social networks, and your contact list. RIM offers a great product for consumers called BlackBerry Protect that helps keep the information on your device backed up and secure should your device get lost or stolen. BlackBerry Protect also allows you to wipe all the data off your device remotely as well as display an alert message on the home screen should you lose your BlackBerry.
Why is BlackBerry 10 so secure?
BlackBerry 10, RIM’s upcoming mobile computing platform set to launch on January 30th, 2013, is built on QNX’s Real-Time Operating System. Sebastien Marineau, VP of OS Platforms at RIM, wrote a great article recently titled “How BlackBerry 10 avoids Android’s Security Issues”. In the article, Sebastien notes that the QNX RTOS has approximately 100,000 lines of code whereas a standard Linux implementation is around 14 million lines of code. QNX is 1% the size of Linux. When it comes to security, the fewer places where bugs and security exploits can hide, the better! Because QNX is so tight, and because it’s been designed with security in mind from day 1, it’s extremely hard to break in.
In addition, BlackBerry 10 includes BlackBerry Balance: a new, unique, and innovative capability that allows consumers to enjoy the full range of both a personal mobile device and a secure, encrypted work device without compromising on either one. No other mobile device can do this. With one simple gesture, the user can switch the device from “Personal” mode (wide open with all their apps, music, media, etc.) to “Work” mode (fully secure as if on your work’s VPN). Using BlackBerry Mobile Fusion, IT Administrators can manage their company’s devices remotely and securely (including Android and iOS devices!).
What's next?
In this blog post, we explored the responsibility of security: who owns what piece and why it’s so important. My next post on this topic, titled “Application Security Part II: What Should App Developers Do?”, will explore different things developers can do to make sure they’re writing solid, high-quality, secure mobile applications.