How Mobile Devices and Cloud Computing Changed Security

Prior to the advent of mobile computing, security was limited to corporate IT assets that were often physically secured in facilities owned and managed by the company. According to a recent SANS Institute study, organizations spend as much as 12 percent of their IT budget on security.

In a Ponemon Institute study, it was found that organizations have a 27.7 percent probability of having a material data breach in the next 24 months at an average cost of $3.62M.

Meanwhile, the world of computing has changed. Security is not just about physically secure data centers and corporate controlled computing assets. Instead, end users have gone mobile, connecting to cloud enabled services, often with their own personal devices. And with the rise of the Internet of Things, there will be billions of connected computing devices on the planet in the next several years.

The primary consequences of applications getting hacked include financial loss, destroyed brand reputation, exposure to liability, and regulatory risk. Over 7 billion identities have been stolen in data breaches over the last eight years equal to one data breach for every person on the planet. Meanwhile, mobile’s rapid expansion has introduced a complicated and potentially hostile environment that is difficult to manage and protect.

64 percent of security practitioners said they were very concerned about the use of insecure mobile applications in the workplace with an average of 472 mobile applications reported as actively used in organizations.

Prior to the advent of mobile computing, security was limited to corporate IT assets that were often physically secured in facilities owned and managed by the company, on a network behind a managed firewall, and possibly in a datacenter with multi-factor access, physical security, and armed guards. Because the company owned those assets, they were able to dictate what applications could run on those machines, and actively manage and monitor them, providing the latest patches, endpoint security, and other controls dictated by corporate IT. Assets located in such places were implicitly trusted.

Today, the situation has changed. Mobile devices dominate the market, often as the primary or only way users access the Internet and the many cloud services available. These devices also have very little, if any, physical security. It is a well-worn path hackers use to access such devices to reverse engineer or tamper with the applications running on them, often through rooting, jailbreaking or hoodwinking the user.

This shift has created all sorts of new business models to take advantage of the popularity of mobile devices.

These new business models come with new security problems:

• New forms of payment using near field communications (NFC) on mobile devices are becoming popular in recent years. These applications require that credentials to authenticate users must be stored on the device. If those credentials are compromised, then a hacker can execute fraudulent transactions.
• Mobile devices are being used in the automotive industry to enable remote parking from your smartphone. A compromise of the device could pose a serious safety risk.
• In healthcare, patients are using mobile devices to manage sensitive information collected from various devices ranging from fitness monitors to blood glucose monitors to improve care and create data driven treatment options. A compromise of such a device can lead to a loss of privacy and sensitive information. Or even worse, if a device is hacked, it could potentially lead to life-threatening consequences for the patient.

Internet of Things

By 2025, the total global worth of IoT technology will reach USD 6.2 trillion with the most value coming from health care devices (USD 2.5 trillion) and manufacturing (USD 2.3 trillion). Meanwhile, we see a persistent lack of IoT security investment with 67 percent of medical device makers expecting an attack on their devices while only 17 percent taking measures to prevent an attack. These numbers are staggering when you consider U.S. hospitals have an average of 10 to 15 connected devices per bed with some hospitals registering 5,000 beds — totaling 50,000 connected devices per hospital.

Furthermore, traditional security solutions do not port well to the IoT world, due to differences in system architectures and resource constraints. Therefore, IoT security solutions have not evolved enough and are prone to numerous vulnerabilities.