Good Mobile Security Should Not Require Some Assembly

If you think about how furniture markets have evolved, you may have noticed some interesting trends. Over time, furniture shifted from something designed as a final product to something that’s been designed in a partially assembled state, thus making it easier to ship to the store. The store’s employees add value by completing the assembly and delivering the finished product to the consumer.

Today’s discount furniture stores go one step further, and do not provide furniture assembly as part of their role in the value chain. The store may put together a sample item, but ultimately, the customer purchases the same disassembled box of parts that the store received from the manufacturer. The end customer is responsible for putting it together to make a working product. These steps make shipping to the end customer easier for the supplier, but they also erode the customer’s expectation of what the manufacturer needs to provide in terms of a finished product. Some assembly required.

These thoughts crossed my mind when I read the article "Enterprise mobility is flailing. Maybe it’s time to drop the do-it-yourself approach" in GigaOM. It’s an interesting perspective on the state of mobile security, which basically drives home the fact that we are seeing a slew of point products being created for the mobile market, with no regard for how they should work together with one another. In other words, some assembly required.

Rolling your own solution, however, rarely produces the protection one needs, nor the manageability that one desires. This approach is delivering more failure than success, so let's talk about why.

The other approach cited by the article is designing security around the proprietary app that it protects. I foresee this to be a shortsighted approach as well, because the applications that organizations need aren’t necessarily going to be the ones that come wrinkle-free and ready-to-wear. Indeed, the applications that many organizations need are going to be custom built for that particular business. As the survey within the article notes, most organizations are barely getting e-mail secured (perhaps the most basic use case for mobile security), and yet there’s an example of a company that has 150 additional apps that need to be secured as well. Any solution that centers upon a small handful of apps will only satisfy a small handful of requirements.

One of the things we sought to do when we developed our mobile security solution GlobalProtect was to architect security around the mobile use case first. Instead of simply packaging together the ingredient technologies, we thought about how to best apply them together to address the needs of mobile apps and to stop mobile threats. GlobalProtect is specifically designed to manage the device, protect the device and control the data.

For example, the need to identify and stop malware requires both an element of detection (to identify infected devices) and prevention (to stop other devices from becoming infected as well). GlobalProtect satisfies these requirements by incorporating the state of the device (and knowledge of the apps installed) together with information about malware that comes from WildFire. Furthermore, the traffic that reaches the mobile device benefits from threat prevention using the same WildFire intelligence. Doing so requires a combination of device management, network policy and threat prevention, but it goes far beyond the individual point products, blending their functions together to deliver the required security.

Perhaps one of the clearest examples of the architecture designed around next-generation security principles lies within the enforcement and delivery of security as expressed through the policy engine. Policy is the essential tool for driving security decisions and controls, and yet policy is typically fractured when using a combination of mobile security point products. GlobalProtect, on the other hand, is built upon driving the security policy decisions specifically using the criteria of users, devices, mobile apps and mobile threats. As a result, there are no questions about which applications particular users can access from a particular device. There are no gaps in the enforcement of such policy decisions.

If you are interested in taking a new look at mobile security, visit our GlobalProtect resource page. And did you read the GigaOM article? Leave a comment and let us know what you’re thinking about the state of mobile security today.