Banking Mobile Security
With the number of mobile devices deployed shooting up, and with recent news about Android security vulnerabilities and the exposure of more than 100,000 iPad users' personal data raising user awareness about mobile security, opportunities for channel partners to sell mobile protection into customer environments have certainly ripened. That's if these partners and their vendors can target the mobile risks that matter, security experts believe.
The truth is that security vendors have long been proclaiming that mobile malware would soon overwhelm enterprises once mobile devices established critical mass. But, much like end-times prophets who must periodically "update" their projections for the end of the world, these security prognosticators have pushed back the date of the mobile-security apocalypse.
"A few years ago, F-Secure and Sophos were banging the drum; then, it was Symantec, then McAfee, and now Kaspersky," wrote Andrew Jaquith of Forrester Research in a blog post earlier this year. "Not one of these vendors’ predictions have come remotely true, and none of the vendors are making any money (or even selling much product) in this space." Jaquith says that the sheer variety of mobile platforms makes the rapid proliferation of widespread malware much less likely than it was on the PC running the ubiquitous Microsoft platforms.
However, this doesn't mean that the opportunities for channel partners to sell mobile security are limited. In fact, there are certain key niches and verticals that are looking hotter than ever for solution providers that can help customers manage devices and better secure applications.
Some key opportunities and trends make the following markets desirable for the channel:
- Banking mobile security
- Mobile device management
- End-to-end consulting and deployment
- Growing vendor maturity
Let's take a look at each in greater depth.
With so many consumers transitioning to mobile-banking applications, the interest from financial institutions in mobile security is growing. In a report out last week from analyst firm Ovum, industry watcher Graham Titterington noted that the insecurity of mobile devices and the growing computational power of individual devices make the mobile channel a likely risk as an attack vehicle.
"As the ecosystem becomes more diverse, more powerful and complex and more integrated with the IP world," he wrote, "hackers will find ways to attack it and perpetrate fraud. Mobile and Internet banking security communities must work together. Although the means of attack are channel specific, the business level threats are the same.
"As mobile banking services become more powerful, the two channels will move towards being alternative interfaces to a common service. This will create the danger of crossover threats, where weaknesses in one interface may be used to attack the other one."
This will give channel partners a tremendous opportunity to package solutions for financial customers seeking to meet these threats head on. According to Ovum, mobile-security technology areas that will be key for banking include the following:
- user authentication
- malware detection
- end-to-end encryption
- bank-session monitoring
- blocking of suspect connections
- fraud detection for all transactions
Clearly, all of these are similar to the practices already held dear by financial companies for internet banking--the challenge for partners will be to apply them to the mobile space.
Mass mobile-device infections might not be a very real threat today, but the catastrophic breach of data through the careless loss of a device certainly is. According to a survey released in April 2010 conducted by Osterman Research on behalf of Proofpoint, more than one in five U.S. companies investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices in the past 12 months. It turns out that 51 percent of companies are highly concerned about the risk of information leakage via e-mail sent from mobile devices.
Channel partners have a tremendous opportunity to help organizations develop and manage policies around how to deal with lost devices, how users interact with data through their mobile devices and how data is encrypted on those devices.
According to recent survey results, there is room for the mobile-device management market to grow. Most enterprises admit that they have no formalized processes or policies to manage mobile devices in place—however, many have device management penciled in to budgets for the near future.
Conducted by Applied Research on behalf of Symantec, one recent survey showed that only 38 percent of enterprise-class organizations have formal device-security policies in place. However, 33 percent of respondents did say they were moving toward formal policies. For the channel, this means that a good third of your potential enterprise clients are looking to spend money in this area.
One of the biggest problems enterprises and SMBs face from the mobile revolution is the complexity it brings to bear for both IT operations and IT security. Not too long ago, businesses could simply require their users to only use one or two approved and company-owned devices (usually a BlackBerry) and develop a sound security strategy based on that simple deployment scenario.
But cultural and economic factors have come to bear, bursting the bubble of many an in-house IT guru. Whether they like it or not, enterprises must cater to dozens of devices on numerous platforms, many of them owned by the employee. According to Forrester Research, the number of smartphone devices within the enterprise is expected to triple.
With diminished resources and often few mobile experts within their ranks, IT departments crave a solution provider that can swoop in and deal with the mobile-device dilemma with a one-stop-shopping service and product. Partners that can meet that need stand to do very well.
"There's no single vendor offering a complete solution that encompasses all of the different endpoints that exist today in an enterprise, from servers to PCs to laptops to cell phones," says Ran Ish-Shalom, vice president of business development for Onset Technology, a mobile communications security vendor. "VARs [can] act as integrators to make sure that solutions from various vendors can actually work together and provide a unified approach for the different endpoints."
One of the last and most important factors that will help channel partners' success in the mobile-security market is the fact that partnering vendors are starting to move past the vaporware stage of product development and are making acquisitions that allow them to offer the right mix of solutions and support necessary to help the channel grow in this area.
For example, Symantec last month announced its Norton Everywhere program, a multi-faceted effort to move security beyond the PC. Included in that announcement was the following:
- a new mobile-device security program for Google Android that includes functionalities such as remote wipe and remote data lockout, malicious application blocking and even call screening
- a cloud-based secure storage option for accessing data via Android or iPhone
- a new secure DNS functionality that filters dangerous content for a range of devices, most notably smartphones and the iPad
Meanwhile, McAfee announced in June the acquisition of Trust Digital, an enterprise mobility-management and mobile-security software developer. McAfee execs say the Trust Digital portfolio will be fully integrated into ePolicy Orchestrator, giving partners a way to extend ePO across smartphones, thus simplifying the enforcement of mobile-security policies.
And even as the big security players make strides, a spate of smaller software developers, such as Lookout, are cropping up to bring a new generation of free utilities to the market that some channel partners--particularly those that cater to SMB and mid-market customers--can start leveraging to deliver value-added, comprehensive mobile services. Lookout, for example, offers a free mobile-security solution with remote wipe and lockout, antivirus, data backup and, most important, over-the-air device management.