Who's Keeping Tabs on Tablet Security?
Forget the notebook, the netbook or the laptop; this is going to be the year of the tablet. Corporations from Salesforce.com to Mercedes-Benz and JPMorgan Chase have started equipping their executives with iPads. Meanwhile, a slew of new Android and Windows tablets have been taking the spotlight at CES this week, bolstering Gartner's prediction that media tablets and next-generation smartphones will increasingly eat into PC sales.
Consumer demand for media tablets has been building as well -- 17 percent of iPad owners have two or more tablet devices, according to a survey conducted by YouGov. In fact, it's consumer demand that is driving the adoption of the iPad -- which so far has been the only tablet in play in decent quantities -- in the enterprise.
At the same time, security vendors have warned that mobile malware is on the rise, and they expect a wave of mobile malware attacks to hit devices this year.
"We will see cybercriminals successfully use mobile drive-by download attacks to steal confidential data and expose users to malicious content," Dave Meizlik, director of product marketing at Websense, told LinuxInsider. "Many of 2011's attacks will exploit mobile Web browsers in the iPad and Android-based devices."
The growing adoption of iPads in the enterprise suggests that tablets may constitute a security threat. After all, they will increasingly hold sensitive corporate data. Given that these devices are more like PCs than smartphones, in that they have more power and capabilities, will vendors need to come up with new security approaches? Are there any solutions currently available that offer adequate protection?
Blame It on the Darned Consumer
The first really popular media tablet was the iPad, and it was targeted at the consumer market. Now consumers are getting their hands on an assortment of media tablets running Android. That consumer focus impacts security, contends Torsten George, vice president of worldwide marketing at Agiliance.
"Because these first tablets are driven by the consumer industry rather than business users, they're more focused on usability and screen design than business requirements," George told LinuxInsider.
This doesn't mean that usability and good screen design are incompatible with business requirements such as security; what it does mean is that manufacturers didn't think about security when designing the tablets.
Looking at Media Tablet Security
Media tablets like the iPad and Android tablets are consumption devices. They're a different kettle of fish from the business tablets running Windows CE, which have been around for some time. Those are robust enterprise devices often seen in vertical markets such as engineering, industry, warehousing and the health industry.
The operating systems of media tablets are scaled-up versions of smartphone OSes, so security apps for one should work for the other, Adam Powers, chief technology officer at Lancope, pointed out.
However, there aren't too many security solutions for smartphones on the market now, Powers told LinuxInsider.
Given that we've already seen some malware created for the iPhone and for Android phones, and that security vendors expect more mobile malware to emerge this year, shouldn't they be scrambling to provide security solutions for mobile operating systems?
"Security is always event-driven, and thus far we've seen very few threats that warrant the performance impact that third-party security software would bring to these devices," Powers said.
Limitations to Implementing Security
Security vendors need to know a threat will affect enough people that developing a defense will be worthwhile. They're businesses, and they have to make money.
"There are significant development costs to write security products for new operating systems -- and until there is a significant malware problem, not many companies are going to invest in developing a product that is not likely to generate sales in the near future," explained Randy Abrams, director of technical education at ESET.
Further, antimalware applications will drain the already limited resources of mobile devices -- just think of how long an antivirus scan takes on your PC and ask yourself if you're willing to put up with anything like that kind of delay on your tablet.
"The smartphone and tablet operating environments have limited processor, battery and memory footprint available," Lancope's Powers pointed out.
Adding a layer of antivirus-like software would diminish these devices' performance, and "most users simply won't tolerate that when they see little if any return," Powers explained.
Eventually, security vendors will have security products for tablets, but these will focus on features such as remote wiping and filtering, to minimize resource consumption, ESET's Abrams told LinuxInsider.
Securing the Tablet User
Media tablets in the enterprise can be secured through the usual enterprise security infrastructure, with some modifications.
"It's important that organizations set security policies that reduce the risk of mobile threats but still enable employees to be productive," Websense's Meizlik pointed out.
However, traditional security approaches, which rely heavily on device-based security, are inadequate against sophisticated attacks, he said.
"A lot of the legacy controls in use in the modern enterprise -- such as antivirus, reputation filtering and so on -- are inadequate to meet today's threats, whether they're on a PC or a mobile device," Meizlik remarked.
That requires organizations to update their core enterprise security and figure out how to apply this to their mobile infrastructure, he added.
What about consumers who don't use their devices at work?
Mobile device vendors may come to the rescue, said Agiliance's George. "It's expected that mobile device vendors will offer products that include capabilities such as disk encryption, virtual private network clients, mobile device management, integration with the enterprise infrastructure, and application signing."