(UPDATED) Interview: Sumit Bansal, SOPHOS
[[Interview: Sumit Bansal, SOPHOS – part 1]]
If 2012 was the year of worrying about BYOD (Bring Your Own Device), asking what to do about it and looking for solutions out there, this year is the year that practical solutions have come into play. Sophos is one of the security software vendors which has released products for both consumer and corporate users to address device management issues related to BYOD.
Q. What’s the current threat landscape like?
On the PC (desktops and notebooks) side, three years ago, we used to sample around 1000 malware a day. In 3 years, that has risen to 250,000 on a single day. On mobiles, we are seeing 1000 Android malware a day so if you can imagine what we will probably see in 3 years’ time, it will probably follow a similar pattern.
If you look at what’s happening in the industry, PC vendors like HP, Dell, etc. are all talking about a decline in PC sales. Everyone seems to be jumping on the tablet bandwagon. For the first time in 10 years, there was actually a dip of 20% in PC sales and now there’s an explosion of these mobile devices, so much so that even Microsoft has jumped into this game with their Surface tablets. The reason for that is you can now have mobile access to your corporate applications that run your business. For example, I can go to Salesforce.com and see what we have sold today across the region by country, how many orders were booked, which deals we’ve closed, pending deals and even what’s in the pipeline. For a sales manager, that’s critical as it shows the health of my business. Other people have other applications which they can access anytime, anywhere to do their job.
However, with that capability comes the issue of malware threats. So how does an organisation protect their corporate content or data? The answer is the same as you would on a laptop or desktop.
Q. Why has BYOD become so popular suddenly?
First of all, being able to access business applications remotely makes a user more productive. Secondly, companies want to save money; instead of buying hundreds of devices for their employees which would probably only be used for corporate activities, e.g. making phone calls or accessing limited applications, BYOD allows employees to use their own personal devices to do the same thing. So companies get to save money, while employees get to choose their own preferred device.
Q. What are the greatest concerns regarding BYOD?
There are many benefits to BYOD. However, it also presents a very challenging scenario to businesses. If I lost my device, there are a lot of confidential data on it – emails, documents and applications that can fall into the wrong hands. A lot of businesses are grappling with these issues, because they are not confident that if they allow their employees to bring their own devices, that they will be able to control and manage these devices to prevent the loss of confidential data.
In addition, apps are getting more sophisticated. For example, you can now access mobile banking through Facebook, so if you have an app which is downloaded and has been compromised, you will be vulnerable and open to threats.
Sophos Mobile Control (SMC) which was initially launched a few years ago, allows companies to manage these devices, including the content that is installed on them. If a device is lost, the data on it can be remotely wiped. That allows companies to be flexible with their employees; they can allow all these personal devices to be brought in and used, but all the corporate content will be safe. Our customers can be confident that they are in control of all their corporate information.
Q. Until now, you have been mentioning mostly Android malware but recently, Google’s Eric Schmidt claimed that Android is more secure than iOS. What’s your opinion on this?
Well, when I got my iPhone, it was already encrypted – anything I save on it is automatically encrypted. For Android, I had to download an encryption software to encrypt the phone’s contents as well as its memory card. So the iPhone is inherently more secure from the start. Secondly, the bigger threat is actually the app store. Apple has very tight controls on the apps in their store; every app is scanned and analyzed before being made available. Google also does that for their Play store, but the problem is that Android users often download from other unauthorised app stores as well. And the fact is, some of these apps do have malware. So you could say that iOS is more secure as it is harder to download malware, except if the device is jailbroken.
One of our customers is a TV manufacturer and they install Sophos’ software on their Android-powered Smart TVs which are essentially giant tablets. Apps which users want to install on their TVs will first be scanned for malware. In addition, they also use Sophos to vet through apps before they’re made available on the company’s app store, so there are two layers of protection. Therefore, those who run their own app store should make sure their apps are free of malware, but in reality, not everyone bothers.
Q. So in these cases, how do you prevent malicious apps from getting into devices?
Sophos’ SMC can detect jailbroken iPhones or rooted Android devices, so if there’s a policy against such practices, you can even wipe these devices and prevent them from accessing network resources. Of course, less drastic measures would include locking them or just denying them access to the network.
We can also detect if users have allowed the installation of apps from third-party or unauthorised app stores. So if these devices try to hop onto the corporate network, administrators can lock them out.
Q. How do you ensure that your users’ devices are secure at all times?
My company’s policy is such that if a device has not been scanned for 24 hours, it won’t allow any network traffic until a scan is performed. Administrators can also remotely initiate the scan, so by doing that, we can ensure that each device is up-to-date, as far as malware protection is concerned. Companies can set their security policies in a very detailed manner. You can have web policies which limits access to certain whitelisted sites or block access via a blacklist. Having said that, policies must be balanced, because if you’re too restrictive, an employee who is using his or her own device may not be able to use their device the way they want to. So they may end up not wanting the company to manage their device.
Q. When speaking to companies, how do you advise them to start thinking of having BYOD policies?
Actually, even if you only have 5 employees, you should have security policies. Even emails must be secured as they often contain company confidential data such as purchase orders, price lists, etc. Most employees in small businesses are already using their own devices for work purposes so this is extremely important. Some small companies have very tight control over their PCs, but little or no control over mobile devices. So my question to them is if they’re using phones to access documents, why would they not apply the same strict policies as their desktops?
Sometimes it boils down to their confidence; they’re just not confident that they can manage their BYOD devices properly. That’s where we come in with our solutions. We can provide them with all the necessary tools to secure their computers and mobile devices.
Continued in part 2…
[[Interview: Sumit Bansal, SOPHOS – part 2]]
Q. How has mobile computing changed the face of information security and privacy?
As you know, users can now do a lot of things on their mobiles. Personally, I travel a lot, so I frequently use mobile banking to pay my utility bills. If you’re at the airport and need to get online, you will most likely be using a free WiFi service. There are lots of tools which you can download from the Internet that scans all the WiFi-enabled devices in a certain area which will reveal a lot of information. For example, where a user is from, where they have been, what restaurants they’ve visited, which hotel they are staying at. So you can actually profile a person whose device you’ve scanned.
Companies like Cisco and Aruba who sell wireless network equipment recently acquired technology to perform customer profiling. So if you walk into a shopping mall and use their free WiFi, they will be able to capture your email address which you used to log in to their free WiFi service. Then they can scan and see what searches you’ve performed on Google for the last 24 hours. If you’ve been looking for, say spectacles, they will start pushing ads for those products to you.
Q. So what can users do to protect their privacy?
Well, on our Naked Security blog, we have a list of top ten “common sense” things that users can do to protect themselves. You can find the blog at http://nakedsecurity.sophos.com/ and the article can be found here.
Just to give you an example, 96% of users who lose their smartphones don’t even have a simple password to protect their data. We highly recommend that all phones should be locked automatically, so if should you lose your phone, your data will be safe. Also, users should install a security suite to scan their files and downloads. Speaking of downloads, users should only use the approved app stores; Google and Apple perform a lot of scrutiny on apps before they are released on their app stores.
Q. But there have been instances of malware released on Google’s official Play store!
Yes, there have been some isolated cases, but maybe Google was lax and some may have slipped past their checks. In this regard, Apple is much more secure because they are generally a lot more thorough in their scrutiny.
Q. Why is it that users often let their guard down when it comes to Facebook apps? Why don’t they pay more attention to app permissions?
It’s true that most people don’t really bother going through an app’s permissions list. If you download a game that requires access to your contacts, you should be very suspicious. So unless a user bothers to scrutinize the apps that they install on their devices, sooner or later they will come across software that may be malicious.
Q. What can Sophos do to prevent reckless or irresponsible behavior in employees?
What we have done is to extend web security onto the phones themselves. Administrators can set up policies; for example if you are not allowed to surf the Internet during office hours, it will be the same on their mobiles as well. We also do a lot of white-listing of websites, which is a lot harder than blacklisting.
Another thing that we make easier is that our existing Endpoint customers can get access to a complete security suite. So with Mobile Control, they can secure all their devices. Or, if they are using some other vendor’s product, they can still buy and use Sophos Mobile Control and manage their devices. So our customers get added flexibility to choose what they want.
Having said that, the complete security suite that we offer covers endpoint protection, firewall, web and email security, data encryption; basically everything will be bundled in.
Q. How does Sophos handle malware that it comes across?
Sophos Labs has a hundred “geeks” doing analysis on malware and to go through all the reports that come in. We are very proud that Sophos is a lot more accurate on malware detection compared to its competitors. In fact, we often challenge users who are using a competitor’s product to compare our response time versus their vendor’s. Our typical turnaround time is a couple of days versus four to five for our competitors.
We have certain techniques to analyze malware which gives us a faster turnaround time. And our analysis is usually more accurate plus our SMC software will be updated straight away so the endpoint users can be protected as well.
Q. So what is Sophos launching in the near future?
We’re working to integrate network security very closely with endpoint security. So from our Unified Threat Management device, you will also be able to manage not just the endpoint devices in your network, but all mobile devices as well. This feature is coming in November. In addition, you can capture the same policies at the gateway, so if you’re not within your home network or LAN, the same policies will still apply to you when you’re logged in. So there’s very close integration between our products.
Sophos Cloud will also offer our customers the ability to manage their devices without creating their own management console on their network. Whether it is endpoint, mobile, encryption, the Sophos Cloud will be able to do it all, a 24 by 7, fully redundant management console.
Q. What kind of pricing are we looking at for Sophos Mobile Control?
For about a hundred users, we are looking at around US$31 per user. The lowest number is 5 users which costs US$47 per user. There’s no charge for the console and it covers multi devices and operating systems. Except for Windows Phone 7, we will cover all the other popular OSes in the market, including Blackberry.
Q. Can you tell us more about Sophos’ personal license concept?
Yes, we launched this concept recently. Basically, the license covers a single user who may have multiple devices. Maybe a user has two phones, a laptop, a work desktop but all he needs is one personal license. Like many users or “geeks”, we will keep adding devices. We often pass the old devices down to our family members and end up with even more.
And speaking of multiple devices, Sophos has a unique feature called the Self Service Portal (SSP) which allows an administrator who has set the policies for his organization to provide users with access to their own SSP. The user then logs in and sets up their devices without the need for the admin to set up each device manually. The administrator can control and manage all the devices that the user has added. Users can even wipe any devices which they might have lost by using the SSP. Or if they don’t want a device to be managed anymore, it can also be decommissioned via the SSP.
To set it up, all the user needs to do is to provide the device’s phone number and the SSP will SMS the profile and security certificate to that device. Once that is installed, the smartphone is now added to the list of BYOD devices that can access the company’s network and resources. So once the policies are set up, users can easily get their devices up and running, saving a lot of time and resources for the organization.
Q. Sophos isn’t the only one offering BYOD solutions, so how does a company evaluate which solution to use?
Sophos is in the business of building software that is easily deployed. The management console is very user-friendly and features like the Self Service Portal makes everything very easy to manage. Everything is catered towards general users who may not be technically savvy.
Some BYOD solution vendors offer only the management console portion but lack the security software aspect. Some security software vendors may offer their own solutions but aren’t able to provide BYOD management. Sophos has a complete end-to-end BYOD solution which includes security and manageability so in that sense, we are ahead of the competition.