Entrust CEO: Mobile more secure than desktop for protecting systems against malware

Bill Conner said "malware is in the network, you can't stop it"

Entrust CEO Bill Conner is pushing enterprises to recognise that desktop's are no longer the most secure way to assure an employee's identity and that instead they should be looking to mobile devices for sophisticated protection against malware.

Conner and Entrust argue that mobile phones and the software they run on have been engineered in a way that makes it far more difficult for malware to infiltrate all applications, due to a lack of shared memory. In addition, analytics can be used to ensure that access to critical systems is only granted in certain situations.

In an interview with Computerworld UK, Conner said that companies and governments need to recognise that malware is always going to get into the network and that they need to focus their efforts on securing the identities of individuals through mobile.

"All these malwares are attacking identity - if I can get through the perimeter, what am I going after? I'm going after your digital identity. Our assumption is that the malware is in the network, you can't stop it, if they want in they're getting in," he said.

"Once they are in they have compromised your identity. Is that your employee doing it or is it some malware guy? You administrator will not see them doing things because he or she thinks it's you."

He added: "We are trying to get away from naming the malware and figuring out what it does, and move to figuring out how they are coming in and what we do to secure your systems."

Conner said that the media is convinced that mobile is the most insecure platform on the planet, but he is adamant that it is far more secure than desktops and laptops. He recognises that there are elements of mobile that you can break - SMS, directory, photos - because these all utilise shared memory.

Bill Holtz, Entrust SVP and COO, agreed with Conner and explained why mobile should be recognised as the superior platform for identity assurance.

"The mobile device is architected very differently to a Windows desktop or laptop. Each mobile application lives within a sandbox and at the moment there is no way for malware to jump from one application to another, which isn't the case for Microsoft applications, where you can use malware to elevate your privileges," said Holtz.

"The only vulnerability that lies within mobile applications are the ones that use shared memory - and we know which ones those are. The other apps aren't in shared memory and they are isolated, sandboxes."

Entrust also believes that because of the functionality on mobile phones - such as GPS, Bluetooth, biometrics - they act as a great tool for enabling enterprises to recognise who an individual is through the use of analytics.

"We think of a mobile device as a pretty good credential - just like my behaviours in a normal online world, I'm going to have different behaviours in the mobile world. The more I track what I do, the more I can deal with enabling you as a business, customer or citizen," said Conner.

"If you think about it, my mobile phone goes with me more than any other digital credential I've got. My phone could be my physical credential into my building, it could be my logical access to the desktop - if I get up and walk away from my desk and it logs me off."

Holtz added that enterprises should be coupling their high value and high risk operations to identity assurance via a mobile phone. He said: "If you could identity assure those high risk, high value transactions, we know you'd defeat the malware."

He added that Entrust's solutions have little impact on systems for companies looking to implement identity assurance.

"If you run critical infrastructure we can drop our solution in there, we are not touching your stuff, leave it running - it's a 'zero touch solution'. When an employee is trying to activate something high-value, we can use the phone to ask: 'Are you trying to turn access this system, yes or no?'" said Holtz.

"Then you can also build in analytics on top of the infrastructure that states that that system can only be accessed if you are sitting at a certain terminal in a certain control room - using the mobile. If you are not in the room and your Bluetooth tells us you walked out the building, there's something fundamentally wrong with that transaction."