Mobile devices are becoming a new focal point of cybercrime, and current security strategies are proving ineffective. In November, the Financial Times reported (subscription required) that more than 40% of UK businesses had suffered a mobile security breach in the past 12 months, according to BT Group. Contributing factors were growing rates of criminal cyberbehavior, "hacktivism," and state-sponsored aggression focused on smartphones.
Smartphones are becoming prime targets because they contain such a diverse and rich set of information. The "work versus play" distinction is simplistic and outdated. The smartphone is now a hub for professional communication, corporate data access, personal communication, social networking, photography, financial planning, healthcare, gaming, commerce, and even taxpaying. Smartphones could not be a better target.
Forty percent is an unacceptable breach rate. To secure information, protect privacy, and stay productive, we must virtualize our mobile devices. With the ability to create separate mobile OS instances, customize each environment, and move between our digital lives with a swipe of a finger, we can put up a real defense without sacrificing usability.
The new virtualization
Mobile virtualization is now possible because we have evolved beyond Type 1 virtualization, which is ideal for servers but too taxing for mobile devices. We can overcome the resource constraints on smartphones by using OS-based mobile virtualization, which adds only a minimal footprint at the kernel level of the device. The same way Type 1 virtualization can divide one server into multiple virtual machines, mobile OS virtualization can divide one smartphone into multiple virtual smartphones. Since instances run within their own namespace, they are secure and scalable, and they preserve the overall user experience.
Rather than packing every mobile use case into one OS instance -- and leaving corporate data or financial information as vulnerable as family photos -- we can create customizable OS instances for groups of use cases. For instance, you could have a professional OS instance that is encrypted, contains only corporate approved apps, and connects only to secure WiFi networks. A separate personal communication OS instance could handle regular text messaging, calling, and social networking with security measures chosen by the user. A third OS instance could handle financial planning and healthcare.
The key point is that businesses can use mobile virtualization to secure everything that matters -- without impinging upon employee privacy and choice.
Mobile virtualization is particularly important because the most common mobile security approach, containerization, has proven inadequate. Mobile containers are used to encrypt and separate sensitive apps in one area of a device, but the apps still have to communicate with the device's hardware (e.g., the screen or keyboard) to function in the same namespace as other, unprotected apps.
If you or your kid were to download an app with malware that infected the device, the virus could easily intercept these communications and scrape sensitive information that containers are supposed to protect. It's easy to install malicious apps that seem harmless, especially now that attackers are disguising malware within seemingly legitimate apps. As the McAfee Labs Threat Report found in June, 79% of Flappy Birds clones (Angry Birds spinoffs that were pulled from the store after 50 million downloads) contained malware. By the time the company released its August Threat Report, there were more than 4.5 million known mobile malware samples in circulation, and criminals were producing roughly 700,000 new ones per quarter.
If we begin using virtualization to create separate OS instances for games (and finance, social media, etc.), malware on the gaming OS can't intercept communications on the work OS. The malware doesn't even know the other instances or apps exist. Where containerization fails, mobile virtualization can excel.
Ending the clash between privacy and choice
By producing separate OS instances for every use case, mobile virtualization will finally allow businesses to implement security policies without encroaching on employee privacy and choice. Mobile device management (MDM) solutions are extraordinarily effective and vital to security at many organizations, but employees hate the idea of giving their employer the ability to blacklist apps, geo-fence tools, or lock and wipe all the content on their phones.
Mobile virtualization can eliminate this issue by allowing employers to install MDM on corporate OS instances without having any effect on personal OS instances. It will allow us to encrypt, customize, and, if necessary, lock and wipe corporate instances without touching data on the rest of the device.
When 40% of businesses in a country have suffered mobile cyberattacks, we know our current paradigms of security are failing. If we have vulnerabilities in our mobile security policies, they will be exploited sooner or later. Smartphones contain far too much personal and corporate information that is of value to cybercriminals. We need mobile virtualization to achieve security without sacrificing privacy, choice, and overall user experience.