Mobile devices are, like any powerful tool, a double edged sword. They enable unprecedented ability to access and create information from anywhere! They are also a huge problem for information security.

Unlike a traditional PC, where there are a number of solutions to address various information security needs, mobile devices (those running iOS, Android, Symbian, Blackberry and others) provide little if any mechanisms for third parties to provide security solutions. Beyond ActiveSync integration, which itself is potentially untrustworthy (remember how iOS used to lie to Exchange servers that their mail store was encrypted?), other options for securing the device or data on the device are limited.

That said, mobile operating systems have had the benefit of experience of other operating systems. They are designed to be more resistant to intrusion by requiring signed code, employing sandboxing, limiting the available APIs, and more. It doesn't eliminate the risk of security vulnerabilities, but it does minimize the risk known ones will occur.

Unfortunately, the "baked in" security only addresses a small segment of potential security issues. It does nothing to address future security issues that might crop up. Due to the limited APIs, it is not possible for third parties to address these issues without cooperation from the OS vendor (e.g. Apple, Google, Nokia). Unfortunately, security threats evolve far faster than an OS vendor's ability to mitigate these threats on their own. Just look at how long it took Microsoft to enable the firewall in Microsoft Windows by default, implement driver signing, or any number of other security mechanisms that are just the default on mobile operating systems.

Even so, the most important feature of a mobile device--the ability to access and share information from anywhere--is also a threat to an enterprise. The potential for data leakage is substantial! All I have to do is take a picture of a whiteboard in an office with confidential data on it using an Android phone with Google+ automatically uploading my photos "in the cloud" to have a potential data leak! Not to mention using your personal device to access mobile email and working with attachments.

Even if adequate tools existed to address all the issues on mobile devices, one should not blindly rely on these tools. It comes down to people understanding the security implications of their actions and adjusting their actions accordingly.

From ZoneAlarm’s Newest Security Solution: SocialGuard:

SocialGuard, ZoneAlarm’s newest security solution, promises a groundbreaking new method of monitoring and preventing safety breaches on Facebook the most popular social networking site by a mile, with over 500 million users without “friending” your child and intruding on his/her social space. SocialGuard sends real-time alerts to parents via email–or the SocialGuard interface–whenever suspicious activity is detected on your child’s profile; parents can customize security settings and keywords to trigger such messages if the child is exposed to illicit or inappropriate content. SocialGuard monitors children’s Facebook accounts for threats including cyberbullying, age fraud ensures children are not befriended by adults outside of their network; friend requests, hacked accounts, and link safety flags dangerous/offensive links contained in messages.

The product, available now, can be purchased here.

Check Point, my employer, is behind this. I've used the betas of this product and they do precisely what they say without being a huge burden on you or your computer. The price: $1.99 a month or $19.99 a year, makes this a no-brainer if you have kids using Facebook!

See what Check Point's Head of Consumer Business has to say about SocialGuard.

From Reality Check - Features - Malware - Computer Business Review:

"The industry needs to change a little bit," [Check Point Software Technologies CEO Gil Shwed] says. "Our software blade architecture is the right direction but it's not enough. I think the real change is actually understanding that security is not a bunch of technologies that people need to deploy but understanding that it needs to be treated like a business process. It starts with the well-defined policy of what a company wants to achieve and what is allowed or not allowed, continues with educating - or not educating but involving the users - and the enforcement side is only the last part of it.

"Most of our customers have a lot of check lists but not one clear policy. Everybody is trying to keep the users aside from that, but if users are not aware of their expected behaviour they become the weakest link in security. Then it goes to enforcement, which needs to apply these principles. We've just launched 3D Security that has three elements - policy, people and enforcement - and I think that would be a major change in people's mindset when they think about security.

While Check Point certainly has some great security technology--I should know, I work there--if it's not applied according to a process and policy with defined business goals, the result will be less than satisfying. I've seen it again and again in my work over the years.

On the two Check Point user community sites CPUG and CPshared, I made a couple of interesting observations today:

  • CPshared already had more active threads today than CPUG. This includes all the public boards, which I verified by loading up both sites in Google Chrome's "Incognito Mode" to ensure I wasn't logged in.
  • The number of Check Point employees already participating on CPshared is far more than I've ever noticed on CPUG in the past two years.

Keep in mind that the CPUG forums have been around since August 2005. CPshared was only "officially" announced last week--it had been privately tested for about 4 weeks before that.

Again, these are just observations. They may be completely meaningless. You can come to your own conclusions here.

I've been a participating in the Check Point user community in various places for a long time now. Heck, I ran a Check Point community of my own for a while. It's not often the community gets a new place to congregate, so it's worthy of an announcement.

Presenting CPshared:  The Open Technical Forum for All Things Check Point. In the NG days, this was a base "package" in the Check Point suite that handled communication between management and modules. It was also called the SVN Foundation. This is where the name comes from, and I think it's an appropriate name.

CPshared was started by an ex-Check Point employee and a long-time member of the Check Point community. It is designed to be an alternate approach to information dissemination to more established forums like CPUG--a forum I kickstarted by donating my own content to in 2005. CPshared includes a blog (with contributions by others), a web-based forum, a Twitter account @cpshared, and a web-based chat system.

CPshared has been under private beta for the last few weeks with a number of other long-time members of the Check Point community, including a few Check Point employees. It was formally announced today. If you use Check Point products, give it a look and join the small, but growing community!