A privacy trade-off is required for more personalised and more secure digital experience. The trade-off applies to the strictly personal use of mobile devices (e.g. location data may be used by mobile banking apps), and it also applies to corporate use of our personal devices (BYOD). Enterprises are pushing more sophisticated security agents onto personal devices as a dependency to the privilege of corporate use. As an example, I currently willingly run 2 enterprise security related agents on my personal mobile phone for the privilege of business convenience (e.g. work emails on my personal device).
What visibility, understanding and control do we really have on how our most personal data is used by increasingly sophisticated, and intrusive, enterprise security agents running on our personal mobile devices?
Developments in Context-Aware Security & User Behavioural and Entity Analytics (UBEA) technologies provide a fantastic opportunity to improve security by increasing the efficiency of both access and detective security controls. They do so by processing extra data, contextual and behavioural, surrounding the business use of applications, data, platforms, devices and networks. While privacy is of course a concern with those technologies (e.g. capturing and processing the location of a user for authorisation purposes), the Personally Identifiable Information (PII) at risk was probably primarily contained within a business related context to date. Those technologies have typically been deployed within the corporate environment, extended to the Cloud, by processing information primarily related to business use (incl. user behaviours through the corporate environment). Limited information about what users were doing with their mobile phones was available to those technologies.
Recent development in applications (incl. mobile apps) APIs (e.g. Google Awareness API) now provide a mechanism to further leverage user behavioural data to build apps that can intelligently react to what users are doing, including what users are doing with their personal mobile phones. This is a tremendous opportunity to deliver users with optimised and customised experiences through smarter apps, and it is also an opportunity to leverage further contextual and behavioural data for security purposes.
It presents both an opportunity for better security, including from an Enterprise+BYOD point of view, but a risk to privacy at the same time.
Context-aware security & User Behavioural Analytics
Gartner defines context-aware security as such: “Context-aware security is the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments. The most commonly cited context information types are environmental (such as location and time).” Accordingly to Gartner, context-aware security relies on the following type of supplemental data: “IT stack” (IP, URL, etc.), “business value context” and “threat context”.
In the context of access control, supplemental data complements basic user identification and authentication information, such as username and password. A simple example of context-aware security applicability would be the following: a finance team member would appear to have successfully authenticated at 3am from an overseas’ location where the organisation has no business. Something smells fishy here… take action to deny the access or raise an alarm for investigation.
User Behavioural (and Entity) Analytics
Gartner has identified “User and Entity Behavioral Analytics” (UEBA) solutions in the Top 10 Technologies for Information Security in 2016. Gartner identifies UEBA as providing a “user-centric analytics around user behavior, but also around other entities such as endpoints, networks and applications. The correlation of the analyses across various entities makes the analytics’ results more accurate and threat detection more effective.”
Examples of UEBA technologies include: Redowl, Darktrace, Splunk, Rapid7 InsightUBA and Mobile7 Interlock and many others (no promotion here). UEBA use cases can be quite varied and subjective, and typically include the detection of suspected insider threats.
Gartner also reports in their Market Guide for User and Entity Behavior Analytics that “For data privacy reasons, the data collection and analysis will normally be limited to metadata of such communications, but, in some cases, will also include content and sentiment analysis, which provides important contextual information about user activities and behavior.” and “…behavioral information may be found in various user communication channels, such as email and messaging.”
Moving to mobile devices
Context-aware security & UEBA technologies have so far been deployed within the corporate environment, extended to the Cloud, but have presented limited cases of user endpoint (incl. mobile) agent deployment architectures so far. Gartner reports that “Some vendors claim to offer full endpoint visibility without having to deploy endpoint agents.” A vendor also claims that “it already has full agentless visibility into Windows endpoints by using proprietary software that remotely extracts information from the Windows system.”.
However, vendors like Zimperium state that “Mobile Devices are Endpoints Too”. Their product zIPS “… can detect both known and unknown threats by analyzing the behavior of your mobile device.”. The ability of such technologies to leverage mobile (& user) behavioural data for security purposes is increasingly enhanced through new types of apps APIs.
Apps Awareness APIs
Google has released the Google Awareness APIs, which (zdnet) “… will enable apps to guess what a user is doing based on a combination of seven context signals from an Android device including time, location, place type, activity, beacons, headphones, and weather. The Snapshot API lets apps request information about the user’s current context, while the Fence API lets apps react to changes in the user’s context. Using the APIs, a music app, for example, could suggest a particular song if it detects that the user has plugged in the earphones and is walking. The features work even when the app is not active, to help developers to enable their apps to anticipate what users want.”
It is very likely enterprise mobile security agents will further leverage such types of new and enriched apps’ APIs to increase the security of business transactions, especially in BYOD environments.
It is a great opportunity to increase security, but at what level of privacy trade-off?