The Fragmented Picture of Mobile Security

I was in Munich last week, speaking at the European Identity and Cloud Conference in a panel on standards for mobile security. It was a very good session, not least because of the colleagues who joined me on the panel. John Sabo spoke about the work he’s doing in privacy frameworks.  Tony Nadalin spoke about his work in identity management and cloud. Sven Gossel discussed his work in crypto interfaces and mobile environments. There were lots of good questions from our moderator, Fulup ar Foll , as well as great comments and questions from the audience.

Our panel was only one of a number of discussions of mobile security at the conference. In his Thursday keynote, Dr. Kai Rannenberg spoke to the need for hardware roots of trust. Pamela Dingle presented the authentication and authorization token models in OpenID. Craig Burton introduced a UK-based company that has automated the creation of open APIs consumable by mobile devices. There were sessions on VDI and mobile security, SSO and mobile security, and trust frameworks and mobile security: lots of information, across many important and interesting topics.

But in looking back on the various discussions of mobile security at the conference, what strikes me most of all is the fragmented nature of the discussion. Perhaps there were, among the keynotes and sessions I missed, some that gave a more complete picture of where we stand in terms of mobile security. But that was not something I heard or could derive across sessions. Moreover, despite the breadth of discussion, there were nonetheless a number of topics related to mobile security that I didn’t see at the conference, perhaps most strikingly the critical role that analytics, both in risk-based identity management and in threat response, should play in mobile security.

In fairness to the EIC conference, understanding of mobile security seems fragmented across the industry. Developing a comprehensive and comprehensible view of mobile security should be a concern for all of us engaged in the practice of cybersecurity.