Yankee Group Blog


My friend Rich Mogull (ex-Gartner) recently posted an article in Dark Reading called “iPhone Smackdown: Security v. Consumerization” that nicely summarizes the security problems that will arrive when employees bring powerful consumer devices (like the iPhone) to work. His basic point is, “get over it; this stuff is coming whether you like it or not.” He then recommends three strategies IT departments should take to deal with it.

Rich’s point is sound. It echoes what we at Yankee have been saying for over a year: consumer technologies are transforming IT. This is as inevitable as gravity, and the underlying reason is simple: the consumer technology experience is better than what corporate IT can offer. And the gap will keep getting wider. Consider that corporate capital depreciation cycles are three years. Consumer electronics product cycles have now compressed to about 6 months, one year max. That means, by definition, that the average employee is going to “feel left behind” two-thirds of the time. The same perceptual gap is present in software, too. Why buy (and capitalize) an expensive SPSS license when Swivel does 90% of what you want? Or implement Remedy when GetSatisfaction.com is good enough? And of course, why tote around a clunky corporate Treo when you can smuggle in an iPhone that is half the thickness, lighter, nicer looking and a whole lot more fun?

The key to dealing with rampant consumerization is to move to what we call Zen IT: an architectural approach that puts the right amount of scaffolding in place to allow employees to support themselves, regardless of what kind of shiny object they bring to work. With respect to security, Zen IT demands that enterprises master five key competencies:

  1. Manage assets regardless of ownership
  2. Make user identities portable
  3. Control access to network resources
  4. Control content as it moves
  5. Secure customer-facing webware

Yankee Group described these strategies in detail in the April 2007 (!) presentation, Securing the Anywhere Enterprise (available to Link Research subscribers). I’d also point readers to colleague Josh Holbrook’s excellent report, Zen and the Art of Rogue Employee Management, to which Sheryl Kingstone, Zeus Kerravalla and I contributed.

Recently I’ve been asked by several publications to comment about mobile security, and more specifically about the security issues that we are seeing on smart mobile devices. Jim Finkle at Reuters did a nice job rounding up the usual suspects in a widely-circulated article that I recommend highly. In it, he quotes Symantec COO Enrique Salem (a smart cookie) and McAfee’s CEO Dave DeWalt (someone I have not met, but who is also said to be a smart cookie). He also solicited some insightful comments from Mark Rasch, a cyber-security lawyer I haven’t met, but whose SecurityFocus columns I have been reading and enjoying for years. I contributed my own little soundbite, which attempted to put things in perspective. All of these parties have interesting things to say, but a multi-interviewee story like Jim’s cannot give you the True Yankee Perspective. So here it is.

Our take on “mobile security” has always been contrarian, and different from that voiced by the most popular interview subjects, namely security vendors. That camp’s position, grossly simplified, is this:

  • Computers, particularly the Windows operating system, have long had a “malware problem.”
  • Mobile phones are increasingly taking on computer-like features
  • Because mobile phones are like computers, they will soon have malware too
  • And because everyone has a phone, everyone will soon have malware

The general point is that endpoint security vendors see mobile phones as just another endpoint that will obviously have the same issues as other platforms they provide products for. In other words: mobile phone security is an adjacent market that they can safely expand into, because we all know that the problem space is the same, right? Right?

Elementary enough on its surface, the logic breaks down under casual scrutiny. The logical flaws remind Yankee Group of the old Woody Allen syllogism from Love and Death: A) Socrates is a man. B) All men are mortal. C) Therefore, all men are Socrates.

My folksy-philosopher dad likes to say that the old saying “seeing is believing” works in reverse, too. In other words: if you believe that a mobile malware maelstrom is approaching, you will see storm clouds everywhere.

Even when the storm clouds are just vapor.

Now, I won’t deny that certain mobile platforms (for example, Symbian) have had some problems with mobile malware. Most security analysts who follow the mobile world are well aware that there are many variants of CommWarrior and Skulls circulating out there. And yes, we know that Bluetooth auto-discovery could well allow phones to be hijacked at close range. Thank you, Sophos, for staging a media event that demonstrated this. Brilliant and well done. We also know that some end-users will be frustrated and occasionally tricked by SMS messages they receive from fraudsters. But misdirection and mischief (social engineering) are not the same thing as malware.

Where I part company with the vendors is the notion that somehow the mobile malware maelstrom is inevitable. Yankee Group has long maintained a consistent position on the coming mobile malware epidemic: there won’t be one. Breathless predictions of impending maladies — regularly recited by sellers of miracle tonics — cannot disguise the fact that the necessary preconditions for pervasive mobile malware do not exist, and never will. Here’s why the tonic-sellers’ logic is fatally flawed:

  • Mobiles don’t have a monoculture operating system. Symbian, Windows Mobile, Android, iPhone and RIM all have significant shares, and we won’t see any of them gain more than 50% of the market.
  • Malware has no obvious mass-infection vector. Short-range, rifle-shot Bluetooth promiscuities don’t count.
  • Less-open operating environments. Most of the smartphone OSes (Symbian, iPhone, RIM for starters) require some form of digital signature to run a third-party application. This provides an audit trail, and gives the OS vendor (or carrier) an opportunity to revoke the certificate if the app misbehaves. I happen to like Apple’s model, because there’s one certificate issuer and thus one point of accountability. No, rogue apps running on jailbroken phones don’t count, because they won’t be substantial in number.

None of these inconvenient facts seem to trouble security vendors too much, and every few months Yankee hears about another mobile security product launch. But mobile anti-malware software isn’t selling. John Thompson (Symantec CEO) more or less admitted it at this year’s Vision conference in Las Vegas, where he said that substantial investments in mobile security software weren’t a very good use of shareholder money. Hats off to JWT for telling the truth.

Setting the record straight on mobile security means talking straight about what is actually needed, and what is just hype. Enterprises certainly need the ability to remotely kill devices that have been stolen or lost. And certain kinds of mobile phones will probably also need encryption to keep sensitive contents safe from casual prying eyes. But on-board anti-malware software to prevent phones from contracting hypothetical future maladies? As Mike Rothman might say, “not so much.”

My colleagues Dan Taylor, Jen Simpson and I just took a briefing with Kent Ertugrul, the CEO of Phorm. As many of our blog readers may know from reading The Economist (my favorite magazine), Phorm provides an interesting twist on online advertising. Phorm does two things that promise to overturn the advertising apple cart:

  • Omniscience. Phorm’s traffic analysis servers, sitting on ISP premises, filter (nearly) all end-user web traffic and observe the keywords they are interested in. By “keywords” I mean the most frequently occurring words contained in pages served up by webservers users visit. For example, if you visit the front page of Talking Points Memo, Phorm will associate page keywords “Obama”, “McCain”, “527” (and the other most frequently used words with that page) with a random unique identifier that represents you. It knows these things because it has read and indexed the page when you read it.
  • Disintermediates search engines. As you would expect, because Phorm reads the content of nearly every web page (on port 80 aka normal unencrypted HTTP) the user visits, it has unparalleled visibility to the user’s activity. The system is also “opt-out,” meaning that if the ISP installs it, the user has to take an active step to not be included in the system. These two properties — drastically expanded visibility, and the fact that the user cannot escape unless they opt out — enables ISPs to go “over the top” of the heads of Google and other search engines. It has the effect of disintermediating them entirely by allowing Phorm to claim, “yeah, these other guys know what user 123 has been searching for, but we know about all of their interests, across all of the websites they visit.”

Richard Clayton of Cambridge University has published a highly technical analysis of Phorm’s system on his website. It makes for excellent reading, and I recommend it highly. The comments are particularly entertaining; one reader notes wryly that “It seems the only way to fully opt out of this is to change ISP.” Wikipedia also has an informative article that is, on the whole, fairly hostile to Phorm. To date, the biggest objection to Phorm has come from researchers and observers who feel that the fact that it reads and indexes (nearly) all pages you visit is an unwarranted invasion of privacy.

In the briefing, I learned quite a bit about Phorm’s goals from a corporate perspective. My queasiness about inspection of customer web sessions aside, it seems that continued badgering from the press and from UK observers has forced Phorm to add more privacy-preserving features. Certainly, the point of going “over the top” of Google and the other search engines means that Phorm tracking cookies are accessible by any website that wants to use them. It’s clearly very appealing to ISPs, who desperately want a slice of the Internet advertising pie.

The question is, how badly do they want it? It’s clear that researchers like Clayton are not happy with the way Phorm’s system works. The way the system is set up (forcible inspection of HTTP traffic, cookie forging) seems a lot like a wiretap to me (albeit one to which, according to Phorm, the user consents). Today, the system is trialing in the UK with three carriers, including BT and Virgin Media. What happens when Phorm expands to the US is the real question. I suspect the Electronic Frontier Foundation and the ACLU will be all over this like a fat kid on a Twinkie.

For all of its novelty and potential for disruption, adopting the Phorm platform value proposition is a risky one for ISPs. The issue is not about whether Phorm gathers the right kinds of consent from end-users, anonymizes the data it collects, or offers appropriate data protection tools for end-users. Phorm may (or may not) be doing all of the right things; that isn’t the point. The issue is, regardless of what Phorm does, whether opponents can muster enough opposition to poison the reputations of the ISP customers who adopt it. Examples from other emotionally-charged consumer fights around genetically modified organisms (GMOs) and environmental issues suggest that aggrieved consumers, when riled up, have rather sharp elbows. “Spying on their customers!” would be one charge. “Big brother” would be another.

Phorm’s response, in our briefing, was essentially, “once consumers understand our system and its benefits, they will like it.” Let’s assume for the sake of argument they are right. It would still be an uphill battle, though, because business models predicated in part on user education usually fail. My vendor customers in the consumer security business know this all too well!

All of this leads me to conclude that ISPs who adopt Phorm would be putting a cyanide capsule in their mouths. The worst-case scenario is suicide-by-public-relations. Enough jostling from consumers and — crack — there’d be the sudden, familiar whiff of almonds in the air.

We’re So Big!

by Andrew Jaquith
June 16, 2008

Last week I attended the Symantec WorldWide Industry Analyst Conference, co-located at the annual Symantec Vision conference in Las Vegas. Analyst conferences are always good opportunities to meet executives and, less often, to receive insights from customers.

A staple of analyst conferences, and of analyst slide decks, is something I call the We’re-So-Big Slide. WSB typically makes a forceful, quantitative statement about the core business asset the company possesses. For example:

  • The number of sensors deployed in the field
  • Assets under management
  • Nodes monitored by a managed service

Symantec’s We’re-So-Big Slide is their Global Intelligence Network slide that shows how many countries they operate threat response centers in, and the number of sensors deployed in the field. These sensors serve as honeypots that capture malicious code and network traffic, and provide visibility to their anti-malware labs. They are very proud of their threat network, and rarely miss an opportunity to tell customers and analysts how many sensors they have.

Today’s first sighting of the WSB Slide was provided by Symantec Chief Strategy Officer Greg Hughes. Yankee Group blog readers will be pleased to know that Symantec has 40,000 sensors deployed worldwide. For sure, all those sensors are helping their labs get lots of visibility into new threats.

The We’re-So-Big Slide is handy shorthand for “We’ve got an asset that is key to our success, and we are flogging it like a jockey on a racehorse. Just how much are we flogging it? So glad you asked. Here’s a slide that tells you exactly how much.”

I always look for The WSB Slide because it’s like an old friend: familiar, comforting and you don’t have to waste time getting re-acquainted. The WSB Slide also tells you something, if only subliminally, about what the company feels is important. There is a super-important downside to keep in mind with WSB, though, which I’ll discuss in a future blog post.

Lost in the noise around the iPhone 3G launch at Apple’s Worldwide Developer Conference is the quiet announcement of OS X 10.6, code-named “Snow Leopard.” AppleInsider reports that Safari 4, the follow-on to the version of Safari in Leopard, will have a feature that allows users to “save a web site” as a stand-alone browser instance. That is, in essence, what we called a “single site browser” back in February of this year.

In our April 4 research note From Anywhere to Somewhere: Single-Site Browsers Keep Users Safer (available to Yankee Group subscribers), we recommended that Apple integrate SSB features into the core browser. We wrote that “creating individual, isolated browser instances for web sites should be as natural and intuitive as creating bookmarks.” I’m pleased to see that Apple will be doing exactly that.

Although I can’t claim with any certainty that our research had any effect on Apple’s product roadmap, it’s nice to see them doing this. And it’s good to get one right every now and then.

My friend Mike Rothman posted a link to an InformationWeek article on “Securing Rogue Mobile Devices.” The article makes a number of sensible points about what kinds of security strategies you should be employing with employees who are carrying their own mobile devices. That said, I have a few problems with the general perspective and tone of the article:

  • “Rogue devices” is a misnomer. Do you discipline employees who don’t wear company schwag for wearing “rogue clothing”? Of course you don’t. These are personal choices employees make — forget about the device and focus on the data (which can be leaked even on so-called “approved” devices).
  • Users won’t accept “complex passwords” on phones. An alleged best practice is to force employees to keep their phones locked using long, randomized passwords that change frequently. As annoying as this might be on PCs, on mobile phones it’s downright crazy-making. As I point out in my pending report, “Sizing the Mobile Identity Opportunity,” the form-factor of phones is simply not suited to the keyboard-oriented password strategies we’ve become accustomed to on PCs. The PIN is a better model, albeit less secure. Android’s Etch-A-Sketch-like scribbling metaphor (draw a picture to unlock the phone) is probably the best one I’ve heard of yet. Look for more innovation in this area in the future.
  • Employees are not a “threat.” Of course, sometimes they make mistakes, like leaving their phones in taxicabs. But the cure for this is a mix of encryption and remote device wipe. In the future, this will exactly resemble credit card deactivation — a phone call to your carrier turns the phone into a brick. Compare and contrast the panicky language of articles like this (the employee is a threat) versus what we hear about credit cards. When was the last time a credit-card carrying consumer was called a “threat”? (And no, testimony from Ben Bernanke about them not spending as much doesn’t count.)

My inner dork noted that the folks at the WebKit project have recently released a new development build that includes a new JavaScript engine called SquirrelFish. WebKit is the browser toolkit that powers Apple’s Safari and MobileSafari on the iPhone. It is also embedded into a smattering of mobile browsers offered by others, including Nokia and Google’s Android mobile OS. I’ve written about WebKit before, most notably my report The Web 2.0 Security Train Wreck.

Now, my computer science self could try and prattle on about what the WebKit team says the new JavaScript engine does better than the old one, or about the advantages of bytecode engines over syntax tree walkers, and so forth. I could do that, but the article does that pretty well already. The most important things to take away are these:

There’s a reason I mention all this. WebKit powers the iPhone, a memory-and-processor bound device. Anything that can speed up MobileSafari is good. If these numbers hold up, I think we can reasonably expect that browsing on the iPhone — which is already pretty terrific — is about to get a lot smoother and more responsive. It won’t be just Apple that benefits, either. The browsing experience on Android and certain Nokia and Samsung devices will improve a lot too.

The last point I’d make is that it’s clear that the lever of browser innovation has tipped in favor of open source implementations and away from Microsoft. The WebKit project, Mozilla, and Opera, for example, have been engaging in a friendly competition to pass the Acid3 web standards test. All three of these are continually one-upping each other to be more standards-compliant than the others. This kind of virtuous, friendly competition is terrific for the web, and even better for the mobile web.

Information security is a strange market segment. To outsiders, “security” is a simple thing: you are either secure or you are not. Many people also feel that security is a feature you can add to a product. These perspectives are simultaneously 100% right and completely wrong. They are right because at the end of the day, security should be something that customers expect their vendors will provide. Recent acquisitions by IBM, HP and EMC, for example, exemplify the broader trend of baking security into products and services. This is a good thing.

But, the reductionist view of security is also completely wrong because it masks the variety and subtleties of today’s marketplace, and of the threat landscape. There are probably 1,000 information security vendors in the market, all selling various cures for real and imagined problems. Here at Yankee, we have identified at least 35 individual market segments in the enterprise arena alone. The sheer number of market entrants and threat vectors ensures that security will never again be something so simple as a “yes-you-have-it”/”no-you-don’t” discussion.

But sometimes information security vendors get a little too… shall we say, fancy in describing the terrifying variety of threats to customers’ business assets and peace of mind. I speak, of course, of the medicalization of information security — how endless variations on simple threats get turned into a baffling array of multi-syllabic symptoms, diseases and maladies.

Today’s latest addition to the jargon lexicon is something called “phlashing,” a technique for messing with embedded devices, like your home wireless router. It was uncovered — and named — by an HP researcher with a fondness for cutesy verbiage. He called it “phlashing” to denote the target of the attack vector, namely against embedded devices’ flash ROM firmware. The “ph” is the obligatory geeky add-on that, if you are a security researcher, you feel compelled to add because “fl” is far too simple.

Information security professionals of all types have long moaned that they don’t have visibility to the corner office, and that they don’t know how to “align security with the business.” I would humbly suggest that the wasting disease of medicalized jargon is part of the problem. Can we all agree to stop creating exclusionary terms to describe Yet Another Threat Vector (YATV)?

Here are just a few of the terms I’ve run across in my three years as a security analyst:

  • Virus
  • Spyware
  • Trojan
  • Rootkit
  • Keylogger
  • Bot
  • Botnet
  • Backdoor
  • Dialer
  • Drive-by
  • Dropper
  • Packer
  • Phishing
  • Pharming
  • Phlashing

…and my favorite, “blended threat.” Symantec loves to use this term, but to me it just means “hemlock smoothie.”

I guarantee that nobody outside the information security market knows what any of these things mean. All they do is provide fodder for eager marketroids trying to fleece gullible sheep. Are you worried about creeping rootkititis? Such a deal we have for you!

Let’s get rid of the jargon, please. HP marketing, are you listening?

At Yankee Group, we’ve been researching and predicting the future for a while now. Sometimes we get it right, and sometimes not so much. Our biggest Big Bet is the one we’re making around Anywhere — the notion that the global connectivity revolution will introduce dramatic changes in the way we live and work.

A key part of our Big Bet is around something very tiny. Made from plastic and glass and silicon, mobile phones are getting smarter every day. Even better, the increase in flat-rate data plans means that mobile internet usage is going to explode. This broad macro trend — increased mobile internet usage — has profound implications for security, and in particular for mobile identity. If you take your phone, keys and credit cards with you, it seems to me that you will want to take your identity along too.

With that background in mind, I’m pleased to give YG blog readers a quick preview of a report I just finished today called Sizing the Mobile Identity Opportunity that puts numbers around how big mobile identity might be. Based on a model derived from our consumer data and mobile forecasts, the numbers, which I believe are conservative, are eye-popping. Assuming our forecasted mobile usage trends continue as we expect, by 2012 US mobile subscribers could generate over 360 billion identity events per year. By “identity event,” I mean the act of authenticating to an online service or website. Applying the Law of Large Numbers to a minuscule fee per event yields another big number in the hundreds of millions of dollars. These are dollars that mobile operators and identity management vendors could leave on the table unless they capitalize on the opportunity.

This report won’t be available for several weeks. It usually takes a little while for our Editorial services group to bang out the dings in my dented prose, and for our peer reviewers (which in this case will include several outside organizations) to weigh in. More about this soon!

As most people probably know by now, Microsoft has abandoned its pursuit of Yahoo! The deal is dead, and Microsoft won’t pursue any hostile takeover options. In his letter to Yahoo! CEO Jerry Yang, Microsoft CEO Steve Ballmer cited several factors, notably money, Yahoo!’s poison-pill defense and the recent Yahoo!-Google ad outsourcing deal. What’s been interesting to me as an analyst has been watching the cognitive dissonance between the equity analyst/research crowd and the techies. Most everyone I know with a historical memory of Silicon Valley, and with a knowledge of how Yahoo! works, tells me that a Microsoft acquisition could have only ended badly. In short, the transplanted organ would have rejected its host. As a friend of mine who works at Yahoo! put it, “You have to understand, the old-timers here hate Microsoft with a passion. About 20% of the staff would have left voluntarily, more-or-less immediately, and another 20% would have been laid off. And probably another 20% would have gotten disillusioned and left over the next year or two.” If you’ll pardon the slightly messy metaphor, it would have been like transplanting an appendix which promptly bursts after the operation, poisoning its host and causing it to stagger around for a while. Perhaps knowing that the operation might have had toxic after-effects helped Microsoft come to its senses. I say “helped” in the sense that the primary cause of death for this deal was money, not culture. But still, the cultural mismatch of this deal was a contributing factor, and an under-appreciated one at that.