Reducing the complexities of product lifecycle management is a key challenge for operators who are looking to be more innovative in the way they combine underlying network and service capabilities, in order to provide blended, tailored packages which are in tune with customer preferences.

Looking back at the news pages last month – and at the pages in this month’s issue – it seems as if we have developed something of a fixation on 3. Rest assured, that is not the case. But it is also true that here is an operator who seems to be getting its users closer to the mobile lifestyle we are so often promised is within our reach. We report on pages 10 and 11 that there is much work still to be done at 3, but the company surely deserves a late entry in the GSMA’s marketing campaign award category in February for how it has executed the arrival of this clutch of X-Series products, all enabled by a flat rate data tariff. 3 has assembled a formidable array of internet companies to partner with, and by being the first to do so can give the illusion of exclusivity. Of course, in a true open garden environment instead of doing a deal to say which VoIP client the operator would support, users could go and find the one they already have. And so on for each of the other services offered. But as Frank Sixt says, it’s just a start. And no doubt users at other operators will soon be asking, “Where’s our X-Series?”
One man sure to have strong views on not over-promising on the benefits of a suite of services like X-Series would be O2’s cto, Dave Williams. On pages 14 and 15, we include his admirably frank rundown of which technologies he rates now, which he’s keeping an eye on with a serious view to doing something about, and those which he is keeping an eye on just to make sure they don’t surprise him by suddenly becoming useful. We were taken by his enthusiasm for the in-building pico and femto cell solutions, with a WLAN router integrated, that would, by using DSL as backhaul, allow users to make calls (and in the 3G version, do all the cool data stuff) from their mobile, bypassing completely their fixed telephony provider. Because, for this to work, you would need to have a broadband connection from Be (or O2 Broadband as we may come to know it). The deal looks a good one to me.

Annual Review

It’s the end of the year. Did we get anything right in 2006? Let’s have a look back and see…

ith our publisher having afforded us the luxury of a joint December/ January issue, the Mobile Europe year begins, as is traditional, in FEBRUARY. And the top story for us? Mobile Search.
We announced,  “Motorola to Launch Yahoo! Ready Applications Pre-Installed on New Motorola Handsets.”
Motorola and Yahoo! announced they will launch pre-installed Yahoo! ready applications on Motorola mobile devices globally in the coming months. Delivering on a commitment between the two companies to bring Yahoo!’s leading products and services to consumers worldwide, the devices will provide consumers access to their Yahoo! services.”
And also…
“Yahoo! Partners With Nokia”
Yahoo! has signed a deal with Nokia to launch a service called Go Mobile in ten countries across Asia and Europe. Consumers purchasing select Nokia 6630, Nokia 6680, Nokia 6681 and Nokia N70 devices will receive Yahoo! Go Mobile pre-installed. Not only that but Motorola and Google announced an alliance to enable users access to Google on Motorola handsets.
Motorola will integrate a Google icon onto select devices so that users can connect directly to Google with one click. The mass-market, “internet-optimised” handsets will be distributed from early 2006 to select Motorola customers worldwide.”
But who’s this? Why it’s Mike Brady, senior director of business development at enterprise search company FAST warning that
“getting into bed with branded search companies is a risky business”.
Brady said, “The mobile industry must seriously think through the implications. Google isn’t just a search engine— it’s now a global brand right up there with Coca-Cola. By partnering with Google, Motorola is allowing its own brand to be diluted — it might seem a smart move in the short-term, but this will definitely impede future business models and revenue potential…”
Oh yeah Mike? tell that to Vodafone which, a few days later, as we reported in our March issue, tied up a deal with Goodle to integrate Google in its live! portal. But wait – only recently we hear rumours all is not well in that relationship, so perhaps Mr Brady was right all along…
Also making a splash in our February issue was Palm, whose new European boss Roy Bedlow was promising to concentrate on 3G and broadening the range OS Palm works with. There were also results of two mobile TV trials in the UK, the start of a story that would come to dominate in 2006.
“Operators running two mobile TV trials, using different technologies have both claimed positive results from user surveys in the UK. One trial, being run by BT  and Virgin Mobile uses DAB (Digital Audio Broadcasting) frequency, while the other, being hosted by O2 in Oxford, is based on DVB-H.”
Also making a splash in this bumper issue for news was multiple litigant Visto, kicking off another typically quiet year by taking on Microsoft, of all people.

MARCH
We’ve been to Barcelona. We’ve just about shaken off the hangover and we’ve hurled together our March issue in quick time before we forgot everything we saw there. Lead story is on Instant Messaging, and the GSMA’s assembling of all the talents to announce their plan to interoperate on IM. And didn’t they look thrilled?
(see pic below).
 The motivation was to open up the market in the same way SMS interoperability had done.
We said, “At present there are a number of ways to interconnect communities, including SIP/SIMPLE, IMPS SSP and XMPP. Different operators have adopted different approaches to their own technical implementations, but if one takes this announcement at face value, the desire is now there to standardise at least on a common user proposition, and ensure interoperability.”
At the show itself, IM vendor OZ Communications’ ceo Skuli Mogensen told us it was a decision clearly made “out of fear”.
Apart from IM, HSDPA was in the news, as networks were going down all over the place, many of them trials, but all of them a clear sign of intent that 2006 was going to be HSDPA’s year.
    Also starting out on the long hard road was Vodafone, the victim of a boardroom row represented as a battle for control between the old guard and the new. CMO Petre Bamford leaves, Sir Chris Gent resigns as life president, and Lord Maclaurin releases an open letter expressing his distress at the reports of unrest. Things didn’t exactly settle down over the rest of the year.
Away from the personalities, Vodafone made significant steps, partnering with Huawei, Nokia and Google in various ways, heralding several trends for the year ahead. (Closer relationship to open OS hadndset platforms, low cost handsets and internet companies)

APRIL
It being obligatory to quote TS Eliot and his “April is the cruellest month” in reviews like this, did Mobile Europe produce any evidence? Well there was the latest in the  nasty battle between Alfa Telecom and Telenor for control of Vimpelcom and Kyivstar.
    We said, “Altimo proposed that Vimpelcom pay $5 billion cash for Kyivstar. It made this deal conditional on one or other of the parties buying the other’s shares in Vimpelcom. Telenor Executive Vice President and Head of Eastern/Central Europe, Jan Edvard Thygesen, said, “We are not prepared to sell Kyivstar to VimpelCom unless there is a structure in place that will ensure that Alfa’s attacks will end.”
Alexey Reznikovich the CEO of Altimo responded by appearing to welcome the suggestion, “We have always backed the merger of VimpelCom and Kyivstar. That’s why we welcome that Telenor demonstrates a constructive approach and agrees the benefits of such an acquisition.”
   And yet, unsurprisingly, this one rumbles on.
 
MAY
Back to mobile TV, and this time Qualcomm is getting a hold in the market not by partnering with an operator, but with a television company.
“Qualcomm and British Sky Broadcasting (BSkyB) have announced that the broadcaster is to carry out its own evaluation of MediaFLO’s technical capabilities in a ten channel trial in the UK. The BSkyB trial is Qualcomm’s first such deal in Europe, where it does not consider itself locked out, despite the presence of DVB-H. It is notable for being conducted not by a mobile operator but by a broadcaster itself.
 Robert Fraser, a BSkyB spokesperson, said that BSkyB had been an active participant as a content provider in both O2’s DVB-H trial last year, and BT Movio’s trial using DMB. The spokesperson said the FLO trial was an extension of Sky’s willingness to explore the capabilities to “further develop our range of services.” The difference in those trials was that they were hosted by a mobile operator in one case and a would-be wholesale mobile TV provider in another.
Explaining Sky decision to conduct its own trial in this instance, Fraser said: “Our involvement will allow us to evaluate the potential of the respective technologies,” When asked if Sky would then use the results of the trial to search for a partner using its preferred technology, or even build out its own system, he said he would not pre-judge the outcome of the trial.
But it seems likely that if Sky is convinced that the FLO meets its technical and business case demands, it would express that preference to any potential operator partner.”
Interesting one this because, with the best will in the world, we can’t see Qualcomm making this stick in Europe. We haven’t spoken to a single operator since that  announcement who has expressed a preference for MediaFLO. Even Vodafone, which is closest to Sky, hasn’t give any indication MediaFLO is on its roadmap.
Aside from TV, operators continued to wrestle with the implications of VoIP. Should they embrace and exploit it, or defend against it and hold on to what they’ve got? T-Mobile banned mobile VoIP from its all-you-can-eat HSDPA data service.
 T-Mobile married its launch of an HSDPA data card and new all-you-can-eat professional tariff with a ban on VoIP or IP messaging over its network.
  The small print following the operator’s launch statement said of VoIP or IP messaging: “If use of either or both of these services is detected, T-Mobile may terminate the contracts with the customer and disconnect any SIM cards and/or web ‘n’ walk cards from the network.”

JUNE
Midway through the year and operators are still getting to grips with that VoIP thing, only this time it’s in the realm of fixed mobile convergence. Or fixed mobile substitution, as the mobile operators might prefer to call it.
Both Vodafone and Orange announced plans for driving cross-platform revenues from converged fixed and mobile properties.
We said, “To play in this field any operator needs to be able to operate at extremely low cost, as margins are not high. Vodafone rightly points out that IP integration at the application layer, and HSDPA at the network, enable convergent, seamless services across different networks. The challlenge is to exploit those opportunities in a profitable manner”
As for Orange we felt, “Orange’s motivation is clearly to make the most of its potential to substitute fixed line usage with mobile solutions for consumers and businesses. The broadband offer is aggressive, but consumers may be surprised when they see what range of UMA phones are available, especially as this phone is supposed to be their prime handset.”
There was also the heartening news, which came to fruition only in December 2006, that TeliaSonera was waking up Xfera, mothballed licence holder of the fourth 3G licence in Spain.
“TeliaSonera has increased its shareholding in mothballed Spanish 3G operator Xfera to 80%, and plans to shake out the cobwebs from Spain’s sleeping “fourth” operator, and launch 3G services after carrying out a UMTS rollout.
The Scandinavian operator paid SEK657 million for the share increase, and plans to invest around a €1 billion in networks, IP-service platforms, start-up costs and spectrum fees (including accrued spectrum fees from 2002).”
Six months later and TeliaSonera has delivered on that promise.

JULY AND AUGUST
Holiday time, another double issue and, appropriately enough, a big fat row about roaming prices. We point out that this one’s been going around for years, but finally seems to be getting somewhere with GSMA hate figure Vivian Reding issuing sets of recommendations all over the place. Reding said, “For years, mobile roaming charges have remained at unjustifiably high levels, in spite of repeated warnings to the industry. This is why Europe needs to act now.”
The GSMA  said, “The new proposals still amount to a straitjacket that will stifle innovation, dampen competition and ultimately harm consumers.”
Result? European operators trying to head reglation off at the pass by announcing new roaming tarrifs.
There was also the news that Intel had pumped the small sum of $600 million into the WiMax market in the form of service provider Clearwire. Motorola brought the total funding up to $900 million. A lot of money, and an investment that brought vertically integrated Intel into the WiMax market.

SEPTEMBER
More regulation, this time on spectrum liberalisation, kept us busy.
“Spectrum management in Europe is in a state of flux. The traditional model under which national regulators grant licences prescribing frequency bands, technologies and services (“command and control”) is under attack.”
And those HSDPA seeds, sown in February and March, grew some shoots as operators began to announce their commercial launches and even (see top) handsets.
“T-Mobile has announced the launch of the first non-data card HSDPA device in the UK on the day 3, carrying out press demos of HSDPA at its London, Oxford Street store, said it would have HSDPA phones available for the Christmas market.”

OCTOBER
Moving closer to recent memory, we lead with the operator allicance to set some specs for next generation networks.
“Leading mobile operators including China Mobile, KPN, NTT DoCoMo, Orange, Sprint Nextel, T-Mobile and Vodafone have joined forces to create the Next Generation Mobile Networks (NGMN) initiative, which has become a limited UK company.
NGMN’s members say it has created, “A set of requirements for a future wide area mobile broadband network that is designed to offer enhanced customer benefits by delivering competitive broadband performance alongside high levels of interoperability.”

NOVEMBER
Truly in recent history now, and the themes of the year continue, with progress on handset development, and another trial of a mobile TV technology.
    Which takes us neatly back where we started…

Mobile Security Vendor Roundup

While security threats in the computer world have been well documented, the mobile arena has developed into a new ‘front’ in the war against viruses, malware and the like. marcia mcleod checks out the latest offerings from several security vendors.

TREND MICRO

TREND MICRO’s Mobile Security 3.0, designed for smartphones and other mobile devices, adds a firewall and intrusion detector, as well as a simplified user interface. Improved support will be offered from next year.
So far, Mobile Security 3.0, which was launched on 1 November, is available only for Windows Mobile 5 because, says Todd Thiemann, director device security, “Windows Mobile has been on the market longer” than any of its rivals. Symbian 9.1 will be supported from next year, but users of older versions of either operating system will have to make do with Mobile Security 2.0.
The new version of Trend’s security product is currently being tested with a major, but unnamed, telecoms company in Taiwan, as well as both corporate and domestic users. The product is available as a download on a free 30-day trial, after which the user is billed US$34.99 per device per year.
“According to Gartner, the smartphone market is expected to jump by 66% to 81m by the end of the year,” says Thiemann. “Next year, smartphones are expected to account for 12% of total wireless device shipments.
“Handset manufacturers are worried about their warranty returns for infected devices and consequent damage to reputation; mobile operators are worried about their reputation, customer churn, and lost billable minutes caused by interrupted service due to denial of service attacks. Security is paramount.”

FORESCOUT

FORESCOUT treats security very seriously. Its Network Asset Control product, CounterAct, protects all devices attached to a network, including those based on VoIP, by detecting and blocking self-propagating threats.
“Companies want to know who’s connecting to their networks, if the person is compliant with the corporate security policies and if they are introducing a worm into the network,” emphasises Ray Wizbowski, VP marketing.
“CounterAct 6.0, which came out in October, ‘sniffs’ everything that comes through the device to see if it is legitimate or not and acts accordingly.”
ForeScout tailors its products so the user obtains the appropriate response to each violation or potential violation. It can simply send an alert to the network administrator stating that the device’s owner is not working in line with the company’s security procedure or, for a serious threat, it can actually block access for a particular device.
“Application termination, added with version 6.0 at the request of the US government, gives much greater control over high risk applications,” Wizbowski adds. “It identifies which applications are running on an affected device, stops one, if necessary, and notifies both the user and his or her boss.
“For example, Skype takes up a huge amount of bandwidth and introduces a new vulnerability. If an employee begins using Skype on their mobile device against the company’s wishes, CounterAct  can turn
it off.”

McAfee

MCAFEE’s Mobile Security product first came out in early 2004, covering all mobile devices, including smartphones. According to mobile security product marketing manager, Jan Volske, the greatest demand is from the carrier, as carriers have the greatest aggregated risk, followed by direct suppliers such as handset manufacturers.
Mobile security, for McAfee, consists of three main areas: risk assessment, recovery, and blocking products. Risk assessment helps a customer look at the potential threats and where the greatest risk is coming from – e.g. is there a bigger problem in one country or from one type of threat. Mobile mailware, for example, is causing a lot of trouble at the moment.
Recovery helps carriers get their services up and running again, while blocking products can stop viruses, spam or a specific application.
“Most of this has been available for a couple of years,” says Volske, “but it is only in the last few months that we have seen much interest from the carrier.

F-SECURE

F-SECURE started its mobile security suite in 2000, working with ISPs. Most ISPs that rely on a partner use F Secure, claims vp mobile security Antti Vihavainen, co-branding the security software or embedding it under their name. F-Secure is also moving towards a corporate product, similar to the desktop security suite.
F-Secure Mobile Security, incorporating a firewall, came out last year ; before that, the product was known as F-Secure Mobile Anti-Virus, and did not have a firewall.
“We were the first to offer a firewell and anti-virus software to Nokia’s third edition devices, the E and N servers, which came out this year,” says Vihavainen. “We also support Panasonic, but Nokia accounts for 70% of Europe’s devices at present.”
Functionality, such as anti-spyware and parental control, will be added over the next few months to match the security levels of the PC. Wider support of the E and N series devices from Nokia and other manufacturers will also be provided, as will support for Windows Mobile.
“We hope to introduce security for Windows Mobile in a relatively short time, before it is really needed,” says Vihavainen. “The market is being driven by demand from enterprise customers with all-encompassing security guidelines which need to make sure the entire network is secure, but there is also demand from the mobile operators who need to mitigate the threat before it happens, to protect their customers and their reputation.”

Symantec

SYMANTEC believes the threat to security is greatest on mobile devices. “The threat against the PC is fairly static,” says Paul Miller, md of Symantec’s mobile security division. “New types of threat attack the mobile device.
“Smartphones are growing at 77% per annum and viruses double every six months. There are 235 out there today for the mobile – and while this compares to 600 for the PC, mobile devices are much easier to lose than a desktop, putting data at greater risk.”
And yet, says Miller, only 25% of companies responding to a recent survey were even thinking about security for their mobile devices.
Symantec protects against what it calls pranking4profit and snoopware. Pranking4profit involves criminals accessing mobile devices for financial gain – a change from the traditional hacker, who does it because he can. “Premium SMS attacks can drain a user’s bank account,” warns Miller.
Snoopware “puts a stranger in your bedroom and a competitor in your boardroom” by accessing personal data. And by activating a microphone in the phone, it allows snoopers to determine the date of a meeting and listen in to proceedings.
Next year, Symantec will turn its attention to loss mitigation. Although it has not released exact details of its plans, it is likely to include data encryption or ‘wipe and kill’, which enables a company or individual to remove data from a mislaid device.

NOKIA

NOKIA launched its Intrusion Prevention with Sourcefire, an enterprise security solution combining intrusion prevention with vulnerability analysis and network behaviour analysis, in November. This follows Nokia’s arrangements to offer Sourcefire’s Intrusion Prevention Service, announced in August.
The software inspects incoming traffic for known and unknown irregularities, blocks traffic or replaces malicious code with benign code based on pre-defined security policies; monitors the network and profiles the network to detect threats; and identifies long-term security trends.
“The market underestimated the growth of mobile,” says Jay Burrell, vp business development enterprise solutions. “The European mobile market is worth US$813m. Sixty-five per cent of enterprises will have wireless applications by 2007/8 and 80% of smartphones will have email capability by 2008.
“Companies need a mobile security strategy – but we see the development of more customised applications for specific verticals, such as health care, construction, field service, parcel delivery, and manufacturing. Middleware will grow, too.
“IT departments have to consider the use of mobile phones by employees. Will every new recruit be given a corporate mobile phone, like they are given a laptop, to avoid the risk of security breaches from privately-owned devices? And how will they back it all up?”

STILL SECURE

STILL SECURE recently integrated its Safe Access and Strata Guard products to provide both pre- and post-connect protection to mobile users and network operators.
“The mobile workforce is not going to go away. It is a force that needs to be dealt with from a security point of view,” says Alan Shimel, chief strategy officer.
Safe Access checks that any person trying to log onto a network with a mobile device meets the enterprise’s network access policy for that type of user. This could vary according to whether the person is a home worker using corporate-owned equipment, a home worker relying on their own equipment, a person with a smartphone and so on.
“As the person logs on, Safe Access can limit the access privileges based on who that person is,” Shimel says.
“It makes sure the mobile user is not introducing anything malicious into the network, while at the same time protecting the mobile user from anything malicious already on the network that might infect their device.”
Strata Guard provides protection after the person has already logged on to the network by monitoring traffic to see if there is anything malicious or potentially damaging on the device and, if necessary, drop the device from the network immediately, block the device from certain parts of the network,  refer the user back to Safe Access or quarantine the user to ensure access is allowed only to specific areas of the system

Exclusive Mobile Security Round Table

The roundtable, organised by cisco exclusively for mobile europe, was an opportunity for several pivotal players within the industry to discuss key issues on mobile security. Companies involved included Cisco Systems, GSMA Security Group, Orange Business
Services, Symbian and Trend Micro. The session was chaired by Mobile Europe editor, Keith Dyer and THE DISCUSSION focusES on three areas: Mobile threat landscape: Security and services – monitor and manage: Corporate mobile device and service management

Now that mobile networks have moved from closed, secure networks, and handsets with proprietary OS, to IP networks and access to IP services from open OS-based devices, does that put mobile on a footing with the threat we have seen to PCs? What is the current threat to mobiles from IP networks and the use of services over them?

Jon Hindle:
I don’t want to paint a picture of doom and gloom but there is a picture to be painted there. Clearly as we have gone from circuit-switched to IP-based networks so devices are accessing a much more open set of apps, and there’s clearly set of issues that are going to become increasingly prevalent through the network. We’ve seen some initial threats and attacks to devices and to the networks themselves, and have also seen operators react fairly sensibly to that. I guess  the ongoing thing is that you can never ‘solve’ security you can only keep the risks at bay as much as possible.

Keith Dyer:
So where are the threats coming from?
JH:
There’s a whole host. As devices get more open in terms of OS there’s the potential from hackers to attack the device. But I think also there are some different ways of looking at threats – for example, if you’ve got access to the internet people can access things maybe you don’t want them to access – for example children accessing inappropriate content.

KD:
And on the device side how are those threats manifested?

Laurent Gondicart:
If we try to make a parallel between the PC world and the mobile world we are light-years away from the situation that we have in PCs. First we don’t have the same dominance of MS on mobile platforms. We do have the dominance of Symbian, and we have seen recent attacks have targeted Symbian, because virus writers tend to go for the most prevalent platform on the market. That said, what we’ve seen so far is proof of concept so I don’t want to scare the public. However, if we look at the shift in the malware industry, nowadays we see that all malware is related to making profit. We see  spam, spyware, greyware really targeted at making profit. We think that when we see a clear market on the mobile, virus and malware writers will shift to that platform because it’s really easy to make money on a mobile platform. With Premium SMS, everything’s there. 

KD:
So Craig, it is likely to be Symbian under attack.

Craig Heath:
That’s true. We do have the biggest installed base of all open OS of mobile phones and I have to agree that, especially with the introduction of IP networks, phones do face the same type of threats as PC desktops. Fortunately, though, because desktop PCs have experienced it we have an opportunity to learn from that. We at Symbian have done that and designed-in security with the aim of staying ahead. Just this year Symbian has introduced a new platform security architecture which we believe is a strong foundation and, touch wood, we have not seen any malware on this platform yet.

KD:
And Juliet, within the scope of the operators, is there a similar level of recognition?

Juliet Walker:
I think we see it as here but emerging. We don’t want to panic customers because we have to be realistic – it’s not a big threat at the moment. But there are really basic things they can do to protect themselves against it, such as not talking about sensitive company information on a train. So what we’re trying to do is provide good guidelines for our business customers about their own usage and that goes from mobile etiquette through to what are the steps you should take to protect against viruses and things like that. We have AV solutions available that customers can download – so we are really trying to address that whole spectrum. But basically I feel that fundamental things aren’t in place. Less than 40% of companies have a mobile security policy that’s enforced within their company. So it’s about trying to extend what’s fairly common in the desktop world into the market place.

KD:
Charles, have you perceived a change in operators’ approaches in order to tackle any of these particular problems?

Charles Brookson:
Certainly, they’ve got to begin to behave a lot more like ISPs, they’ve got to educate their customers as to what they can do. We’re just putting together all the good practice we’ve seen around the world for the GSMA website, for example, so people know what to do. I’d like to reinforce the point of view that it’s another way of people getting into telco fraud – that’s been a big business for many years – people are starting to get content and use that as a way to launch viruses and Trojans. And as well as talking about the mobiles themselves we’re also concerned about the infrastructure, because when you’re talking about an IP infrastructure, that’s far more well known by the hackers, whereas the old circuit-switched infrastructure was much easier to secure. So clearly operators as well have to be reinforcing all the things they’re doing in looking at their IP systems.

EDUCATION AND TECHNOLOGY

KD:
Is there more that the industry can do to combat this threat, given we’re not, as Laurent said, already there yet in the same way the desktop PC market is.

CB:
Well it’s going to be exactly the same messages such as not opening an attachment if you don’t now you can trust the source, not opening MMS if you don’t know where they’ve come form, looking for phishing attacks, education on people answering yes/no on security based questions, on whether someone’s going to open a Java applet on their phone. So yes, it’s a very strong way of trying to educate people and I think that’s a complete change from just receiving voice calls and receiving text messages.

KD:
So it’s about user behaviour there, but Craig, you’re taking a view that there is something you can do at a technical level as well.

CH:
In the desktop world you have Windows Vista coming in that will have a lot of the security features built in, and I think again here we need to stay ahead of the PC world and build those things into the phones and the entire service package. So the operating platform is an essential part but it has to work with other parts of the value chain.
KD:
Juliet, do I need a mobile security policy or do I need to integrate it into my existing security policy?

JW:
I think it’s integrating it into your total business, so you need to understand what are the risks – considering laptops, PCs, mobiles and PDAs within that; having view on what are the appropriate devices; recognising what people have already got; having amnesties around technology; recommending devices people can use within some level of choice. Guidelines need to be clear and well written and then make it clear those things are going to be enforced. Also it’s about recognising that the risks are different for someone out and about on their voice device and the CEO on his BlackBerry in the airport lounge.

CB:
These devices will also have considerably more storage on them, and will have a lot of sensitive information on there, so you’ve really got to have policies as you do with any other device.

JH:
You can try and educate users but it’s a very dynamic area and most users are not educated, so there’s an opportunity for IT departments to take away the complexity. Otherwise it’s too dynamic for the user concerned.

LG:
User education is important but it’s just one piece of the policy. We’ve seen reports in the PC world in Germany of a phishing attack on a German bank and, even though users were aware of the threat, nonetheless 70% of this bank’s users keyed in their login, password and even transaction codes. So education is one way to deal with security but you still need the proper tools on the devices to make sure that if education fails you have a fall back. We’re seeing in enterprises great interesting mobile security solutions. Primarily because enterprises aren’t talking about threats, they’re talking about risks. I’m not sure that the mainstream public is really ready for smartphones so we’re focusing on the enterprise and the operators themselves.

MANAGEMENT OF SECURITY … and security of management

CH:
One of the things that mobile manufacturers are working on right now is management of security, being able to configure the security policies of devices that are in the field, and that’s a clearly a very valuable thing: you can adjust your security policy based on the threats that you can see. That is, you don’t maintain an extreme threat level all the time because there are times when that is inconvenient to people. So we’re very keen on enabling that kind of approach, but there is in my view a missing piece to that, which is, that if you turn it around, you need security of management, and right now phones are quite trusting. If they get a request to upload a security policy then generally they’ll do it and you risk having a situation where an attacker may tell a security guard to go off shift now, as it were. We’re working with phone manufacturers, device creation partners, ISVs such as Trend Micro, network operators who are obviously a crucial part and also enterprise organisations to make sure we’re able to support the kinds of policy settings they are able to do.

FREEDOM AND CONTROL

JH:
I think we are seeing users getting cleverer and cleverer and there’s an onus on the  industry to protect users because often they don’t know what they’re getting into. So we’re seeing a lot in the States and the UK about protecting minors. There’s a strong obligation to give everybody the freedom to do what they want within sensible boundaries.

JW:
I think it’s the same for business customers. We have customers saying they’d be comfortable to pay a nominal amount for us to put security in place to help them manage that and to help them control what happens to their information. Companies recognise the value of mobility and have seen that it makes a real difference to their business – you can close it down but that doesn’t solve the problem so you need to find a balanced view to allow people to exploit the benefits of the technology.

CB:
Which in the end comes down to risk management – taking a practical point of view as to whether it’s good enough to your business.

LG:
It’s very important that the user isn’t burdened by security tools. So if you take the burden of different security tools just for firewall, encryption etc, so it becomes about the  management of security solutions on those devices.

CH:
And it’s very important for those security solutions to work together. If you look at the range of security solutions, including hardware security technologies, in newer chipsets, also the OS security model and the layered security solutions such as malware detection, and try and put those together in a way that the security policy is proportionate to the threat you end up with a much better user experience.

JH:
Users are desperate for somebody to package that together.

KD:
So are we going to see on our mobile bills a check box saying ‘yes, give me security’?

JW:
I suspect that’s where we going. I’m not sure any of us have got there yet, but certainly things like backup are already starting to appear. It varies whether it’s included in the application or not, so for email it would be included in the solution. So, for a small business just simple things like backing up contacts is so easy – but I spoke to one customer in a small business who said she’d move to Orange just for that simple solution to that problem. Because we’re in the industry we tend to know and worry about the future big stuff, but we’re not letting people get aware of the basics, as well as helping the big guys.

PROTECTION, SPYING AND SIGNING ON

JH:
Protecting users from inappropriate content – is that spying on users? Is it intrusion or protection? It’s about freedom of choice and some of that is about having the freedom of choice to be able to select not to receive that, or protect my children from that.

CH:
Standards differ so we have to be careful not to be drawn in to make moral judgements. For example when an application is included in Symbian signed programme, it’s available globally. Some devices by default will not allow applications to install if they are unsigned,and some will. This is all dependent on the configurations by the device manufacturer and, going forward, this will also be manageable in the field.

LG:
I have a slightly controversial view on signed applications. We as an AV vendor have the view that as long as you authorise third party applications on any OS, as secure as it might be, you have the risk of having malware on it. With Microsoft Vista, which is the most secure platform that Microsoft has produced, we already have indications that the Vista platform can be breached by malware using the signed drivers from MS, and that’s something really scary. If the malware writers really want something to happen on a platform, it will, because now it’s really an industry. The FBI says malware in 2005 amounted to $62 billion, that’s more than twice the revenue of the AV industry alone. So we really have to be aware of this and careful about this.

CH:
I completely agree. I mean no signed in system is completely secure. That’s why it’s important not just to focus on prevention but to detect things as they happen and respond to them. Signed is no guarantee but even so you’re better off with them.

LG:
I certainly agree with that!