Interview: Scott Totzke, VP global security, RIM

by Phil Muncaster

10 Nov 2009

Totzke: Ten thousand infected devices on an infected carrier's service could cause a DOS outage

V3.co.uk: As vice president of global security for RIM, what are the key data security challenges facing your customers?
Scott Totzke: It's about the security and privacy of information as it leaves the enterprise and is stored on mobile devices. For a lot of our customers it's a question of control: who is in control of the data, how do you manage it and how do you cope with the eventuality of it being lost or stolen in the event of the device being lost or stolen? These things are personal computers now, not cell phones, and they're capable of storing tremendous amounts of information. I've got a 16GB Micro SD card in my device – that's a lot of information.

What specific functionality are enterprises looking for to ensure their mobiles are secure?
Enterprise customers are looking at whether they can audit the communications, if they're in a highly regulated industry. It could be important to audit email, text, MMS and have phone logs so you know who's talking to who and when. And when they deal with the eventuality of a lost or stolen device, they want to make sure the systems they deploy allow for the remote erasing of information. The table stakes in the mobile world are having a secure connection into the enterprise, base manageability of passwords, and the ability to remotely wipe data from lost devices.

Aside from employee error, where do the main risks lie?
A lot of discussions are emerging about what the other mobile threats are. There is a trend towards malicious software in the PC world and it's in the process of migrating to mobile devices, so there's a lot of discussion about how to manage the applications many users want to add to the device. Email is fine, but business transformation-type applications are where you can drive most value from your mobile device.

A financial services customer of ours developed a loan approvals application and within two months it had become business critical; so you have this computing platform, and internally developed applications sitting on top, and then users who want to deploy consumer or lifestyle apps, too. Customers therefore need to look at ways to manage and control what applications run on these devices – to set policies on what can be installed.

How far off is a serious threat from mobile malware?
Mobile malware is already here but two to three years down the road we will see more critical mass and a few very targeted [malicious] applications leading to the leaking of customer data. Proactive customers are already thinking about this. The economies of scale are already there for the malware writers, but only in the past couple of years has the smartphone platform become so robust and powerful and gotten any type of market penetration. However, we've seen a lot of fragmentation in the operating system market, with Apple's iPhone OS, WebOS, and Android all appearing, and this has been a delaying factor.

What are we likely to see from the malware authors?
As mobile payments become a reality, we'll probably see a lot of social engineering efforts targeted at compromising personal information such as credit card details. Another trend we can expect is malicious applications that will strive to exploit the trust that exists between a handset and network provider, or enterprise network. It opens up interesting possibilities for what could be done with a mobile botnet. Ten thousand infected devices on an infected carrier's service could cause a DOS outage.

Is too much information being stored by firms today?
As an industry, technology-wise, security-wise and privacy-wise we need to make sure the solutions we deploy protect our customers' information. The question needs to be asked: why do you need that information? As individuals we also need to question what information we need to provide and look closely at the privacy policies we're signing up to. As we build systems it becomes increasingly important on the IT side to determine why we are collecting information, how we're storing it, what the internal governance is around it and how we protect it. There have been way too many privacy breaches.
