The perimeter of the enterprise is disappearing. What happens to Security?
Sramana Mitra: Let’s start by introducing our audience to Appthority and to yourself.
Anne Bonaparte: I’m CEO of Appthority. Appthority is a venture-backed company. It’s a mobile security company and we’re focused on protecting what matters most in the enterprise context, which is enterprise data and employee privacy. As we all know, we can’t live without our phones, both for personal and business use.
Because of that, we have not just a very strong tool but also a tool that can be weaponized against the enterprise. Appthority was founded to be able to assess the risk that is being brought into the environment with their mobile phone. We provide a platform for enterprises.
Sramana Mitra: What is the architecture? Where do you get inserted into the system?
Anne Bonaparte: Our thesis is that the greatest threat vector coming from the mobile ecosystem is from the mobile apps that we all use day in and day out. It’s really the apps on the phone that are the greatest threat. Of course, you have the device itself, the operating system, the network, and the app.
We protect all of those, but where we’ve been focused from the beginning is deep analysis of mobile apps and what they’re doing from both a static analysis as well as dynamic analysis to really run them through the paces to understand what kind of information they are collecting, what kind of calls they are making, and how they are using data. We are all about protecting the data.
As you know, with the whole app ecosystem that we have created as an industry, many of these apps are collecting way more information than individuals or maybe enterprises might be aware of. We do all of our analysis in the cloud so we can assess what apps are on the phone and then we do the analysis on the cloud. It’s a very light touch for the mobile phone itself.
Sramana Mitra: What are some of the heuristics of what you look for in the architecture that you described? What are some of the heuristics of what you’re looking for in terms of threats?
Anne Bonaparte: Of course, we’re looking for malware. We’re also looking for behaviors that may be problematic. It could be credentials access. It could be sensitive data access like PII, calendar or location. We’re evaluating secure data handling for use of encryption and understanding whether the data storage being employed is secure. Then because we’re doing this in-depth analysis, we’re also able to check it against policy compliance.
Each enterprise has a different framework for how they evaluate regulatory compliance. We have about 170 threat indicators we’re checking against. We have these templates that companies use to be able to test their mobile apps against their already existing compliance policies. They’re able to, not only have a high security test, but also ensure that they’re meeting their regulatory compliance.
Sramana Mitra: How does your system access all of the data that apps are capturing? What is doable in terms of scanning what the apps are doing on these devices that are being plugged into the enterprise?
Anne Bonaparte: We can pull the app inventory from EMM systems. In the cloud, we are doing this analysis that is both static as well as running them in a virtual sandbox. We have millions of apps in our database, so we can easily understand, “Could this app grab calendars?” If you’ve got a flashlight app that is pulling content from the calendar, that’s an indication that you might want to take a second look, because there’s no real reason for that except for malicious or very poor programming practices.
Sramana Mitra: When you look at the ecosystem, one of the questions that I’m trying to get my arms around is that cyber security is one of the most active areas of entrepreneurship and innovation in our industry. There’s always a security company getting funded all throughout the ecosystem.
If you are the Chief Information Officer and you have to figure out how to bring all these different technologies into your organization, how do you frame it? For example, Appthority does one piece of the equation. Can you put a CISO’s hat on and explain to me how a CISO would think about bringing all these technologies in and how they bring you in?
Anne Bonaparte: The way I frame it is, I’d be listening to the CISO talk about his overall security architecture and posture. Most likely, it’s going to be cloud-based. We’ll talk about how he’s approaching the management of risk across all these typical hardware and systems that he has in place.
Often, he will share that they have a blind spot with mobile because mobile often involves decisions that are driven by employees and are not necessarily completely controlled by the enterprise. There’s a gap in visibility for that CISO. He’d think about the cloud and where all the data is. What is accessing the cloud? Sometimes, it’s a desktop computer but more and more, it’s a mobile device, which is a computer with a lot of surveillance attached to it. The first step in assessing and managing risk is ensuring you have visibility.
Right now, there’s a gap in visibility. I’ve been in the industry for a long time, and we used to talk about perimeters. But here, employees with their phones form the perimeter. There’s not a true perimeter.
Sramana Mitra: Exactly.
Anne Bonaparte: If we can get him to be thinking about, “I don’t have complete control of that,” the first step is visibility. Where we differentiate is we’re able to provide detection depth and we’re able to do it in an easy, agentless way. More and more folks do not want to deploy a lot of agents. That definitely is a trend. We recognize that the CISO has established security and compliance policy frameworks.
We’ve designed our system to be easily integrated into those structures rather than starting over. We also have our own portal, of course, but with very flexible and customizable frameworks. He can see how it can snap into his broader vision because mobile can no longer be considered a silo, which I think it was in the early days. You really can’t think of it separately. I don’t think CISOs are thinking about that. They’re thinking about how to integrate mobile into the broader framework.
Sramana Mitra: What about vendor management? Are you directly working with enterprises or do you have to partner with larger vendors to get into the enterprise buying cycle these days? I know the CISOs are overwhelmed by the number of vendors they have to deal with.
Anne Bonaparte: Yes and yes. We primarily sell direct but we do also sell through a channel network. We’re deeply integrated and partnered with the EMMs. That’s the ecosystem we play in, but we do still have to fight the good fight and win customers one at a time or through our partner relationships.
Read the original article on the One Million by One Million Blog here.