|Africa and the Middle East 2006
|Mobile data security
|Vice President for the Global Mobile Vertical
Massimo Migliuolo is currently the Vice President for the Global Mobile Vertical at Cisco Systems. On August 1, 2006, he will take on a new role as Cisco Systems’ Vice President of Service Providers in Emerging Markets. Previously, Massimo Migliuolo worked at Lucent Technologies and at AT&T, where he was engaged in the development of their mobile market. Mr Migliuolo spent three years in the oil industry, before joining the telecommunications industry. Massimo Migliuolo graduated from the Bocconi University in Milan with a degree in Business Economics.
The rapid growth of broadband mobile data in Africa and the Middle East brings with it a series of challenges, including the question of Internet Protocol security. Unresolved security concerns could seriously hamper the widespread adoption of wireless data products and services. Operators that are not prepared to address security issues will face severe competitive pressures and, if the sector as a whole ignores the problem, government regulators are likely to impose solutions that could be costly and difficult to implement.
The revenue for delivering wireless data is already exceeding most industry predictions in the Middle East and Africa region (MEA), which is growing faster than Western, Central and Eastern Europe. Spending on wireless data services in MEA is forecast to reach US$9 billion in the next three years. The use of cellular and wireless networks to deliver voice, video and data content brings a new dimension to the broadband market and represents an exciting new source of revenue and margin for mobile operators. It also, however, introduces them to an unfamiliar world of business and technical challenges, particularly in respect to Internet protocol (IP) security. Our research indicates that in order to be successful in this potentially lucrative market, mobile operators must address the challenges of security. If left unresolved, customers’ security concerns could become a serious obstacle to the widespread adoption of wireless data technology, products and services. If mobile operators are perceived as not adequately able to address the problems, other vendors could enter the space, or government regulators could impose solutions that are difficult and costly to implement. By successfully managing network security concerns, mobile operators can expand their revenue opportunities in two ways: first, by offering a new set of basic services to an ever-wider customer base, and second, by charging for select IP security solutions as value-added services. Consumer and enterprise security concerns Consumer and enterprise customers share several security concerns, including secure mobile content and access control, but each also faces independent challenges, such as the assurance of business continuity and service guarantees on the part of enterprise customers. Spam: clogging inboxes While spam is not strictly a security concern, it is an unwanted and potentially expensive nuisance. Spam can often bypass anti-spam filters and appear in e-mail inboxes. The potential to receive unwanted text messages on mobile phones poses an even greater concern as consumer and enterprise customers do not want these messages clogging their inboxes and diminishing their expensive mobile minutes. The U.S. Federal Communications Commission (FCC) voted in August 2004 to ban all unauthorized text messages to mobile phones and pagers unless the user has given prior permission. A mobile data service will need to block spam not just to meet regulatory requirements but also, and perhaps more importantly, to meet customer demand for a clean inbox. Viruses: Infecting mobile devices While common in the wired data world, LibertyCrack 2000, the first known virus for mobile devices, appeared on Palm mobile devices, deleting all executables (program files) in 2004. The virus serves as a long-needed wake-up call for mobile operators because the risk of virus infection through cell phones presents a significant threat to both consumer and enterprise customers. The next generation of viruses could have the capability to record phone calls, shut down phone service, and even infect home office and corporate LAN (local area networks) and WLAN (wireless LAN) networks. Both virus and spam protection services will become a baseline requirement for a successful mobile data service Unrestricted access: Opening Pandora’s Box Teens and children have embraced mobile data applications such as e-mail and Internet access. Parents, however, will not pay for Internet access services for their children unless their concerns about access to adult content Websites are addressed. In the United Kingdom, mobile operators have signed a voluntary “code of conduct” to proactively restrict the access of children and teens to inappropriate content. If mobile operators do not provide an easy way to restrict access to adult sites, government regulators could step in and impose their own solutions, which could be technically difficult and expensive to comply with. If operators are proactive and work with government agencies to help control access, they can potentially gain governmental allies, invaluable PR, and a perception of concern for families. Law enforcement compliance: Playing the informer Mobile operators must also be able to comply with government regulations concerning ‘lawful intercept’. They must be able to respond to subpoenas from law-enforcement authorities to monitor the activities of certain users by examining message streams in real time. For example, to avoid detection, criminals often share e-mail ‘drop boxes’, shared e-mail accounts with a common password, and leave draft messages for one another. The draft e-mails are never sent, so they cannot be tracked. With mobile phones, this strategy becomes even more viable for criminals. In Europe, where prepaid mobile access is more widespread, users can purchase prepaid mobile phone cards or chips and use them to access the Internet. The purchase is a cash transaction, so the temporary service use cannot be traced. The mobile user can communicate unseen, and then discard the device once the conversation is completed. Law enforcement personnel will want to know in real time what cell locations those types of contacts are coming in from so they can take appropriate action. Mobile operators must learn to examine the bit stream in real time and identify the URL that leads to the drop box, find the cell site, and immediately forward that information to the appropriate authorities. Confidentiality: Thwarting thieves For enterprise customers, protecting the privacy of their business communications is paramount. Mobile operators not only provide mobile-data transport to enterprise customers, they must also provide appropriate encryption and authentication safeguards, including support for VPNs (virtual private networks). Mobile operators that have a wide-ranging customer base need a flexible approach to security delivery. For some customers, lower-level safeguards will satisfy their security needs, but others will demand and be willing to pay for higher, more sophisticated, levels of defence. Business guarantees: Taking responsibility In order for large enterprises to consider outsourcing network security, the services must be accompanied by business guarantees. All too often, operators focus on the technical challenges posed by security and overlook the business challenges faced by their customers. The level of concern, which is directly related to confidentiality, is in direct proportion to the value of the information transmitted over the wires. Financial institutions managing mergers and acquisitions, and healthcare organizations handling patient medical records can be held civilly and criminally liable for information that is left unprotected over the wireless infrastructure. Any findings of accidental or deliberate negligence can result in civil or governmental penalties and millions of dollars in fines. These businesses and organizations will expect their mobile service providers to share in this responsibility. Mobile operators must be prepared to accompany their service offers with business guarantees, to prove that they are responsible and that they recognize and understand the severity of the security risks. Checklist of capabilities For mobile operators, a successful content-delivery strategy depends on the ability to control what content is delivered to each subscriber. Content-delivery constraints arise from legal, cultural, corporate-policy, and social-responsibility perspectives. Mobile operators must be able to address all of these aspects, while also giving subscribers some choice and control in the content they access. The questions in this section are designed to help mobile operators plan for the service capabilities their customers will expect from them. For the consumer market 1. Do you have the ability to intervene in a text-message stream and examine whether it is spam or a legitimate e-mail? Today, spam and viruses are perceived as technical problems. However, as mobile telecom becomes ubiquitous, they will be viewed as social problems, providing an opportunity for legislators to establish controls that may be difficult and expensive for you to implement; and 2. As your subscribers browse the Internet, do you have the ability to examine each URL and take appropriate action? Examples might include blocking access to adult content URLs for under-age subscribers, and tracking and triggering law enforcement alerts if a URL is associated with suspected criminal activity. For the enterprise market 1. What markets do you plan to target? What security requirements are dictated by customer expectations, business practice or regulation? The answer to these questions will determine the appropriate security services you will need to deploy. 2. Do you have the appropriate business guarantees to support your technical security implementations? Your guarantee to back up your security assurances communicates a great deal to your customers about your level of investment in and commitment to the services you offer. Mobile security business benefits Delivering content over the mobile infrastructure offers exciting new sources of revenue for mobile operators – and security issues can successfully be addressed with the proper planning and deployment. We recommend that you consider the benefits listed below as you calculate your cost-value analysis. • Mobile data transport can be an attractive service with a wide customer base. If enterprise or consumer customers do not believe the service is secure, however, they will not use it. • Customers are willing to pay for value-added security capabilities. For example, some ISPs offer parents the option of blocking adult and other inappropriate URLs for an additional monthly service fee. • Effective mobile-data security helps create customer loyalty by sending the message to consumers that you are an Internet service provider that cares about protecting their children’s safety and well-being. • Building the perception of secure transport around your mobile service adds value to your brand. • Mounting a proactive response to solving security threats keeps government regulators from imposing their solutions on your operations, or in extreme cases, from shutting down your business because of criminal activity associations.