Security Issues for the Mobile Enterprise
Security is a complex, multi-faceted topic. Mobile devices can be attacked in different ways for different reasons, and right now it is a serious issue.
September 8, 2010
Let's start by recalling the basic concept that's driving enterprise mobility. It's predicated on easy access to corporate data as well as the ability to update databases with information and transaction data.
Smart phones are the key driver. They enable data sessions to be conducted at any time and from any place, and they also do voice, email and IM. So now there's a single handheld device that does it all. In addition, we have mobilized applications that are customized to match specific staff requirements, e.g. mobile CRM for sales and a mobile CRM for maintenance.
However, as indicated in the first article in this series, in many enterprises these devices entered via the back door, i.e. usage was not authorized. They have open operating systems and Web browsers, so there is a real risk of infection, which could spread if an infected phone were connected to the corporate intranet.
There is therefore a compelling need to secure these devices and also ensure compliance with corporate policies.
Complex and Multi-Faceted
The security issue is compounded by the fact that many employees will have a preferred device and vendors are marketing a steady stream of new models. IT departments will therefore have to manage different devices running different applications on different operating systems, e.g. BlackBerry OS, Windows Mobile, Symbian OS, Mac OS X, Palm OS, and various flavors of mobile Linux.
Not every user should automatically get access to everything on the network. Different departments and employees have different requirements, so a first step is to establish what they hope to gain from mobility. This pragmatic step will allow IT to create groups of users and determine governance policies for each group. These policies will define the "like to have access" and "need to have access" for each group. As a first line of defense, all confidential data on mobile devices should be encrypted. This is enabled on smartphones when the application is client-server, i.e. the communications link is encrypted at both ends: on the servers that run the various business processes as well as on the devices.
It is clear that server-side encryption cannot be implemented for social network applications like Facebook. Therefore security that restricts access to social network sites is a trade-off, and objections might arise when an employee cannot use his/her device in his/her role as a consumer. However, workaround solutions are being developed (this is covered in a later section).
That said, disclosure laws such as California's SB 1386 treat any stored private information as "computerized data". Smartphones are not exempt from laws protecting consumers against disclosure of their data by companies holding that data. The easiest ways for enterprises to avoid this are never to allow consumer data to be delivered to a smartphone, to clear caches and temporary buffers after a VPN session, or to encrypt all data that the smartphone receives.
Granular Solutions
Security can be linked to the individual; this is known as role-based security. It's realized by establishing fine-grained classifications for all relevant employees, i.e., each classification carries a specific bundle of access and other privileges. Employees assigned to a particular classification only have access to the privileges associated with that role.
In addition, security can be object based. In this case, access rights focus on business objects, e.g., leads, sales opportunities, contacts, accounts, quotes, orders, invoices, contracts, etc. Role-based security and object security can be combined in order to define the overall security rights users have for a particular application. IT can set up management and security protocols that conform to those policies. Varying device management tasks and levels of security can also be applied to each group.
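As an added example, not code from the article or from any vendor it names, the Go program below combines the two models just described: users are grouped into roles (the governance groups from the policy step above), each role bundles rights on business objects such as leads, quotes and orders, and anything not granted is denied. The "need to have" versus "like to have" split follows the article's policy wording; the rule that like-to-have rights are honoured only from a device that passed the connection-time compliance check is an assumption made for this example.

```go
package main
import "fmt"

// Grant is one object-based right, e.g. the "write" action on "quotes".
// Essential marks a "need to have" right; false means "like to have", which this
// example (an assumption, not the article's rule) only honours from a compliant device.
type Grant struct {
	Object, Action string
	Essential      bool
}

// Policy combines role-based and object-based security; anything not granted is denied.
type Policy struct {
	roles map[string][]Grant  // role name -> object rights bundled with it
	users map[string][]string // user -> assigned roles
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string][]Grant{}, users: map[string][]string{}}
}

// AddRole defines a job classification and the object rights it carries.
func (p *Policy) AddRole(role string, grants ...Grant) {
	p.roles[role] = append(p.roles[role], grants...)
}

// Assign places a user into roles; an undefined role is rejected outright.
func (p *Policy) Assign(user string, roles ...string) error {
	for _, r := range roles {
		if _, ok := p.roles[r]; !ok {
			return fmt.Errorf("unknown role %q", r)
		}
	}
	p.users[user] = append(p.users[user], roles...)
	return nil
}

// Allowed evaluates one request. deviceCompliant is the result of the check made
// when the phone connects to the corporate network (e.g. software up to date).
func (p *Policy) Allowed(user, object, action string, deviceCompliant bool) bool {
	for _, role := range p.users[user] { // unknown users hold no roles
		for _, g := range p.roles[role] {
			if g.Object == object && g.Action == action && (g.Essential || deviceCompliant) {
				return true
			}
		}
	}
	return false // deny by default
}
```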
Other measures that can and should be taken include anti-virus software, centrally managed in order to ensure that all devices are employing the latest release. In fact, all applications, software distribution and security components should be controlled centrally. And when devices are reported as being lost or stolen, then all data should be wiped automatically.
In a nutshell, when it comes to protecting data and ensuring secure connectivity to applications, a smartphone should be treated the same way as a laptop running Skype or VoIP.
Workaround Solutions
Users can have two virtual profiles: one professional and one consumer. The risk of infection from a consumer app can be minimized using anti-virus software plus checks when the phone is connected to the corporate network, e.g., whether the software is up to date. The wireless network operator can also minimize the risk, but phones sometimes might use Wi-Fi hot spots that bypass the cellular operator.
Another security strategy is to adopt a "sandbox approach." This involves storing enterprise data and applications that are encrypted and password-protected in one part of the device. The remaining files, e.g., music, videos, and photos are retained and made available to users that are not logged onto the corporate network.
Trade-Offs
There is an obvious need to minimize breaches of security, but this task goes beyond simply securing the technologies. Solutions have to be pragmatic and relevant to work processes they are going to protect, so there may be trade-offs. Users have to work with the solution and if usage is too complex or cumbersome it won't work. For example, if corporate policies are too restrictive, users may look for ways of circumventing them. Moreover, lack of user adoption could result in the benefits of a mobile solution not being realized. Therefore solutions should be designed with adoption in mind.
This means that C-level management should take a more active role as security shifts from being technology-centric to business risk-centric. Security decisions should involve business-level discussions, and management is in a better position when it comes to determining the risks involved. And the biggest security risk may turn out to be a disgruntled employee.
In addition, staff should be involved before solutions are implemented. They need to understand the reason for changes in work procedures and, if necessary, training should be provided.
Figure 1: Vanson Bourne survey of IT decision makers in the UK and US.
A full version of the report can be downloaded from www.good.com.
Sensible Steps
All connectivity to business applications and networks should require a password and an SSL VPN. Every smartphone that is used for business should require a password to be entered before launching a browser, mail agent, or other business application. The last thing IT wants is for a total stranger to turn on a lost smartphone and be given complete network access at the click of an icon. Another valuable feature of smartphones is the presence of a "kill switch", so that a device reported as lost can be disabled as soon as it is turned on.
Configuration management will become a greater issue for smartphones as business software becomes more prevalent and malicious code starts targeting these devices. Virtualized approaches, for example keeping the application and data in the data center and using the smartphone just for display, should be considered. A sensible and rather obvious step is to implement and manage a solution that protects corporate mobile users from malicious programs, SMS spam and Internet attacks that target mobile platforms. This is the baseline functionality provided by Kaspersky Mobile Enterprise Security Edition (see figure 2 below). This solution also provides protection for confidential data stored on a smartphone should the device be lost or stolen, and the Administration Kit provides centralized control.
The solution can be installed from one point regardless of the number of mobile devices employed or their location. As illustrated, installation can be performed via a PC using Microsoft ActiveSync or Nokia PC Suite, or via SMS.
Figure 2: Kaspersky’s solution: (1) indicates the installation of an intelligent network agent; (2) indicates the transparent installation on a mobile phone using synchronization; (3) is the alternative installation method using SMS; (4) indicates the ability to monitor policy enforcement; and (5) is the SMS link to the solution and the configuration.
Adding Encryption
Security vendors are moving forward to embrace the protection of smartphones. There are lots of vendors offering smartphone encryption, including Good Technology (neat name) and Mocana.
Good Technology has a solution suite known as Good for Enterprise that has mobile messaging, secure browser access (coming soon) as well as application/device management and control components. The client application isolates and encrypts enterprise data on the devices, and access to the enterprise system goes via network operations center infrastructure in order to enable end-to-end transport encryption and security. The solution prevents unauthorized access on Android devices, all iPhone models as well as the iPad, plus Windows Mobile and Symbian devices. On the server side it works with various Exchange and Domino products.
Mocana's core product for this sector is a government-certified cryptographic engine known as NanoCrypto (see sidebar "Tough Standards" after the Conclusions). It offers developers a selection of cryptographic technologies: public-key methods including RSA and elliptic curve, symmetric algorithms such as 3DES and AES, message authentication, hashing and pseudorandom number generation.
In the event of a device being lost or stolen, IT can issue a remote wipe command that deletes all encrypted enterprise data within the application. Developers build this function into the solution using the cryptographic engine.
Silicon Solutions
In the future we should see robust security engines being embedded in the devices, in which case security will be something we take for granted. However, as shown in Figure 3, devices that have a microSD slot can employ Certgate's solution, which is based on a flash memory card.
Figure 3: Robust hardware-based security, including encryption, can be provided for mobile devices that have a microSD card slot.
Smartcard functionality for smartphones, i.e., signature and encryption, is enabled through hardware tokens in a microSD card. Together with flash memory and a cryptographic processor, this enables digital key pairs (RSA 2048 bit) and certificates to be generated and stored.
The private keys can be generated directly on the card and, once created, they do not leave the card, which means that they cannot be intercepted. This approach also means that there is no operating system dependency. All that is required is a microSD slot, which is available on most mobile devices, the iPhone being a notable exception. In addition, Certgate has developed voice encryption for VoIP calls.
Secure mobile email was a relatively expensive but very successful service that RIM pioneered, and the BlackBerry is still the preferred device for business professionals. Data transmitted between the BlackBerry Enterprise Server (BES) and BlackBerry smartphones is encrypted using the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES). The US government uses the latter standard. In addition, RIM's implementation of the S/MIME end-to-end email encryption and signing standard can be activated on both the BES and the devices.
However, while these OS-based solutions deliver robust security, they can be augmented by incorporating Certgate's microSD card. For example, it enables true two-factor security, i.e. possession and knowledge, a combination that disallows any unwanted access to the users' private credentials.
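To illustrate the design point made above, here is an added Go model (not Certgate's or RIM's code) of a token whose RSA 2048-bit key pair is generated inside it and whose private key is never exported: callers get only the public key and a signing service, and signing needs both the token itself (possession) and its PIN (knowledge). The PIN being held in the token's protected storage and the retry limit of three wrong PINs before lock-out are assumptions for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

var ErrBadPIN = errors.New("token: wrong PIN")
var ErrLocked = errors.New("token: locked after repeated wrong PINs")

// Token models the microSD smartcard: the key pair is generated inside it and
// the private key is never exported. Use needs the token (possession) and its PIN (knowledge).
type Token struct {
	priv     *rsa.PrivateKey // never leaves this struct
	pin      []byte          // assumed held in the token's protected storage
	failures int             // consecutive wrong PINs
}

// NewToken generates a 2048-bit RSA key pair on the token, sealed under pin.
func NewToken(pin string) (*Token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pin: []byte(pin)}, nil
}

// PublicKey is the only key material the token ever hands out.
func (t *Token) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }
// Sign checks the PIN, then hashes and signs msg inside the token.
func (t *Token) Sign(pin string, msg []byte) ([]byte, error) {
	if t.failures >= 3 { // assumed retry limit: the token locks itself
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.failures++
		return nil, ErrBadPIN
	}
	t.failures = 0
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, t.priv, crypto.SHA256, d[:])
}

// Verify checks a signature off-token with the exported public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}
```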
Vertical Integration
Discretix also has a "security in silicon" model, but it is significantly different. This vendor believes that security cannot be properly deployed as an afterthought or a bolt-on. In order to be robust and transparent it has to be designed into the device from "the ground up", i.e., from the physical silicon, all the way through to the OS and applications. This approach reflects the fact that security breaches typically appear at the point where two distinct systems are joined together. Therefore, in order to minimize security breaches, the number of "joins" needs to be kept to a minimum. Discretix's solution realizes this objective via a vertically integrated, embedded solution known as CryptoCell that encompasses a security co-processor, middleware and applications.
The coprocessor includes cryptography ciphers such as public key algorithms, symmetric encryption and hash functions. The middleware layer provides support for various algorithms optimized for embedded applications as well as an attack-resistant secure database that uses standard external nonvolatile memory.
Discretix states that around 2 million devices that employ this solution are shipping every month, the majority being for Android and Windows Mobile smartphones.
Conclusions
Security is a complex, multi-faceted topic. Mobile devices can be attacked in different ways for different reasons, and right now it is a serious issue. Smartphones having open operating systems are particularly vulnerable, but at the same time they have advanced the concept of the Mobile Enterprise.
SIDEBAR: Tough Standards
FIPS 140-2 (Federal Information Processing Standard 140-2) is used to accredit the cryptographic "engines" that drive secure software or hardware implementations, and most federal agencies and contractors working on sensitive government projects are prohibited from buying products containing security software that is not officially FIPS-validated.
The National Institute of Standards and Technology wrote the FIPS 140 Publication Series in order to standardize federal cryptography requirements.
Bob Emmerson is a freelance writer who lives in The Netherlands. Email: [email protected]. Web: www.electric-words.org. The author would like to acknowledge the contribution of Henning Dransfeld, Executive Marketing Consultant at T-Systems.