Mobile Security: A Brief History and What is Next
Mobile represents one of the greatest challenges of enterprise IT and security. Employees, business partners, and customers all want to be able to access enterprise applications and information from anywhere, at any time, and using any device of their choice. Combined with cloud-based and social applications, this becomes a security and compliance nightmare.
Some of the challenges with mobile access, especially BYOD, include
· People want to use any device of their choice, including devices not issued by and not controlled by the organization. This extends to “transient” devices, e.g., the tablet in the hotel room, or shared devices, e.g., the iPad in the living room.
· People want to use the same device for work and personal matters. In fact, the distinction between work and pleasure is often blurred. Is DropBox personal? Don’t you use it to store some corporate documents? Is Facebook personal? Really? Think again. What about email? I often get work-related messages to my personal email, and vice versa. Your employees will not like you if you force them to tote two smartphones.
· Some people, e.g., contractors, work for multiple organizations, and want to use a single mobile device.
At the same time, most mobile devices were designed as “gadgets”, not as “enterprise tools”, and focus on user experience, not security:
· Mobile devices are lost and stolen in droves.
· It is almost always impossible to wipe a lost or stolen device, because remote wipe is easy to defeat simply by disconnecting the device from the network.
· It has been repeatedly demonstrated that it is easy to extract information from mobile devices, even if they are locked (including corporate passwords that have been stored on the device), and even if they have been encrypted.
· It is often possible to hijack information “in the air” when the device is using unsecured, or even secured, Wi-Fi networks. Recently, researchers have shown that even cellular communication (yes, 3G) can be hijacked using femtocells.
And users are usually not much help:
· Employees are not willing to give the organization full control of all of their devices, and in many cases are concerned about privacy even on corporate-issued devices.
· Employees are not willing to give up the fabulous user experience of the email application on their device of choice in favor of a look-alike.
· Employees are not willing to live in a segregated container. It is not natural to the mobile experience, and it will increasingly limit cross-application integration if applications are confined by the container “walls”.
· There is a good deal of research showing that employees could not care less about security, and that most would openly violate corporate security policies to gain any inch of productivity or convenience (e.g., using forbidden cloud-based services, using unauthorized devices, etc.).
So what should CIOs and CISOs do?
They are tasked with securing corporate information. They are required by law, and by a plethora of regulations, to secure information about business partners, customers, etc.
So here is a brief history of mobile security solutions…
Evolution of Mobile Security Solutions
At first, there were laptops and Blackberries. These should not be confused with the mobile devices of today. They were almost always corporate-issued and controlled. IT was able to enforce any security or administrative policy that was deemed important on the use of the device, and this was quite okay with all of us since the devices were used primarily if not exclusively for work purposes.
Then came iPhones and Androids. These are full-fledged computers, not email machines. They run a wide variety of applications, with a special focus on personal uses and even entertainment.
Experienced IT folks immediately recognized the forthcoming trouble. Their initial professional reaction: not here. I still remember a conversation with a CISO who insisted that he would not allow any device other than a corporate-issued BlackBerry to access the corporate email system.
But of course that was fighting the inevitable. The first to break the rules were those that set the rules in the first place, i.e., the highest level executives. They also wanted to use the new gadgets. So they instructed IT to “find a solution”. In the meantime, they excused themselves, and soon enough the exceptions trickled down the corporate ladder.
Generation 1: MDM
Facing the challenge, most CISOs adopted Mobile Device Management (MDM). MDMs were not born as security solutions. They are designed to manage a fleet of devices and to grant IT control over those devices. At the very least, CISOs thought, they would make sure that some basic security steps are taken by the user (e.g., enforcing a pincode on the device), and they could wipe the device remotely if it was lost or stolen. This seemed to work for a while, at least for a small number of users and devices.
But then reality hit again. It took some time to realize that MDM gives a false sense of security. Among other issues, the pincode does not really protect against break-in once the device is lost or stolen, and the wipe function can easily be disabled, e.g., by switching the device to airplane mode.
More importantly, users were crying foul. With mobile devices being used primarily for personal purposes, users were concerned about their privacy when IT is given full control over their device. Modern mobile devices also enable new use patterns, e.g., sharing a device among colleagues or family members. As more users acquired more devices, and used them for more personal and otherwise diverse purposes, the MDM approach was quickly losing out.
Finally, managing a growing number of devices also incurs significant management costs, and may expose the organization to certain liability risks, e.g., if a device is wiped along with its personal data, or if an administrator uses the tools to spy on an employee.
Generation 2: Container-based Solutions
And so, it became clear that taking control of a whole device is too high a price to pay to achieve security, and one that puts IT in direct conflict with users, thereby driving down adoption.
A new container-based approach then evolved, with a variety of permutations. The main idea was to define a “portion” of the device that would be dedicated to work-related data and applications. That section of the device would be secured and managed by corporate policies, while the rest of the device and all the personal applications are spared corporate intervention.
In some implementations, there is literally one container (really a mobile app) that is governed by corporate IT rules. In that container, the user finds all the corporate applications that are allowed to be used, and this is also where corporate data is stored, encrypted and secured. Corporate IT can decide which applications are allowed, and can also wipe the container at will. The leading example of such a container is the popular Good Technology container. The first application to use this container was the Good For Enterprise email application. With the new Good Dynamics SDK, application developers can build applications that fit into and leverage the Good container technology. Other companies are now also offering container solutions similar to Good’s.
Another approach takes the container idea one step further, creating a whole separate virtual environment. Sometimes referred to as “virtualization” (not surprisingly starring VMware’s Horizon), and sometimes as “multi-persona”, this approach lets the user switch between work mode and personal mode. Each mode provides the full functionality of the device OS, but there is a clear separation of applications and data between the environments.
A third approach is “application wrapping”. In that approach, a wrapper provides a “container” around certain applications, protecting the application and its data. This is a more minimal approach, but it still requires some modification of each application, and it creates some duplication in the user experience.
In container-based approaches, security is achieved through separation, and through encryption and control of corporate information. All of these approaches reduce the role of the device itself in security, and reduce the impact on personal uses of the device.
However, all of them affect the user experience in work-related tasks. In some cases, separate applications need to be written for the container, replacing the native (and often loved) applications. This has been a main source of criticism and pushback from users.
In addition, the segregation goes against the grain of modern mobile experience which emphasizes integration between applications and blurring the differences between what is work and what is personal. For instance, it can make it difficult to coordinate multiple calendars (e.g., my work, family, and triathlon training calendars). Many people also have some level of “diffusion” between their personal and work emails.
Finally, these solutions are still device-dependent from a security perspective, and may be defeated on rogue devices. And they still have to be managed per device, pushing the cost of acquisition and the cost of management higher.
So where are we going?
Generation 3: Server-side Solutions
With the number and diversity of devices quickly growing, and with many of these devices falling into new categories, e.g., highly personal (glasses, wearables), highly shared (car-based, wall-mounted), and transient (hotel TV, rental car), we expect that any device-dependent solution will not be acceptable for many use cases.
In many cases, the proper security policy is not related to the device at all. For example, certain access rights may be linked to geographic location. In other cases, it is the content of a document that dictates that it should not be accessible from a mobile device. And of course, in many cases it is a combination of user, device, location, content, etc. that should dictate access rights and/or the level of access.
In our opinion, the solution is simple. As much as possible, ignore the device as it is merely the vehicle used to access the data.
With regard to the device itself, it is okay to require users to avoid rooted devices when accessing corporate networks. It is also okay to require an anti-malware agent, or to scan a device for viruses before allowing it in. But a good solution should try not to rely on the device itself for security (because it could be undetectably rogue), and a good solution should not limit access to specific types of devices (just as no one checks which car I use to come to work).
And so, in our opinion the best solution is one where the security is enforced from the server side, without relying on the device. With a server-side solution, the organization has full control over who has access, to which data, where, when, etc.
Ideally, a good solution should also not change the mobile user experience: certainly not for personal use, and if at all possible not for work-related tasks either. Ideally, the individual should be able to easily interleave work with personal use, and enjoy the integration of any and all applications.
We have been working with LetMobile and our customers on their gateway-based solution, which does just that:
The organization gets to secure its data:
· Enforce multi-factor authentication before a user/device gets access to the data. Besides the usual factors, LetMobile may refuse to authenticate a device that does not fit company security standards.
· Corporate data (and especially corporate credentials) is not stored on the device, and so is not exposed if the device is lost or stolen. Encryption is good, but it is also subject to certain types of attacks; no data on the device is better.
· Each and every access to corporate data is subject to the current policy. This allows immediate revocation of access rights, unlike the case where some data has already been downloaded to the device. It also allows policies based on location, time, device type, etc.
· DLP policies can be applied to certain types of content, e.g., social security or credit card numbers, preventing or limiting access to such information from mobile devices and/or from certain locations, e.g., in accordance with the requirements of certain regulations.
· Each and every access to corporate information is logged, and the log can be used for compliance reporting as well as forensic analysis.
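The per-request, server-side policy model described above (user, device state, location and time combined with content-based DLP, every decision logged) can be sketched as a small gateway policy engine. This is an added illustration, not LetMobile's code or the author's; the policy values, the rooted-device flag, the SSN/card patterns and the sample documents are all constructed for the example.

```python
import re

# Constructed policy and data; a hypothetical gateway, not LetMobile's code.
REVOKED_USERS = {"carol"}          # revocation applies on the very next request
ALLOWED_COUNTRIES = {"US", "DE"}   # location-based access rule
WORK_HOURS = range(6, 22)          # time-based access rule (local hour)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
AUDIT_LOG: list[dict] = []         # one entry per access, for compliance/forensics

def luhn_ok(number: str) -> bool:
    """Luhn checksum, so random digit runs are not redacted as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> tuple[str, int]:
    """Mask SSNs and Luhn-valid card numbers; return (text, number masked)."""
    text, hits = SSN_RE.subn("***-**-****", text)
    def mask_card(m: re.Match) -> str:
        nonlocal hits
        if not luhn_ok(m.group(0)):
            return m.group(0)            # digit run that is not a card number
        hits += 1
        return "[CARD REDACTED]"
    return CARD_RE.sub(mask_card, text), hits

def evaluate(user: str, device_rooted: bool, country: str, hour: int,
             content: str) -> tuple[str, str]:
    """Check one request against the current policy; return (decision, body).
    content is read server-side for this request only; nothing is cached on the device."""
    if user in REVOKED_USERS:
        decision, body = "deny:revoked", ""
    elif device_rooted:                  # result of the device check at authentication
        decision, body = "deny:rooted-device", ""
    elif country not in ALLOWED_COUNTRIES or hour not in WORK_HOURS:
        decision, body = "deny:location-or-time", ""
    else:
        body, masked = redact(content)   # DLP applied to the content being served
        decision = "allow:redacted" if masked else "allow"
    AUDIT_LOG.append({"user": user, "country": country,
                      "hour": hour, "decision": decision})
    return decision, body
```

Because the policy is re-evaluated on every request, changing REVOKED_USERS or ALLOWED_COUNTRIES takes effect immediately, which is the point the list above makes about revocation versus data already downloaded to a device.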
At the same time, the user gets all the benefits of modern mobile experience:
· Employees can choose any device they like, and can use it to access work information from anywhere, at any time, using the application they want, all of course subject to corporate policy.
· Employees are not required to install an agent that grants the company any control over their device. That means they can now use personal devices, home devices, etc. without being concerned about their privacy.
· Employees can continue to enjoy the native and integrated experience of their device, and are not required to log into a segregated container and use a look-alike application. This is especially critical for communication and collaboration applications, e.g., shared email, calendar, and contacts.
As a network-based service, the LetMobile solution can be deployed on-premise or consumed as a pure cloud-based SaaS. Its architecture makes it very scalable, easy to deploy, and cost-effective across a very large number of users and devices.