Mobile Device Management: Taking Containerization to the Next Level

Transcription

1 Mobile Device Management: Taking Containerization to the Next Level _oml_v1p Public Omlis Limited 2015

2 Contents Introduction 2 How EMM has Evolved 3 The Basic Workings of MDM 4 Conventional MDM Security Methods and the Direction of Change 5 Enhanced Smartphone Capability: Flaws and Possibilities 6 How Omlis can Help 7 What s Next for MDM? 7 References 8 Contributors 8 1

3 Introduction After VMWare s $1.54bn buyout of AirWatch in 2014, it became clear that augmenting traditional MDM (Mobile Device Management) with developments like MAM (Mobile Application Management) would become one of the trends of 2015, and containerization strategies would come to represent one of the year s fastest growing markets. As the market matures traditional enterprise mobility vendors will seek to cooperate with the most innovative mobile first security companies such as Omlis. In the period up to 2005, EMM (Enterprise Mobility Management) was fairly simple; the network perimeter was a fortress with few points of access and a majority of locked-down fixed terminals, limiting the extent of the client / server relationship in terms of mobile. In the last ten years the mobile revolution has transformed EMM to incorporate the various software defined modules of MDM. Company resources are accessed through an army of mobile devices with the capacity to store and access huge amounts of valuable data. These powerful smartphones lie in wait at a crumbling network perimeter, each one acting as a potential vehicle ready to infiltrate vast internal siloes of corporate data made available via a compromised phone or MDM server. The complexity of the current mobile ecosystem, and the phenomenon known as BYOD (Bring Your Own Device) has threatened the very existence of MDM in favor of specific containerized solutions, but it s become clear that MDM can adapt and survive on new terms. Modern MDM solutions need to combine potent combinations of secure authentication, threat detection and encryption at both device and application level. In response to these demands a plethora of companies ready to enhance the MDM product offering have emerged, but few can guarantee the kinds of assurances which the Omlis core technology can naturally provide. 2

4 How EMM has Evolved Device management whereby a company attempts to control the entire OS (Operating System), has been learning to coexist with more focused software application management over the last couple of years, which has encouraged the effective partitioning of a mobile device s OS. This increasing influence of software and enterprise apps has placed complicated new demands on security architecture. In response, the lines between classic EMM and more modern conceptions of MDM have now fully blurred, and the classic Web Application Firewall is no longer a comprehensive countermeasure to fraud. MDM s functional boundaries are also expanding to incorporate the likes of MAM, MCM (Mobile Content Management) and Mobile App Development Platforms. In all of these subsectors, security remains the true value added service and differentiator. Consequently, MDM requires increasing input from specialist mobile security innovators such as Omlis; an input which has been sorely missing in previous implementations of MDM. The aforementioned offshoots and expanding dimensions of modern MDM reflect the increasing influence of the mobile platform and mobile first business strategies. Each variation of MDM offers different levels of control over the mobile device and its content, with each exhibiting different authentication methods whether it be secure mutual authentication between client and server or groundbreaking multi-factor authentication involving the latest biometric and heuristic technologies. Despite all of the developments, technology research company ESG stated last year that only 48% of enterprises had an actual MDM strategy, 1 and it s clear that despite a growing awareness, the market is still young and in many ways naïve to the growing security issues surrounding MDM. Operating System Container Omlis Mobile Server Untrusted Network 3

5 The Basic Workings of MDM Broadly speaking, a typical MDM scheme requires server and client components, with the client receiving management commands from a centrally located MDM server, both of which represent targets for hackers. If an MDM scheme is inadequate, an enterprise can rightfully assume that it s strategically wise to risk the loss of an individual device rather than exposing the company to a compromised MDM server. This is the equation which MDM security needs to balance. Sometimes the client component and server component are supplied by different vendors, whereas other times they re supplied by the same vendor. Whilst each system should be judged on its merits, when it comes to mutual authentication, the latter method, if used correctly can offer a certain synergy in terms of efficiencies and security. The renowned BES (Blackberry Enterprise Server) is the most prominent example of server / client partnership, and until last year, the BES was restricted solely to communications with Blackberry phones. Blackberry s recent acquisition of Good Technology for $425m reinforced the fact that the company is seeking further device interoperability. NIST (Section 3.1) recognizes the advantages of some form of client / server unity, stating that: a product provided by a mobile device manufacturer may have more robust support for the mobile devices than third party products. 2 In reality, a combined package with client / server libraries installed on either side may be easier for staff and administrators to self-manage, but the security advantages are less apparent unless unique protocols are being used to communicate. Omlis recognize that the principle transaction between client and server is the basis of any authentication mechanism and due to Omlis architectural potential and unique key exchange principles, we can revolutionize how a client verifies the identity of the MDM server. 4

6 Conventional MDM Security Methods and the Direction of Change Login and authentication are vital to a successful MDM policy, so credential caching and passing sensitive information over the wire is no longer acceptable for the tightest security measures. Caching passwords in the manner of HTTP basic authentication may be good for user convenience, as there are no repeated login requirements but the method is very light in terms of security as logout isn t instigated by the user. The same applies to the highly popular methods of formbased authentication; as we begin to separate hybrid and native apps from the mobile device platform to greater and greater degrees we need to find ways of protecting data which is at rest and in transit. As a consequence of the app revolution, the likes of per-app VPNs (Virtual Private Networks) have become popular along with some highly nuanced containerization strategies. These containerized solutions and VPNs can provide a secure tunnel through which the user accesses a single app, rather than a fully virtualized mobile desktop. Containerization strategies can include sandboxing or simple app wrapping in order to ring-fence corporate assets on employee s phones, authenticating to the MDM server on less demanding terms. App wrapping is a process whereby the app s native libraries are injected with dynamic libraries to incorporate new security capabilities such as authentication, encryption or VPN. 3 In a recent Gartner survey 45% of respondents said that: application modernization of installed on-premises core enterprise applications, was a priority, and app wrapping will represent a key part of this modernization. App wrapping is popular due to its simplicity. It represents a market which ABI Research predict will grow at a rate of 28% through 2018; quicker than more complicated containerization strategies which will see equally significant but less impressive 23% growth rates. 4 Enterprise needs to take advantage of the latest methods of authentication, secure containerization, and ultimately multi-factor authentication to make the MDM proposition worthwhile. At the same time, containerization needs to extend its abilities beyond simple partitioning, combining the latest methods of virtualization, cloud and key generation. To achieve this goal, traditional MDM vendors need to enlist the abilities of companies like Omlis which have harnessed the unique capabilities of the smartphone to develop groundbreaking authentication and encryption techniques. 5

7 Enhanced Smartphone Capability: Flaws and Possibilities Over the last couple of years, the smartphone has assumed center stage in enterprise multi-factor authentication, sharing the burden with traditional hard tokens such as key-fobs which generate one time passcodes. So as well as being a workspace in its own right, the smartphone s ubiquity and wide ranging biometric capabilities have led to an explosion in the soft token market acting as an ancillary credential for secure login to a laptop or PC. For the sake of MDM, we ll continue to view the smartphone as the primary workspace rather than as a means of accessing a separate device. Whilst offering strong opportunities in the field of advanced authentication methods, the increased levels of connectivity which the smartphone can offer opens up a huge array of attack surfaces. After all, security methodologies are only as secure as the platform they re used on and the vulnerabilities of the modern smartphone are well-documented. The phone s OS will always be an access point for criminals looking to breach a weak MDM scheme; once the OS is infiltrated, keylogging and screenshot theft is perfectly achievable. Furthermore, simple implementations of MDM mean that the phone acts as a carrier for unencrypted login tokens which often remain static in the fact that they don t have an expiry date. This leaves the phone exposed as a potential access point if it s lost or stolen. With that said, malicious hacking activities are more of a concern to enterprise than theft or device loss, so the ability of MDM vendors to protect against hacks is paramount. The secure container solution has been developed and implemented in MDM and pioneered by companies such as Mobile Iron. Containerization is a positive move but more often than not the container is only as secure as the OS it resides on. This was highlighted by the vulnerability in Apple s flawed sandboxing mechanism for third party apps. Before its discovery by Appthority, the vulnerability known as Quicksand exposed the configuration settings of managed applications meaning that malicious applications could read critical information such as passwords and tokens associated with MDM. 5 Despite the vulnerability having been patched, the fact remains that 70% of iphones use older operating systems. Android fairs little better. Aside from the PKI (Public Key Infrastructure) and administrative complications associated with a fragmented platform, Android malware which can actively go undetected by MDM root detectors has been produced, reading logs to detect when the user has opened an , before sending the information to a third party account. Not only are mobile devices susceptible to attack, the open networks through which they communicate offer endless opportunities to those looking to perform MitM (Man-inthe-Middle) attacks. The enterprise mobile is predestined for heavy Wi-Fi usage on the train to work, or in various commercial amenities leaving the door wide open for criminals to intercept data. 6

8 How Omlis can Help Whereas other MDM providers can offer a product or container which is only as secure as the platform it s built on and the security of the network, Omlis dependency is drastically negated due to the ways in which we exchange keys, mutual authentication, encryption of data at rest and in transit, and advanced malware protection based on a high integrity approach and run time checks. Mobile environments are extremely heterogeneous, therefore enterprise IT managers must ensure their devices consistently protect data at rest and during transit. Omlis high integrity approach ensures that any sensitive data is fully protected in those unsecure environments thereby taking containerization to a new level. This is accomplished by implementing a much more secure protocol to manage and exchange keys, while conducting multifactor and mutual authentication for every single transaction. Nirmal Misra, Senior Technical Manager at Omlis The security of the Wi-Fi network is also less critical because of our innovative key exchange protocols. Unique keys are generated at the point of transaction and due to the design of our distributed architecture, actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM attack takes place, the hacker will fail to retrieve any meaningful information. This method of generating keys at both ends of the communications channel, means that Omlis never transmit sensitive data in plaintext and information related to transaction keys can be erased from memory as soon as it becomes redundant. Unlike other secure container MDM solutions, Omlis high integrity development protects against side channel attacks; SQL injections are made impossible due to compile time and runtime checks, and keylogging is pointless as the input we collect from the keypad is only used for local encryption. In line with the market for MDM moving towards software based definitions, Omlis also have the ability to offer lightweight SaaS (Software as a Service) options via the cloud, or as part of an in-house setup. What s Next for MDM? Ovum predict that the value of EMM software to grow from $2.7bn in 2014, to just under $10bn in We ll see a particular growth in industry collaborations where traditional MDM vendors will try to beef-up their offerings by forming alliances with niche specialists; Airwatch s collaboration with Pradeo is a prime example of the synergies which MDM can leverage from the mobile sector. MAM will inevitably gather influence on MDM in the coming months. As well as a general adoption of the latest network detection methods, there s also plenty of room for strong authentication services and advanced encryption techniques. This layered approach to security requires mobile specialists such as Omlis to fill the gaps where more conventional secure container solutions have failed. Omlis core technology exhibits the rare ability to combine layered security and enhanced authentication with a streamlined user experience. Containerization needs to move to the next level and companies such as Omlis can provide the technology to empower this transition. 7

9 References Contributors The following individuals contributed to this report: Stéphane Roule Senior Technical Manager Paul Holland Analyst Nirmal Misra Senior Technical Manager Jack Stuart Assistant Analyst 8

10 Omlis Third Floor Tyne House Newcastle upon Tyne United Kingdom NE1 3JD +44 (0) Omlis Limited 2015