Secure Mobile Applications. A Technical White Paper

Transcription

1 Secure Mobile Applications A Technical White Paper

2 Contents Abstract 3 Reality of the Wireless Enterprise 3 Changing the Mobile Landscape 4 Good Architecture Overview 4 Good Security Model 5 Secure User Provisioning 7 Good Assurance 9 Appendix A 10 Good Technology BE-GOOD Secure Mobile Applications 2

3 Abstract This white paper provides a detailed description of Good Technology s Security and Architecture. It provides an overview of the changing landscape of mobile technologies within the enterprise and enumerates the key mobile device challenges faced by enterprise and government organizations. It describes how Good s solution helps administrators manage and control their mobile deployments while maintaining a high level of security that encapsulates enterprise data. Reality of the Wireless Enterprise Only your combined Information Technology (IT), Human Resource (HR), Finance, and Legal functions working closely with your executive team and business unit managers can determine the exact corporate liable and/or individual liable policy that best fits your company, meets its financial goals and objectives, and takes into account security, legal, regulatory, tax, or other requirements and considerations that may uniquely apply to your Company and its operations. Accordingly, the objective of this white paper is not to define an actual individual liable user policy. The questions and policy considerations outlined herein are just that, and must not be construed either individually or collectively as: (i) an actual or complete policy; (ii) either necessary or sufficient to meet the fiduciary, legal, regulatory, or other requirements that may apply to a particular company or policy; or (iii) legal or finance advice. Good Technology disclaims any and all liability for the use of this document and/or the considerations outlined herein, either in whole or in part, in the definition and/or application of specific policies by any company. Browser Access Secure Enterprise Collaboration Anytime, Anywhere Contacts Calendar Enterprise Telephony Audio/Video Conference Voice Mail IM & SN Firewall Document Sharing Good Technology BE-GOOD Secure Mobile Applications 3

4 Changing the Mobile Landscape There are three broad categories that capture the changing landscape in enterprise mobility: 1. Consumerization of IT Infrastructure Smartphones have replaced feature phones as the must-have gadgets among consumers, and increasingly these devices are finding their way into the enterprise. Employees are willing to bear the cost of these mobile devices and associated data plans, which creates an opportunity to eliminate millions of dollars from enterprise IT budgets and make room for mobilizing more applications beyond to increase employee productivity. 2. Device Diversity Rich capabilities including entertainment functions, personalization functions, and applications for increased productivity are driving the adoption of a wide variety of devices. This is leading organizations to move away from supporting a standardized set of devices from one device maker to satisfy employee needs, while protecting sensitive data. 3. Rapid Application Deployment The computing and networking capabilities of smartphones today and the speed with which they are adopted by end users requires new applications that leverage these devices capabilities. IT organizations are looking to rapidly prototype and deploy such applications to reap benefits of mobility while maintaining appropriate security and access control. The Security Challenge For all the promise of these new technologies, security remains the Achilles heel of mobility deployments. Organizations must address security issues to recap the benefits of mobilizing the enterprise. CIOs consistently rank security as one of their top IT priorities and the unique nature of mobility outside the walls of the enterprise adds heightened awareness of the threat. Security breaches put companies valuable assets and information at risk. You cannot compromise intellectual property, proprietary business processes, business intelligence, and customer data in order to mobilize. As a result, CIOs and CSOs demand stringent security standards to ensure that mobile users are allowed access to key enterprise data only as authorized; that such data is safeguarded both during transmission to and while resident on handheld devices; and that the core IT infrastructure is not jeopardized. Good Architecture Overview Good for Enterprise is a comprehensive platform providing end-to-end, wireless, real-time collaboration and enterprise application access supported by comprehensive device management and security. Good for Enterprise provides mobile professionals with up-to-date information when and where they need it and gives IT the means to secure and manage a diverse fleet of smartphones. The data path through the Good system is encrypted end-to-end, from behind-the-firewall enterprise servers all the way to wireless handhelds. The Good platform is built on industry standards to provide organizations with maximum flexibility when mobilizing their enterprise and selecting handhelds. With Good, companies can avoid getting locked into a proprietary wireless system. Good s enterprise mobility platform supports the hottest current ios, Android, and Windows Phone devices. Good for Enterprise is a complete enterprise mobility solution. Users can easily access, in real-time, their , contacts, calendar, and enterprise Web-enabled applications such as Intranets, executive dashboards, wikis, IT monitoring portals and more. Users can view and send rich attachments, including graphics, Word, and Excel files. Using the File Repository, the user can save attachments securely within the Good for Enterprise application and send them via newly composed as attachments. Policy settings allow this feature to be enabled/disabled. Good Technology BE-GOOD Secure Mobile Applications 4

5 When enabled, the user can preview, delete, and open documents in third-party applications. File-handling policies allow administrators to control which file types can be saved, which applications are permitted to save the files, and which applications can be exported to, either inclusively (whitelist) or exclusively (blacklist). The Good Mobile Messaging server routes messages to the enterprise application servers, including Exchange and Domino servers. The Good Mobile Control server allows IT administrators to provision mobile devices that will be connecting to the enterprise via the Good Mobile client. The Good Network Operations Center (NOC) is the core of the Good architecture. Good servers register and authenticate with the NOC using industry standard security procedures. When the mobile device is activated, it authenticates to the NOC. The NOC manages the routing of the device data to the appropriate Good servers, and ensures that only authorized devices are allowed to connect to the enterprise servers. Once authenticated, the mobile device and the servers establish an end to end secure communications channel. The NOC does not have access to the security keys for this communications channel, so unencrypted data is never exposed in the NOC. Those keys are kept by the mobile device and the Good servers located behind the enterprise firewall. Good Security Model Good recognizes that managing enterprise security is a complex undertaking and requires a comprehensive approach especially when it requires providing mobile workers with anytime, anywhere access to the information they need. Good has satisfied the needs of some of the most demanding customers in government, defense and intelligence agencies; in regulated industries such as financial services, healthcare, legal, and defense contractors; and in large enterprises in high tech, retail, manufacturing, and other sectors. We understand that security in such deployments is vital to continuing business operations and growth. The move toward wireless data access extends the corporate network beyond the physical boundaries of the enterprise and frequently places the end point of the network outside the firewall while utilizing public networks to transmit data, raising a multitude of security issues. In such an environment, protecting enterprise IT requires a thorough understanding of the risks associated with mobilizing applications onto handheld devices over wireless networks. Good has developed a security model that addresses the security of every part of the infrastructure. This model has five key elements: 1. Authentication Good provides the administration tools to define strong authentication policies that are enforced consistently across all device platforms. Additionally, you can define policies to wipe the Good application and all its data (or optionally wipe the entire device) for failure to provide the correct password after a set number of attempts. Strong authentication policies can include disabling sequential numbers in passwords, requiring use of special characters, etc. You can also enable a policy that disables the Good application or wipes its data in the event that the device is off-line for a set period of time. This helps prevent an attacker from turning off the device radio in order to block the command from the server to wipe the device. 2. Securing the Platform Good provides strong protection on the platform, with policy controls that include strong encryption of data (over the air and at rest), full device or Good application data wipe, application white-listing/black-listing, detecting jailbroken iphone or rooted Android devices, and preventing certain applications from being installed. Encryption keys are stored securely on the device, and key strengths are designed to provide optimal balance between protection and performance. Good Technology BE-GOOD Secure Mobile Applications 5

6 3. Enforcing Access Controls IT managers can distribute management tasks across a hierarchy of administrators by using role-based administration that offers a set of roles, with varying permissions, for administering the Good server and users. By assigning appropriate roles to administrators, IT can better manage assets and increase security. Routine tasks, such as loading software, can be delegated to a wider group of administrators across multiple locations. More restricted tasks, such as setting global policies or remotely erasing a handheld when lost or stolen, can be limited to a smaller group. Administrators can create groups to organize and manage Good users. All policies and software distribution can be managed at the global, group, or individual user level. This provides IT with more granular control and reduces the time it takes to manage users, especially in larger deployments. IT administrators can also enable the self-service option, allowing users to manage a few policies on their own handheld devices. 4. Securing Network Access The Good server establishes an outbound connection through the enterprise firewall, which means there is no need to open inbound ports and expose the enterprise networks to a variety of potential attacks. Additionally, all network traffic between the device and the server is always protected using AES encryption. And since the NOC does not have access to the encryption keys that encrypt network traffic, the NOC only services encrypted packets and does not see un-encrypted data. The NOC provides the additional functionality of authenticating devices to the network, granting access only to devices that have been provisioned to access their respective services thus preventing rogue devices from getting onto the corporate network. The Good platform allows administrators to control the types of devices that connect to the network, based on the device operating systems that are allowed to install and run Good mobile clients. For management simplicity or security reasons, IT managers may want to standardize on handhelds running a certain operating system and prohibit all other handhelds. When this is the case, IT managers can prohibit use of Good on devices with a particular operating system or a specific version of an OS. This enables the IT administrator to ensure that devices are running with software that includes specific security features that are deemed required for the enterprise. Additionally, Good provides the optional capability to control access to various networks from the device, including Bluetooth and WiFi access. On some devices, Good can offer granular Bluetooth profile management, disabling file transfers and LAN access through the Bluetooth network from taking place, while allowing devices such as head-sets to pair with the device. 5. Data Protection Authentication All data at rest on the device is secured using AES encryption when the Good application is not in use. This assures the confidentiality of data at all times. On some devices, Good also provides the ability to encrypt folders and SD cards. AES encryption keys are derived using the industry standard PBKDF2 protocol and are generated from the passwords provided by the user. If a user s handheld is lost or stolen, the IT administrator can use Good Mobile Control to remotely disable the handheld and remove all Good application data. If a handheld device is recovered, the Good client applications can be restored over-the-air (OTA). IT managers can also initiate a surgical remote wipe of the Good data stored on the handheld if it is lost or stolen. The remote-wipe policy can be enforced on the device, on the SD card as well, and on some device platforms. In the event that the lost or stolen device is out of contact with the Good server for a predetermined period of time, the Good application can either be disabled or the data wiped. Access Control Network Access Platform Data Protection Good Technology BE-GOOD Secure Mobile Applications 6

7 Secure User Provisioning This section describes the security elements that take place transparently from the time a user is enabled to use a handheld in the enterprise network to the time it is provisioned to exchange secure data between the handheld and the Good servers behind the firewall. Connections from the Good servers to the Good NOC utilize Hypertext Transport Protocol (HTTP) and are protected by the Secure Sockets Layer (SSL). Since the connection is established in an outbound direction, there is no need to create an inbound opening in the corporate firewall. Most corporate security policies allow this type of traffic through port 443 without reconfiguring the firewall. However, IT managers may use port 3101 or port 4663 instead. Connections to the Good NOC are used only for sending data to and receiving data from the NOC. Since all handheld traffic is managed through the NOC: 1. No rogue devices can connect directly to the corporate network and all devices connect only through the NOC, providing another layer of security. 2. All applications from the handheld leverage a single connection rather than multiple connections coming into the corporate network from a single handheld. The Good servers authenticate themselves to the NOC by using the host-id and the unique server serial number and license information provided by Good. Provisioning a User for Handheld Use After Good servers are installed, connected, and authenticated to the NOC, the IT administrator can start enabling users by adding handhelds from within GMC. When an IT administrator adds a user to GMC, it generates a 15-digit alpha-numeric PIN associated with the user s address and sends a normal to the user s desktop. The user can access this OTA PIN over their normal desktop . If necessary, messages with the OTA PIN can be suppressed and you can adopt other more secure policies to communicate the OTA PIN to the user. At the same time, GMC creates a 128-bit hash of this 15-digit OTA PIN using industry standard PBKDF2 (Password- Based Key Derivation Function) and then encodes the 128-bit hash in Base64. The server then sends the Base64- encoded hash of the OTA PIN to the NOC. The NOC stores the Base64-encoded hash to help it authenticate devices that seek to connect to the NOC. Authenticating a Devcie to the NOC The user downloads the client (either from Good s webstore, iphone App Store, or Android Market) and launches it. The user is prompted for an address and a 15-digit OTA PIN. The user enters their address and the 15-digit OTA PIN described in the preceding section. The Good client on the device creates a 128-bit hash of this 15-digit OTA PIN using the PBKDF2 and then encodes the 128-bit hash in Base64. The client then authenticates itself to the NOC by sending this Base64-encoded hash to the NOC. The NOC compares the Base64-encoded hash it received from the client to the one it has received from the server. If it finds a successful match, it creates a unique identifier for the device and a mapping to the appropriate server for the device. The NOC then generates three symmetric keys called the GDPKeys and sends these to the device. These keys are used to encrypt the channel that is established for communication between the device and the NOC. The device stores the three symmetric keys securely in the client database. These shared keys are used going forward to authenticate the device to the NOC and encrypt the communication channel to relay payload to and from the server. At the end of this stage the server is able to communicate to the NOC and the device is able to communicate with the NOC, however, no device-to-server communication has been established. Good Technology BE-GOOD Secure Mobile Applications 7

8 Securing End-to-End Communications The following steps take place in sequence after successful device-to-server communication takes place: 1. After receiving the three keys, the client initiates a communication to the server by sending the NOC a 20-byte random number along with a client nonce. 2. The NOC relays this to the server. The server receives this 20-byte random number and the client nonce and responds with a 40-byte random number and a server nonce. 3. The client takes its original 20-byte random number, the server s 40-byte random number, and the original OTA PIN and creates an AES key. 4. The device uses AES encryption to securely send the device serial number, model number, MSIDN and/or other device-specific characteristics to the Good server. 5. The Good server uses its own 40-byte random number, combines it with the 20 byte random number from the client, and generates an AES key. The server uses this key to decrypt the information it just received from the NOC. At the end of this step, the device has authenticated to the Good server. 6. The server generates two session keys. It is seeded using a secure mechanism provided by the underlying operating system (Windows, CryptoAPI). The Session Key (Read) is automatically rotated every 30 days (a server-side setting that can be changed). This is the key that encrypts the payload data when it is in transit between server and client. The Session Key (Master) is not changed, but used to rotate and generate the Session Key (Read). 7. The NOC relays this provisioning data packet to the device. The NOC does not get access to these Session Keys and only the device with the exact same AES key can open them. 8. The device decrypts the provisioning data packet to access the Session Keys. The device stores these Session Keys in the client database. 9. The hash, the AES keys created from random numbers, and OTA PINs are discarded. 10. At the end of this stage, OTA provisioning is complete. The client has all the keys (five keys) to authenticate to the NOC (three keys) and encrypt/decrypt payload (to the server). The NOC has three keys for each client and the server has two keys for exchanging payload information with the client. Secure Container The suite of collaboration products from Good encrypts data when it is at rest and when it is in transit on the network, thus creating a secure container that IT administration can always control. Good employs industrystandard cryptography algorithms that are FIPS certified. Secure Client Database The Good client database (DB) on the handheld is a critical part of the end-to-end security that Good offers as part of its collaboration solution. It is the repository for all of the enterprise data that resides on the client including , calendar appointments, browser history lists, attachments, and cache and IM groups. It is vital to secure this data without compromising the authenticated user s access to information. When the provisioning process is complete, the user is prompted to create a password, assuming the administrator policy requires it. Good strongly recommends that administrators enforce a strong password policy for all handhelds. The client uses the password created by the user, concatenates this with a random 64-bit salt generated using a random number function. This derives an encryption key which is essentially a hash generated using RSA s Good Technology BE-GOOD Secure Mobile Applications 8

9 Password-Based Key Derivation Function (PBKDF2). The hash and the original salt are stored in separate files and used to authenticate users whenever they attempt to use the Good client. Secure End-to-End Communications The Session Key (Read) is critical to end-to-end communications and plays a critical role in maintaining the secure container and extending and securing the end point of the enterprise network. All traffic is protected using AES encryption and the session keys are not available to the NOC, ensuring data protection while information is transported through the NOC. Good Assurance Good has deep understanding and experience with government requirements and has designed its suite of products to meet DoD Directive and Homeland Security Presidential Directive 12. While thousands of government and enterprise customers have adopted Good for their most demanding collaboration needs, several third parties have also validated Good with formal certification. Chief among them are: FIPS Certification FIPS certification is a critical security standard for many government organizations. The cryptography employed by Good has been successfully tested by NIST-approved labs in conjunction with the Cryptographic Module Verification Program (CMVP) and certified to be compliant with FIPS Level 1. FIPS certification covers the operation of Good s cryptographic module, which implements AES encryption along with other cryptographic functions. FIPS also ensures the integrity of the cryptographic module in the field. Common Criteria EAL-4+ Good has submitted its products for Common Criteria EAL-4+ certification. Common Criteria is an international standard (ISO/IEC 15408) for computer security certification. To receive Common Criteria Certification products are submitted to an independent laboratory which conducts rigorous evaluation of the specification and implementation of the security product. Defense Information Systems Agency Good has been working very closely with the Defense Information Systems Agency Field Security Office (DISA FSO) on getting various smartphone operating systems approved for use on the Global Information Grid (GIG) in the form of a Security Technical Implementation Guide (STIG) and as a result is listed as a requirement in the Windows Mobile STIG, Android STIG, and the current Interim Security Configuration Guide (iscg) for ios. US Army The US Army has done several certifications and granted Good a Certificate of Networthiness (CON) as well as an Authority to Operate (ATO), which allows Good to be deployed Army-wide. Additionally, Good is listed on the Army s Information Assurance- Approved Products List (IA-APL) for its Windows Mobile solution. Good Technology BE-GOOD Secure Mobile Applications 9

10 US Air Force At the US Air Force, Good is the only approved alternative to Blackberry. Good has been tested by the US Air Force Network Integration Center (AFNIC), formerly known as the Air Force Communications Agency (AFCA), and is listed on the itrm Approved Products List. Good is currently deployed at all of the major inoscs globally. Department of Homeland Security The Good product is listed on the DHS Technical Reference Model (TRM) Approved Products List as a result of multiple DHS agencies testing, certifying, and deploying Good. Appendix A Security On ios and Android Good on ios and Android platforms offers some unique security functionality that includes Compliance Management. Compliance Management on ios and Android For the ios and Android platforms, Good provides the ability to restrict access to the enterprise data or remote wipe enterprise data depending on the compliance rules enforced by IT. These rules include the ability to detect whether the device has been jailbroken or rooted, the last time the device connected to the enterprise, the OS version, device type, and the Good client version allowed to access the enterprise data. These checks are performed at provisioning time, upon application startup, and based on an IT set interval (1-24 hours). 1. Jailbreak or Rooted Detection: A jailbroken or rooted device is essentially a modification of the underlying OS to behave in a way that it was not originally designed to do. It opens up opportunities for numerous security vulnerabilities. Enterprises can further secure their infrastructure and content by preventing the Good client from running on jailbroken or rooted devices. Although jaibreaking and rooting in and of itself does not expose any data in the Good container, they do enable an environment where malware, spyware, and viruses can be installed on a device that could ultimately compromise enterprise data. Jailbreaking and root detection is not an exact science. Hackers continue to find new ways to bypass detection mechanisms. Good regularly updates our detection processes to provide optimal protection. 2. Manage Device Types: Some organizations may wish to standardize on specific device types. For example, a healthcare organization may wish to allow ipads for access to collaboration and intranet applications, but prevent iphones or ipod Touch devices from doing the same. With Good, the IT administrator can enforce a compliance rule that allows only specific device types to access enterprise data. 3. OS Version: The ios and Android operating systems continue to evolve and new generations of iphones and Android devices provide greater functionality and user experiences compared to older versions. With Good, the IT administrator can enforce a compliance rule that allows only devices with a specific OS to access enterprise data. This enforcement can also be used to ensure that OS versions that contain security vulnerability patches are being employed by users. Good Technology BE-GOOD Secure Mobile Applications 10

11 4. Client Version Number: Frequent upgrades to apps on the iphone, ipad and Android devices are a reality. These upgrades are either due to enhanced functionality or resolving problems in previous versions. IT administrators may desire that all their users use a specific version number of the Good client, either for support reasons or because a specific version offers a security feature or usability feature that they wish to manage. With Good, IT administrators can force users to upgrade to a specific version number of the Good client by setting a policy that refuses to allow older clients to connect to the Good server. 5. Connectivity Verification: The most common mechanism to prevent a remote wipe is to disable the radio and network connections on the mobile device. This will result in remote wipes issued by the IT administrator never reaching the Good client. The administrator can set a policy to wipe the enterprise data within the Good container if the client has not connected to the Good NOC for a specific time period. Additionally, there are numerous other security features implemented for the iphone, ipad and Android devices which makes it possible to make ios and Android viable mobile collaboration platforms even for environments with the most stringent security requirements. See for yourself how Good can improve mobility for your organization. Visit VISTO Corporation and Good Technology, Inc. All rights reserved. Good, Good Technology, the Good logo, Good for Enterprise, Good for Government, Good for You, Good Mobile Messaging, Good Mobile Intranet, and Powered by Good are trademarks of Good Technology, Inc. ConstantSync, Constant Synchronization, Good Mobile Client, Good Mobile Portal, Good Mobile Exchange Access, Good Mobile Platform, Good Easy Setup, Good Social Networking and Good Smarticon are either trademarks or registered trademarks of VISTO Corporation. All third-party trademarks, trade names, or service marks may be claimed as the property of their respective owners. Good and Visto technology are protected by U.S. patents and various other foreign patents. Other patents pending. WP_Security&Architecture_Mar2012_US Good Technology BE-GOOD Secure Mobile Applications 11