Working Together Managing and Securing Enterprise Mobility WHITE PAPER. Larry Klimczyk Digital Defence P:

Transcription

1 Working Together Managing and Securing Enterprise Mobility WHITE PAPER Larry Klimczyk Digital Defence P:

2 Contents Executive Summary... 3 Introduction... 4 Security Requirements... 5 Authentication... 5 Encryption... 7 Encryption Type... 8 Encryption Speed Tests... 9 Write Speed Test Read Speed Test Enhanced Encryption with Secure Mobile Secure Mobile Encryption Features Application Lock-Down User Interface Lock-Down Authentication Encryption Application Lockdown External Communications Protection Secure Mobile Feature Summary Table Page 2

3 Executive Summary Enterprise and government organisations are empowering their people with mobile technology at an ever increasing rate of deployment. By itself, the sheer number of devices with access to company resources and valuable data presents a tremendous task for even the best equipped network administration department to contend with. To make the situation even more challenging and complicated are BYOD (Bring Your Own Device) initiatives finding their way into many organizations as a way to decrease overall hardware TCO (Total Cost of Ownership) the enterprise typically bears. Increasingly these organisations need to ensure that the tools used in the field are both effective and secure and can be centrally managed for applications and security. As the risk of loss or theft of the mobile devices is much higher than traditional desk top computers, the data contained in the deployment of mobile devices must be secured. This includes data on the devices themselves and data on any removable storage such as SD cards and USB memory sticks, which are even more likely to be lost or stolen. The two primary players in mobile security and device management are Digital Defence and SOTI. Digital Defence produces Secure Mobil, Secure PC, and Secure Access Control, while SOTI develops industry-leading Mobile Device Management (MDM), Mobile Content Management (MCM), Mobile Management (MEM), Mobile Application Management (MAM) and Mobile Security Management (MSM) solutions. The scope of this paper will focus on a collaboration of Digital Defence Secure Mobile and SOTI MobiControl. Secure Mobile is positioned in the global market for organizations that require mobile security solutions that work without interrupting the day to day mobility needs of the user. Furthermore, Secure Mobile uses a unique architecture that is invisible to the user and won t impede device performance. SOTI boasts over 80,000 customers worldwide using their award-winning MobiControl to enhance enterprise mobility and enable Bring Your Own Device (BYOD) initiatives. MobiControl manages the deployment of mobile devices and contains a set of tools to maintain the protection of data at rest and in transit. This document focuses on the protection of data at rest as this is the functionality provided by Secure Mobile, as well as the protection of Windows Mobile devices, as Page 3

4 this is the platform that is, today supported by Secure Mobile. In addition, this document aims to show how SOTI s MobiControl and Digital Defence s Secure Mobile work together to provide world class mobile device management and comprehensive FIPS approved encryption, authentication and access control. Each sub-section of the Security Requirements section will analyse a security requirement highlight the additional features when MobiControl is enhanced with Secure Mobile. Introduction Digital Defence s Secure Mobile and SOTI s MobiControl each offer a robust set of features as outlined below. However, there are critical areas where Secure Mobile helps improve the capabilities and features of MobiControl. These will be discussed in more detail later. SECURE MOBILE Enterprise Mobility Validated Security Solution from MOTOROLA Central Control of Black and White Listing of Applications and Wireless Connections. Invisible to User by Residing Under the OS. Transparent Technology Not Visible to User. Excellent Device Performance with Less Than 2% CPU cycles during Encrypting or Decrypting operations. Data Encrypted and Decrypted at Bit Level Without Device Interruption. Device authentication through LDAP Integration Allowing Connection to Remote User Credential Validation. First to Market with Fingerprint User Authentication. Back Office Control and Deployment of Security Policies through the Centralized Management Console. Single Sign-On allowing Automatic File Decryption. File and Folder Level Encryption. 100% Customer Support Customer Driven Feedback System that Drives Further Application Page 4

5 Development. Federal Information Processing Standard (FIPS) Accredited Enforceable User Authentication using Password Strength and LDAP Access Criteria. File Level Encryption using either a Simple or AES Algorithm. Mobile Device Application Blockage. Mobile Device Feature Blockage such as ActiveSync, Camera, Bluetooth, Phone, and Infrared. Phone Number Blockage for Incoming and Outgoing Calls. User Interface Lock Down to Customize the Look and Feel of a Mobile Device. Help Desk Remote Control Feature. Web Filter Policy Controls Location and Geofencing Services. Telcom Expense Management Tools. Certificate Management. Asset Management features for both mobile device hardware and software. Multi-Platform Administration including ios, Android, and Windows, Security Requirements In a brief review of both product offerings, it is clear that each has a robust set of features for mobile device deployment in the enterprise environment. However, there are four areas that deserve specific attention. Authentication To help ensure the right person has access to the right resources at the right time, authentication techniques are utilized for appropriate control. SOTI s MobiControl makes numerous provisions for User Authentication. Page 5

6 ActiveSync Protection o Connecting a PC to the Mobile Device using ActiveSync does not require any authentication. Registry entries and files, including encrypted files, are accessible via a connected PC providing a back door approach to access sensitive data and files. o There is no option to ensure only specific PC s can connect to a mobile device. Password Expiration With Secure Mobile there is the additional option of requiring the password to be changed after a specific period. Password History Protection o There is no available method to force users to choose different passwords each time they change the password. Secure Mobile provides for protection of the mobile device password history information. User Inactivity Controls o Numerous mobile device applications, such as Sat-Nav applications, require time interval access that may not work user inactivity policies. Under these conditions, it would not be desirable for the mobile device to lock after a period of inactivity. Secure Mobile allows for the selection of specific applications that can override the user inactivity lockout setting. Grace Period Support o Secure Mobile provides the user with a grace period from the time a mobile device is turned off (standby mode) to the time the mobile device is turned back on. The grace period does not require user authentication. Full Screen, Large Button, Quick Input Customization o Due to the small size of mobile devices, it can be cumbersome to enter a password into a small on-screen keyboard. It is desirable for the full screen to be utilized in order to provide larger input buttons for faster password entry, of which Digital Defence provides for. Biometric Support o Due to the cumbersome nature of entering a password into a small screen, it is desirable to provide an alternative and faster method for user Page 6

7 authentication. Secure Mobile supports the use of biometric input devices such as a fingerprint reader. Encryption S e c u r i t y F e a t u r e s C o m p a r i s o n Password Fingerprint Cryptographic Card LDAP Integration Enforce Password Enforce Password Expiration Enforce Password History Custom Password Full-Screen Input Grace Period Auto-Off Lock Screen Auto-Off-Disabled during specific active applications ActiveSync Authentication Logging Wipe Device After Failed Attempts F = Future Feature Secure Mobile Encryption policies are used to enforce the encryption of files on a mobile device. Once a file is encrypted, it is decrypted in real-time. The Administrator Authentication and User Authentication must be enabled before this security feature can be enabled. The benefits of encryption include individual file management, access control enforcement, data protection using public domain Internet access points, and the prevention of unauthorized access. F F Page 7

8 Once the policy has been sent to a mobile device, the appropriate files are encrypted in the background. Access to the encrypted files is seamless to the user; the user password authenticates access to the encrypted files. An encrypted file contains extra header information at the start of the file. The original contents of the file are encrypted using encryption key information stored on the mobile device. The header details describe which segments of the file have been encrypted. This allows a partially encrypted file to be accessed by the user. The type of encryption can be setup within Digital Defence s Secure Mobile Configuration Profile. ENCRYPTION TYPE o Simple - used for quick encryption (WEAKEST) Page 8

9 o AES256 (Fixed Password) STRONG. Using this type generates a password that will be permanently used to protect the encryption key. This method does not require user intervention. o AES256 STRONGEST. A password is chosen and must be verified by the user of the mobile device. This method requires user intervention. A Configuration Profile can only be setup on a mobile device via barcode provisioning. This presents a potential operational issue. If the security policy of an organisation changes to require a new encryption algorithm, then all mobile devices need to be recalled. The most efficient method to install AES encryption on all mobile devices would be to clone one mobile device and send out the clone to the population of mobile devices. Encryption Speed Tests A very important aspect of any security policy is the enforcement of encryption on sensitive data. In order for an encryption policy to become effective, the encrypted data should be accessed in real-time and be seamless to the user. The efficiency of encryption can be assessed by executing read and write operations and comparing the access times to those achieved by a mobile device without any encryption. While a typical application will not read and write to storage continuously, this test gives an indication to the efficiency, and therefore usability, of the encryption. The encryption test forces each read and write to be completed to the physical storage (i.e. no caching of data). This ensures that the speed of encryption is fully examined. The following tables show the speed test results of SOTI s encryption compared to the default encryption provided by Windows Mobile and the encryption provided by Secure Mobile. The speed tests were completed on a Motorola ES400 device. The SOTI simple encryption algorithm was chosen for comparison to show the most simple, much weaker, encryption access speed. As can be seen by the tests, SOTI encryption has a very large impact on the usability of the mobile device. The general operation of encrypted SOTI files, however, does not appear to have a large impact on the performance of the mobile device. This indicates that SOTI uses caching Page 9

10 of data to improve the speed of the mobile device. This opens up the vulnerability of sensitive data being held in the mobile device s memory in plain unencrypted form. WRITE SPEED TEST File Size 16KB 128KB 1MB 8MB 128MB Performance Hit No x1.00 Encryption WM AES x2.96 SOTI Simple x52.82 Secure Mobile x3.57 READ SPEED TEST File Size 16KB 128KB 1MB 8MB 128MB Performance Hit No x1.00 Encryption WM AES x2.79 SOTI Simple x Secure Mobile x3.26 Enhanced Encryption with Secure Mobile Digital Defence s Secure Mobile offers these market leading features: File types. Encryption happened on any.exe,.dll, or.bin files. o No matter what the contents are, these file types are encrypted by Secure Mobile. The data inside these file types may simply be executable content, however the data may also be sensitive. Particularly in the case of.bin files. Even an executable file can become sensitive, as in the case of proprietary software. o Keeping these file types secure will help achieve a high level security certification. Page 10

11 o Filename encryption. Secure Mobile encrypts the file s contents and the filename. A filename in many cases contains information relating to the content. Simply knowing a filename could lead to targeted decryption attempts. Keeping the filename secure will help achieve a high level security certification. Authentication. Secure mobile enforces User Authentication on the mobile device and also enforces a PC connection (to the mobile device) to require User Authentication. This prevents an attacker from connecting a mobile device to a PC and simply accessing all the encrypted files as if they are plain un-encrypted ones. Encryption Key Duplication. Secure Mobile creates a different encryption key for every file that is encrypted on the device. If one file can be decrypted, which is highly unlikely, only the data contained in that individual file will be accessed. With Secure Mobile, each file has to be separately decrypted using the a unique algorithm and key value. Application White / Black Listing. Secure Mobile sets rules around what applications can be either White Listed (allowed to access encrypted data) or Black Listed (never allowed to access encrypted data). Secure Mobile is agnostic to what applications are on the device, it simply controls what applications can access encrypted data. SECURE MOBILE ENCRYPTION FEATURES Security Feature Secure Mobile Filename Unique Encryption Key.exe encryption.bin encryption.dll encryption ActiveSync authentication Application authentication Guaranteed encryption Benchmark Speed (Write) x3.5 Benchmark Speed (Read) X3.25 Encryption Algorithm AES 128 and 256 bit FIPS 197 Approved Real-time encryption Encryption Support Tools Page 11

12 Device Authentication enforcement Memory Card Encryption Onboard Persistent Storage Encryption Application Lock-Down An Application on a Windows Mobile device is capable of performing many tasks and operations potentially harmful to the mobile device and its connected network. Therefore, it is desirable to disable unnecessary applications from being executed. It may also be desirable to disable applications from accessing encrypted data. Black List. A list of applications that are not allowed to be executed on the mobile device. White List. A list of applications that are allowed to be executed on the mobile device. This is a potentially dangerous list to include on controlled mobile device, as critical platform applications can be disabled from use. Security Feature Secure Mobile Application White List Application Black List Encryption Blocking Block Bluetooth White List Bluetooth Block Wi-Fi (WLAN) White List Wi-Fi Block Cellular Data (WWAN) White List Cellular Data F Block PC Connection (ActiveSync) Block USB White List USB Block Camera Page 12

13 Block Phone Numbers White List Phone Numbers * - Wi-Fi and Cellular Data Networks can be selectively allowed or completely blocked by setting up a Configuration Profile and locking down the User Interface. - ActriveSynccan be blocked by disabling the appropriate application, or selectively blocking the appropriate USB connection type. F Future feature. User Interface Lock-Down A Windows Mobile device is a generic device capable of performing many diverse tasks. This opens up the device to the threat of many types of security attacks. In an operational sense, there is also the possibility that the workforce is not using a mobile device to its full efficiency (i.e. workers using the device for personal related activities). SOTI MobiControl provides the capability to lock down the interface available to the user. This ensures a mobile device is used for its workforce application only, and also prevents the user from introducing security vulnerabilities. This capability is provided by the Lockdown Policy. Authentication Secure Mobile offers large input buttons for fast input and provides fingerprint integration. Secure Mobile enforces device authentication before an ActiveSync connection is being made. Retrieving any encrypted data from the mobile device is not possible via ActiveSync, including encrypted data. Secure Mobile has the feature of forcing user passwords to expire after a period to enforce the use of rolling passwords, adding an additional level of security. Page 13

14 Encryption MobiControl provides the capability to encrypt files on a mobile device. Once the files have been encrypted, they are accessed by any application in real-time without any extra steps required from the application or the user. The requirement for User Authentication ensures that only an authorised user can access any encrypted data; of course it s still possible to connect a PC to the mobile device, via ActiveSync, without any requirement for user authentication.. This vulnerability can be mitigated by disabling the use of ActiveSync. Although MobiControl can enforce the use of encrypted files in any folder of the mobile device, it does not encrypt.exe,.dll, or.bin file extensions. These file types become vulnerable to attack; it s still possible for sensitive data to be contained inside these file types. MobiControl encrypts files in the background, so it is not known when all files are encrypted at a given point in time. When there is a read or write of encrypted data to physical storage, there is a huge impact on system performance. Although the contents of the files are encrypted, the filenames are not; exposing the filename can result in access to sensitive information contained in the filename. MobiControl does not provide a mechanism to prevent specific applications from accessing encrypted data. Summarised MobiControl s Encryption provides good protection for specific files. It does not provide full protection of all data, which is required for many certifications. If does not provide a complete suite of tools to assist the management of encryption. Physical access of encryption is slow; hence much work is done in the background leading to sensitive data held in memory unencrypted. Page 14

15 Application Lockdown MobiControl provides the capability to block applications from being executed; it also provides the capability to setup a list of applications, of which only they can be executed. This provides a method to ensure the users of the mobile devices are only using the devices for work related activities and also prevents rogue applications from being executed. MobiControl does not provide a mechanism to protect encrypted data from unknown applications. Summarised MobiControl effectively locks out applications from being accessed by a user, however if does not provide the same capability to lockout applications from accessing encrypted data. EXTERNAL COMMUNICATIONS PROTECTION MobiControl provides the capability to disable features of a mobile device relating to external data communications. This capability protects security vulnerabilities emanating from external sources. MobiControl does not provide any method for blocking the connection of USB devices, except for the prevention of using ActiveSync. USB devices are capable of sending and receiving data, therefore presenting a security risk. MobiControl does not provide a method for generally or selectively blocking Wi-Fi, Bluetooth, or Cellular Data. MobiControl can lock down the User Interface, thereby blocking any chance for the user to setup any external connections. Pre-defined external connection settings can be setup using a Configuration Profile. This combination is the only way of creating a White List of external connections. Page 15

16 Summarised MobiControl provides the capability to disable some external communications from being used, however it does not provide full disablement nor does it provide customisation for specific external communication channels to be used. It does, however, allow the User Interface to be locked out from the user; thereby effectively providing the customisation of external communication channels (via a Configuration Profile). Secure Mobile Feature Summary Table The following table summarizes the features provided by Digital Defence Secure Mobile. Security Feature Authentication Password Fingerprint Cryptographic Card LDAP Integration Enforce Password Strength Enforce Password expiration Enforce Password History Grace Period Custom Password Full-Screen Input Screen Auto-Off Lock Screen Auto-Off Disabled during specific active applications ActiveSync authentication Logging Wipe Device after x failed attempts Secure Mobile F F Page 16

17 Encryption Filename Unique Encryption Key.exe encryption.bin encryption.dll encryption ActiveSync authentication Application authentication Guaranteed encryption Benchmark Speed (Write) X3.5 Benchmark Speed (Read) X3.25 Encryption Algorithm AES 128bit Real-time encryption Encryption Support Tools Device Authentication enforcement Memory Card Encryption Onboard Persistent Storage Encryption Application Lockdown Application White List Application Black List Encryption Blocking Communications Lockdown Block Bluetooth White List Bluetooth Block Wi-Fi (WLAN) White List Wi-Fi Block Cellular Data (WWAN) White List Cellular Data F Block PC Connection (ActiveSync) Block USB Page 17

18 White List USB Block Camera Block Phone Numbers White List Phone Numbers - ActiveSync can be blocked by disabling the appropriate application, or selectively blocking the appropriate USB connection type. F -Future feature. Page 18