WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise



Similar documents
FileCloud Security FAQ

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Security Architecture Whitepaper

Ensuring the security of your mobile business intelligence

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Global Partner Management Notice

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

White Paper. BD Assurity Linc Software Security. Overview

GFI White Paper PCI-DSS compliance and GFI Software products

Complying with PCI Data Security

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

How To Secure An Rsa Authentication Agent

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

When enterprise mobility strategies are discussed, security is usually one of the first topics

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Novell Access Manager SSL Virtual Private Network

Mobile Admin Security

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Does your Citrix or Terminal Server environment have an Achilles heel?

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

White Paper Secure Reverse Proxy Server and Web Application Firewall

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

ONE Mail Direct for Mobile Devices

Section 12 MUST BE COMPLETED BY: 4/22

Mobile Devices and Malicious Code Attack Prevention

Windows Remote Access

Ovation Security Center Data Sheet

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

HIPAA Compliance and Wireless Networks

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

BYOD Guidance: BlackBerry Secure Work Space

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

Secure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications VIDYO

ipad in Business Security

Network Access Control ProCurve and Microsoft NAP Integration

Network Security Guidelines. e-governance

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Securing mobile devices in the business environment

SCADA SYSTEMS AND SECURITY WHITEPAPER

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Remote Access Security

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

The Benefits of SSL Content Inspection ABSTRACT

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

Overview Servers and Infrastructure Communication channels Peer-to-Peer connections Data Compression and Encryption...

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Best Practices for Outdoor Wireless Security

Supplier Information Security Addendum for GE Restricted Data

Security Considerations for DirectAccess Deployments. Whitepaper

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

Security Technology: Firewalls and VPNs

Did you know your security solution can help with PCI compliance too?

Xerox Mobile Print Cloud

FIREWALL. Features SECURITY OF INFORMATION TECHNOLOGIES

Implementation Guide

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

The Key to Secure Online Financial Transactions

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

Cyber-Ark Software and the PCI Data Security Standard

Best Practices for Secure Remote Access. Aventail Technical White Paper

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Automate PCI Compliance Monitoring, Investigation & Reporting

Deploying iphone and ipad Security Overview

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

SecureAge SecureDs Data Breach Prevention Solution

GiftWrap 4.0 Security FAQ

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Network Security. Mike Trice, Network Engineer Richard Trice, Systems Specialist Alabama Supercomputer Authority

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

White Paper: Secure Printing and Mobile Devices

Securing Data on Microsoft SQL Server 2012

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Transcription:

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise WICKSoft Corporation http://www.wicksoft.com

Copyright WICKSoft 2007. WICKSoft Mobile Documents is a registered trademark of WICKSoft Corporation in certain countries. 2

Table of Contents Table of Contents... 3 Introduction... 4 Security Issues facing the mobile Enterprise... 4 Summary... 5 General Network Architecture... 6 Data transfer layer... 7 Two layers of cryptography... 8 WICKSoft Mobile Documents proprietary protocol... 9 Application level security... 10 Authentication... 10 Security Policy... 10 Publishing Rule... 11 Windows Policies... 11 Windows ACLs... 11 Application layer security summary... 11 Handheld level security... 12 Conclusion... 13 3

Introduction Mobile document access technology which allows users to remotely access important documents and information from their wireless handheld greatly improves both employee productivity and convenience by freeing users from having to carry laptops when traveling, and by allowing immediate response and action to issues in real-time. However, there are certain unique security concerns that are inherent to the operating environment. Due to the fact that data travels over-the-air, and that mobile assets can be easily lost or misplaced, special care and attention must be given when considering any solution for the mobile enterprise. Security Issues facing the mobile Enterprise There are four major security challenges facing the mobile Enterprise. 1. Data travels over shared, public, and sometimes open networks. 2. Mobile handhelds may be misplaced or stolen, exposing sensitive information. 3. The mobile device represents a potentially unmanaged point-of-entry in to the network. 4. Worms and viruses may be transferred to the corporate internal network via tunnels created in the mobile VPN technology 1. WICKSoft, makers of WICKSoft Mobile Documents for the BlackBerry, offers technology to combat the aforementioned problems and enables mobile remote access to be achievable in a secure way from anywhere. 1 The Cabir virus and BBProxy are just two examples of the kinds of malware that can be propagated though Email and Bluetooth enabled devices. According to antivirus maker F Secure, there are already more than 370 different wireless threates in the air, including attacks that attempt to delete data stored on handhelds and even record end users phone calls. 4

Summary WICKSoft Mobile Documents approaches the issue of security from three distinct levels. The first is the data-transfer level, the second is at the application level, and the third is at the handheld level. Security at the data transfer level--where traffic may be susceptible to monitoring, and where worms, viruses, and attackers may attempt to gain a remote point of entry--ensures that a secure tunnel is created and maintained from the handheld directly to the Enterprise. Application level security is a policy-based approach to ensure sensitive data never leaves the office, and that only operations deemed safe from a mobile device are possible. Mobile VPN technology must ensure that users cannot accidentally distribute, remove, or otherwise tamper with sensitive information and other network resources. At the handheld level, the mobile VPN solution must be able to effect changes immediately, even if a handheld is turned off. This provision is necessary to ensure that stolen or misplaced assets can be disabled immediately, and that no sensitive information is ever left behind. Combined, these three levels provide a secure channel between the BlackBerry and the Intranet, and also a secure platform through which to operate. 5

General Network Architecture WICKSoft Mobile Documents is built on, leverages, and extends the inherent security built into the BlackBerry infrastructure. When used in conjunction with BES and MDS (BlackBerry Mobile Data System ), the WICKSoft Mobile Documents Server does not need to be accessible from the Internet the connection will originate from BES. In other words: no additional ports or entry points need to be opened into the network in order for WICKSoft Mobile Documents to function. By using BES with Enterprise-activated handhelds, a secure connection is already present. Data is transmitted over an encrypted channel from the handheld to the BES, which is located in the intranet. Additional security measures, which are discussed later in this document, ensure additional levels of security and integrity are achieved at both the data transmission levels, as well as the application layer. 6

Data transfer layer WICKSoft Mobile Documents communicates over a secure channel which is comprised of the three security layers. This secure channel ensures that: External threats cannot monitor, intercept, or modify data going between the handheld and the Intranet. Hostile internal processes, such as worms, users, or other programs introduced via some other means, cannot monitor, intercept, or modify data going between the wireless infrastructure and internal resources. Rogue applications, such as Trojans, worms, viruses, and unauthorized user applications cannot hijack or exploit the mobile VPN tunnel. WICKSoft Mobile Documents creates a secure channel to the Intranet Two separate layers of cryptography move the WICKSoft Mobile Documents protocol across the wireless network. The addition of an extra cryptography layer ensures that even traffic within the Intranet is secure. A proprietary protocol is used to transmit instructions from the WICKSoft Mobile Documents client, running on the BlackBerry, to the WICKSoft Mobile Documents Server that resides within the Intranet. 7

The three security features that make up the secure channel used by WICKSoft Mobile Documents are: AES cryptography from the handheld to the BES Server (or wireless carrier if no BES is present) SSL cryptography from the handheld to the WICKSoft Mobile Documents Server, through the AES tunnel. A proprietary protocol designed exclusively for the application of mobile document access. Two layers of cryptography The first two layers, the AES and SSL cryptographic layers, protect network traffic all the way from the internal WICKSoft Mobile Documents server out to the handheld. These layers ensure that data to and from the handheld always remains secure. The AES layer provides a secure tunnel from the handheld up to the BES server (or to the carrier, if no BES is present). With BES, this prevents any monitoring or tampering of the network traffic while it moves over-the-air and over open networks. The SSL layer increases the security of the AES layer while at the same time protects the tunnel while it moves through the internal Intranet. When used in conjunction with BES the WICKSoft Mobile Documents Server never needs to be accessible via the Internet, or even internal computers. In this way you can restrict the point-of-entry to verified assets (Enterprise activated handhelds) over a secure and encrypted source. This is similar to restricting an IPSEC VPN to a specific MAC address, only with a higher level of obfuscation. 8

WICKSoft Mobile Documents proprietary protocol WICKSoft Mobile Documents employs a proprietary communications protocol that protects internal resources from Trojans, viruses, rogue devices, and careless end users. This protocol operates over a standard HTTPS connection, so can work with your existing security infrastructure. This protocol provides no mechanism to execute remote programs or manipulate a database, and can only convey simple end user operations such as List the contents of a folder. Using such a protocol provides the following benefits: Existing security resources, such as content scanners, MDS, Microsoft ISA Server, and other Firewall products continue to take effect. Deployment requirements-- and therefore the security impact are reduced because the protocol tunnels through standard HTTPS. The limited scope of the WICKSoft Mobile Documents protocol makes it almost impossible for a standard Windows worm (like an SQL injection exploit) or Trojan to propagate through the system. The WICKSoft Mobile Documents protocol is exclusive to WICKSoft Mobile Documents in other words, other applications cannot use the protocol. The result is that WICKSoft Mobile Documents is highly resistant to tunneling efforts, such as running a torrent, remote desktop application, or some other network utility across the same protocol. For example: an end user could not setup a program like VNC within the Intranet and then use WICKSoft Mobile Documents to access VNC, thus circumventing security measures. The WICKSoft Mobile Documents protocol will not facilitate tunneling or hijacking by other applications. The protocol is highly conducive to policy enforcement. In this way WICKSoft Mobile Documents provides additional layers of security which will be discussed later, that are context and content sensitive. 9

Application level security All data that moves through WICKSoft Mobile Documents goes through the same set of checks and balances before being passed on to the internal network. Only after these checks and balances have been satisfied will WICKSoft Mobile Documents perform a given operation on the internal network. Authentication The first check is authentication. All WICKSoft Mobile Documents users must login to WICKSoft Mobile Documents using their BlackBerry. This authentication data is checked by the WICKSoft Mobile Documents server for each and every operation before being processed. Once authenticated, all processes within WICKSoft Mobile Documents are undertaken as if the user were logged in to the local network as that user. If an account is disabled or modified in Active Directory, or Novell edirectory, then the changes will be reflected in real-time and rejected by both WICKSoft Mobile Documents and the Operating System. Security Policy The second check is against the security policy. WICKSoft Mobile Documents contains its own patent-pending security policy technology that has been designed for remote access applications. Policies can be customized to restrict access by users and groups to: Machines Shares Files and Folders Web resources File types 10

Additionally, all requests must pass a basic sanity test which guards against certain intrusion attempts. Publishing Rule The third check is against publishing rules. Administrators must explicitly allow network resources to be made available to end users. In this way the risk of accidently exposing sensitive resources is mitigated. Keep in mind that security policies (mentioned earlier) override publishing rules, so mistakenly providing access to an explicitly denied resource (or user) will not compromise the system. Windows and Novell Policies The fourth check is against your Windows or Novell Security Policy. Once a user logs in to WICKSoft Mobile Documents they are subject to all of the security constraints implemented at the Intranet level. In this way a Microsoft Security Policy will affect and constrain a WICKSoft Mobile Documents user as if the user were accessing the Intranet locally. Windows and Novell ACLs The fifth check is against your Windows or Novell ACLs. At no point will WICKSoft Mobile Documents ever grant a user access to something they do not have sufficient rights to access. WICKSoft Mobile Documents honors all Microsoft Windows and Novell ACLs at both the share and folder level. These ACL checks guarantee that the end user will never be able to do something that they couldn t do from the office. Application layer security summary The application security layer, with its multiple checks and balances, makes it very easy to lock down the mobile enterprise. Basic built-in sanity checks, which cannot be overridden, ensure that relative path referencing, local paths, and certain other aberrant access types are never permitted to flow throughout the rest of the system. A failure at any one point along the sequence immediately invalidates a client request and is logged to a special security log. The entire secure channel ultimately provides a level of data and application control that facilitates only the operation of WICKSoft Mobile Documents, but no other applications. 11

Handheld level security The BlackBerry Wireless Handheld is a very secure operating environment and WICKSoft Mobile Documents leverages and enhances this inherent security. WICKSoft Mobile Documents provides the following security features on the handheld: At no time is sensitive data ever stored on the handheld, a SIM card, or other portable storage device 2. All e-mail messages sent using WICKSoft Mobile Documents are sent from within the corporate intranet, and do not travel over the air. When used in conjunction with Microsoft Exchange, WICKSoft Mobile Documents acts as if the user sent an email message from their desk, even leaving a copy of the outgoing message in the user s Sent Items. WICKSoft Mobile Documents honors the automatic lock-out during periods of inactivity that is provided by the BlackBerry. WICKSoft Mobile Documents provides an independent automatic lock-out so that WICKSoft Mobile Documents will become locked after a period of inactivity. Data cannot be transferred from an external source, through the BlackBerry, through WICKSoft Mobile Documents. This makes WICKSoft Mobile Documents immune to Bluetooth born viruses and worms, and protects against MIDP and handheld based Trojans. 2 File downloading is disabled by default. If administrators choose to enable downloading in both the server wide security policy, and specific publishing rules, then clients may store information on their PDA. Security policies and publishing rules can restrict downloading to documents deemed safe for transfer to a PDA. 12

Conclusion WICKSoft Mobile Documents delivers a secure channel to the enterprise that facilitates mobile document access without exposing the corporate network to external threats. Enterprise security management features allow administrators to control mobile access to network resources. Extensive logging allows for continuous auditing of many aspects of the WICKSoft Mobile Documents deployment. Full access traces and security notification permit the administrator to closely monitor activity. By leveraging existing infrastructure WICKSoft Mobile Documents can seamlessly integrate with the mobile enterprise while providing an enhanced level of security and access control. Sensitive data is never stored on the handheld, and data transfers (such as file management, and e-mail attachments) do not travel over-the-air. Existing security infrastructure is applied to mobile user. A proprietary protocol ensures existing security threats, such as worms and viruses, do not hijack or tunnel through the secure WICKSoft Mobile Documents channel. For more information about WICKSoft Mobile Documents for the BlackBerry please visit http://www.wicksoft.com 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information