The transformation of mobile communications brought about by the advent of tablets and smartphones over the last five years is one of the most dramatic in the history of technology.
The number and variety of mobile devices in use are growing at an exponential rate. For the enterprise, the correct mobile strategy can undoubtedly boost profits, productivity and profile.
However, concerns have been raised that this brave new mobile world is vulnerable to an increased level and a greater variety of security risks than the established world of IT.
These threats are not specific to mobile security, but mobility itself brings additional risks. Creating the right security approach will help enterprises to address these threats while taking advantage of the huge benefits mobile offers.
There are three main targets for threats – information, identity, and availability.
A mobile device is personal, and is used for both private and business productivity even more in the context of a Bring Your Own Device (BYOD) company scenario. Devices store valuable and sensitive information. Keeping that information secure is vital. The consequences of a malicious third party gaining access to personal financial information, for example, could be disastrous and irreparable. With mobile devices gathering personal, often photographic, information about where the owner lives, works and spends his or her leisure time, the consequences of a mobile device getting into the wrong hands could be truly catastrophic.
And with devices being used for work and leisure, the possibility of sensitive business information getting into the wrong hands could have much, much wider – and potentially massive – implications.
Moreover, the major new challenge to security is that information is now scattered rather than being centrally stored. For this reason, rather than being on the datacenter, security must now be on the transport medium and the information itself. Addressing the linked, unprecedented security challenges of scattered information being accessed and exchanged via mobile devices is the subject of this point of view.
The lifecycle begins with the design of the mobile security architecture, and consists of a structured process that defines the contextual, conceptual, logical, and physical architectures for mobile security. It starts by defining the business requirements for mobile security in a contextual mobile security architecture, which is refined all the way down to the physical level.
The physical mobile security architecture defines the actual products and technologies used to implement the mobile security architecture. This is the lifecycle’s second phase. It includes elements such as selecting mobile platforms, system design of mobile apps, handling secure access to data, secure transfer of data, secure storage of data, testing mobile security, as well as managing devices and apps.
The last, and probably most important, phase of the lifecycle defines how to manage the mobile security architecture over time. This involves keeping up to date on threats, improving implementation based on a changing technology landscape and best practices.
A Structured Approach to Mobile Security
Given the previously mentioned threats and many more, there is clearly a need for attention to mobile security. Several aspects must be considered when working with mobile security and apps (for which enterprise mobility is often predicated on):
• Confidentiality: Does the app keep private data private?
• Integrity: Can data passed to and from the app be trusted and verified?
• Authentication: Does the app verify the user’s identity to an appropriate degree of certainty?
• Authorization: Does the app properly limit user privileges?
• Availability: Can an attacker harm the mobile solution in any way?
• Non-Repudiation: Does your app keep records of events?
A structured approach to working with mobile security is to define mobile security architecture with the following lifecycle.
Designing a Mobile Security Architecture
Designing a secure corporate mobile environment can be done in four steps. We can summarize the whole process by giving an answer to the following questions:
• Why do we need to design a secure architecture for mobility? – Security principles and drivers for mobility.
• What do we need to protect? – Assets to be protected. People involved.
• How do we protect the mobile environment? – Functions needed to achieve security.
• With what do we implement? – The physical aspects of mobile security such as material and location.
These four steps help define the business requirements for security and are the founding principles used to build sustainable mobile security architecture. In essence, an audit of the situation with inventory of vulnerabilities is performed to inform the design requirements. In more detail:
• WHY? The Contextual Mobile Security Architecture
The contextual architecture takes in input from the business requirements and all the constraints (policies, guidance, legal, regulation) as well as assumptions. It will then define a clear and shared view on the scope and the principles that will drive the secure mobile architecture. This means there is ultimately a focus on data and application level security instead of relying only on network security only.
• WHAT? The Conceptual Mobile Security Architecture
The conceptual security architecture aims to identify the security requirements. The way to identify security requirements is mainly to perform a risk assessment; what are the most significant threats and consequently what are the security services that must be implemented to reduce the corresponding risks.
• HOW? The Logical Mobile Security Architecture
This logical architecture intends to provide a logical model which delivers the security services while conforming to the principles and models as set out in the Contextual Architecture and the Conceptual Mobile Security Architecture.
The purpose of the Logical Security Architecture is to communicate how security should be implemented.
• WITH WHAT? The Physical Mobile Security Architecture
The physical architecture is the selection of technologies and products that will be used to implement the Logical Mobile Security Architecture patterns defined in the step before.
In parallel runs the important task of defining how the mobile security architecture will be maintained and updated over time.
The result is referred to as the Operational Mobile Security Architecture and is covered in the next section.
With risk assessment in hand and processes defined, the last piece in design is to validate the plan complies with applicable law and regulations. The legal framework a company must adhere to will be dictated by their own local and industry-related circumstances. In some countries, for example, companies have a responsibility for any malicious or illegal utilization of the platforms used by employees. In this situation, companies could use the legal framework to ensure employees comply with the right and secure way to use platforms. Attention to this legal step will ensure stakeholders are accountable and users compliant when it comes to implementing mobile security measures.
Implementing Mobile Security
Having established the approach of creating a mobile security architecture in a structured way, it’s vital to look at the concrete challenges that need to be dealt with. The most important areas are:
• Mobile Platforms: Evaluate security considerations for iOS, Android, and Windows Phone
• Mobile Apps, websites, and architecture: Security for apps, websites accessed from mobile browsers, and the important role of a solid software architecture
• Access Control: Select an authentication mechanism
• Data in Transit: Choose how to encrypt data communication
• Data at Rest: Set up secure data storage and containerization
• Mobile Testing: Test the security aspects (confidentiality, integrity, etc.) of the mobile solution
• Mobile Enterprise Platforms: managing mobile devices, apps, and content in a secure way.
Several mobile operating systems drive millions of applications on billions of devices. In February 2013, IDC reported Google’s Android and Apple iOS as the two most prevalent, ahead of BlackBerry and Windows Phone. Android is the only operating system built on open source. Its open nature, spread across multiple device manufacturers, means that manufacturers should have the policy to distribute updates at the required frequency, which is not always the case. For this reason, security holes on Android devices can be left unpatched for a long time. The closed source code models of iOS and Windows Phone tend to update all devices within a matter of weeks of updates being available, thereby quickly fixing security issues.
Regarding mobile application distribution, all three operating systems have app stores with a built-in aim of preventing the downloading of malicious software (malware). In the iOS App Store and Windows Phone Store, each app will go through an approval process before they are made available to users, making it significantly harder for malware to be spread. There is no such rigorous process for Android apps in Google’s Play Store. High risk apps are removed but the risk of distributing apps tainted with malware is clearly higher with Android devices. The fact that it’s even possible to install apps not distributed through Google
Play, further increases that risk. Windows Phone and iOS don’t allow distribution of apps from outside their own app stores except in very specific enterprise cases.
It is possible to remove built-in security restrictions on devices that use any of the three operating systems by “jailbreaking” or “rooting”. Indeed, over fourteen million devices on iOS 6.x have been jailbroken. So policies and solutions must be implemented to counter this vulnerability. The enterprise policy should indicate whether users are supported if they choose to modify their device and a technical solution could be implemented to test for such jailbreaks (while noting jailbreaks are not always detectable by automatic means).
Two features of Android and Windows Phone that iOS owners don’t have access to (and are therefore safe from), are the ability to use SD cards and USB Mass Storage. In the case of SD cards, neither Android or Windows Phone encrypt the content by default and therefore there are two risks: that sensitive information can be leaked and that malware can enter the mobile device. Similarly, when the device is connected to the computer and allowed to be used as USB storage, this also means that information can leak and malware enter the mobile device.
It is relatively easy to reverse-engineer complied Java (Android) and .NET (Windows Phone). The dynamic nature of the Objective C language used within iOS also enables users to reverse-engineer applications. This ability to reverseengineer an app to reveal its source code, can provide valuable information to hackers.
When addressing what operating systems should be supported by the corporate infrastructure, it’s important to consider the differences in security features of each platform.
Mobile Apps, Websites, and Architecture
There are two main ways to deliver content and functionality to mobile devices: via mobile apps or via websites that are viewed through a web browser. The majority of apps available are written in a programming language that is platform-specific. All are compiled into a binary executable file that is made to download and run entirely on each specific platform. These are generally referred to as native apps. However, most of these apps also include some web content and functionality that is either distributed with the app or accessed in real-time from a web server through a native component (often called a web view). Such apps are referred to as hybrid apps. The parts of a native app that consist of web content and functionality have the same security risks as any web site run in the browser.
Managing the Mobile Security Architecture
Ideally, a mobile security architecture is not created as a one-off effort, it is a living thing that needs to be maintained and applied constantly. It’s a reference that should be used by project teams as they design and implement their specific mobile solutions. However, the world is constantly changing.
Business requirements evolve, and the front end of the architecture, the contextual architecture, must be reviewed and updated periodically. An important question is: at what point do the contextual changes create sufficient pressure to change the underlying conceptual architecture and other layers?
The changing behavior of mobile users affects the security aspects of the solutions they use. There is also a need to keep pace with changes in the world of mobile security, such as new threats and best practices to handle them.
The question arises: how do we monitor and measure the security aspects of our mobile solutions and keep up to date with changes affecting security in the mobile world?
Technology also changes and new mobile security solutions become available. This also raises a question: when should you change decisions in the physical architecture from one technology or product to another? These questions suggest a continual architecture review process that is governed in a structured way and monitors how well mobile operations are performing to meet business security requirements.
Crucialto ongoing efficiency and security of mobile solutions is user awareness. All the required attention to architecture and operations is worth nothing unless continued effort is made to ensure users are aware and comply with relevant and up to date policy and governance.
Security is a vital part of any large IT deployment and is arguably even more important with mobile devices. The key to securing these devices is understanding the risks posed to the enterprise by their use.
The trend towards “scattering” of information across many locations has grown in parallel with the uptake of mobile devices for personal and business use. With the acceptance of mobile device use within the enterprise, these separate, but related trends offer many benefits, but present many new and unprecedented security challenges.
A careful selection and enforcement of technologies, policies and governance can ensure that a mobile strategy provides adequate support to build secured mobile solutions and, potentially, could be more secure than current systems. A suitable strategy will allow the enterprise to reap the business benefits of the mobile revolution, while safeguarding it and its employees and clients from the risks.