How trustworthy are mobile platforms and devices?
For the maintainers of corporate networks and those charged with protecting sensitive data on those networks, this is a very serious question. Corporate users are increasingly utilizing smartphones, tablets and other devices, which facilitate a more mobile and connected workforce. Oftentimes, these devices are the personal property of the user, yet users often use them for legitimate business purposes. Users desire the convenience of owning one personal mobile device that can connect them to a wide variety of data sources and applications: corporate email, personal email, personal data, personal applications and business applications. Reconciling device ownership and trustworthiness is a very difficult task.
Ultimately, a business has a right to protect its proprietary and sensitive information, even if that information resides on a personal device belonging to the end user. If a user desires to consume business resources and store sensitive information using their phone, then the business has a right to implement reasonable safeguards to protect the data and resources. Though the user owns the device and has the right to do as they please with it, they do not own all of the data on the device if they allow sensitive corporate data onto it.
A reasonable analogy, which approximates this situation, is a personally owned briefcase. For the sake of example, let us pretend the user has access to physical keys and sensitive printed documents. The user stores both the keys and the documents inside their briefcase. The user owns the briefcase, but the business still owns what's inside it. The business would expect the owner of the briefcase to take reasonable measures to protect the briefcase, and thus its contents. The same applies to virtually anything a person owns that can “contain” business assets. The problem is that this gets much murkier and more difficult to deal with in the digital environment, but the need exists and is clear.
Business policy is usually clear and requires that sensitive data must be protected at all times using reasonable measures that provide adequate security. And the subtext for that policy is to use a risk assessment to intelligently decide exactly what “adequate security” really is. Another consideration that goes into “adequate security” is what happens when an employee leaves an organization. What recourse does a business have to ensure their data is protected when the user is no longer an employee and the business cannot legitimately control the user’s device? One option is that the user’s personal device is wiped, no matter what, before it is put into an “unmanaged” mode where the business entity can no longer enforce policy on the device. Another option is to simply ask that the user be responsible and delete all of the data from their phone.
Now comes the fun part – the three major mobile platforms that users will typically wish to use. The three major platforms up for consideration in this article are: iOS (iPhone, iPad and iPod Touch), Android (tablets, smartphones) and BlackBerry (mostly phones). Some of these devices, depending on the version and configuration, can meet what I consider “adequate” security. Others cannot. Now that the stage is set, the remainder of this article will explore the features of the three platforms.
First up for consideration are iOS devices (iOS does not stand for anything; it is a standalone entity now). One of the major caveats to understand about iOS is that every jailbreak out there exploits vulnerabilities in the operating system or a critical application on the device. Most observers would call these “security holes”. That said, Apple continually closes the holes, and the security of the platform has improved steadily since its inception. Apple provides a robust set of security features for most iOS 4 devices. There are generally two approaches when allowing corporate data onto an iPhone or iPad: force the device to become “managed”, or only allow that data to be consumed inside of a trusted application, such as Good for iOS. Inside of a trusted application, ironclad control can be had over the data, as it never leaves the confines of that application’s sandbox, assuming your user has not jailbroken their device. In managed mode it is possible to control many aspects of the device, such as password policy, user accounts and even restrictions on how the device can be used. It is also possible to issue commands to the device, such as remote wipe. Mobile device management servers can also query the device for a variety of information. More on the available device management servers and their features will be covered in an upcoming blog post. The features on iOS 4 rival the features available on the BlackBerry platform. iOS 4 takes the platform well beyond the limited policies available in Exchange ActiveSync. Network administrators have all of the tools they need to enforce policy on a user’s personal device.
BlackBerry has built a strong reputation on the security and corporate friendliness of its devices. Administrators have long relied on the features in the BlackBerry to set up, and enforce, effective information security policy. There are minimal gaps, if any, in the features provided by the BlackBerry platform. The situation is thus very similar to that of iOS 4 (though BlackBerry has had these features for a much longer period). Using a BlackBerry enterprise server, administrators can remotely wipe a device, enforce password policy and configure various other security settings remotely on a user’s personal device, which should allow most corporate information security policies to be enforced.
Android platform security, from a “managed security” standpoint, is not nearly as mature in terms of features provided by the OS. Only as recently as Android 2.2, the latest version of the Android OS, have features like Remote Wipe via Exchange ActiveSync (EAS) become available. There are some third-party solutions out there. The more open nature of the Android platform means that third parties can more readily support the platform and provide features such as remote wipe and password policy enforcement (these features are also available through EAS). There are also options, such as Good for Android, which again self-contain many of the most common features a user desires.
The elephant in the room for iOS and Android devices is the words “jailbroken” and “rooted”. When jailbreaking and/or rooting a device, the goal is to circumvent or disable the pieces of the OS and platform that keep applications in a sandbox and running with limited privileges. It could be difficult, or even impossible, to enforce security policy on these devices, as the user can trivially circumvent the policy enforcement without the management servers being aware of it. The solution for this is much less clear and hinges on users being aware of the risks associated with jailbreaking and rooting, risks which they often are not aware of when they jailbreak or root their devices.
Overall, mobile platforms are reaching a point where it is impossible to ignore that businesses, and users by extension, demand the ability to manage personal user devices (and corporate-owned devices). iOS 4 and BlackBerry provide a compelling and rich feature set for device management, and Android has turned a keen eye towards platform security. There are also many third-party options and applications that aim to solve the problem of device management. Ultimately, the features provided by the vendor and operating system drive the features and provide the possibility for solutions to this problem that businesses can rely upon.
Hopefully this blog post sets the stage for future discussions on this topic. We closely follow this space and welcome opinions, links to other resources, and personal experiences of dealing with this new era of Personal yet Managed mobile devices.
Cheers!
Jeremy Allen