Applications and best practices to keep your mobile devices secure

Contents
BYOD Smackdown 2012: Good Technology's "island of trust" lets users retain control
Protecting enterprise networks from new mobile application downloads

With the advent of smart phones and mobile technologies, it was only a matter of time before IT pros would have to worry about securing these devices. In this e-guide from sConsumerization featuring Jack Madden, find out about a technology that enables users to remain in control of their own data on their devices. Find out about an application that supports secure emailing, browsing, and document handling. Also, discover other ways to avoid mobile device security threats.

BYOD Smackdown 2012: Good Technology's "island of trust" lets users retain control

By: Jack Madden

Now that I've had some time to get more familiar with a number of BYOD/MDM/split persona vendors, I'm going to go down the list and report on my briefings with each one. These vendors run the gamut from application management to mobile hypervisors to traditional mobile device management solutions. Overall, the concentration is on vendors that, no matter what their background, promise solutions that enable BYOD with some degree of separation between work and private personas. I'm going through the vendors in the same order that I spoke to them, and there are still more briefings to be had and more vendors to be added to the list.

In December I met with John Herrema, SVP of corporate strategy at Good Technology, and Nicko van Someren, Good's CTO. Good has been around since 1996, and these days they have about 4000 customers. Their primary BYOD product, Good for Enterprise, is available for iOS, Android, and a few other platforms, but not for Blackberry.

Good Technology's approach to BYOD/split persona

Good takes an application-only or secure container approach to managing BYOD. Essentially, the Good Technology approach is to be unconcerned with the user's personal device, avoiding restrictions on how it is used or
what applications can be installed. Instead, they provide their own applications (or partners' applications) to give the enterprise "islands of trust" (as Nicko put it) on personal applications.

There are some MDM capabilities built into the product (the Good for Enterprise application can reach out and wipe the whole device if necessary), but generally the security restrictions are around the Good applications only. Users can manage their devices as they would have previously -- with whatever level of security they please (such as weak or nonexistent passwords, because, hey, the user's data is their own problem, not the company's) -- leaving the security around only the enterprise applications and data. It is at this layer that Good for Enterprise's features come into play and fine-grained permission-based security policies can be applied.

The core Good Technology application

The Good for Enterprise core application has features that support secure emailing, browsing, and document handling (with restrictions around open-in and clipboard capabilities, for example). Tasks like enforcing policies, pushing applications, and locking users out are restricted to the core Good for Enterprise application. Data to and from the device is encrypted, requiring infrastructure on the corporate end, inside of the firewall. The result, though, is that no special ports have to be opened. Good for Government has similar features, but adds more features, such as support for CAC cards, S/MIME and Department of Defense public key infrastructures.

To enroll in Good for Enterprise, any user can download the app, but naturally it's useless without permission to join a corporate environment. Similarly, a user can always choose to remove the app, and their access to corporate resources will disappear.

Third-party apps

Good Dynamics is the platform for developing third-party apps that can interact with the Good for Enterprise core application. Currently (February 2012) it's only available for iOS, with Android support expected in April (2012). Good Dynamics consists of an SDK that enables developers to
create applications that incorporate the same security features as Good for Enterprise.

John and Nicko told me that among the security features that Good Dynamics incorporates are provisions for encrypting data in motion within a device. Data to and from a device and data at rest on a device are the usual targets for encryption. With Good Dynamics, data that is transferred between Good for Enterprise and third-party applications developed with their SDK is not allowed to touch the memory in an unencrypted state. This is necessary because erasing data from flash memory generally consists of merely marking blocks to be overwritten, leaving the remnants susceptible to being read by other applications.

The approaches for locking down access to third-party apps are the same as for the core application. Depending on how permissions are set, open-in, clipboard, hardware access and other parameters are limited or monitored.

Organizations can develop their own apps using Good Dynamics, or turn to commercially available Good-compatible versions of apps. Ultimately, though, end users do have to rely on the availability of these special versions of applications, and if one isn't available, a user could be tempted to get data and work on their personal device using alternative means (FUIT). An organization will need to be proactive in ensuring that applications are available for their users.

On Good Technology's part, in order to encourage a broad ecosystem of apps, one of the first things they did was look at the 100 most popular apps in the enterprise and -- after removing all of the job-finding apps -- they approached the creators about making Good Dynamics versions. Good also notes that this creates opportunities for individual developers.

Final thoughts

Good Technology's product enables a dual-persona BYOD scenario, while keeping a small footprint on the end-user side. On the corporate side, there is a need to ensure that Good-compatible versions of apps (both commercial and home-grown) and back-end infrastructure (for Good servers) exist.

While Good for Enterprise is not separated to the degree of supporting multiple phone numbers or billing plans, all of the core functions are containerized. Having all the core functions under one application makes it easy to separate corporate work from personal usage. When work is just one icon, it's easy to hide it for the weekend, instead of having a prompt for a long password reminding users about it every time they pick up their phone.

Feature Overview

This feature overview will be updated from time to time, and a similar feature overview will be included with every article in this series. If you notice any inaccuracies, please comment or email me at jmadden@techtarget.com. There are a lot of vendors and features to keep track of, and I want to be sure and keep everything straight.

Platform: iOS (including Good for Enterprise, Good Dynamics, and Good for Government); Android (Good for Enterprise; Good Dynamics pending); Windows Mobile, Symbian, PalmOS (Good for Enterprise only)
Architecture: containerized application
Security: at the application level
App sources: integrated with the product, home-grown, third-party
How external apps are brought in: developed using SDK
App stores: corporate, commercial
Split plans/phone numbers: no
Management interface: web based
On-site requirements: yes, can be virtual machine
Provisioning: users download, then ask to join corporate environment

Protecting enterprise networks from new mobile application downloads

By: Sandra Kay Miller, Contributor

Want to surreptitiously share your contacts with your competitors? There's an app for that. Need to covertly keep tabs on your employees or spouse? There's an app for that. Looking to harvest passwords for mobile transactions? There's an app for that, too.

Kidding aside, with the growth of mobile application download sites, iPhone and BlackBerry users now have an unprecedented number of third-party applications available for their enterprise handhelds. According to a recent study from Jupiter Research Inc., mobile application downloads are expected to reach 20 billion annually by 2014. Network security pros will face mounting challenges from a rising tide of mobile apps touching private networks and information.

As mobile devices and third-party applications proliferate, they pose a number of security risks for the enterprise, perhaps most notably serving as a platform for the distribution of malware and unauthorized access to private information. Since IT shops already report mounting internal pressure to integrate and support third-party apps, their options for defending against related threat vectors are constricted.

"There's no question that as these devices proliferate that there are going to be people wanting to do nasty things -- affect the device, get into the network, steal data, spread malware," said Jack E. Gold, president and principal analyst at J. Gold Associates LLC, a technology research consultancy in Northborough, Mass.

Mobile device, application security: Policy and technology

Since many third-party mobile application downloads can quickly compromise enterprise security -- Apple currently offers apps with the capability to use data directly from enterprise applications including SAP, Oracle and other sales force automation tools -- the rapidly changing landscape requires vigilance in both policy and technology.

Gold points out that focusing solely on policy is difficult unless there is an automated policy-management system in place, such as the Unwired Platform from Sybase Inc. or Mobile Management from Symantec Corp., for actively monitoring policies on each phone. However, these products can be costly and complex to implement.

"It's easy for a company to say these are the devices you are going to use, and you will only have these applications on the device. The problem with that is you are limiting the end user's choice and, ultimately, productivity. There aren't any absolutes, and there are a number of variables that are really limited to the individual organization. If the CEO comes in and says, 'I want this', then you either give it to them or you go find another job. It's a balancing act," Gold said.

In order to maintain better control over wireless devices, organizations often choose to deploy their own IT-configured smartphones. While this is undoubtedly a time- and cost-intensive endeavor for enterprises that deem employee mobile device usage a high-risk activity, it makes it much easier to enforce policies regarding the installation and use of third-party apps. Mobile device "hardening" is similar to the wired world in that unnecessary services or those that pose a significant risk should be turned off, disabled or uninstalled.

Larger organizations, such as Kraft Foods Inc., are deploying smartphones and mobile devices in record numbers. Mark Dajani, senior VP of GIS at Kraft, understood that employees were increasingly utilizing smartphones, regardless of corporate IT policy, so his department not only provided iPhones to key employees, but also chose to support personally owned devices.

Dajani took the initiative by providing in-house apps -- email, calendar and contacts -- and having users connect directly with Kraft's Microsoft Exchange Server. Not only did this choice provide corporate access to information, but it also enabled enterprise-grade security. In order to access corporate assets, users must authenticate prior to touching networked resources.
Instead of wasting resources trying to keep individual mobile devices at bay, Kraft chose to focus that energy into support instead of prevention.

Thwarting mobile device application threats

The Center for Internet Security has created the Security Configuration Benchmarks, a set of consensus best practice security configuration standards that covers mobile devices, such as the iPhone, and the variety of third-party apps that they support.

At the base level, CIS advises organizations to be "practical and prudent" on policies regarding mobile application security and how users are allowed to use such applications to interact with the network and its data. For instance, Apple has made it much easier for users to configure the iPhone to access corporate email and other back-end systems, like CRM and ERP, creating a scenario in which sensitive corporate data could leak out of the enterprise without proper controls.

Just about any of the CIS benchmarks would alleviate this type of data leak scenario. Passcode settings, for example, offer strong protection against data loss, including features and functions like "Required Passcode," "Auto-lock Timeout" and "Erase Data Upon Excessive Passcode Failures."

Another potential threat vector is the availability of a Wi-Fi network or location services (GPS), upon which many devices depend to transfer data. CIS offers explanations and instructions on how to set devices to turn off these services when not needed.

Yet the reality is that today's wireless devices can exchange data over the air with greater ease than ever before. For instance, there are numerous third-party apps that allow for the wireless transfer of files from a PC or laptop to a mobile device. Someone looking to swipe a file from the network no longer needs to plug in a USB drive to grab sensitive data.

To reduce the risk of remote attacks on mobile devices through networked apps, devices such as the iPhone can be set to disable all transceivers and receivers -- referred to as "Airplane Mode." When engaged, the GPS function
is turned off and all wireless signals (Wi-Fi, Bluetooth and cellular) are blocked.
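
The three CIS passcode settings named above correspond to keys in the passcode payload of an iOS configuration profile (forcePIN, maxInactivity, maxFailedAttempts). The following is an added example, not part of the original e-guide or of the CIS benchmark, that audits an unsigned profile for them; the threshold values and the two sample profiles are assumptions constructed for illustration.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
# Assumed thresholds for illustration; set them from your own policy.
MAX_AUTOLOCK_MINUTES = 5
MAX_FAILED_ATTEMPTS = 10


def audit_profile(profile_bytes):
    """Return findings for the three passcode settings in an unsigned profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException:
        # Signed profiles are CMS-wrapped and must be unwrapped before auditing.
        return ["not a plain plist (signed or corrupt profile)"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload: nothing enforces a passcode"]
    findings = []
    for p in payloads:
        # "Required Passcode"
        if not p.get("forcePIN", False):
            findings.append("forcePIN is not true: passcode not required")
        # "Auto-lock Timeout": idle minutes; a missing key enforces no limit
        idle = p.get("maxInactivity")
        if idle is None or idle > MAX_AUTOLOCK_MINUTES:
            findings.append(f"maxInactivity={idle}: want <= {MAX_AUTOLOCK_MINUTES} min")
        # "Erase Data Upon Excessive Passcode Failures"
        tries = p.get("maxFailedAttempts")
        if tries is None or tries > MAX_FAILED_ATTEMPTS:
            findings.append(f"maxFailedAttempts={tries}: want <= {MAX_FAILED_ATTEMPTS}")
    return findings


def make_profile(policy):
    """Build a constructed sample profile holding one passcode payload."""
    payload = dict(policy, PayloadType=PASSCODE_PAYLOAD, PayloadVersion=1,
                   PayloadIdentifier="com.example.passcode",
                   PayloadUUID="00000000-0000-0000-0000-000000000001")
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadContent": [payload]})


# Constructed sample profiles (not taken from any real deployment).
WEAK = make_profile({"forcePIN": True, "maxInactivity": 15})
HARDENED = make_profile({"forcePIN": True, "maxInactivity": 2,
                         "maxFailedAttempts": 8})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_profile(blob) or "compliant")
```

When a device has several passcode payloads installed it applies the most restrictive values, so a per-payload finding here marks a profile to review rather than a confirmed weak device.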

Users can also be encouraged to configure employee-owned devices so they don't automatically connect to any available Wi-Fi network. This setting doesn't necessarily hamper access to enterprise apps, such as email or a browser, since both readily connect via cellular, but it does ensure devices aren't left wide open for attackers.

Other organizations delving deeper into the mobile realm secure mobile device applications with third-party products. In the latest iPhone firmware release, there's now support for Cisco Systems Inc.'s VPN as well as Microsoft Exchange. However, IT shops need more options to leverage existing security infrastructure to defend against non-authorized, potentially dangerous mobile apps that also touch corporate networks.

Trust Digital Inc.'s enterprise mobility management (EMM) software support for iPhone, for example, allows IT to manage and secure iPhones from a centralized management console.

"There's always that 3-5% of users that causes havoc, but IT professionals now have more options for securing mobile devices against risks from the growing number of third-party apps than previously," Gold said.

Free resources for technology professionals


TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web's largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more, drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real-world information in real time with peers and experts.

What makes TechTarget unique?


TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers -- all to create compelling and actionable information for enterprise IT professionals across all industries and markets.
