Why Mobility is Good for Security

I should get the Pulitzer for these headlines. It’s only an matter of time until they add blogging to the list of literary/artistic mediums.

What it should say, is that BECAUSE of Mobility/BYOD, the spectre of information security raises its head higher than it usually does (which isn’t saying much), thus getting the attention of the senior management who are either entirely focused on running their business, or busy running it into the ground.

I actually had first-hand experience a while ago of an organisation that is on its way to becoming a BYOD-free zone, and considering what they do, I don’t blame them. At least until they get their security culture and policies sorted out anyway.

Which is kinda the point, as very few things I can think of have put the business side and the IT side into greater confrontation.  Business wants increased productivity AND cost savings, and IT Security want …well …IT security.

I don’t think anyone can deny the inevitable increase in productivity when your work email is sent to the same device you spend vast portions of your life on (usually in order to avoid talking to actual people).  But then you also can’t deny that confidential information on a device that is insecure (currently) is a VERY bad idea.

I know there are BYOD ‘solutions’ out there, but none of them work, and most of them are downright crap.

So where do businesses screw-up?; easy, they look IMMEDIATELY to technology to solve the problem that only education and policy can solve (again, currently).

Here’s a scenario:

  1. A salesperson wants to send a classified contract to legal, should they;
    1. Just send it, because it’s to an ‘internal’ department?
    2. Password protect it if they have that ability on their mobile device?
    3. Never try to send it from a mobile device?
    4. Follow the corporate policy?
    5. Wait until the next day to send it securely from a known-good device?

The correct answer is d.

Hang on – you may say before hearing the explanation – why are b., c. and e. wrong?  They are not wrong, they’re just not right given that policy ALWAYS trumps what you think is the right thing to do.  If corporate policy says you can post classified docs to Facebook for feedback, so be it.  You’re company will be out of business, and your CEO in jail (hopefully), but that’s a perfect segue to my next point…

Do you think you have the right to question your company’s policies?

The answer is that you absoLUTEly have not only the right, but the obliGAtion to question policies if you consider them in any way discriminatory, incomplete, redundant, inappropriate, unworkable …you name it. Not only that, you have a further obligation to help enforce those policies, it’s your company as well.

Policies are supposed to be the parameters upon which the corporate culture if founded.  They define the CEOs perspective on everything from community programmes, to acceptable use, to expenses, and if the CEO doesn’t bother to create them (or at least approve them), as well as evangelise them, they will not be followed.

So, back to my favourite phrase; “Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities.  If the organisation fails to achieve [secure BYOD though policy enforcement] , it’s the CEOs fault, and no-one else’s.

If you don’t think policy is the way to go on this, let me ask you one question; Would you follow company policy if this was the language in it; ‘All employees are strictly forbidden to send confidential information from their mobile devices.  All confidential data must be deleted immediately, and the matter reported to [department].  Any breach of this policy will result in dismissal, and subsequent legal action if deemed appropriate.’

I would.

Why Is Bring Your Own Device (BYOD) So Hard?

This is not going to be about the legalities, policy, or privacy issues surrounding BYOD, that has been covered many times over in articles like this one; “Why almost everyone gets it wrong about BYOD” by Brian Katz.  I would hope that you are fully aware that regular information security policies do not cover the use of personal devices, and have established appropriate policies accordingly.

What I will be focusing on is a) the risks based approach, b) some musings on current ‘solutions’, and c) my thoughts on a possible technology solution.

A lot of these so-called BYOD solutions focus on the communication channels, secure browsing, malware protection, and/or Mobile Device Management.  All of them miss the major point, which is the risk to data at rest.  Do you really expect your employees to VPN into some kind of proxy just to browse the Internet?  Or how do you expect people to sign up to having their phone entirely erased if they loose it?

The issue is that not one mobile application, I repeat, not ONE, works at an Operating System (OS) layer that prevents jailbreaking.  Any encryption of either  the data channels or the data itself is performed by software running on top of the underlying OS.  Jailbreaks work AT the OS layer, meaning that any functionality of the application is immediately at risk, including any encryption keys.

Charles Henderson says it better than me; “Is Your Mobile App Safe?

So BYOD is not about keeping your data from being stolen, you can’t, it’s about agreeing on what you are prepared to loose, and what to do if (when) that happens. So instead of throwing ineffective technologies at the problem, you have go back to basics and look at Role Based Access Control, data classification, retention policies and so on.  You should even question whether or not the cost savings and assumed productivity enhancements associated with it are really worth the effort.

In other words, if you do decide to proceed, assume that whatever your employees are downloading on their phones and tablets is now available to everyone, and implement your BYOD solution accordingly.

I would argue that you are probably better off educating your employees to never put confidential information in emails than you are trying to control how they use / abuse their personal phones.

I believe that there is currently only one way to perform BYOD securely; in a hardware module.  If you accept that you cannot perform authentication / encryption safely at the application layer, and that you will likely never have access to the underlying OS (iOS for example), then you are left with hardware.

The hardware module would perform several functions;

1. Authentication – Once the module is plugged into the mobile device, it establishes a secure channel back to home base to perform whatever form of authentication you choose (LDAP, username/password, certificate, even biometrics).  All encryption keys are kept on the hardware device.

2. Encryption – Seeing as the keys are on the hardware device (some form of mini-HSM perhaps), you can leave the encrypted data on the mobile device when not used for work related applications.

3. Storage – The hardware module could also be used to store all work related data, and the mobile device provides nothing more than  a communications channel.

The form factor for the hardware module could be something that is already very common, the phone case / battery charger.  Like this for example;
Screen Shot 2013-07-08 at 16.43.01

Or it could be something like this that has many connection types;

Screen Shot 2013-07-08 at 16.46.01

There are many things to work through, and perhaps the most significant is that this module would literally have to jailbreak / hijack the mobile device before it could have the kind of control needed to enforce the BYOD policies.  Easy enough on Android/Windows, but I’m fairly sure Apple would have issues, they have already totally screwed the ancillary device market with their lightning adapter. I know Apple are also working on an secure embedded SIM technology, but I really don’t see how it can perform he above functions in something so small, and they haven’t even seen fit to add Near Field Communications (NFC) chips to their iPhones.

Thinking ahead, this may not be a viable solution for all businesses, you still have to purchase hardware, and the centralised management station would have to perform everything an MDM does, but for the hardware modules, not the mobile device.  However, for government, government contractors, military and so on, perhaps the encryption aspect alone would be of interest?

Who is currently best placed to corner this particular market?  I think POS / terminal manufacturers like Verifone, Ingenico, or Micros would be contenders.  They already have manufacturing capability, HSM technology, small-form storage modules, OS and mobile communications expertise etc.

All they would really need is deep expertise in the specific mobile technologies covering the majority of the smartphone / tablet market; Apple, Android, Samsung, maybe even BlackBerry.  I’m guessing those skill-sets are not too hard to find.

Clearly there is a lot more to it that I have mentioned here, I do want to keep something back for collaboration opportunities 🙂

What are your thoughts?  What have I missed?  Is this viable?