David Abbou

It’s amazing how fast mobile technology has become intertwined with both our personal and business lives. For BYOD users, their mobile device has fast become a one-stop shop for both work and play. In a world where there’s always “an app for that”, BYOD users are increasingly interacting with both work and personal apps on their smartphones. There’s really not much you couldn’t find out about many mobile users if you could peek into their browsing history or the apps they like to play with. But the virtual playground is one we also share with cyberattackers.

Take love and dating for example. Mobile users turn to dating apps like Tinder, OKCupid and POF in their pursuit of romance. But love in the mobile world is just about as risky as in the real world, only worse – you could infect your boss – or your company’s data to be precise! An IBM study of 41 popular Android dating apps revealed that more than 60 percent possess medium to high-severity vulnerabilities which are prone to cyber attacks.

73 percent of the apps examined obtain access to the device’s current and historical GPS location. Cybercriminals can exploit this data to identify the user’s home and work information and other preferred destinations. Other vulnerabilities surrender control of the device’s camera and microphone even when the user is no longer logged into the app, as well as storage and billing details to lurking cyber criminals. Once these vulnerabilities are leveraged to compromise device security, intruders can hack into the corporate network and steal sensitive information.

These threats of course extend beyond apps and can be added to the pile of mobile malware that comes from users surfing online on vulnerable dating sites. But let’s not forget the sexiest threat gaining prominence right now – ransomware. Spread through e-mail attachments and infected web sites and programs, this type of malware encrypts the victim’s data and demands some type of payment for the decryption key. Typically, ransomware manifests itself in one of two ways. The first is locking your screen entirely and displaying a full-screen message demanding the ransom amount. The second scenario involves locking files such as documents and spreadsheets on the device with a password. Imagine the damage and chaos this could wreak on employees and their colleagues collaborating on important documents, in addition to the risks of losing sensitive corporate data.

And you don’t necessarily need to be surfing one of those naughty sites to fall prey to this trap. In fact, a lot of ransomware injects your device with indecent materials with the aim of scaring you into paying rather than explain the embarrassing material found on your device.

So how can organizations and users practice safer BYOD?

Educate your users

You can’t stop what you don’t know. Your IT department needs to be in regular contact with HR and Communications. As they compile more knowledge on the latest malware and app security risks, practical security practices need to be delivered to all BYOD users. This isn’t a one-off event; it’s about creating a more educated workforce that’s better equipped for the new BYOD world. Like other major strategic organizational objectives, a security-conscious mobile workforce should be made a priority and be incorporated into your organization’s orientation and employee communications programs. This is a long-term investment that will help your organization mitigate mobile security risks. More employees will exercise caution if they are attuned to the dangers inherent in many consumer apps and why they should only download from authorized app stores.

Keep Corporate and Personal Data Separate

The more invested businesses of all sizes become in BYOD, the more important keeping corporate and personal data separate becomes for your organization’s security. That’s because the mobile app market – be it consumer or enterprise – is going to continue to grow at a prolific rate, and the security risks both old and new are sure to keep coming. App wrapping and other containerization methods can only take mobile security so far because the encryption keys that hackers seek are located on the device. Newer security approaches like Virtual Mobile Infrastructure have emerged that let organizations keep and control their enterprise apps and data on a remote and secured mobile platform. The apps are transferred to devices as a display using a single thin client app and deliver a native mobile user experience with both Android and iOS devices. No matter what your employees are downloading and what malware they may be attracting on their smartphones or tablets, their personal and enterprise apps will not be mixing and mingling in the same location. Which means IT can sleep a whole lot easier knowing their apps are away and safe from the never ending stream of mobile device and application threats.

David Abbou

All Microsoft mobile app jokes aside, it’s no secret few cloud sync and share vendors have been able to deliver on high quality, native mobile functionality for enterprise office tools. CloudOn was a rare exception to this rule, and now they have been scooped up by cloud storage provider Dropbox, who has been on a torrid shopping spree of late.

Up until now CloudOn has been a tremendously successful startup, amassing over 9 million users since it entered the market in 2012. At the time, there was no offering available to consumers which coupled both file storage and collaboration abilities with mobile-first content creation apps. CloudOn’s team of founders stepped in, and in the eyes of many were the first to provide office apps for enterprise that were driven by the needs of mobile users. Where others in the space tried with only limited success to modify their desktop iterations for mobile interfaces, CloudOn simply “got it right”. Microsoft’s OneDrive, Google’s Drive and Box have since invested a lot of effort to fulfill this need.

But right up until its founders agreed to the as yet undisclosed offer they couldn’t refuse, CloudOn was seen by many as a shining light, a beacon for user experience excellence. Their detailed focus on ‘gesture-first’ design allowed them to stand out from the competition, and for users to tap, type, pinch and grab their way to document creation. Their ability to integrate with all of the aforementioned cloud storage services also gave them a distinct leg up.

But as of March 15, CloudOn’s service will be shut down for good, and it remains to be seen what the net effect will look like for consumers. Without a shadow of a doubt, the market needs more business-class apps with the fresh, mobile-first UX design that helped CloudOn users to create and share over 90 million documents to date.

There are many questions that have been left unanswered. How does Microsoft’s partnership with Dropbox figure into the bigger picture? Are the unique elements CloudOn brought to the table going to be resurrected on a mobile device near you, only this time in the form of a Dropbox or Microsoft offering? The recent launch of Harmony addresses desktop apps, but in an increasingly mobile workplace, a rather large part of the enterprise puzzle is about to go missing. Or did Dropbox simply buy out CloudOn and absorb its brain trust to eliminate a worthy competitor?

One fact is certain: these moves reflect Dropbox’s determination to make significant inroads into the enterprise market.

Meanwhile, enterprise mobility users deserve top-class productivity tools that can be easily shared and collaborated on the cloud. Here’s hoping that as Dropbox looks to integrate enterprise mobile productivity apps with Microsoft’s current suite, consumers will gain the intuitive user experience that quickly became CloudOn’s signature quality.

David Abbou

As organizations continue evolving in the digital age, they will increasingly look to integrate data-rich mobile applications with mobile devices, empowering their workforce with the ability to add organizational value from any location. As the number of enterprise and consumer apps continues to proliferate, however, businesses are facing technical challenges that if not overcome can work against the very productivity benefits their enterprise mobility programs are supposed to enhance. Enter one of today’s most pressing mobility priorities – password management. This challenge is already on the front-burner for corporations in many industries. As access to more corporate data is needed by professionals, IT must figure out how to simplify authentication processes. Creating and implementing a secure Single Sign-on (SSO) process is becoming another must-have, but the complexity of this challenge is causing too many enterprises to delay tackling this issue head on.

But analysis paralysis costs organizations time, money and valuable IT resources. Requiring users to undergo separate log-in and authentication processes per mobile app creates several significant issues that span both sides of the employee – IT security spectrum:

1. Workflow disruptions and hampered productivity

Time is money. Having to remember multiple passwords or re-entering the same password multiple times to access the enterprise apps equals too much time being spent on menial sign-on processes, contradicting all the time-saving benefits mobility is supposed to produce. Users (aka people in general) have proven to be notoriously inefficient at creating and remembering multiple passwords with any degree of reliability. The tediousness of it all leads to the next major issue…

2. Deters users from using enterprise apps altogether

This one is not rocket science. No matter how impressive a product you may produce, not nearly enough people are buying if you don’t make the experience a comfortable one. The same is true for enterprise apps. Unlike desktops or laptops, touchscreen functionality makes typing passwords on smartphones much slower and less user-friendly. Not the end of the world if you’re typing a password once or twice, but definitely a nuisance if you need to re-enter it several times in one workday. This results in too many users resorting to ad hoc methods of getting their work done. This circumvents security policy and undermines the potential that can be accomplished by everyone using a uniform platform to transmit and share data. But it’s not just users who feel the migraine. If they’re feeling the stress, you can be sure it will be projected onto IT…

3. Burdens IT with troubleshooting user errors and managing multiple user IDs

Still don’t have a SSO process in place? I have one question for you: How big is your Help Desk?! The preventable traffic directed towards your IT staff to satisfy forgotten passwords and reset requests affects both the quantity and quality of their own performance. It’s safe to say their resources would be best allocated elsewhere. Another significant load levied on IT administrators is the need to handle multiple user identities and create separate credential directories for each app. And that’s not even including the time spent on password security vulnerabilities…

4. Multiple passwords open the door for hackers to enter your network

Hackers are keenly aware of the opportunity that password processes offer them, and the more inefficient these processes are, all the better for them. Keylogger malware or keyboard capturing is a very prevalent attack method where the user’s keystrokes are recorded by the intruder. This is often used to capture passwords and access enterprise apps where valuable data can be stolen. But mobile apps and device data are just the beginning. The captured credentials can also be used to log in and attack network resources behind your organization’s firewall.

How to implement an SSO process

The mission then is clear: implement an SSO process that lets users access multiple apps and services by logging in just once. But this project doesn’t have to become a ‘Mission Impossible’ if planned with the right components. Here are the must-have ingredients:

1. Central authentication platform

First, you’ll need one centralized platform to handle identity management and deliver mobile app access to all of the different BYOD devices in your network. This is necessary so that users will log in to this platform only once and have their credentials authenticated and approved.

2. Authenticate device passcodes, not domain passwords

All BYOD users should be required to use a passcode on their devices and this is directly related to how mobile security threats such as keyboard logging, phishing and man in the middle (MITM) attacks intercept passwords. You can’t always control if a password can be compromised within a mobile device, but you can control how far that password will take the intruder. Using device passcodes in tandem with a One-time Password system is much more user-friendly and prevents many of these security threats.

3. One-time Password (OTP)

OTP systems also help prevent the above-mentioned attacks and other hack techniques by ensuring that a unique and temporary password is used only once – each time a user logs into a session. Using this method in addition to smartphone passcodes goes a long way towards strengthening the authentication process.

4. SSL VPN

Access to the network needs to be granted through your corporate VPN network first. This is more secure and works well in combination with an OTP system. An SSL VPN will let you grant users access to specific apps they are approved for.

5. Enterprise Authentication Standards

Typically the go-to authentication protocol has been Kerberos, which allows users to log in once within either a LAN, a domain or from a mobile device. Users request encrypted session keys/tickets to access network resources, instead of keying in their password. These tickets are typically time-stamped, helping reduce the risk of eavesdropping and replay attacks. While Kerberos has worked very effectively for PCs and laptops, it can be much more problematic when extended to mobile devices. A popular alternative protocol to use is SAML 2.0, an open, XML-based protocol which enables the creation and use of a security token which can be used to log into multiple apps. This facilitates cross-domain SSO processes and allows users to log in using existing IDs, such as Facebook or Google credentials.

6. Consider your Security Architecture

Integrating SSO for mobile devices is going to become the standard going forward. So it’s important to consider how this can be achieved most smoothly and securely. You need a solution that can support the various mobile devices, each version of each accompanying OS, and the variety of enterprise apps and SaaS tools that you need to provide to your users. One technology that complements all of these requirements effectively is Virtual Mobile Infrastructure (VMI). Under VMI architecture, a centralized mobile platform situated on a remote server runs a mobile OS which supports all mobile OS versions and devices. This is where all of the apps and network services your enterprise needs to deliver to mobile devices are stored. In light of this, enterprise IT can manage SSO and password management from a much more controlled environment. A reflected image of the apps is transferred to devices using a remote display protocol. OTP systems and all other authentication details are not exposed to mobile devices, neutralizing many of the security risks that mobile devices have introduced to your network.