Anat Litan Sever


In the era of BYOD (Bring your own device), enterprise organizations are searching for the optimum mobile work environment — one that will function with a delicate balance between security and user experience. The enterprise organization’s goal is to reach the highest level of security, while the employees (the users) want to interact with a simple and fun user experience.

The Arrival of VMI — Virtual Mobile Infrastructure

To bridge the two sides, we’re seeing the emergence of a new disruptive technology called VMI, or Virtual Mobile Infrastructure. Why is it disruptive? Because instead of installing native mobile apps on a device, they are installed on a remote server. A remote mobile environment allows enterprise organizations to own and control all their data, rather than have data stored on personal devices. From the users’ perspective, they will continue working with their iOS or Android devices, only they will interact with a remote cloud and will keep the feel and experience of working on a native mobile device. The idea is to have a remote workspace based on a mobile operating system like Android. Some call this technology mobile-based VDI (Virtual Desktop Infrastructure) or Android enterprise cloud. By using a remote workspace, all of the organization’s apps and data stay in the datacenter. Adopting VMI means that when millions of mobile devices are “traveling” the world carrying precious corporate information, they are traveling safely. Employees who work everywhere with their mobile devices gain another environment with the most up-to-date Android work tools, which lets them keep working on the go.

The Unseen Brain

One of the main differences between VMI and the common alternatives is rooted in the Unseen Brain concept. The term “The Unseen Brain” is a metaphor. The “brain” is the remote Android platform that knows how to handle multiple work environments. “Unseen” refers to the fact that this brain is invisible to the mobile devices, as it is located outside the device on a remote cloud. The other alternatives store apps and data on the mobile devices. Even if they are stored in a secured container, an attacker can go behind the container (i.e. break the encryption layer) and analyze the data thoroughly. After breaking through the encryption barrier, the attacker can reach the fully exposed data of the organization.

An attack can be carried out by finding the encryption keys. If the data is encrypted and decrypted within the device, the keys must also reside on the device. The answer to this problem is simply not to store any data on the device.

By contrast, when using VMI technology, the only thing that appears on the screen is a flat image, which is a “mirror” of the Android cloud. This flat image can neither be analyzed nor captured. Even print screen is locked.

One Work Environment for One Enterprise Organization

Mirroring the enterprise’s remote platform, the Unseen Brain enables all the employees in the enterprise organization to work in one unified work environment, regardless of whether they are using Android or iOS devices. Let’s dive into the security opportunities. Since the Android OS is installed on a server, the server hardening process can apply the advanced security measures available in a datacenter, resulting in a much more secure operating environment than a handset offers. Another important outcome of having the Android OS installed on a server is that IT controls and manages only one environment for all its clients. The employees benefit from an easy collaborative experience, as everyone in the organization shares the same work environment. For example, if John, a salesperson who is using an Android device, wants to interact with Kim, a marketing writer who uses an iOS device, he can do so easily, as both will have the same Android apps with the same collaborative features and the same file types.

Will Employees Select Their Own Mobile Work App in the Future?

When the enterprise organization is planning a BYOD strategy, it will also take into consideration what apps and tools are needed in order to serve the needs of its users. The employees prefer to use the apps that they already know from their personal environment. When using VMI, the users will continue having the same experience they’re familiar with from their personal use with their enterprise use. Moreover, this technology allows the employees to safely install (from the remote cloud) any Android-based apps, thereby integrating user satisfaction with business needs. When selecting the specific apps to be used for selected users, it’s important to consult with the various departments in the organization (for example, engineering, finance, sales, marketing, etc.) who can advise on which apps can best serve the organization’s needs.

The organization can set budgets per department or per employee. Every department can install the professional mobile apps they want to use: Graphic designers have their favorite apps while marketing folks use the specific analyzing apps that are most productive and efficient for them.

In this respect, employees have a positive experience because they select what best suits their needs while enjoying the same app experience they are used to. In short, the enterprise organization will benefit from faster and better apps, acquired by those who know best what suits them.

A Communication Protocol that Answers Both Security and User Experience Needs

Another key to success when developing a remote mobile environment is building a communication protocol with maximum security. MDM (Mobile Device Management) or MAM (Mobile Application Management) solutions carry multiple protocols in one tunnel, one for each app. Working with multiple protocols adds a number of potential weak links, each an Achilles’ heel. The more communication protocols “running” in the tunnel, the less secure the environment is. With a remote mobile environment there is only one communication protocol to secure. Because this communication protocol carries the user experience, it needs to be built to support all mobile interactions, including rotation, vibration, visuals, navigation, touch, and sound. Users who depend on an enterprise work environment should be supported by the entire mobile experience.

A Delicate Balance

In the end, just as the enterprise is hungry to find a holistic approach that will include maximum security, there is equally a hunger on the part of its most valuable assets — its employees — who simply want to enjoy their work experiences just as much as they enjoy their private ones. A VMI solution can help organizations maximize returns for both of these important outcomes and strike the BYOD balance.


David Abbou

Freedom in the enterprise: It’s the way of the future, and it is here to stay. But freedom without structure equals chaos. For most organizations, adapting to the BYOD world and finding this balance has proven to be a work in progress, and for some the road has been a rocky one.

A recent study by research firm Ovum found that 62 percent of BYOD employees are doing so with no policy in place. But despite that, employees are going ahead with BYOD – with or without their company’s approval. It’s time to accept and embrace BYOD for what it is – the future. But in order to make BYOD work for your organization, you need a well-researched and defined policy that is tailored to who needs access to corporate data, what apps and programs they need to be productive, which devices and operating systems (OSs) will need support, and how to best secure this data in a scalable and sustainable way, not just for the short term but well into the future. Asking the right questions will help you define the requirements for successful enterprise mobility and how to keep it secure.

It’s important not to forget that implementing BYOD in your organization is meant to enhance your business in ways that greatly exceed the security adjustments needed to realize this vision. Effective BYOD is not a one-size-fits-all solution for every organization or industry, so it’s vital at the very beginning to obtain valuable and actionable feedback from your security team as well as management and staff at different levels who are the BYOD end-users. That way you can create policies that are driven by their needs and your organization’s strategic objectives, while aligning with regulatory and compliance requirements.

Here’s an overview of the steps you should take to create a BYOD policy. Covering these bases will help your company strike the balance between BYOD freedom and security.

BYOD POLICY CHECKLIST

Step 1: Define your BYOD Policy Team
Which personnel (i.e. IT, HR, Finance, etc.) can form your policy team and be channels to obtain accurate feedback on the BYOD needs of your employees?
Example: Have Communications prepare a survey and distribute it via your BYOD policy team to gather feedback.

Step 2: Define your BYOD Objectives
What tasks do your employees need to perform by using BYOD?
For example:

  • Email (compose, respond, open and send attachments)
  • Create and share documents
  • Use corporate apps (e.g. CRM, ERP, databases)
  • Use consumer and business apps from the Apple and Google stores with corporate data?
What are the main strategic benefits you expect to see from your BYOD program? For example:

  • Efficiency:
    • Save costs on hardware or software?
    • Save time and IT resources on addressing device security issues and threats?
  • Productivity:
    • Better collaboration and workflow?
    • Quicker response times?
  • Flexibility: anytime, anywhere access

Step 3: Define BYOD Apps and Data
What data must employees access to achieve the BYOD objectives? Engage departments and business units to define the functions and roles that need to access corporate information on mobile devices.
What data in your company is highly proprietary/sensitive? Separate data into categories of sensitivity. Example:

  • High: CRM
  • Medium: Emails
  • Low: Contact list, Calendar
Which apps are most in demand by employees in your organization, and why? List apps by department and function. Example:

  • Sales – CRM to generate quote documents
  • Admin. – Time tracking, expense reporting apps, etc.
What are the UX requirements that work best for your employees?
Example:

  • Native touch interface
  • Works with HTML

Step 4: Define the BYOD Users
Who in your organization needs to access work email and business apps away from the office? List the departments and functions that apply.
Which employees require special permission for mobile access to information that is highly sensitive (Proprietary/Confidential)?
Example: CFO – financial data
Which employees require mobile access to lower levels of data sensitivity?
Example: Customer Service reps – access to emails and calendar.

Step 5: Identify Security Threats and Vulnerabilities
Which mobile devices and OSs are being used by your defined BYOD users?
Example:

  • 60% use iPhone 4s – iPhone 6
  • 95% of iPhone users use iOS 8
  • 20% use Samsung Galaxy 4 and up
  • 20% use other Android phones (e.g. Nexus, LG)
  • 10% use iPads (all versions)
Which types of OSs and devices cannot be supported for BYOD by IT, and why?
Example:

  • Android devices version 2.2 or lower (unsecured and incompatible with the majority of apps)
  • Devices with a screen size of 3 inches or lower (apps unable to run smoothly on screens this small)
Which device vulnerabilities must be excluded from your BYOD program?
Example: Jailbroken and rooted devices

Once you’ve gathered all of the information and determined your BYOD policy, congratulate your team! This is the first major step towards a successful BYOD program. The next step is implementation of your BYOD policy. In Part II of this series, we’ll break down the different considerations you should make in determining the security approach that will best fit your organization. Stay tuned!

David Abbou

Regardless of whether you work in the IT field or not, technology has likely changed the way you work in recent years, and consequently bombarded you with a seemingly endless combination of alphabet soup and tech mumbo jumbo that might overwhelm and cloud (pun intended) all you really need to know about handling the freedom and responsibilities that come with the Bring Your Own Device phenomenon. With that in mind, this cheat sheet will help you or your less tech-savvy colleagues understand the phenomenon and the industry behind it.

Free @ Last: The BYOD Industry

Enterprise Mobility: The trend towards employees working out of the office and using mobile devices and cloud services to access corporate resources and perform business tasks.

Bring Your Own Device (BYOD): This is the policy to make enterprise mobility happen and can differ greatly from one company to the next. At the heart of this trend is letting employees work on their personally-owned mobile devices such as smartphones, tablets and laptops to connect to corporate network resources and access corporate information.

BYOD Policy: A set of rules designed to effectively govern IT management’s implementation of BYOD. These policies vary depending on the organization’s specific size, budget and security considerations.

Choose Your Own Device (CYOD): Like BYOD, CYOD lets employees use smartphones and tablets to get work done. But the employees must choose a device from a pre-approved list. Some companies have chosen this route to give IT more control and cut down on the security risks posed by different device types. Devices have security software and settings pre-installed.

Mobile Security Threats

Malware: Malicious software, appearing as executable code, scripts and other software, that disrupts computer operation, gathers sensitive information, or gains access to private computer systems. “Malware” is a general term used to refer to a variety of forms of hostile or intrusive software.

Phishing: Scams that use social engineering and computer programming to lure email recipients and web users into visiting fake sites in order to steal private and sensitive information such as credit card numbers, personal identification and account usernames and passwords. No longer bound to email, phishing scams are now using cloned mobile applications to dupe users and acquire their personal and financial data.

Man-in-the-Middle (MITM) attack: Attackers use an MITM position to create false connections between two parties, relaying fake messages between them. They intercept and record all messages that follow between the two parties and impersonate each party convincingly enough to gain confidential information from one or both of the victims.

Common Vulnerabilities

Vulnerability: A mistake in software that can be directly used by hackers to gain access to a system or network and violate a system security policy. These flaws allow attackers to execute commands as another user, access restricted data, impersonate another entity and cause a denial of service. There are both known and unknown vulnerabilities.

Known vulnerabilities: Once found, vulnerabilities are published and given a unique ID number, or CVE identifier. Even after being discovered, devices need to be patched in order to nullify the threat.

Unknown vulnerabilities: Vulnerabilities that simply haven’t been found yet. These gaps are often exposed so early that there has been no time for developers to patch the flaw before attackers can exploit it. This leaves applications and OSs prone to zero-day attacks. Once the vulnerability has been found, developers need to work on a patch and distribute it across the devices.

Zero-day attack: When unknown vulnerabilities are discovered and systems are attacked because programmers have not had sufficient time to develop and apply a patch. Zero-day attackers often sell information to government agencies for use in cyber warfare.

BYOD Security Solutions

Enterprise Mobility Management (EMM): The management and deployment of technology, processes and policies to manage mobile devices, wireless networks and related services relevant to an organization.

Mobile Application Management (MAM): A security management approach designed to secure software products, specifically mobile apps on smartphones, tablets and other mobile devices.

Mobile Device Management (MDM): Security software used by an IT department to monitor, manage and secure employees’ mobile devices that are deployed across multiple mobile service providers and mobile operating systems being used in the organization. Often combined with additional security services as part of a complete Enterprise Mobility Management solution.

Mobile Information Management (MIM): MIM describes cloud-based services like Dropbox and Google Drive that sync files and documents across different devices. There are also on-premise enterprise versions of these products available to store corporate data.

Virtual Desktop Infrastructure (VDI): A virtualization architecture that typically runs a Microsoft Windows operating system and reflects corporate apps and data onto desktop computers and laptops using a remote display protocol.

Virtual Mobile Infrastructure (VMI): Sometimes referred to as “mobile-based VDI”, VMI is a security technology that runs an Android operating system on a cloud-based remote server or company datacenter and uses a remote display protocol to transfer all corporate data and apps to mobile devices. By using a thin client to display a flat image on devices, no actual corporate data is stored on the devices themselves. VMI was created specifically for enterprise mobility and BYOD organizations.

Dual-Persona: A technology that creates two separate environments on one device; one for IT to manage enterprise data and the other for the user to manage personal files and apps. This requires storing corporate data in a container on the device.

Multi-Persona: A device management platform that separates more than two environments on one device mainly to secure corporate data on the device.

Containerization: A technology used by EMM and MDM solutions to separate data and apps on a device. Corporate apps on the device are stored in a separate area that is password protected and encrypted.

App wrapping: MAM solutions initially used this approach to secure apps for corporate use by applying a management layer to mobile apps. This process allows administrators to add extra security features and modify apps to require connection to the VPN or further authentication using a local passkey.

Virtual Private Network (VPN) Tunnel: EMM products wrap data between the mobile apps and the corporate server inside a VPN connection to improve security and avoid data being captured by external intruders.