Becrypt Archives - Security IT Summit | Forum Events Ltd

Evolving mobile device management strategies

Guest Post

By Dom Hume, VP Product & Technical Services,  Becrypt

As organisations continue to innovate to realise efficiencies through the use of increasingly sophisticated and pervasive mobile technologies, many are continually challenged by the risks associated with managing an ever growing device estate.

Successfully managing the complexity of multiple software and hardware mobile platforms necessitates a practical, secure and cost-effective way to manage, monitor and track devices.

This is best achieved through implementing an end-to-end Mobile Device Management (MDM) strategy, which can sometimes require consideration of the entire software and hardware stack, to ensure valuable time and resources are used effectively in securing and monitoring mobile devices that access business-critical data.

I have summarised four of the themes we believe are important for organisations to consider when implementing a robust MDM strategy, much of which is based on work we have undertaken with UK Government.

Choose a device manufacturer committed to security patching

It is important to take into consideration that Android and iOS have fundamentally different approaches to the phone ecosystem. Apple has a closed ecosystem, whereas Android is an open platform, and phone manufacturers are supported in building their own devices using Android. Google releases updates and patches to its Pixel phones at the same time as it releases patches to the wider Android community. It inevitably takes time for the individual manufacturers to integrate, test and release the patch to their handsets. Consequently, there can be a window during which publicly known vulnerabilities remain unpatched and may be exploited, and the length of that window depends on the responsiveness of the manufacturer. This situation is not directly mirrored in the Apple ecosystem.

It is also worth investigating the patch lifetime to which a manufacturer has committed, as this often correlates with patch responsiveness. Organisations with long-term projects may wish to consider specialist manufacturers such as Bittium that will commit to extended device lifecycles.

Plan your application lifecycle management

From an application provisioning platform perspective, the Apple App Store and Google Play Store perform the same functions. While there are some differences in approach, neither any longer favours users side-loading applications.

Since its inception, the Apple App Store has implemented a quality and compliance gateway process, through which apps must pass before they appear on the store front. App developers can still sign their own apps and push them to devices, via some MDMs that offer private app stores. However, if an app developer’s certificate is revoked, the apps will no longer work.

A safer method is to get your developer to submit the app to the actual App Store, where apps are vetted to ensure they work and don’t affect the functionality and security of the device. For enterprise customers, Apple created the Volume Purchase Program (VPP) for businesses. This allows organisations to submit apps only for themselves or for specific customers to access.

It’s important to note that apps are not always delivered from Apple servers. They are in fact often provided by a Content Delivery Network (CDN) intermediary. All iOS devices have the App Store function built in; this can be switched off from an MDM server. Organisations can also push mandated apps and updates from the MDM server.

Google also has a vetting process for apps, subject to a review process that can be somewhat slow. While there is no dedicated business-only Play Store, Google offers a ‘Private Apps’ concept, allowing the user to differentiate between work and personal applications. MDM administrators can remove business apps from a managed phone. Similar to ‘Bring Your Own Device’, the organisation sets the rules and locks down the device, while allowing the user some freedom to adapt it for personal use. The user feels there is some degree of privacy afforded, but this is not a security feature per se.

Consider a ‘split proxy’ architecture for high-threat environments

Organisations that are considered high-value targets and are subject to sophisticated cyber-attacks have become increasingly concerned about the consequences of an MDM server compromise. Attackers that breach an MDM server can easily locate and unlock a device, posing a serious threat to an organisation’s security. Compromised servers can also be used for subsequent lateral movement, or act as the ideal data egress point.

The data security challenges associated with managing mobile devices result from the characteristics imposed by the smartphone ecosystem. Such concerns apply regardless of whether an organisation’s MDM is on premise or consumed as a cloud service. MDM servers have complex communication protocols that interact with several internet-based services, such as push notification systems and online app stores. Usually, these communication channels are authenticated and encrypted end-to-end, preventing them from being inspected for threats.

Therefore, an organisation or its service provider can either open firewall ports to an MDM server hosted in its most trusted network segment, or host the MDM server in a less trusted segment – a ‘DMZ’ of sorts. Ultimately, this equates to either compromising a secure network or sacrificing the MDM server.

One way to mitigate the risks of such a compromise is to choose a solution that employs a ‘split-proxy’ architecture. A series of proxy servers residing in a DMZ carries out the range of encrypted communications with the smartphone ecosystem that an MDM server requires. Because the proxies terminate these channels, MDM traffic is rendered inspectable and can be subjected to a web application firewall to test for anomalies.

The MDM server may be hosted within the secure network, with appropriately secured and managed communication with the proxy servers. This type of solution can provide a significantly improved level of defence, whilst being completely transparent to the end user.

Consider the business objectives before implementation

Ultimately, organisations that prioritise data and employee protection as part of their MDM strategy should assess what they need from their mobile devices, and how those devices are intended to be used. A multi-functional work device that requires access to multiple back-end systems, including sensitive customer data, will almost certainly demand a large budget spend, in addition to robust risk analysis capabilities.

On the other hand, a small business continuity project that keeps employees informed of out-of-hours actions in certain circumstances may be achievable without any MDM implementation at all.

Regardless of whether an organisation is operating in a high or low-threat environment, it needs to select an MDM solution that is resilient enough to protect its data from increasingly sophisticated and well-funded threat actors, who are intent on infiltrating the mobile ecosystem to compromise company data.

GUEST BLOG: SME collaboration delivering effective Public Sector IT security

Stuart O'Brien

Written by Bernard Parsons, CEO, Becrypt

When Becrypt began developing security technology for government more than a decade ago, relationships with Systems Integrators were the only viable route to understanding and accessing customer requirements.

Our experiences today are of a vastly more diverse supply chain, with some major government programmes consuming our services as part of a collaborative ecosystem of cyber security SMEs.

The public sector is under intense pressure to transform its services by delivering better, more reliable experiences, more efficiently for UK citizens. Technology is at the heart of that ambition.

User expectations increase exponentially as consumer tech evolves, added to which the opportunities emerging from private sector innovation in everything from Artificial Intelligence (AI) to big data analytics are so significant that the public sector has an obligation to establish how they can be deployed for public benefit.

Nevertheless, unlocking the advantages of flexible, mobile, data-driven services requires effective cyber security. Public sector data is incalculably valuable; from citizens’ personal identifiable information to highly classified government records, the risk of compromise by accident or malicious intent must be appropriately managed.

Within one major government programme, we are actively collaborating with ten innovative SMEs working directly with government to deliver cloud-based services and mobile platforms that have functional and performance characteristics more typical of our faster-paced private sector customers than government systems of old, whilst achieving the ‘high assurance’ requirements of sensitive government networks.

This new way of working has been driven in part by a convergence of public and private sector requirements, both in terms of technology expectations and cyber threat. To help drive the required innovation, government departments now engage directly with SMEs through agile sprint processes, supported by lighter-weight contracting vehicles, leveraging the agility of SMEs and their desire to align innovation with emerging customer requirements.

Whilst agile SME suppliers have flexibility to tailor solutions closely to public sector customer requirements, government’s relatively recent desire to avoid bespoke systems, combined with market convergence, allows the same R&D costs to meet the needs of broader markets.

For example, Becrypt has worked with the National Cyber Security Centre and other government departments to develop a ‘Cloud Client’ End User Device platform for accessing cloud and online services, leveraging open source components to develop a security-focused operating system. As a ‘born-in-government’ product, we have then been able to deploy the same technology across other security conscious organisations, such as those within the Critical National Infrastructure.

The wider marketing of products built for, or at least influenced by, government is helped in part by the thorough technical due diligence or product assurance that government typically undertakes. Such activities are very resource intensive but can nevertheless be a very effective mechanism for an SME needing to establish its first market for a new product. Using product assurance or system accreditation as a meaningful differentiator is more viable for an SME than the alternative of competing with the vast marketing budgets of multinationals, allowing a beachhead to be created within government before ‘crossing the chasm’ to adjacent markets where requirements now overlap.

There will of course always be an important place for System Integrators as part of the cyber security supply ecosystem for government, and indeed many are evolving internal structures to promote greater agility, innovation and collaboration through mechanisms such as ‘Intrapreneurship’.

But in our experience, collaboration between cyber SMEs over recent years, combined with new public sector engagement models, has had a transformative effect on a number of key government IT programmes.