
Mobile Security Buyer’s Guide

PART 1: THE BASICS

Author – Andrew Braunberg

Overview

The consumerization of information technology (IT), particularly relating to the increasingly common bring your own device (BYOD) policy, is one of the most important technology trends affecting businesses today. As such, it has resulted in a critical need for enterprises to address security issues associated with the use of such consumer mobile devices on corporate networks.

The availability of easy-to-use smartphones, cloud services, and collaborative social networks is creating new work and productivity patterns for employees; however, these new practices are often being implemented without the approval of IT departments or, even worse, without their knowledge. Enterprises that have yet to address these trends should do so quickly. This guide is intended to help enterprises understand the choices available to address security concerns associated with the use of mobile devices on corporate networks.

The “Mobile Security Buyer’s Guide” is comprised of two analyst briefs: “Part 1: The Basics” introduces the technologies, products, and vendors in the mobile security market, while “Part 2: Costs And Use Cases” highlights the more common use cases and costs associated with managing and securing mobile devices, including a chart that maps available security products to use cases.

NSS Labs Findings:

• The mobile device management (MDM) market is quickly maturing and expanding; there are dozens of vendors in the market today.

• From a security perspective, MDM delivers a fairly commoditized set of features that are ultimately controlled by the functionality permitted by each mobile operating system (OS).

• The mobile application security segment is changing as a broad new set of products providing richer and more data-centric security features to mobile devices enters the market.

• Two important metrics to consider when assessing whether a mobile security technology will find market acceptance are the technology’s impact on the end user experience and the demands it makes on application developers.

• Traditional security vendors are adopting a more visible role in the protection and management of mobile ecosystems.

• Enterprises will often need to mix and match products from multiple vendors, depending on their primary use cases and on their particular market of corporate constraints.

• While malware is still a relatively minor threat on mobile devices (besides Android), phishing is not.

NSS Labs Recommendations:

• Organizations should approach mobile security in a measured, thoughtful manner. IT personnel should work collaboratively with end users to achieve the best possible balance of productivity and security.

• Data protection must be the primary security goal of organizations.

• Enterprises should view MDM as providing a minimum level of security for mobile devices that access corporate networks.

• Enterprises need to take a best-of-breed approach to building solutions, since security requirements differ significantly depending on individual use cases.

Analysis

Drivers: Consumerization of IT and the Response from Enterprises

In 2011, shipments of smartphones exceeded total PC shipments for the first time. This represents a sea change in the way that people consume information and in their use of “computers.” The number of mobile applications that are being downloaded for both Apple iOS and Google Android devices now averages more than one billion per month. That’s not a wave, it’s a tsunami, and it is being pushed along one consumer purchase at a time.

Knowledge about these consumers is as important as the volume of devices being sold. Consumer requirements are driving the mobile market today, with profound implications for enterprises, since these devices and their applications increasingly find their way onto corporate networks.

As of February 2013, 57 percent of American adults owned a smartphone. Ninety percent of these phones run either Apple iOS or some variant of Google Android. These consumers want to bring their devices to work for several reasons, most obviously because they are personally invested in the technology. Such market-based endorsements represent an emotional and financial investment from the consumer. It is an easy progression for consumers to decide that the same communication, collaboration, and research tools that enhance their personal lives are also adaptable to their work lives.

For the last couple of years, enterprises have often been caught off guard by the speed and pervasiveness of the consumerization of IT phenomenon. Saying “no” to consumer mobile devices is no longer an option for most IT or information security (IS) teams. Today, some of the largest companies in the world, such as Cisco and IBM, have broadly embraced the consumerization of IT. This is often manifest in the BYOD policy, where employees are allowed to use their personal devices to access corporate resources; however, a BYOD policy that amounts to “allow all” is a mistake.

It is important not to conflate the consumerization of IT trend with a corporate policy decision to allow BYOD. The latter is clearly a response to the former, but it is not the only response, nor is it the best response. What is needed is a managed approach to balance the employee desire to use consumer devices with the business requirements for security, compliance, and control. The idea that these business requirements are somewhat negotiable does not sit well with many traditional IT/IS departments; however, these departments generally no longer determine every aspect of technology deployment within an organization because employees now have numerous ways to “end run” uncooperative IT departments.

BYOD policies have been particularly hard on Research in Motion (RIM), the maker of Blackberry phones, which has never been a major player in the consumer market. The company’s share of the overall smartphone market continues to slip; it is currently less than 5% globally [1]. Concerns about the long-term viability of the company and the reliability of its infrastructure have customers working on contingency plans that would allow them to move to other mobile platforms. While Apple iOS and Google Android are the clear choices today, Microsoft Windows Phone 8 may also be a longer term competitor, given the trust and familiarity that enterprise IT shops have with Microsoft and its products.

Options

The first place to which most organizations turn is MDM. There are dozens of MDM vendors in the market that provide provisioning, configuration, security, and management of mobile devices. However, MDM is only a start, and it is expected that the features in these products will continue to be subsumed by the mobile OS vendors and the device manufacturers.

Indeed, more enterprise-class controls are being built into mobile operating systems with each new release, and a fairly consistent base of features is likely to emerge across the leading mobile operating systems. MDM vendors continue to differentiate their products in several directions, such as broader mobile OS support, cloud-based delivery options, richer reporting features, enterprise app store support, and the inclusion of additional cost control capabilities.

Concurrently, the rich ecosystem of third-party vendors that has emerged to augment native device capabilities in heterogeneous environments will increasingly focus on a broader set of capabilities. There are several important classes of functionality on top of MDM that enterprise customers should be looking for, and NSS believes that the two main areas of focus should be security and mobile application management (MAM). Current MDM products do address these functional areas, but not to the degree that is required going forward.

The Basics: MDM

MDM products emerged because of the difficulties of using non-Blackberry devices in business environments. Apple’s iPhone and the many variants of Google Android devices are primarily designed with consumers in mind; however, this is slowly changing as the boundary between business and private use continues to blur. MDM products address the limitations in these devices by enabling device provisioning, configuration, security management, software management, inventory management, and continuous monitoring and support.

As the name implies, MDM has traditionally delivered mobile lifecycle management with a device orientation, from provisioning to remote data wipe if the device is lost or if an employee leaves the organization.

Despite the continued flow of new entrants to an already crowded market, the MDM market is relatively mature. This is because all MDM vendors rely on mobile OS interfaces to enable their functionality. In the case of Apple devices in particular, access to low-level OS functionality is prohibited altogether, severely restricting any form of innovation on the part of MDM vendors.

This means that many basic features are uniform and are done through the same mechanisms. More importantly, there is a fundamental limit to what can be accomplished with a device-level orientation. This has driven MDM vendors and many other mobile players to introduce additional products to augment mobile devices.

BASELINE MDM CAPABILITIES

• Provisioning/Configuration
• Remote lock/wipe
• Feature control/disable
• Inventory management
• Software management
• Enterprise App Store
• Device monitoring
• Reporting
• Help Desk/Service management
• Expense management

Security

Blackberry has traditionally been the “gold standard” with respect to security on a mobile device, but other mobile operating systems are catching up, particularly Apple iOS. The strength, and appeal, of consumer devices lies largely in their general ease of use and broad application availability. From a security point of view, however, IT/IS personnel are generally neutral on the former attribute and suspicious of the latter, and neither Apple nor Google has made it a priority to address the concerns of business users.

There are several important security features that can be activated out of the box on both platforms. And the OS vendors provide application programming interfaces (APIs) that allow numerous third-party products to augment the security shortcomings in these devices.

General device controls are a good start, but they are coarse-grained and must be augmented with many additional security capabilities and policy controls. Organizations should carefully consider what needs protection. The real focus should not be on securing the device, which the enterprise may not even own, but on protecting any corporate data on that device (or data that is moving to and from that device). All non-Blackberry devices used on corporate networks will require some third-party security and management software. The exact amount required will depend on the devices being used, the use cases of employees, and any compliance considerations.

Mobile security products can be grouped into four basic categories:

General consumer-grade device controls: Examples include passcode use enforcement and remote location capabilities in case of loss or theft. The controls provide a base level of protection against end user misfortune or stupidity. They can be thought of as security features that are enabled out of the box and are designed for security-conscious consumers.

Advanced configuration policy support and feature controls: Exploiting these features typically requires the use of third-party MDM products, but provides a much richer set of configuration and security policy settings. Network access control (NAC) products have also found application in the discovery and control of unmanaged mobile devices attempting to access network resources.

Traditional threat protection (for example, Anti-X, URL scans): Much of the malware concern associated with mobile devices is focused specifically on the Android platform.

Data protection (for example, encryption and data loss prevention) and application hardening: Protecting corporate data on mobile devices should be the ultimate goal of any security strategy.

The level of security required depends on several factors. These factors are covered in detail in the companion document in this series: “Part 2: Costs And Use Cases.” At the very least, businesses should assume that addressing a base level of security will require the use of third-party MDM software in order to enable configuration and policy controls. RIM’s Blackberry Enterprise Server (BES) delivers the most sophisticated and fine-grained policy controls, but historically just for RIM devices.

As a benchmark, Blackberry BES supports approximately 550 configuration and security policies. Apple, Google, and Microsoft provide some management and security APIs that allow third-party MDM vendors to provide additional security policy controls on these platforms. Apple, Google, and Microsoft all also have varying levels of support for Microsoft Exchange ActiveSync (EAS). EAS enables approximately 100 mobile policies and features.

At a minimum, NSS Labs expects all devices used in corporate environments to support some level of EAS. Several leading MDM vendors use NitroDesk’s TouchDown client to augment their EAS feature support. MDM vendors currently OEMing TouchDown are MobileIron, Notify Technology, Sybase Afaria, AirWatch, Fiberlink (MaaS360), SOTI MobiControl, Citrix Zenprise, REVIVAL, 3LM, Wavelink Avalanche, Capricode, Tangoe MDM, and Symantec.

While Android is generally considered the least secure, and the least manageable, of the leading mobile operating systems, it is receiving the most third-party help to improve its standing. Android device OEMs are delivering enterprise-ready versions of their mobile devices. For example, Samsung offers Samsung Approved for Enterprise (SAFE) devices that are preconfigured with encryption, MDM, VPN, and secure connectivity software (i.e., wireless local area network (WLAN) security) from a host of third-party security providers. SAFE also supports a much richer set of Microsoft EAS policies than does native Android. Samsung’s more recently announced KNOX focuses on additional platform security, applications security, richer MDM APIs and theft recovery features. (For more details see the Samsung KNOX whitepaper.) [2]

[2] http://www.samsung.com/global/business/business-images/resource/white-paper/2013/05/Samsung_KNOX_whitepaper_April2013_v1.1-

The impact of consumerization of IT and BYOD policies on corporate WLAN infrastructure is an important consideration from both a security and a performance perspective. Network access control (NAC) products are being adopted to enable the discovery of unmanaged mobile devices attempting to access network resources. NAC products can augment MDM solutions, and partnerships between NAC and MDM vendors are forming, such as the union between MaaS360 and ForeScout.

As mobile devices are used in the role of corporate endpoint computing devices, their attack surfaces increase and so does their appeal to malware writers. This is evidenced by the growth in reported malware on Android devices and by the appearance of rogue applications in Google’s application store. To address these issues, security vendors are porting traditional endpoint security products to mobile platforms. These technologies include VPN, encryption, identity management, web filtering, Anti-X scanning, and personal firewalls. It is expected that traditional security vendors will take an increasingly visible role in protecting and managing mobile ecosystems.

The need for traditional endpoint security products on mobile devices currently differs significantly by mobile platform. Apple iOS has proved itself immune from malware, while Android has become the preferred target of mobile malware writers. Apple’s success is chiefly attributed to its closed application ecosystem. Apple requires that all code running on iOS devices is approved by Apple and is digitally signed using an Apple-issued certificate. This requirement extends Apple’s secure chain of trust, which begins with system boot up. [3] While malware is currently manageable on most mobile devices, phishing attacks are a serious problem for all. Secure mobile browser applications are appearing on the market to help alleviate this problem.

Beyond simply securing the device, enterprises need to move quickly to better protect corporate applications on mobile devices and thus the corporate data that resides within these applications. MDM vendors have reacted to this requirement, with several vendors introducing versions of their data loss prevention (DLP) products for mobile devices. The goal of these solutions is to provide real-time monitoring (and potential blocking) of data moving to and from mobile devices. Vendors such as RSA, Symantec, and Websense have introduced products in this space, and Zenprise (now a part of Citrix) is one of the few traditional mobile players to enter this segment.

There are other approaches to the problem of securing corporate data on mobile devices, such as virtualization. These products are marketed as providing dual personae (one personal and one corporate) for mobile devices. The idea is that all corporate applications and data will be stored in a secure and encrypted partition, or “vault”, on the device, and all personal applications and data will be stored in the standard user space. This approach has attracted interest from the leading server virtualization vendors (for example, Citrix and VMware), as well as from several startups, such as Red Bend and Open Kernel Labs (acquired by General Dynamics). Type 1 (i.e., bare metal) and Type 2 mobile client hypervisors are currently on the market. Virtualization is an interesting approach, but products have been slow to enter the market and questions remain regarding their impact on device performance and on the end user experience. Two virtualization vendors to watch closely in 2013 are Red Bend and VMware. Red Bend has partnered with mobile chip designer, ARM. Red Bend’s hypervisor will run in ARM’s new Cortex A15 processor, to be delivered this year. VMware also expects its hypervisors to ship this year, through partnerships with LG, Motorola, and Samsung.

New classes of security products are emerging in the mobile space, with specific focus on data management and security on a per application basis. Because security is a chief component of mobile application lifecycle management, application-specific security products are an important segment of this market.

Mobile Application Management

When vendors talk about mobile application management (MAM), they are usually talking about mobile application security, although there is more to it than just that. The primary goal of this security is to ensure the confidentiality, integrity, and availability of corporate data on mobile devices. There are six technical approaches that are being applied to this problem: enterprise class mobile applications, app wrappers, software development kits (SDKs), sandboxes, virtualization, and DLP.

These approaches can be consolidated into three strategies: individual application hardening (i.e., enterprise apps, app wrappers and SDKs), creation of a dedicated workspace (i.e., sandboxes, virtualization), and data monitoring and control (i.e., DLP).

APPLICATION SECURITY STRATEGY | CHIEF CHARACTERISTIC | VENDOR EXAMPLES

Application Hardening | Secure apps or security feature libraries (for example, authentication, encryption) for building/modifying apps. | Good Technology, MaaS360, MobileIron, Mocana, Nukona/Symantec

Secure Workspaces | Isolated workspaces for corporate applications. | Fixmo, Enterproid, Red Bend, VMware

DLP | Data discovery and policy control of data in transit or at rest on device. | RSA, Citrix Zenprise

Since secure access to email, calendar, and contact information was one of the initial mobile use cases, secure messaging was one of the first enterprise class mobile applications to reach the market. Vendors soon realized that the application hardening techniques being used to build these one-off applications could be abstracted and applied generally to existing consumer applications, or could be used as part of mobile application development.

The availability of hardened applications therefore includes existing enterprise applications, wrappers for modifying existing consumer grade applications, and SDKs that developers can use to custom build secure applications.

Several vendors offer enterprise-ready mobile enterprise business tools. Secure messaging and/or secure content management products on the market include Mobile Email Management (AirWatch), Mobile Content Management (AirWatch), Bitzer Enterprise Application Mobility (BitzerMobile), @WorkMail (Citrix), ShareFile (Citrix), Secure Document Sharing with MaaS360 (Fiberlink), Good for Enterprise and Mobile Collaboration (Good Technology), Mobile Enterprise Compliance and Security Server (Mobile Active Defense), and Docs@Work (MobileIron).

While the market for mobile enterprise software will continue to expand, it is, for now, limited in scope when compared to that which is available for PCs. Consumer grade applications can be wrapped, with limited need for application developer participation, but hardening can affect the user experience. SDKs provide a means of incorporating security features into mobile applications from the start of the development process, but require much more from the application development community.

Developers must become comfortable with a host of security features, such as built-in encryption for data at rest and in motion; application level policy controls, such as passcode management and integrity checks on the device before application launch; and remote wipe and lock on a per-application basis. This space has attracted numerous startups, including BitzerMobile, Enterproid, Fixmo, Fiberlink, Good Technology, MobileIron, Mocana, Mokafive, Nukona (acquired by Symantec), and OpenPeak.

Mobile application security is just one component of broader mobile application management. Provisioning and inventory management through enterprise application stores is also important, as is use monitoring, auditing, reporting, and compliance management. In practice, gray areas will exist with respect to applications because employees will want to use existing third-party mobile applications with which they are familiar.

Organizations should work with a green, yellow, and red frame of reference. Within such a frame of reference, green applications are supported, maintained and perhaps even required; yellow applications are tolerated, but not supported; and red applications are blocked. Products are currently available to help organizations rate the “reputation” of mobile applications.

Building Solutions

Players in the mobile market are building out suites of products to address these requirements, but it is difficult to single out one vendor that delivers best-of-breed functionality across the board. Enterprises will often need to mix and match products from multiple vendors, depending on their primary use cases and on their particular market of corporate constraints. Before considering typical use cases, however, cost and project management should be addressed.

The goal is to add the appropriate level of security as the amount of work performed on mobile devices increases and diversifies, but this must be accomplished without negatively impacting the usability of the device. In general, as the number of security controls increases, usability decreases, and costs increase. All of these variables scale with the number of corporate applications on the device.

Figure 1 – Security Requirements, Usability, and Cost Versus the Number of Corporate Applications on the Device

[Figure not reproduced. Axis label: Number of Corp. Apps on Device. Plotted series: Security, Costs, Usability.]

Reading List

Mobile Security Buyer’s Guide Part 2: Costs and Use Cases. NSS Labs
https://www.nsslabs.com/reports/mobile-security-buyers-guide-part-2-costs-and-use-cases

Exchange ActiveSync Client Comparison Table
http://social.technet.microsoft.com/wiki/contents/articles/1150.exchange-activesync-client-comparison-table.aspx

© 2013 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.

Contact Information

NSS Labs, Inc.
206 Wild Basin Road
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
www.nsslabs.com

This analyst brief was produced as part of NSS Labs’ independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
