
Building the Mobility Security Eco System in the Cloud for Universal Communications Fact Sheet.


Academic year: 2021



Problem statement

While mobile phones are widely used within all industries today, their use poses 3 significant problems:

Security

Mobile phones/tablets and the networks to which they connect do not provide the level of security needed to allow their use for operational communications. Some of the underlying security problems are

Convenience

Employees, in common with partners and customers, like the convenience of using mobile phones and tend to prefer their personal phones/tablets to officially issued devices. The reason for this preference is that personal contracts tend to deliver new handset models more quickly than corporate contracts. Employees, executives and consumers also prefer the convenience of carrying a single phone to juggling multiple devices. Industry is not alone in facing this trend. Forrester Research reported that nearly 60% of companies allow employees to use personal devices for work and provide IT support for some or all of these devices. A Wall Street Journal report places the figure at 87% and notes that this is causing a headache for IT departments.

When the security problems of mobile networks are added to the IT support headaches, trying to control the use of personal mobile devices is a serious problem for the entire industry.

Recognising that controlling personal mobile/tablet device use is at best very difficult, a better approach would be to find a solution to the security and IT support problems.

Budgetary Pressures

Providing mobile phones/tablets for employees and servicing the contracts on those phones places significant pressure on budgets. As all businesses in the economic downturn are facing budgetary pressure, measures that can reduce costs while maintaining or improving service levels will be welcome.

You’ve probably heard about the “Bring Your Own Device” (BYOD) schemes that allow employees to bring their own gear to work. While that’s all nice (companies get to save some cash on buying dedicated devices and employees get to carry only a single device around), there are major downsides to the business from a security standpoint.

Communication Eco System for Universal Communications

How can technology services provide an answer to all of the above?

ISEC 7 has provided solutions to corporates, network service providers and mobile handset makers over the last decade. In this time they have seen first-hand how difficult it is to manage and secure mobile connectivity to central services, such as company infrastructure and unified communication systems designed to improve cost reduction and risk management.

The solution is to provide secure voice, video, text/Instant Messaging and data communication for all mobile devices using today’s IP networks. Working with UM-Labs, the development of a 21st century Security Software Platform as a Service (SSPaaS) was motivated by the realisation that, despite the claims of the network operators, cellular mobile networks are insecure at some point and gaps appear when inter-operation across technology platforms is required. This is confirmed by recent research and by a number of public demonstrations.

These demonstrations include:

• Building a low cost fake base station using readily available hardware components and open source software.

• Exploiting weaknesses in two different commercially available femto cells. Femto cells are low cost devices which provide localised GSM coverage in areas with poor cell phone reception. They work by relaying calls to the mobile network via a standard broadband Internet connection. Detailed instructions have been published for turning Mobile operator’s Sure Signal into a GSM call interceptor.

• Open-text calling between mobile devices and industry-standard Unified Communication platforms which do not connect to each other: un-encrypted calling, video calling and messaging have been hacked to show weakness where inter-operation currently has no security.

These examples illustrate that it is possible to eavesdrop on calls made over cellular networks with relatively little investment. A determined and well-resourced attacker would no doubt find other methods to intercept GSM calls or to target phones. Alternative attacks could include the use of commercially available, but expensive, call interceptors or social engineering attacks. Examples of social engineering attacks include attempts to discover passwords for voicemail by posing as service provider representatives or support staff.

The problem is even more acute if a mobile device connects to a public Wi-Fi hotspot. By definition anyone can connect to these networks and tools that allow a connected system to monitor all traffic on that network are readily available.

Businesses and users of consumer devices at work need Security

Investment in Unified Communications has been a major part of the IT budget in the last 5 years with many looking to use Voice over the Internet, Video and Instant Messaging as productivity tools, which improves communication, saves significant costs to the business and is the future.

Adding the use of Bring Your Own Devices (BYOD-Mobile) to the adoption of computing in the Cloud, private or public, and the variants of technologies using SIP has created a natural void. In this void security gaps have occurred, which add risk to the business and allow various criminal activities such as:

• Denial of Service Attacks
• Eavesdropping
• Packet Spoofing
• Replay Attack
• Message Integrity
• Information Leakage

UM-LABS SSPAAS enables secure communications over insecure networks by using published standards to provide secure communication over mobile network data channels. This design approach means that UM-LABS SSPAAS is able to secure communication over any network, including both GSM and Wi-Fi.

UM-LABS SSPAAS also addresses the problem of mobile management by providing a mobile device application which includes the necessary device security controls and provides centralised management for deployed devices. UM-LABS SSPAAS is also designed to be easy to use and to provide separation between the UM-LABS SSPAAS application and other applications installed on the mobile device. Both of these features reduce the IT support overhead.

• Secure Communication

The UM-LABS SSPAAS facilitates reliable, secure communication for employees engaged in critical security transactions. Employees in the field and at Corporate HQ can securely inter-communicate to properly manage and adapt an operation as required using the UM-LABS SSPAAS. This has broad applicability within the scope of any industry; it also has applications in and around the markets for finance, important sales security events and meetings.

Secure Communication using the UM-LABS SSPAAS is also applicable to executives who are responsible for strategic policy. It facilitates secure discussion of sensitive or secret intelligence at a strategic level within the company, safe in the knowledge that this communication remains secret and immune from interception by criminal activity or Private Investigation.

The UM Labs SSPAAS focuses on securing real-time Unified Communication (UC) services. The real-time requirements and the protocols used by UC mean that these services are not well protected by security systems developed for data applications. This means that the services which are relied on to carry the most sensitive communications, such as audio/video calls, conference calls and Instant Messaging, are often the most poorly protected. The UM Labs service addresses this problem by safeguarding the full range of real-time UC services.

• Device Management

The UM-LABS SSPAAS can also assist the industry in their day-to-day activities such as trading using UC. It facilitates instant secure communication with other remote dealers or market professionals and with HQ through their personal mobile device. This can reduce the information gap for employees in day-to-day situations, allowing them to operate more efficiently. The UM-LABS SSPAAS, as a security solution, can be deployed directly to an operative’s personal mobile device. It then creates a secure, encrypted environment on that device where operational instructions and data can be stored without fear of cross contamination from personal, unsecured information simultaneously stored on the device. This division of operational and personal functions for a mobile device helps to create a fluid, cost effective policing network by reducing the requirement for individuals to carry separate, expensive, often unreliable hardware communication devices.

• Wireless Networks

The UM-LABS SSPAAS can securely connect to all wireless networks. This would facilitate secure communications for industry users who are authorised to run the UM-LABS SSPAAS on the existing Wi-Fi network on the markets. This helps increase the operational reach of readers’, dealers’ or executives’ secure communication capability.

• UM-LABS SSPAAS Infrastructure

There are two primary components in the UM-LABS SSPAAS service. These are the UM-LABS SSPAAS application, which is available on a range of smart-phones, and the back-end systems, which include a security platform in the cloud (private, public or hybrid) and the required IP-PBX.

The platform is responsible for handling security functions which include signalling and media encryption for the back-end systems. Calls made via the platform are decrypted and forwarded to an IP-PBX. The IP-PBX is responsible for routing calls between handsets, for providing a voice mail service for handsets that are not currently reachable and for implementing other functions including text messaging and conferencing. The IP-PBX processes clear-text audio streams, and so must be contained within a secure perimeter, with all connections and calls to external services routed via the platform.

The UM-LABS SSPAAS system can also support secure connections to desk phones and connections to external systems including the police internal phone system and SIP trunk services to provide PSTN access. Most external connections will be made in clear-text.

• Handset Provisioning

The UM-LABS SSPAAS mobile device application is designed to be easy to install and activate even when large numbers of handsets are deployed. Application installation uses the standard installation procedure relevant to the handset type. Once installed, the phone and application must be activated via a provisioning process. Provisioning confirms the identity of the phone and the end-user and then configures the handset to enable it to join the UM-LABS SSPAAS network.

The provisioning process is designed to be sufficiently flexible to allow an end-user to configure and operate a phone without the need for specialist help, but also to allow provisioning to be integrated with a suitable administrative process to ensure that the application is enabled for identified and authorised end-users only.

• UM-LABS SSPAAS User Groups

By default UM-LABS SSPAAS provides secure communication within a closed user group. For the industry, the closed user group would include all handsets and users configured to use the industry back-end system. The back-end servers (UM-LABS SSPAAS platform and IP-PBX) would be installed in a suitable secure cloud controlled by the company or a trusted provider and would allow calls between users registered with that system. The identity of users allowed to register with and to use the system is entirely under the control of the company.

UM-LABS SSPAAS can optionally allow secure calls to other UM-LABS SSPAAS systems. For example, if other companies were to adopt UM-LABS SSPAAS, then with mutual consent, the systems owned by the original company and another trading partner could be configured to enable encrypted calls between those partners. These external connections are subject to access controls. These controls determine the set of phones on each system which are permitted to use the external link.

• Voice Mail Security

The UM-LABS SSPAAS system includes secure voice mail. All voice mail access is encrypted and access to voice mail is restricted to registered and authorised phones to prevent unauthorised access to voice mail by third parties.

• Handset Security

While the primary function of UM-LABS SSPAAS is to provide communication security, this security can be compromised if the handset is not protected. To address this risk, the UM-LABS SSPAAS client application includes security controls for the local device. These controls include data encryption, sand-boxing, malware protection and jail-break protection.

Data encryption protects the confidentiality of data generated and stored by the UM-LABS SSPAAS application. Stored data includes configuration information and stored text messages.

Sand-boxing isolates the UM-LABS SSPAAS application from other applications on the device. This ensures other applications cannot compromise the security of the UM-LABS SSPAAS application and provides a further level of security for UM-LABS SSPAAS data stored locally on the handset.

Malware protection guards against attacks that could compromise communication security by intercepting the data flow between UM-LABS SSPAAS and the handset’s input and output devices (screen, keyboard, microphone and audio output). Malware protection also monitors application downloads and blocks applications that demonstrate suspicious behaviour.

Jail-break protection ensures that UM-LABS SSPAAS will not run on a jail-broken device. Jail-breaking a device compromises the device’s security. If the UM-LABS SSPAAS client application detects that the host device is jail-broken, it will delete its stored configuration, disabling the device.

The ISEC 7 and UM-Labs ‘Innovation in Security’ showcase includes:

• Secure Communications at the touch of a button from the remote device: any mobile, anywhere
• Simple connectivity to legacy phone systems
• Secure SIP Trunking for better ROI
• Secure Voice/video for Bring Your Own Devices
• Secure Networking and Community Building with no ‘Eavesdropping’
• Secure Virtual Business applications for Unified Communications

The ‘Innovation in Security’ showcase is the world’s first authentication and Encryption Software Security Platform as a Service (SSPaaS) for UC, which brings together ‘Persona Management’ and ‘End to End encryption’ across an enterprise voice network, allowing 21st century social business to be performed in safety, protected from corruption or eavesdropping.

The aims are to deliver a breakthrough environment that decreases risk, reduces costs and improves communication across the business, gaining improved ROI from the use of VOIP/Video/IM/BYOD in an Enterprise UC 21st century environment.


About ISEC 7

The ISEC7 Group (www.isec7.com) is a global provider of mobile business services and software solutions. The company was one of the first movers to mobilize company and business processes. Today, ISEC7 counts several renowned companies and governmental organizations as committed customers.

Both of the ISEC7 founders and CEOs, Marco Gocht and Roger Dost, belong to the first movers in the enterprise managed mobility (EMM) field. In 2005 ISEC7 launched one of the first MDM systems in the market worldwide. The innovative ISEC7 solutions, such as Mobility for SAP, B*Nator and Mobile Exchange Delegate, have proven to be ground breaking in their sector and are always state of the art.

ISEC7 continually invests in the evaluation and development of new technologies. Mobility for SAP allows mobile access to any SAP backend without the need for additional middleware. B*Nator has been presented with the “Most Innovative Enterprise Application” award by BlackBerry. It is a comprehensive globally applicable enterprise managed mobility solution. With the ISEC7 solution Mobile Exchange Delegate, it is possible for third parties to access Microsoft Outlook calendars, e-mails and contacts via the BlackBerry® smartphone.

The continuously growing company has partnerships with network operators such as Telekom, Vodafone, Telefónica, E-Plus and third-party providers, as well as strategic co-operations with BlackBerry, SAP, Microsoft and IBM.

Over the years, ISEC7 has received numerous awards. These include the Telekom Business Premium Partner 2012/2013, Vodafone Solution Partner Premium 2014-2012, Vodafone Solution TOP Partner 2012 (finalist, TOP 3), BlackBerry Developer Challenge – EMEA, Recognition Award Winner 2012, BlackBerry EMEA Innovation Award 2011 (finalist), Vodafone Solution Top Partner 2011, BlackBerry Innovation Award 2010 (finalist, TOP 3).

The ISEC7 solutions can be found across a range of branches and industries such as transportation, finance, manufacturing, construction, trade, tourism, pharmaceuticals and telecommunication. ISEC7 was founded in Hamburg in 2003 and has international offices including Germany, USA, Switzerland, Spain and Brazil.
