Mobile Device Management: Taking Containerisation to the Next Level
151002_oml_mobile_device_management_v1p | Public | © Omlis Limited 2015
Contents
Introduction 2
How EMM has Evolved 3
The Basic Workings of MDM 4
Conventional MDM Security Methods and the Direction of Change 5
Enhanced Smartphone Capability: Flaws and Possibilities 6
How Omlis can Help 7
What’s Next for MDM? 7
References 8
Contributors 8
Introduction
After VMware's $1.54bn buyout of AirWatch in 2014, it became clear that augmenting traditional MDM (Mobile Device Management) with developments like MAM (Mobile Application Management) would become one of the trends of 2015, and that containerization strategies would come to represent one of the year's fastest growing markets. As the market matures, traditional enterprise mobility vendors will seek to cooperate with the most innovative 'mobile first' security companies such as Omlis.
In the period up to 2005, EMM (Enterprise Mobility Management) was fairly simple: the network perimeter was a fortress with few points of access and a majority of locked-down fixed terminals, which limited the extent of the client/server relationship in terms of mobile.
In the last ten years the mobile revolution has transformed EMM to incorporate the various software-defined modules of MDM. Company resources are accessed through an army of mobile devices with the capacity to store and access huge amounts of valuable data. These powerful smartphones lie in wait at a crumbling network perimeter, each one a potential vehicle for infiltrating the vast internal silos of corporate data made reachable via a compromised phone or MDM server.
The complexity of the current mobile ecosystem and the phenomenon known as BYOD (Bring Your Own Device) have threatened the very existence of MDM in favor of specific containerized solutions, but it has become clear that MDM can adapt and survive on new terms.
Modern MDM solutions need to combine secure authentication, threat detection and encryption at both device and application level. In response to these demands a plethora of companies ready to enhance the MDM product offering have emerged, but few can guarantee the kinds of assurances which the Omlis core technology can naturally provide.
How EMM has Evolved
Device management, whereby a company attempts to control the entire OS (Operating System), has been learning to coexist with more focused software application management over the last couple of years, which has encouraged the effective partitioning of a mobile device's OS. This increasing influence of software and enterprise apps has placed complicated new demands on security architecture.
In response, the lines between classic EMM and more modern conceptions of MDM have now fully blurred, and the classic Web Application Firewall is no longer a comprehensive countermeasure to fraud.
MDM's functional boundaries are also expanding to incorporate the likes of MAM, MCM (Mobile Content Management) and Mobile App Development Platforms. In all of these subsectors, security remains the true value-added service and differentiator.
Consequently, MDM requires increasing input from specialist mobile security innovators such as Omlis, an input which has been sorely missing in previous implementations of MDM.
The aforementioned offshoots and expanding dimensions of modern MDM reflect the increasing influence of the mobile platform and 'mobile first' business strategies. Each variation of MDM offers different levels of control over the mobile device and its content, and each exhibits different authentication methods, whether secure mutual authentication between client and server or groundbreaking multi-factor authentication involving the latest biometric and heuristic technologies.
Despite all of these developments, technology research company ESG stated last year that only 48% of enterprises had an actual MDM strategy [1], and it's clear that despite a growing awareness, the market is still young and in many ways naïve to the growing security issues surrounding MDM.
[Figure labels: Server, Mobile, Untrusted Network, Operating System, Container, Omlis]
The Basic Workings of MDM
Broadly speaking, a typical MDM scheme requires server and client components, with the client receiving management commands from a centrally located MDM server; both represent targets for hackers. If an MDM scheme is inadequate, an enterprise can rightfully assume that it's strategically wise to risk the loss of an individual device rather than expose the company to a compromised MDM server. This is the equation which MDM security needs to balance.
Sometimes the client component and server component are supplied by different vendors, whereas other times they're supplied by the same vendor. Whilst each system should be judged on its merits, when it comes to mutual authentication the latter arrangement, if used correctly, can offer a certain synergy in terms of efficiency and security.
The renowned BES (BlackBerry Enterprise Server) is the most prominent example of a server/client partnership, and until last year the BES was restricted solely to communications with BlackBerry phones. BlackBerry's recent acquisition of Good Technology for $425m reinforced the fact that the company is seeking further device interoperability.
NIST 800-124 (Section 3.1) recognizes the advantages of some form of client/server unity, stating that: "a product provided by a mobile device manufacturer may have more robust support for the mobile devices than third party products." [2]
In reality, a combined package with client/server libraries installed on either side may be easier for staff and administrators to self-manage, but the security advantages are less apparent unless unique protocols are being used to communicate.
Omlis recognize that the principal transaction between client and server is the basis of any authentication mechanism, and due to Omlis' architectural potential and unique key exchange principles, we can revolutionize how a client verifies the identity of the MDM server.
Conventional MDM Security Methods
and the Direction of Change
Login and authentication are vital to a successful MDM policy, so credential caching and passing sensitive information over the wire are no longer acceptable for the tightest security measures. Caching passwords in the manner of HTTP basic authentication may be good for user convenience, as there are no repeated login requirements, but the method is very light in terms of security because logout isn't instigated by the user.
The same applies to the highly popular methods of form-based authentication; as we begin to separate hybrid and native apps from the mobile device platform to greater and greater degrees, we need to find ways of protecting data which is at rest and in transit.
As a consequence of the app revolution, the likes of per-app VPNs (Virtual Private Networks) have become popular, along with some highly nuanced containerization strategies. These containerized solutions and VPNs can provide a secure tunnel through which the user accesses a single app, rather than a fully virtualized mobile desktop.
Containerization strategies can include sandboxing or simple app wrapping in order to ring-fence corporate assets on employees' phones, authenticating to the MDM server on less demanding terms. App wrapping is a process whereby the app's native libraries are injected with dynamic libraries to incorporate new security capabilities such as authentication, encryption or VPN [3].
In a recent Gartner survey 45% of respondents said that "application modernization of installed on-premises core enterprise applications" was a priority, and app wrapping will represent a key part of this modernization.
App wrapping is popular due to its simplicity. It represents a market which ABI Research predict will grow at a rate of 28% through 2018, quicker than more complicated containerization strategies, which will see an equally significant but less impressive 23% growth rate [4].
Enterprise needs to take advantage of the latest methods of authentication, secure containerization and, ultimately, multi-factor authentication to make the MDM proposition worthwhile. At the same time, containerization needs to extend its abilities beyond simple partitioning, combining the latest methods of virtualization, cloud and key generation.
To achieve this goal, traditional MDM vendors need to enlist the abilities of companies like Omlis which have harnessed the unique capabilities of the smartphone to develop groundbreaking authentication and encryption techniques.
Enhanced Smartphone Capability:
Flaws and Possibilities
Over the last couple of years, the smartphone has assumed center stage in enterprise multi-factor authentication, sharing the burden with traditional hard tokens such as key fobs which generate one-time passcodes. So as well as being a workspace in its own right, the smartphone's ubiquity and wide-ranging biometric capabilities have led to an explosion in the soft token market, where the phone acts as an ancillary credential for secure login to a laptop or PC.
For the sake of MDM, we'll continue to view the smartphone as the primary workspace rather than as a means of accessing a separate device.
Whilst offering strong opportunities in the field of advanced authentication methods, the increased connectivity which the smartphone offers opens up a huge array of attack surfaces. After all, security methodologies are only as secure as the platform they're used on, and the vulnerabilities of the modern smartphone are well documented.
The phone's OS will always be an access point for criminals looking to breach a weak MDM scheme; once the OS is infiltrated, keylogging and screenshot theft are perfectly achievable.
Furthermore, simple implementations of MDM mean that the phone acts as a carrier for unencrypted login tokens which often remain static, in that they don't have an expiry date. This leaves the phone exposed as a potential access point if it's lost or stolen. With that said, malicious hacking activities are more of a concern to enterprise than theft or device loss, so the ability of MDM vendors to protect against hacks is paramount.
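An added example, not code from the report or from Omlis, of the server-side check that the static, never-expiring tokens described above (and the cached basic-auth credentials with no user-driven logout, earlier) lack: each token carries an expiry and a device binding, and can be revoked before it expires once the phone is reported lost. The HMAC-over-JSON construction, the claim names and the signing key are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed signing key for this example only; a real server keeps it in a
# secret store or HSM. Token ids revoked early (phone reported lost) go in the set.
SERVER_KEY = b"constructed-example-key-do-not-use"
REVOKED_TOKEN_IDS = set()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, device_id: str, ttl_seconds: int, now: int) -> str:
    """Issue an HMAC-signed token that expires and is bound to one enrolled device."""
    claims = {"sub": user, "dev": device_id, "iat": now, "exp": now + ttl_seconds,
              "jti": f"{user}:{device_id}:{now}"}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, device_id: str, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason); each rejection reason is distinct so it can be logged."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"          # a static token would never reach this
    if claims["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"          # lost device: killed before expiry
    if claims["dev"] != device_id:
        return False, "device mismatch"  # token copied to another handset
    return True, "ok"

def revoke_token(token: str) -> None:
    """Called when a device is reported lost or stolen; the token dies immediately."""
    REVOKED_TOKEN_IDS.add(json.loads(_unb64(token.split(".")[0]))["jti"])
```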
The secure container solution has been developed and implemented in MDM, pioneered by companies such as MobileIron. Containerization is a positive move, but more often than not the container is only as secure as the OS it resides on.
This was highlighted by the vulnerability in Apple's flawed sandboxing mechanism for third party apps. Before its discovery by Appthority, the vulnerability known as Quicksand exposed the configuration settings of managed applications, meaning that malicious applications could read critical information such as passwords and tokens associated with MDM [5]. Despite the vulnerability having been patched, the fact remains that 70% of iPhones use older operating systems.
Android fares little better. Aside from the PKI (Public Key Infrastructure) and administrative complications associated with a fragmented platform, Android malware has been produced which can actively go undetected by MDM root detectors, reading logs to detect when the user has opened an email before sending the information to a third party account.
Not only are mobile devices susceptible to attack, the open networks through which they communicate offer endless opportunities to those looking to perform MitM (Man-in-the-Middle) attacks. The enterprise mobile is predestined for heavy Wi-Fi usage on the train to work or in various commercial amenities, leaving the door wide open for criminals to intercept data.
How Omlis can Help
Whereas other MDM providers can offer a product or container which is only as secure as the platform it's built on and the security of the network, Omlis' dependency on these is largely negated due to the ways in which we exchange keys, perform mutual authentication, encrypt data at rest and in transit, and provide advanced malware protection based on a high integrity approach and run-time checks.
"Mobile environments are extremely heterogeneous, therefore enterprise IT managers must ensure their devices consistently protect data at rest and during transit. Omlis' high integrity approach ensures that any sensitive data is fully protected in those unsecure environments thereby taking containerization to a new level. This is accomplished by implementing a much more secure protocol to manage and exchange keys, while conducting multifactor and mutual authentication for every single transaction."
Nirmal Misra, Senior Technical Manager at Omlis
The security of the Wi-Fi network is also less critical because of our innovative key exchange protocols. Unique keys are generated at the point of transaction and, due to the design of our distributed architecture, actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM attack takes place, the hacker will fail to retrieve any meaningful information.
This method of generating keys at both ends of the communications channel means that Omlis never transmit sensitive data in plaintext, and information related to transaction keys can be erased from memory as soon as it becomes redundant.
Unlike other secure container MDM solutions, Omlis' high integrity development protects against side channel attacks; SQL injections are made impossible due to compile-time and run-time checks, and keylogging is pointless as the input we collect from the keypad is only used for local encryption.
In line with the market for MDM moving towards software-based definitions, Omlis also have the ability to offer lightweight SaaS (Software as a Service) options via the cloud, or as part of an in-house setup.
What’s Next for MDM?
Ovum predict that the value of EMM software will grow from $2.7bn in 2014 to just under $10bn in 2019 [6]. We'll see particular growth in industry collaborations where traditional MDM vendors will try to beef up their offerings by forming alliances with niche specialists; AirWatch's collaboration with Pradeo is a prime example of the synergies which MDM can leverage from the mobile sector.
MAM will inevitably gather influence on MDM in the coming months. As well as a general adoption of the latest network detection methods, there's also plenty of room for strong authentication services and advanced encryption techniques.
This layered approach to security requires mobile specialists such as Omlis to fill the gaps where more conventional secure container solutions have failed. Omlis' core technology exhibits the rare ability to combine layered security and enhanced authentication with a streamlined user experience. Containerization needs to move to the next level, and companies such as Omlis can provide the technology to empower this transition.
References
1. http://www.esg-global.com/blogs/mobile-device-management-mdm-deployment-remains-elementary-and-immature/
2. http://csrc.nist.gov/publications/PubsSPs.html
3. https://www.apperian.com/mam-blog/app-wrapping-is-a-form-of-containerization/
4. https://www.abiresearch.com/press/app-wrapping-and-container-technologies-to-drive-m/
5. http://www.securityweek.com/attackers-can-exploit-ios-flaw-target-companies-using-mdm
6. http://www.ovum.com/press_releases/ovum-sees-enterprise-mobility-management-software-market-nearly-quadrupling-in-four-years/
Contributors
The following individuals contributed to this report:
Stéphane Roule, Senior Technical Manager
Nirmal Misra, Senior Technical Manager
Paul Holland, Analyst
Jack Stuart, Assistant Analyst