5 Tips for Securing SmartPhones
Insights from Bob Janacek, CTO and Founder, DataMotionBob Janacek, CTO and founder of DataMotion, has spent a great deal of time studying the use of smartphones and how best to manage the risks posed by these mobile devices. His research boils down into a series of security tips for organizations.
In an exclusive interview, Janacek offers 5 key tips on topics such as:
- How to set and enforce policies;
- Protecting devices from left;
- The growing threat of malware.
Janacek has over 20 years of security and software design experience, and is the architect, designer and original developer of DataMotion's managed information delivery platform. In his role as CTO at DataMotion he is responsible for keeping DataMotion technology on the cutting edge, while his ongoing communications with customers ensure that the products are easy to use and manage. In 1999 he co-founded DataMotion, and in 2004 he received a fundamental patent for 'dynamic creation of recipient accounts upon receiving a message.'
Previously, Janacek was co-founder of Safetynet, and served as architect and developer of their award-winning suite of data security products. He has worked closely evolving security standards including the NSA Rainbow Series, FIPS and Common Criteria. He holds a BS in Computer Science from the New Jersey Institute of Technology, and an MBA in Marketing from Rutgers University.
TOM FIELD: Smartphones. They are everywhere today, officially or unofficially. But how secure are they?
That is an interesting question, Tom. The early waves of Smartphones were basically driven by businesses, and they were issued to their employees. These were phones like the Blackberry and Windows Mobile 6, and the reason they were given out to employees was they gave the organization a lot of control over central management and also security.
But what we see with today's waves of smartphones that are pressing into the enterprise -- phones like the I-Phone and the phones that are based on Google Android -- they were really targeted toward consumers. The security and central management is either non-existent, or it is such a significant backseat in their design. So, what has happened is individuals are bringing these into the workplace, they are pressing their IT staffs to hook them up into the corporate network, and you have devices that are as powerful as laptops, and they have access to the email systems and all the internal systems through VPN. But they really weren't built with the concept of security and central control.
Then another area that surprises a lot of organizations is related to the security of the devices as it relates to messages. Blackberry has gotten a lot of attention recently in the press where foreign governments are asking Blackberry to hand over their keys, for instance, so they can monitor and intercept messages. So that is perpetuating a myth that if you use a Blackberry device that the messages are secure. and that you don't need any other security to send sensitive data. In reality, though, Blackberry is acting in a very similar way to other email clients. The hop from the device to its server is secure. Now in Blackberry's case, their server is in Canada, and so the first hop leaves a foreign country borders in encrypted form all the way to Canada that can't be ease dropped by those countries by those governments, but once it goes from the server across the internet to the recipient, it's just like any other standard email system in that messages goes into clear. So, what we see in the marketplace are companies that have a false sense of security, and actually they put themselves at risk of violating various privacy regulations.
The Vulnerabilities
FIELD: Well, Bob, you make an interesting point, because in a number of cases here the smartphones are being introduced by the end users who feel they are doing the organization a favor because they are extending their availability, they are able to work remotely, and yet it sounds like they are opening their organizations to some vulnerabilities they might not suspect. I would like to know more about some of those vulnerabilities.JANACEK: These devices are powerful enough to connect to an organization's internal servers and email systems, and that is one of the reasons why they are so popular with users. Unfortunately, though, these devices are with us all the time, for work and for personal use, and an alarming number of them are lost. I had just read a report that said in the United Kingdom alone, over 4.5 million mobile phones are lost or damaged in one year. So this causes a large security and a liability risk for organizations, both from phones falling into the wrong hands and also for those that are sent out for repair that can still access the corporation's email systems and internal systems through VPN.
Another key vulnerability is malware, and as the recent Google Android marketplace incident has shown, it's quite easy to get malware installed by unsuspecting smartphone users. In Android's case, there were about two dozen malicious applications that were put in their app store and they were downloaded by over 100,000 users. So these applications, because they are running on devices that are very powerful, also can do and have a lot of power to do harm. They can access data that is on the phones and transmit them to the remote service packers. They can even be used as bots that can be taken over by hackers, and remotely controlled when the device is connected into internal systems. So the idea that you have a very powerful platform, but you don't really have a similar combination of strong security controls really presents a big vulnerability to organizations.
Secure e-Mail
FIELD: Bob, you mentioned a term a few minutes ago I went to pick up on, and that is secure email. It strikes me as something that is critical for organizations and end users alike to know more about. What are the areas that maybe are misunderstood about secure email?JANACEK: One of the things is a lot of organizations feel that email is secure. They have to log in to their email client, let's say Microsoft Outlook is accessed like login to a desktop, and then compose a message, they click send and it magically appears on the other side. So they don't really think about email from the perspective of security at all; it just happens. But what is going on behind the scenes is that once the message goes from the email client to server, it's then sent over the public internet , and in order to make the internet resilient and redundant in case there are failures, there are usually numerous hops and routes that a message can take when it goes from point a to b, even if it's going to a company that is across the street. It may end up traveling from New Jersey down to Florida over to Texas and back, through all types of systems and such, many of which are logging and archiving along the way. So, what they see are plain text messages. So, if you are in the financial industry for instance, and you are sending client data, you are sending credit card information, statements, mortgage applications, social security numbers to clients, the risk is there that many systems along the way will have copies of that, which is in violation of privacy laws.
Now from a mobile perspective, once again these devices are just like laptops, just a little bit smaller. The same rules apply. They are very powerful devices. They can interact with all types of data, and users really need to be in power to be able to send messages securely from their mobile devices in a similar way that many organizations implement security now on their desktops. So, the challenge with mobile devices -- especially with the I-Phones and the Androids -- is that their popularity is largely driven by how easy they are to use. The challenge for secure email vendors, unlike ourselves, DataMotion, is creating a secure email interface experience for the user that is as easy as using standard email on these devices. So what we've done is we've completely integrated secure email into the existing email client of the I-Phone, the I-Pad, Android, basically any of the modern smartphones. If the user knows how to use the standard email interface, it will also know how to use the secure mail interface. That is for sending messages, for reading messages, and there are no additional passwords or keys. They don't have to launch another app and see what is going on in that other app. It's completely built into the email client, so much so that even when a new secure mail message comes into the device, the mail icon will light up and show that there is an unread message waiting.
5 Tips
FIELD: Well, Bob, that is good insight. Now I know you've thought an awful a lot about smartphones, and you've put together, even a series of tips for organizations. Do you mind if I ask you about a few specific areas where maybe you can offer some tips?JANACEK: Yeah sure that would be great.
FIELD: First I want to ask you about the policies, and it strikes that with smartphones, like with social media, policies might be something that are sort of a new thought to organizations.
JANACEK: Right, well the policies, once again we have to look at smartphones just like laptops and desktop computers that they are just as powerful. An organization needs to have policies governing their assets, specifically their use of computers and laptops and what happens, for instance, if a laptop gets lost. There need to be procedures written out in policies that instruct employees as to what to do. In the same way, there need to be policies governing smartphones. For instance, if the device is lost or stolen, what does the employee do? There also need to be policies that set various security settings, such as the boot-up and screen saver passwords, requiring encryption on a device, making sure that there is an email profile on the device that allows for sending secure email. These are all part of a policy that should be extended to smartphones to make sure that the organization is protected.
FIELD: Another topic I want to discuss with you is data loss. What are some of the areas that organizations should be thinking about in terms of just securing the data that users are walking out with on these devices?
JANACEK:The encryption should be turned on the devices, but unfortunately the encryption is typically automatic, which means it will encrypt automatically and it will decrypt automatically. So it may be a=the memory on the device is encrypted, but if somebody tries to access it, it's going to decrypt it for them without them even trying. Fortunately, though, from data loss perspective, smartphones do present some good news, and it is rare that documents are even on smartphones. They are typically for consuming data and maybe making some minor modifications. So the documents are typically stored elsewhere on servers or on desktops, so if a smartphone is lost, you're not going to lose original work. In addition, to ensure that data doesn't fall on to wrong hands, I'll go back to that IT security policy that says that you should have a PIN if needed when the device is first booted, in case it's lost and gets into the wrong hands, or if the device is just left on a desk and left unattended. When the user tries to get in or somebody who doesn't own the phone, it should prompt for that same PIN to get access to the data. So the data at rest is protected through a PIN, but also the loss of data, or original data, is really minimal since the data probably resides in other systems as well.
FIELD: Bob, you hinted at this earlier, and that is the topic of theft. We know just from our own reading that so many data breaches these days are the result of a lost or stolen mobile device. I here from CISOs that one of their biggest issues is that the users, not just that the devices are stolen, but that the users often don't know that they are lost or stolen. What can be done about some of these risks?
JANACEK: Right, well going back to the concept of central control and IT polices. That combination is really used to address lost or stolen devices. Essential control means that if a device is lost or stolen that the IT staff can issue a remote command to wipe the device. Also, the IT policy should instruct the employee to contact the IT staff to let them know so they can change the names and passwords for the email for their VPN and such. You want to be able to change the credentials that may be cashed on a device so that if someone recovers the device and tries to get to internal systems that there is a new set of credential.
FIELD: One of the other topics you brought up a few minutes ago is malware, and it strikes me when I talk with experts in this area that when it comes to smartphones, malware is sort of n emerging market. The fraudsters are just discovering this as a great opportunity for them. It strikes me that this puts us all on warning.
JANACEK: Malware is the big issue. What happened is: The capabilities and the processing power of smartphones are really exciting. They are enabling them to take on a lot of the capabilities of laptops and desktops, but these devices are written on new operating systems. The security vendors and security aspects of the smartphones really haven't had time to catch up with the capabilities of the phone and the types of threats that the malware applications are presenting. So as that example in the Google marketplace shows, it's easy for end users to install applications on the phones, and it is also easy for an app developer to put in malicious code. So one of the ways to prevent this was what the Blackberry uses and also what Windows Mobile 6 uses, and that is called a central white list where the IT staff can design which applications are allowed to be installed on the phone, and they do that from a central location. So for those devices to connect to the network, they have to basically follow that white list, ensuring that rogue programs don't get installed. Unfortunately, with the I-Phone and the Android and their lack of security controls, they don't allow application white listing. In fact, a big part of their desirability is that they allow consumers to download all of these marvelous apps and gains and Facebook connectors and such from their app store. I mean, Apple has hundreds of thousands of applications that the consumer can download. That kind of goes against the concept of the central IT department white listing and controlling only what they can use. In certain environments, though, that are especially sensitive, I recommend having phones like the Android and I-Phone issued to users and having the app installation password already set by the IT department. So the end user doesn't know about that password. They are not able to install applications on their own. Hopefully, the IT department has a charitable policy about installing some gains and such on the devices, by allowing the users to use them as a consumer, as a personal device, and a business device, but yet at the same time, keeping an eye on the applications that the users are installing.
FIELD: Bob, one last area I want to ask you about is a remote capability, and I assume when we talk about remote capabilities we're talking about more than the poison pill where the IT department sends out a signal to disable a lost or a stolen device.
JANACEK: Yes, unfortunately we've gone a little backwards here. It's unusual in technology to take big steps backward, but for years Blackberry and Window Mobile 6 have had very robust remote capabilities. The Blackberry list on their website that there are about 300 different parameters that can be centrally or remotely controlled on the devices, and Windows Mobile has basically had a lot of years to catch up with Blackberry, and they also have a very extensive list of capabilities that can be remotely controlled. Now just going back, the I-Phone and the Androids and the devices that people want to get into the organization, out of the 100-plus controls that are available through the Microsoft active synch environment and Microsoft Exchange, the I-Phone and Android only recognize a few of those 100-plus settings. So while there are some capabilities for remote control, these new devices have a long way to go before being as comprehensive as what organizations became comfortable with the Blackberry and Windows Mobile 6.
Starting Point for Security
FIELD: Bob, we've touched upon an awful lot here, and it strikes me that any one of the topics that we've discussed, whether it's data loss or theft or malware, could have been a conversation in of itself. But to boil it down, for organizations that are just now starting to address the challenge of securing their smartphones, where is a good starting point?JANACEK: Well I think the five tips that we just discussed deserve to be reviewed and drilled down. I think if the organization can address those five areas, they are really off to a great start. In addition, based on the types of phones that are being requested to be connected to the corporate network, and whether they are from Apple or Android or Blackberry or Microsoft, each one of those operating system vendors has a rather complete website detailing their enterprise capabilities and also their security profile. In fact, Microsoft has a site for users of Microsoft exchange and Active Synch, which actually lists all of the properties that Active Synch can control. So an IT staff can get a good idea if they are going to allow a phone into an environment, which capabilities they are able to control and which ones they aren't able. The third area where an organization should look into is if these operating systems -- especially the I-Phone and the Android and I-Pad -- they are very new. Instead of having operating system updates every several years like organizations were used to with Windows, these OS are being updated quarterly or every six months with major new versions. So, it's really important to stay up with the trends in mobile security, not only from the operating system perspective but also from what third-party vendors are offering to supplement security. I would recommend a quick internet search on mobile security, for instance, that will quickly uncover blogs and magazine articles that focus on mobile security, just kind of keeping up to date that way because it is a very, very rapidly evolving field.