Organizations spent over $640 million USD on data loss prevention (DLP) software in 2014. But with many users accessing corporate data from their mobile devices, just how effective is DLP?
Back in the good old days when network boundaries were clearly defined, DLP products could monitor corporate-owned end points and network communications relatively easily. But the combination of enterprise mobility and cloud computing is causing traditional DLP strategies to fall apart.
Mobile Users Can Bypass DLP
Organizations that have purchased enterprise DLP solutions lock down their end points, such as their corporate PCs and laptops, with DLP agent software. However, they usually don’t enforce the same level of control on employee-owned mobile devices. Privacy concerns and device compatibility issues are the main culprits behind weaker security enforcement on mobile devices. According to Gartner, “Having a useful mobile agent on a device you do not own is simply not a reality for many users or organizations. In particular, there are not full-featured DLP agents for iPads, iPhones or the near infinite variations of Android devices that perform DLP capabilities.”
Because most organizations do not deploy DLP agents on mobile devices, mobile users can often skirt around strict DLP controls by downloading confidential files to their phone or uploading email attachments from their phone to file sharing sites. With a simple swipe, an employee can copy financial data or a customer’s credit card number into a text messaging app and with another tap or swipe, it is gone. As a result, enterprise mobility is rendering many DLP deployments ineffective.
VPNs and CASBs Don’t Stop Data Leaks
To tackle mobile use cases, some organizations are turning to Virtual Private Networks (VPNs) and cloud security services. VPNs provide a way for organizations to monitor and control access to application servers hosted in the network. But with more organizations turning to Software as a Service (SaaS) apps like Microsoft Office 365, Salesforce, and Workday, users can bypass VPNs to access the business apps they need directly—and avoid cumbersome VPNs altogether. As a result, mobile users can view or download sensitive data to their phones.
Cloud Access Security Brokers (CASBs) provide a way for organizations to secure access to popular SaaS applications, but they offer limited DLP capabilities. For example, few CASBs can prevent mobile users from taking screenshots from their phone or copying and pasting confidential data into other mobile apps. They cannot record user sessions for forensics. In addition, many CASBs only support a small number of cloud apps; they generally won’t support industry-specific apps or home-grown apps.
With businesses turning out sensitive data at a faster rate than ever—training videos, product plans, sales presentations, customer reports, and the like—data loss prevention is more important than ever. This leaves IT administrators with the agonizing choice of deploying intrusive mobile device management software on employees’ phones for minimal DLP protection or just crossing their fingers and hoping users comply with security policies.
So how should organizations prevent data loss from mobile devices? IT and InfoSec teams need to prioritize the biggest risks that mobility introduces—risks like physical device theft, accidental or intentional data sharing, weak authentication, and mobile malware.
To prevent data loss from mobile devices, organizations should:
- Prevent sensitive data from being downloaded or saved to mobile devices
- Block screen captures and clipboard functions for sensitive apps
- Watermark confidential files and videos
- Log mobile user activity
- Record suspicious user sessions with screen recording
- Enforce multi-factor authentication for mobile apps
- Detect and stop brute force and password guessing attacks
- Encrypt communications between app servers and client devices
Mobile Security Checklist
There are a number of ways that organizations can implement these DLP controls. To learn more about avoiding data leaks from mobile devices, please see the white paper “Mobile Security Checklist: An Easy, Achievable Plan for Security and Compliance.”
Learn how NIST SP 800-46 Could Impact You
Last week, the National Institute of Standards and Technology (NIST) updated its guidance for mobile security with two new publication drafts. The folks at NIST recognize that more and more employees are using mobile devices to access confidential data and that mobile devices have become a weak link in many organizations’ defenses.
According to NIST computer scientist Murugiah Souppaya, “Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework.”
The new NIST SP 800-46 draft, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, offers recommendations to improve BYOD security and reduce the risk of data breaches caused by mobile devices.
According to the NIST publication, organizations should:
- Encrypt all sensitive data stored on client devices or not storing sensitive data on client devices.
- Use strong authentication—preferably multi-factor—for enterprise access
- Encrypt communications to maintain confidentiality and integrity and prevent eavesdropping and interception
The publication also recommends that virtual mobile infrastructure can help secure BYOD access:
Although terminal server access and VDI technologies are primarily meant for telework PCs, there is an emerging technology that provides similar capabilities for mobile devices: virtual mobile infrastructure (VMI). Just as a VDI solution delivers a secure virtual desktop to a telework PC, so does VMI deliver a secure virtual mobile device environment to a telework mobile device. Organizations considering the use of mobile devices for telework, particularly BYOD or third-party-controlled mobile devices, should investigate VMI technologies to see if they may be helpful in improving security.
A lot has changed since NIST published its original guide for telework and remote access nine years ago. That guide focused on personal computers and laptops. Since that time, mobile device use has skyrocketed. Government agencies and enterprises alike must grapple with a host of different phones and tablets owned by employees.
Today, many government and defense agencies provide their employees with locked-down, secure mobile devices. However, some of these employees end up carrying around two mobile devices: one for work and another for personal use. This practice is not only cumbersome and costly, but it probably increases the risk of losing a device because it is harder for workers to keep track of two devices than just one.
While federal workers are not going to ditch their employer-provided phones anytime soon (especially if they need to access top secret data), government agencies should consider technologies like VMI for BYOD. VMI provides secure remote access to sensitive data while still allowing users to access their personal apps. VMI also extends secure access to contractors and partners that do not have locked-down and managed devices.
Mobility has revolutionized how users work, collaborate and communicate, but it has also introduced a wide array of new security risks. NIST SP 800-46 provides an excellent framework for securing mobile access from all users, including emplo
 Executive Summary (lines 236 – 244) of NIST SP 800-46 Rev. 2 (Draft)
 Section 2.2.2 of NIST SP 800-46 Rev. 2 (Draft)
Implementing a BYOD program can be a long and grueling journey fraught with unexpected challenges. Sierraware has created an infographic that shows the obstacles that organizations often encounter when deploying, managing and securing mobile apps. It illustrates how Virtual Mobile Infrastructure can provide a shortcut to BYOD success. Click here to view the entire infographic.
RSA Conference 2016
On a separate note, if you are attending RSA Conference in San Francisco, meet us and learn how you can protect your mobile apps with virtual mobile infrastructure. Contact us now to schedule a meeting.
Businesses around the world want to leverage mobility to drive digital transformation. However, before businesses start rolling out new mobile apps to their employees, they must consider security and compliance risks. It is much easier to enforce data loss prevention (DLP) policies on corporate-owned laptops than it is on employee-owned mobile devices.
Why? Because many traditional DLP products are not designed for mobile devices. The few products that do support mobile devices require mobile apps to be routed through a VPN connection.
Often times, users can find ways to bypass these VPN connections. And even with VPN, organizations may not gain full visibility into encrypted traffic, depending on the mobile app. This provides a gap in defenses that users can exploit. It may also expose organizations to compliance violations or regulatory fines if they are not using sufficient controls to monitor and protect business data.
Mobile access is within scope of most compliance mandates if mobile users can view or modify regulated data, such as Personally Identifiable Information (PII), financial data, or healthcare records. For example:
- PCI DSS: Merchants and payment processors must protect cardholder data. If users can access user records and cardholder data from mobile apps, then they could theoretically take screenshots and share cardholder data.
- HIPAA: Organizations can be fined up to $50,000 per violation for the disclosure individual health information. If healthcare workers can access patient records from their phone, they could take and distribute a screenshot from their phone.
- ISO/IEC 27002: To address International Organization of Standardization (ISO) rules, organizations must track privileged user accounts and prevent unauthorized changes to software or logs. If mobile access to sensitive systems is supported, then organizations must prevent privileged users from downloading and sharing confidential data from their phones.
With virtual mobile infrastructure (VMI), organizations can regain control over mobile data by logging all activity and preventing users from storing data on their devices. VMI is like virtual desktop infrastructure for mobile apps, allowing users to securely access Android apps from iOS, Android, Windows, or Mac devices.
However, stopping users from downloading, copying or printing content does not completely prevent data loss. Users can still take screenshots of sensitive data from their mobile device. So, the SierraVMI client can optionally block users from taking screen captures of the VMI app.
Even with anti-screen capture technology, users could take a photograph of sensitive information with a separate camera. To deter would-be photographers, SierraVMI also offers watermarking. When watermarking is enabled, the VMI client’s username is displayed diagonally across the mobile device. screen. Because users would know that they would be identified if they distributed the image, they would be less likely to photograph sensitive data.
Plus, watermarking acts as a subtle reminder to users that they are accessing protected information. That knowledge can be enough to reduce the risk of unwanted activity.
Today’s workforce is mobile. Workers are not just relying on their mobile devices to check their email, but to perform their job. Field service workers, doctors, police officers, flight attendants, and many more use their phones and tablets every day to look up records, to collect customer data, and to communicate.
Mobile workers also take photographs on their phones to document information or gather evidence. Unfortunately, without proper security and storage, those photos might be erased or—worse yet—they might expose workers and their employers to legal risks.
Let’s take a look at some of the reasons why workers snap photos on the job and why they should not store photos locally on their mobile devices.
- Insurance adjusters: often take photos of insured vehicles or property to document damage. If an insurance adjuster’s phone is stolen, the photos could be lost.
- Doctors: use their camera phones to record the conditions of their patients. However, most doctors do not want photos of a patient’s ugly foot rash sandwiched between photos of their kids and their Hawaiian vacation.
- Office workers: take photos of white board sessions and presentations from their phones. If these photos reveal proprietary information, such as business plans or product roadmaps, organizations should protect them just as they would protect confidential documents and spreadsheets.
- Police officers: use camera phones to collect evidence of criminal activity, but officers should avoid storing graphic or disturbing photos on their personal phones; storing photos of child exploitation or other illicit activity could make law enforcement officers liable for the crimes they are trying to prevent.
- Meter readers: take photos of electricity meter levels to ensure meter reading data is accurate and to reduce fraud. Storing these photos instantly in a central location will expedite the collection and cataloging meter data and reduce loss.
These are just a few examples showcasing why mobile workers capture information with their mobile cameras. As mobile devices become more integrated into employees’ everyday jobs, cameras will play an increasing role.
Virtual Mobile Infrastructure (VMI) can help organizations take control of photos captured on mobile devices. With VMI, employees can capture a photo using their camera phone using a camera application hosted on a remote VMI server. Unlike content management and containerization tools from MDM vendors, VMI ensures that confidential photos are never stored on mobile devices.
To learn how to protect photos and other applications on mobile devices, read about SierraVMI Virtual Mobile Infrastructure.
Employees are clamoring to bring their own devices to work. However, before IT security teams allow BYOD users to access business data or use Wi-Fi networks, they must consider the security implications. BYOD trends not only introduce new risks, they can also provide an avenue for users to circumvent existing security measures. Therefore, IT security teams must develop a strategy to prevent:
- Data breaches caused by lost or stolen mobile devices
- Data leaks from mobile users
- Access to phishing and malicious sites from mobile devices
- Reduced employee productivity due to lack of web filtering controls
Lost and Stolen Phones
Organizations’ top mobile security challenge, bar none, is lost and stolen phones. To address this challenge, organizations can keep sensitive data off of mobile devices by hosting mobile apps in a secure data center or they can remotely wipe lost devices. While IT security teams have several options to mitigate the threat of lost and stolen devices, other BYOD security risks are not as easy to solve.
Data Leaks from Mobile Users
PCs and laptops are relatively easy to lock down. With data loss prevention (DLP) software, organizations can block users from saving data to USB drives or from printing confidential files. Organizations have fewer options to prevent data loss on mobile devices. And even with the few tools that do exist, many users will balk if their employer tries to monitor their mobile usage when they are at home.
Phishing and Access to Inappropriate Websites
For two decades, organizations have maximized employee productivity and reduced risk by blocking malicious and undesirable websites. However, the combined trends of BYOD and SSL encryption make it challenging for organizations to control mobile users—and even desktop users. These challenges are due to several reasons, such as the lack of IT management tools to control browser or certificate settings for different mobile devices. In addition, the widespread use of certificate pinning in mobile apps makes it challenging for organizations to decrypt and inspect traffic.
As a result, many users can bypass web filtering controls simply by bringing their phones and tablets to work. Plus, IT administrators may end up disabling security measures for both mobile and desktop users when mobile users complain they cannot access specific websites.
What Organizations Can Do to Regain Control
To protect corporate data and control BYOD access, IT security teams can consider virtual mobile infrastructure (VMI). With VMI, mobile users access apps hosted remotely in a data center or in the cloud, rather than on their phone or tablet.
VMI helps mitigates risks due to lost and stolen phones and data leaks from malicious insiders. With VMI, organizations can easily monitor and control which websites mobile users visit.
Plus, as an added bonus, VMI helps thwart mobile malware. Mobile malware cannot exfiltrate sensitive data because sensitive data is never downloaded to the device. Anti-screen capture technology blocks malware from intercepting VMI images. So if mobile malware like XcodeGhost and YiSpecter become more widespread, VMI will keep malware risks at bay.
As we creep closer and closer to Halloween, fears of ghosts and bad-tempered trick-or-treaters will keep some folks up late at night. But IT security professionals face even greater risks, not just at Halloween, but all year long. Some of these risks are well-documented, while others are not as widely known, but end up causing just as many sleepless nights.
Top seven scariest BYOD threats are:
- Lost and stolen phones: Lost and stolen mobile devices are the biggest BYOD risk by a landslide. With over three million phones stolen every year, the chances that an employee’s phone will get into the wrong hands is extremely high. It’s not surprising, then, that 68 percent of healthcare breaches were due to the loss or theft of mobile devices, according to a Bitglass survey.
- Mobile applications with weak authentication: Many recent high-profile breaches were due—at least in part—to attackers bypassing weak or non-existent authentication. As organizations move their business apps to the cloud and allow mobile users to access those apps from any location, they also make it easier for cyber-attackers to find and exploit authentication weaknesses.
- Data leaks from disgruntled employees: Mobility enables “anywhere” access to business applications, but it also makes it harder for organizations to monitor user access and prevent data leaks. Traditional network monitoring controls only work when mobile users are the network, while end-point data loss prevention (DLP) software only supports a few pre-defined apps on mobile devices. As a result, many employees can easily distribute sensitive data by uploading it to cloud file sharing sites or copying it into a text messaging app with a couple of clicks—leaving employers none the wiser.
- Business photos stored on phones: A wide range of users—from police officers to doctors to meter readers—use mobile devices in the field on the job every day. Often, they need to take photos for evidence or for analysis purposes. Whether snapping a picture of a broken ankle or recording a crime scene, users may need to take photos, but they shouldn’t store these photos alongside pictures of their kids. Organizations need a way to isolate business and personal use of camera, microphone, and data storage.
- Jailbroken and rooted phones: An estimated 7.5%[i] of iOS users and 27%[ii] or more of Android users jailbreak or root their phones. Plus, some Android phone manufacturers are using modified Android OSs like Cyanogen and Xiaomi that support apps from third-party app stores that could distribute malware. Jailbreaking and rooting phones not only increases the risks of malware, but it also allows employees to circumvent some types of security controls.
- Excessive app development costs: In the past, organizations could develop apps for Windows and possibly Mac clients. Today, to support the profusion of different mobile devices, organizations need to build apps for different versions of Android, iOS Windows Phone, Blackberry, and traditional desktop operating systems. App costs can skyrocket if organizations try to integrate their apps with mobile app management and app wrapping tools.
- Limited patches for older software and unexpected release cycles: In the days of yore (pre-smartphones), IT administrators could prepare for and test operating system updates before rolling out the changes on users’ desktops. Now, phone manufacturers can deploy new operating system versions and patches with little warning. Mobile users can upgrade their operating system at any time, occasionally breaking apps. In addition, phone manufacturers may not patch vulnerabilities quickly or patch older OS versions. This leaves IT and security administrators at the mercy of the phone vendors to ensure that users’ phones are secure.
No More Double, Double, Toil and Trouble
Regardless of which BYOD headache gives you nightmares, virtual mobile infrastructure (VMI) can bring you piece of mind. Learn more about VMI and how it safeguards mobile apps and data.
4 Reasons Why SierraVMI’s Compression Is Better than Pied Piper’s
This past June, hundreds of thousands of viewers in the U.S. and the Philippines tuned in to watch Pied Piper’s Condor Cam. While the condor egg never hatched, viewers witnessed an equally riveting event: a museum worker falling down a ravine. Condor cam watchers observed every moan and every whimper in high resolution from Pied Piper’s ground-breaking 4K middle-out compression.
After the Condor Cam went dark, many viewers[i] asked the Sierraware team how our compression would stack up against Pied Piper’s. Like Pied Piper, SierraVMI Virtual Mobile Infrastructure also compresses video streams. So, to answer your collective request, our engineering team performed and in-depth analysis and they discovered—low and behold—that our compression beats out Pied Piper’s middle-out algorithm. Here’s why:
- SierraVMI uses popular codecs, so it can provide optimal performance and not burden mobile device CPUs for decoding. Offering two different types of compression image formats, users can adjust settings based on their requirements. Pied Piper, with its new, middle-out compression, would not support ordinary GPU cards for acceleration or hardware codecs in most mobile devices.
- The type of data you compress can be as important as the actual compression algorithm. With streaming data, SierraVMI uses an intelligent data selection algorithm to find the pixels that have changed and data that can be re-constructed from historical data without re-transmission. It reduces the amount of information that needs to be transmitted, putting less burden on the compression algorithm and enabling the solution to handle low-bandwidth networks.
- SierraVMI uses a variable frame rate feature that dynamically adjusts the vertical sync and the frame rate based on application requirements or based on the type of user interaction. Its intelligent algorithm takes into account various attributes such as an active text input field to temporarily increase the frame rate.
- Unlike Pied Piper’s technology, Sierraware’s compression technology actually exists. Vinith Misra, the Silicon Valley consultant that helped devise Pied Piper’s compression, admitted in an interview: “We had to come up with an approach that isn’t possible today, but it isn’t immediately obvious that it isn’t possible.” In contrast, Sierraware’s compression is very real. Test it out yourself today or watch an online demo of SierraVMI in action.
[i] By many, I mean none
If you’re defining your company’s BYOD strategy, learn what actions to take and what to avoid. Sierraware has published an infographic that reveals The Top 10 Mobile Security Do’s and Don’ts. Click on the image to view or download the full infographic from SlideShare.
As employees bring their own devices to work, IT teams face an assortment of challenges, from managing mobile apps on a myriad of different devices to backing up and restoring business data. But bar none, the greatest burden for IT staff is securing business data on mobile devices.
The Good, the Bad, and the Ugly
(in Reverse Order)
The Ugly: the BYOD phenomenon has spawned an array of new security risks. These risks include data breaches caused by lost and stolen phones, data exfiltration from insiders, wireless or man-in-the-middle attacks, and mobile malware.
While the insider threat might not seem daunting, a lack of oversight makes it easy for employees to abuse trust. From their mobile device, employees can easily open sensitive email attachments and then upload them to a cloud-based storage site and then—poof—they are gone.
The Bad: Lost and stolen phones are the top mobile security risk for organizations. Thieves steal a whopping 3.1M smartphones every year.[i] Users can also simply lose or misplace their phones. Unfortunately, both scenarios expose organizations to data loss. An experiment by Symantec revealed that 96% of people that find a lost phone will attempt to access sensitive information such as an HR or password file stored on a recovered phone.
The Good: Malware, the cyber-attack of choice in the PC world, has only penetrated a small percentage of mobile devices. But risks increase dramatically on jailbroken phones.
Mobile Device Management: Intrusive
Mobile Device Management (MDM) can help reduce mobile security risks. With MDM, IT administrators can remotely wipe lost devices, control which apps can be installed on a device, and manage encryption settings. However, MDM solutions cannot monitor app usage or prevent insider abuse.
Moreover, employees aren’t thrilled about corporate-mandated MDM solutions. In a recent report by Webroot, 55 percent of respondents would be extremely or very concerned if their employer could access personal data and 47 percent are concerned about personal data being wiped by an employer.[ii]
The Rise of Mobile App Ma nagement and App Wrapping
To satisfy privacy concerns and app auditing requirements, mobile security vendors have introduced Mobile Application Management (MAM). MAM solutions can manage, monitor, and secure individual apps. MAM relies on secure containers or app wrapping to protect custom apps.
With app wrapping, MAM vendors provide customers business apps developed by the MAM vendor or by app partners with built in security controls. These apps typically include email programs, contact lists and secure browsers.
Alternatively, organizations can wrap their own apps by integrating code from the MAM vendor’s software development kits (SDKs) into their app. SDK integration is only available if organizations have developed their own apps.
While application wrapping avoids the privacy concerns introduced with MDM, it also imposes its own unique set of problems.
Unwrapping App Wrapping
While app wrapping provides greater control over mobile apps without intruding on users’ personal data, it is not practical for most organizations.
The drawbacks of app wrapping and MAM include:
- MAM vendors that offer pre-wrapped apps only support a small number of apps. As of May 2015, Google Play featured 1.5M apps while Apple App Store hosted 1.4 million apps.[iii] MAM vendors support a miniscule fraction of total apps, preventing organizations from supporting the business apps they need.
- Employees might dislike apps developed by MAM vendors. Some MAM vendors offer their own browser, email and calendaring apps. Unfortunately, your employees may complain that these apps are not as feature rich as their favorite browser, email client, or calendar app.
- SDK integration can be costly. Some MAM vendors offer SDKs that allow organization to wrap their own apps. Unfortunately, app development can be costly for smaller businesses, especially if businesses need to support multiple types and versions of mobile devices.
- Lack of coverage for all types of mobile devices. Employees with Blackberry, CyanogenMod, Windows Phone, and Firefox OS devices may be unable to access mobile resources if MAM vendors do not support these platforms.
- Even with app wrapping, sensitive data is still stored on devices. While MAM security measures like strong authentication and data encryption drastically reduce the risk of data loss, if phone owners choose weak passwords, then phone thieves may still gain access to sensitive apps and data.
As a result of these shortcomings, organizations may want to consider alternative approaches to mobile security before plowing ahead with an investment in MAM.
Alternative BYOD security solutions like virtual mobile infrastructure (VMI) mitigate security risks by preventing data from being downloaded and stored on mobile devices. Organizations can monitor app activity to prevent insider abuse and data loss. To learn some of the use cases for VMI, check out our choose your own adventure eBook, “What Virtual Mobile Infrastructure Can Do for You.”
Enterprises of all sizes have witnessed the emergence of the “Bring Your Own Device” phenomenon. Employees are bringing their phones and tablets to work and they want to use their devices to access business applications. With industry surveys indicating that 9 in 10 Americans use their smartphones for work, BYOD is not just a trend, it is a reality.
BYOD promises many benefits, but also poses challenges for IT security and operations teams. Small businesses, with equally small budgets and limited IT staff, face even greater headaches as they attempt to adopt IT solutions designed for large enterprises. But before we explore the drawbacks, let’s take a look at some of the advantages of BYOD.
Proponents claim that BYOD improves productivity and employee satisfaction and reduces capital costs. Employees can also work from anywhere—including at home and on the go—allowing an increasingly mobile workforce to respond to inquiries from coworkers and customers more quickly and simply work longer hours because employees are always connected. And employees can use their preferred devices rather than inheriting used laptops or being forced to use company-approved phones.
When employees purchase and use their own phones and laptops at work, everyone benefits, according to BYOD champions. A number of studies back up these claims. A Forrester Consulting report reveals that working hours increased 45 to 60 minutes per employee per week. The same report revealed that organizations saved $350 on phone acquisition costs and $90 per month per device on voice and data services.
BYOD offers small businesses many benefits. And—like it or not—BYOD has become an unavoidable reality as both rank and file employees and executives come to expect it. Unfortunately, many small businesses have started allowing users to access email and other applications from their phones before they had assessed the security and compliance implications. This leaves IT administrators at a crossroads as they try implement controls after they have rolled out access.
Just like large enterprises, small businesses need to provision and support business apps on their employees’ devices. They also need to protect business data and meet compliance requirements.
However, small businesses do not always have the financial resources of large enterprises. If they have developed custom business apps, they cannot port those apps to every type and version of mobile device. They also may not have the resources required to manage and maintain third-party apps, especially if these apps do not support all types of devices, versions of operating systems, or device peripherals.
Small businesses also need to consider security risks like data on lost and stolen devices or the threat of mobile malware. If employees are allowed to access sensitive data like customer records from their phones, then businesses may need to audit employee activity. On top of these requirements small businesses should enforce strong encryption and dual factor authentication to prevent snooping and unauthorized access.
If these requirements were not tricky enough, many businesses must also contend with an ungainly assortment of internally-developed apps and apps from third party vendors. Each app might implement a different type of authentication, encryption and access control. Lax and uneven security controls might be one reason why, in a recent survey, 72 percent of IT professionals claimed that company data is at risks due to mobile device access.
Many BYOD Solutions Designed for Large Enterprises
Enterprises can turn to several solutions to help secure mobile data and streamline management of mobile apps. Security technologies like mobile device management (MDM) can help distribute mobile apps and manage the settings of mobile devices. MDM can even remotely lock or wipe a device. Unfortunately, MDM can be costly and difficult for small businesses to implement. Plus, some employees might not want their employer to control their phone or decide which apps they can install.
Alternatively, organizations can deploy virtual desktop infrastructure (VDI). With VDI, organizations host Windows applications centrally on data center servers rather than installing apps and data on mobile devices. Mobile users can access these applications from a Web browser or a mobile client.
VDI offers many advantages; VDI can support virtually any mobile device without forcing IT teams to port applications to various mobile operating systems. VDI also centralizes app management and data storage, keeping sensitive data in the data center and not on mobile devices that can easily get lost or stolen.
However, VDI is not designed for the faint of heart. VDI solutions are costly. They are typically designed for large enterprises usually require dedicated IT staff to manage. Plus, VDI is designed to make Windows desktop apps accessible to mobile users, but it doesn’t support the growing array of mobile apps that were designed for touch input and mobile screen sizes.
The BYOD Solution for Small Businesses: Virtual Mobile Infrastructure
To protect mobile data and streamline app management, small business can deploy Virtual Mobile Infrastructure (VMI). VMI addresses the security challenges imposed by BYOD, allowing small businesses to protect mobile data and achieve compliance. VMI is like VDI, but rather than virtualizing Windows applications, VMI virtualizes Android apps.
Because VMI hosts mobile apps on central servers, it allows small businesses to avoid data loss from lost and stolen phones. It satisfies compliance and improves security by allowing IT staff to enforce dual factor authentication and end-to-end encryption. Plus, if organizations want to, they can audit activity and make sure that users do not download or transfer large amounts of sensitive data.
In addition, VMI can make it easy for small businesses to extend coverage to any type of mobile device, including Android, iOS, Windows Phone, Blackberry, and Firefox OS. Either through native clients or HTML5-enabled browsers, mobile users can access the apps they need securely.
The major advantage, though, of VMI is that it is very cost effective to provision and manage. Most VMI solutions are much less expensive than VDI products. Plus, VMI solutions that support mobile app virtualization offer unbeatable density, allowing small businesses to host up to 100 concurrent app sessions on a single, rack-mountable server. IT administrators don’t need to bother with complex VM environments, OpenStack integration, and hypervisor management.
As a plug and play solution, VMI enables small businesses to protect mobile data and streamline app management. VMI levels the playing field for small businesses, allowing them to embrace BYOD initiatives without putting their data at risk.
To learn more about Virtual Mobile Infrastructure solutions and see if they would suit the needs of your small business, download our white paper: “7 Things You Need to Know about Virtual Mobile Infrastructure.”
 Cisco Partner BYOD Insights Study
 The Total Economic Impact of IBM Managed Mobility for BYOD, Forrester Consulting
 TEKsystems 2014 BYOD Study
The Bring Your Own Device (BYOD) phenomenon has not just pervaded corporate offices. Today, doctors, real estate agents, police officers, and many others are bringing their devices to work. With the proliferation of mobile devices in boardrooms and in classrooms, IT administrators must develop new ways to support a diverse array of tablets and phones. They must find new ways to provision software and to protect end user devices, while yielding control to the employees that purchased their own devices.
Because of the security and management challenges introduced by mobile devices, the BYOD trend has paved the way for another trend: Virtual Mobile Infrastructure (VMI). VMI allows organizations to host Android apps on servers and allow users to securely access the apps from their own phone or tablet. VMI enables organizations to:
- Develop apps once and support any mobile device
- Centralize and simplify mobile app management
- Monitor user activity for unauthorized access or data exfiltration
- Enforce strong authentication and encryption
But not all VMI solutions are equal. While VDI and app virtualization products have been around for over two decades, remote access solutions for Android are relatively new. Therefore, prospective customers must carefully evaluate potential solutions and make sure that the products they purchase will meet their performance requirements and will support their Android applications.
Mobile App Virtualization vs. Full OS Virtualization
There are two main VMI architectures today: virtualizing individual Android applications—also called mobile app virtualization—and running a full Android operating system. With mobile app virtualization, organizations can run multiple, isolated and secure app instances on a single Android operating system. Each user’s data is stored separately, ensuring that users can save their settings and access them later.
Mobile App Virtualization and Full OS Virtualization architectures. Mobile App Virtualization provides unprecedented performance and app density.
Because mobile app virtualization does not need to run a separate Android VM per user, it delivers eight to ten times better density compared to full OS virtualization. As a result, mobile app virtualization reduces the number of servers needed to host VMI, it lowers hardware and operating costs, and it streamlines management.
If organizations plan to host a unique Android VM for every user in the cloud, they could quickly rack up expensive bills. This is because most cloud providers charge for every VM instance. If an organization has one thousand concurrent users, they would need to pay for one thousand VMs. Managing VMs in a corporate data center would be equally expensive; organizations would incur higher IT management and capital costs. Plus, hosting a separate VM per user would necessitate high-performance storage hardware—similar to what Windows VDI customers must purchase today.
Instead, organizations should consider a VMI architecture based on mobile app virtualization. Rendering images inline and processing display data and input events at the application level, which is only possible with mobile app virtualization, maximizes performance and density. Combining mobile app virtualization with secure containers ensures that each user session is isolated. And mobile app virtualization brings other benefits like accelerating application “boot up time” when users launch VMI sessions.
Purpose-built Android Architectures Compared to QEMU Emulation
Besides relying on full OS virtualization, many VMI products use QEMU emulation to host Android instances. QEMU is an emulation tool that is useful developers to test Android on Intel servers. Unfortunately, using QEMU emulation limits VM density and it also makes it much more difficult to take advantage of server features like GPU acceleration. Mobile app virtualization using a purpose-built architecture offers immense advantages compared to full Android stack virtualization either using a QEMU emulation, hypervisors, or LXC style containers, such as:
- Zero latency new session establishment as there is no need to boot Android
- Very low server CPU and memory requirements; an Android instance will need approximately 2GB RAM, while an Android application will just need around 32 to 64MB RAM.
- The ability to avoid complex IT infrastructures like SAN, Network switches, VM IP address management because a single server is enough to serve a large number of users.
- Reduced hardware, operating, data center cooling, and space costs, because mobile app virtualization delivers 10x to 20x greater app density per server.
Seven Things You Need to Know about VMI
Mobile app virtualization is only one factor to consider when looking virtual mobile infrastructure solutions. You also must consider client support, usability, deployment, and other requirements. To help you develop your evaluation criteria, we have published a white paper that lists the seven features you should look for when evaluating VMI. To learn more, download the white paper “7 Things You Need to Know about Virtual Mobile Infrastructure.”
 Density estimate based on a 16 MB mobile app running on a 1 GB Android system.
In just under two weeks, Sierraware’s CEO, Gopal Jayaraman, will discuss risks introduced by certificate pinning at BSides San Francisco. Gopal’s session, at 10:00 A.M. on April 19th, gives you an important reason to wake up early on Sunday. If you are coming into San Francisco to attend RSA Conference 2015, be sure to attend. During his session, Gopal will explain why developers are implementing certificate pinning in their apps. He will describe how certificate pinning works and how it creates security black holes in corporate defenses.
The Chain of Trust Can’t Be Trusted
Today, cybercriminals and even governments can easily exploit the certificate trust model. Malware can install fake root CA certificates on devices, certificate authorities (CAs) can issue fake certificates on behalf of nefarious organizations, and hardware manufacturers can add forged certificates to laptops. Recent news headlines illustrate that these dangers are real. For example, on March 20th, Google discovered that fake certificates had been issued for several Google domains. Unfortunately for Google, this is not the first time third parties had issued certificates without Google’s permission.
App Developers Are Fighting Back
To verify the identity of app servers, an increasing number of app developers are implementing certificate pinning. Certificate pinning prevents Man in the Middle (MitM) attacks and fraud due to fake certificates; with certificate pinning, an application checks that the server certificate matches the cert or hash “pinned” to the app. Today’s most popular mobile apps—including Facebook, Twitter, Dropbox and many more—use certificate pinning.
Certificate Pinning Reduces Security Visibility
While certificate pinning improves user privacy, it also creates a gap in corporate defenses. This is because security solutions like firewalls cannot decrypt pinned SSL traffic. Almost every type of network security product, including intrusion prevention, data loss prevention (DLP), forensics, and advanced threat protection (ATP) platforms cannot detect threats hidden in pinned traffic; certificate pinning creates a black hole in organizations’ defenses.
Sierraware’s session at BSidesSF will explain the threats imposed by certificate pinning. Attend the session to learn creative strategies that can help IT Security teams regain visibility into all traffic, including traffic encrypted with certificate pinning.
When: Sunday, April 19, 2015 at 10:00 A.M.
Where: Security BSides San Francisco at the OpenDNS office, 135 Bluxome St. San Francisco, CA 94107
Attend our session and let us know what you think.
On an unrelated note, go Duke in the NCAA finals!
- Page 1 of 2