Some tidbits while tinkering.

Category: Mobile

LAUSD and Cheapo MDM

I’m actually a big fan of using Apple software like Configurator and Profile Manager to do MDM on the cheap – and using ActiveSync profiles means that most people will be able to secure the information on the device, which is what most companies need.

But the particular needs of the LA Unified School District don’t really fit neatly in here.

Thanks to a whole range of news articles (the best one, I think is from Ars Technica), the LAUSD has now found out that users can easily delete their ActiveSync profile to return to an ‘unmanaged’ state.  I’m seriously amazed they could get this far down this path, with a $1B project, likely lots of support from Apple directly, and not realise that profiles can be deleted?

Apple has, in effect, always gone for a model where a device could, one way or another, be put back to a ‘virgin’ state. Even if this particular method wasn’t used, there are plenty of others to restore an iPad, with the only minor issues being getting access to specific enterprise apps.  It’s not rocket science.

The key is whether you secure your data at the app level, and whether you provide enough benefit that your users continue to elect to be under management.  In business, this is easy (lost devices can be claimed via insurance, lost data is harder), and for home users, parents could just take away the device.  But for education, where programs will rely on access to these iPads, it has a unique need to securely lock down the device entirely, but being a school, doesn’t have the budget for good MDM to help.

One of the things I’m not aware of yet it any features around device management, particularly ‘supervised’ mode in the new versions of Apple Server iOS management tools and iOS that will prevent this.  We have the functionality to, with Activation Lock, as well as supervised modes, but have not seen or tested the ability to lock down the ability to remove profiles in iOS7.  Though, with this sort of news hitting Apple in education (though not really their fault) one could imagine this being a feature introduced in iOS7.1, if it’s not in already…

MDM vs API and Application Level controls

This article at Ars technica had a phrase that really gets to one of my primary issues with MDM (Mobile Device Management).  It was “Most people believe that mobile device management—the idea that I can ask an employee to hand over his new personal phone, root it, hand it back to them—is not viable,” from Michael Mullany, CEO of Sencha.

For some reason, the security field still believes it is appropriate! Even though I know the concept, and am in security, the idea that I trust my enterprise to have root control of my device is still alien, and a massive turn off for BYOD.

With de-perimeterised networks, with federated identities, with API’s causing unprecedented levels of interaction, and typically poor security models applied at the application layer, direct control of the mobile device is archaic, and still rooted in the ‘if the CEO loses his iPhone, someone can access all his email’ type thinking.

One of the great aspects of the article is the brief discussion of API-level governance.

The reason we (as an industry of security professionals) look at MDM is because dealing with developers and making up an application security model is simply too hard for many, precious few of which program, and even fewer know the benefits of things like Agile and new API interaction models. But much like many security professionals (including me) missing the boat around iPhone adoption – this model is already in.  It’s not the future, it’s the now, and we absolutely need to embrace it.

The focus on BYOD and device-level sandboxing is useful, but ultimately only a tool to accentuate the new model of security – that of defining, and implementing security at the per-app basis, while sharing authentication and authorisation duties around.  This will require a massive change in thought processes, and a modelling of user/role and data access that in my experience hasn’t been done outside of academia.  It’s made all the more complex with the unknown sets of interaction possible, and may well require data itself containing tokens on the usability – such as that the photo your share with your friends, can’t be shared publicly by them, which will require a new set of common, standard protocols to be developed. Hopefully, these can be as useful as the original OAuth standards, rather than the less successful ones, like OAuth 2.0 :)




BYOD and MDM – why Bother?

Vito Forte with Fortescue Metal has recently commented about not overcomplicating mobility.

For me, the idea of BYOD, and the normally draconian rules applied if you purchase an MDM solution seem diametrically opposed.  The process seems to be:

  1. Allow BYOD because someone told you it would save money.
  2. Somebody freaks out about security, and lack of control.
  3. The solution is MDM!
  4. MDM is expensive.  And nobody wants to install it.
  5. And thus, some companies even go to the point of purchasing the devices that they were meant to get employees to buy!

MDM is honestly, a fantastic tool for enterprise fleets, in particular those with needs to roll out and manage enterprise software, or who have very strict requirements on what their mobile userbase do.

But it doesn’t meld well with BYOD.

Typically, most of what people want MDM to do (passwords on devices, and remote wipe – really, that’s the typical useful limit!) can be done via ActiveSync settings in Exchange.  Which almost everyone runs. Or something like Google Apps supporting the same functionality. You don’t get encryption, but it should soon be easily accessible on Android and iOS devices, even on a per-app basis, which is the essence of BYOD.

Then, all you need to do, is make sure you encrypt data in transit, even using the new iOS per-app VPN feature, and even better, use the new iOS SSO features (not yet publicly released) to make multiple app sign-in relatively painless.

You loose the ability to have enterprise software roll-outs automatically, but both Android and Apple seem to be recognising the difficulty in enterprise apps and BYOD, and working hard on solutions. Expect iOS 7 to have a number of improvements to this, and there are ways around it on Android already.

My point is, don’t treat mobile as something to over-regulate because you don’t understand it. The new security models and improved overall device constraints make the average mobile significantly more secure than the average desktop – even most policy-secure desktops. Embracing the new systems with a little thought will allow more flexible deployments, and keep the bean counters happy.

SSO and Mobile

Thankfully, Apple have finally brought SSO to the table for mobile apps.

I think it’s really important – in fact, I was going to do a post how mobile apps are probably the best application of SSO, considering how users keep the device with them, and the current methods of authentication are painful (passwords on a mobile device take a long time and are error prone), and so many apps just save the password anyway to save the hassle.

The are some issues I see with SSO on mobile, and will need to be used carefully to avoid breaking two-factor authentication models, but it’s a huge win for business, and I hope it will be available via the SDK shortly.  I am really excited to see the new security features in iOS7, and keen to try them out!

Expect some posts about the Enterprise licensing (also massive improvement of enterprise management), and I’m keen to see the applications of the per-app encryption, and per-app VPN connectivity too.  It has simply huge ramifications for BYOD, and how it’s able to be accessed may be the difference between whether MDM remains relevant, or becomes even more integral to enterprise mobile management.

More on iOS7 to come for sure!

Extra Bluetooth Functionality in iOS7

Another really cool feature of ios7 is the new additional bluetooth capability.  Some major news sites have covered this, such as 9to5Mac, and the essence is the most complete bluetooth LE coverage in a mobile device so far.  So comprehensive in fact, I wonder how long it will take Android to catch up – particularly as we are still waiting for the official google bluetooth stack.

The ability to have push notification flow through to bluetooth devices, and the mechanisms to allow ‘always on’ will really improve the accessory market for iOS, and it certainly an area booming right now. I’m really looking forward to the advances we can get from Bluetooth LE! The iPhone, and to a lesser extent Android, will really have the capability to be the device ‘keyed in’ to a fully connected environment. I just wish the iPhone had more sensors onboard, but will see what the next iPhone brings.

Security and Continued FUD

After being in security for a while, and seeing the view of multiple waves of management, in multiple organisations, I’m starting to get jaded at our ability to see beyond our own noses.  The FUD mechanism is really something I think that should be put down. Whenever I see it, I just feel like it’s the last resort of either people with vested interests in short term sales, people without the ability to properly define the issue in terms of risk, or just being lazy.

Case in point: This article on titled ‘Bad idea: Neglecting mobile device security’.

Now mobile security is one of my things, but on reading this article, it’s ridiculous.

It starts off as a SANS survey of the preparedness level of security experts on Mobile Device Security and Mobile Device Management, which is great, but makes a logical mistake at assuming that because a lot of security professionals aren’t prepared for BYOD, that they are underprepared, and HP is happy to underline that point, and sell you some stuff to fix it.

Why do we keep doing this to ourselves as a group of (relatively) smart professionals?

As the Verizon report helps to back up, we don’t really have a problem with mobile security.  We did a few years ago, and nobody let mobiles connect to sensitive stuff.  But nowadays, there a many real solutions to security the apps (not the mobile devices) themselves, and security the backends, such that as long as mobiles have passwords/PINs and remote wipe capability, most enterprises are covered.  I’ll go into the real threat model around mobile soon, but sufficed to say BYOD and the hype around it is more to deal with security vendors sunk costs, than it is to real vulnerability for most business.

So then why do we keep inventing issues for technology and policy to fix, hype it up internally, and to our management, and then get disappointed when they don’t throw money our way?  We need to wake up to the way salespeople are taking over our spiel to management and get back to finding out ways to get what management wants done, done. Metrics not on surveys, but on actual financial loss wouldn’t hurt either.

Verizon 2013 report, mobile and virtualisation

One of the big bugbears that used to come up, and still does, is the impact of mobile and virtualisation on security. These have been portrayed as new waves of poor security, and of massive importance to organisations.
Though in reality, and even specifically highlighted in the latest Verizon security report, is that true hacking attempts using these vectors just isn’t happening.
While a number of vendors will have you believe otherwise, the trend towards attacking the application layer, and the overall ease of phishing attacks make attacking mobile devices and virtualisation high effort, low payback.

In mobile, this is due to:
1. Overall improvement in security models – the per app security access model provides practical insulation from the most useful ‘root’ compromise.
2. Overall unreliable mobile networks make network based attacks difficult.
3. Bias towards content consumption on a mobile device makes valuable information harder to obtain
4. Basic activesync security has been available for a long time now on all mobile platforms. It’s very easy to implement, and if used half-way proactively, gives a real security boost.

As for virtualisation, VMWare has always done a decent job if protecting the infrastructure, but other vendors who aren’t as good aren’t been compromised all over the place either. Why? Because in reality, virtualisation doesn’t significantly increase the usable attack surface of the server, when your easiest targets are mid configured applications anyway.

The situation may change, and is worth watching, but right now there is no reason to invest any significant money in MDM or virtualisation security products for the enterprise.

However, there are still some things to think about, and I’ll go over a number of those in other blog posts.