In my last blog we discussed how people often use the term “ActiveSync” as shorthand for the entire pipeline built to move and protect data (such as email, calendar and contact information) end to end – rather than for the simple communication protocol it actually is – and how that shorthand spreads confusion about whether or not it is “secure”. We observed that security is instead defined by the end-to-end solution, from the mail server all the way to the native email app, including the app itself and the solution’s underlying model for security and management (or lack thereof).
Today we’re going to dig more deeply into some examples where “ActiveSync” is ostensibly “insecure”, and uncover again that, in reality, the key to its security is in how it’s implemented.
“At rest” data encryption
Native mail apps typically rely on the “whole device” password to enable data encryption. Unfortunately, that doesn’t work very well in Bring Your Own Device (“BYOD”) and “Company Owned, Personally Enabled” (“COPE”) scenarios, where users access both corporate information and their own personal information on the same device. Users strongly resist sufficiently strong passwords or short password timeout periods on the “whole device”, because those interfere too much with their personal usage. IT is then typically compelled to accept weak “whole device” passcodes and longer timeout periods, which effectively undermines the value of the encryption – and not just for the native mail app, but for any and all apps on the device that rely on the native encryption model. A good rule of thumb: if you wouldn’t apply a given password strength and timeout policy to a company-owned laptop because it is too “weak”, then it is also too “weak” for the smartphone or tablet. It’s that simple.
Good resolves this issue by allowing IT to set a separate policy on the Good for Enterprise app and on other apps built on our Good Dynamics Secure Mobility platform. That policy works with Good’s own data encryption to provide strong security that does not interfere in any way with the user’s overall personal experience. It’s worth noting that nothing in this section referred to ActiveSync – that’s because ActiveSync itself determines neither how “whole device” encryption and management work on a particular device, nor how that implementation will be received by end users in a particular deployment model such as BYOD or COPE.
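To make the rule of thumb concrete on the ActiveSync side of the pipeline, here is an added example (not code from the original post, and not Good’s own product code) that uses Exchange’s native mobile device mailbox policies rather than a separate app-level policy. It assumes an Exchange 2013 or later (or Exchange Online) management shell; the policy names, the mailbox address and the baseline values are constructed for illustration. The first policy is the weak compromise the post describes; the second is the laptop-equivalent baseline; the final query lists devices that have not applied the policy in full, i.e. devices whose “at rest” protection cannot be relied on.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013+ /
# Exchange Online management shell. Names and values are placeholders.

# The "weak" compromise the post describes: short numeric PIN, one-hour lock.
# Created here only so it can be compared side by side with the baseline.
New-MobileDeviceMailboxPolicy -Name "BYOD-Weak-Compromise" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $false `
    -MinPasswordLength 4 `
    -MaxInactivityTimeLock 01:00:00 `
    -RequireDeviceEncryption $true

# Laptop-equivalent baseline: what a company laptop would be expected to
# enforce, applied unchanged to the "whole device" passcode.
New-MobileDeviceMailboxPolicy -Name "Laptop-Equivalent" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordComplexCharacters 2 `
    -MinPasswordLength 8 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -PasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # clients that cannot enforce the policy get no mail

# Assign the baseline to a mailbox (placeholder address).
Set-CASMailbox -Identity "alice@contoso.example" -ActiveSyncMailboxPolicy "Laptop-Equivalent"

# Devices that have not applied their policy in full are the ones whose
# encryption depends on whatever passcode the user chose on their own.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceFriendlyName, DeviceType, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync
```

The caveat the post is making still applies to this approach: a mailbox policy can only raise the bar on the whole-device passcode, so it carries exactly the BYOD and COPE friction described above, and `AllowNonProvisionableDevices $false` is what keeps a client that silently ignores the policy from syncing anyway.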
Network access to the ActiveSync-enabled mail server infrastructure
Organizations often leave their ActiveSync ports open to connections from any ActiveSync-enabled app. This clearly creates additional security issues which, again, are not inherent to ActiveSync itself. For example, there are apps that are purposely designed to speak the ActiveSync protocol but do not consistently enforce encryption or the other policy controls that determine how the data is secured and managed once it leaves the enterprise and reaches the app. This is one of the reasons the Good for Enterprise application, and other applications built on the Good Dynamics Secure Mobility platform, come with an additional “built-in” layer of network access controls that ensure only specifically authorized users and apps can reach the company’s infrastructure. This is further coupled with a model for secure connectivity to the enterprise that eliminates the need for a VPN, or for any “open” ports through the company’s firewall that would create additional attack points.
These protections apply not just to messaging apps and infrastructure, but to any other apps and infrastructure, ranging from intranets to SharePoint to LOB apps and systems for CRM, BI, etc. This is another case where particular protocols, whether ActiveSync for messaging or other protocols for accessing other apps and infrastructure, are not inherently secure or insecure. It’s much more about the end-to-end approach: how those protocols are exposed to apps, and how those apps then handle the data they send and receive through them.
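As an added example (not from the original post, and not Good’s gateway), here is what “don’t let any ActiveSync-enabled app connect” looks like with Exchange’s own device access controls instead of an app-specific network layer. It assumes an Exchange 2013 or later (or Exchange Online) management shell; the addresses, device IDs and device type strings are constructed placeholders. The sequence is default-deny for unknown devices, an allow rule for a vetted device type, a per-user device ID allowlist, and a query of what is waiting in quarantine.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013+ /
# Exchange Online management shell. Addresses and device IDs are placeholders.

# 1. Default-deny: a device Exchange has not seen is quarantined (no mail is
#    delivered to it) and an administrator is notified, instead of being
#    allowed in by default.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admins@contoso.example" `
    -UserMailInsert "Your device is awaiting approval by IT."

# 2. Allow a device type the organisation has vetted. Characteristic can be
#    DeviceType, DeviceModel, DeviceOS or UserAgent; all four are values the
#    client reports about itself, so treat them as a coarse filter only.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow

# 3. Per-mailbox device ID allowlist; this is evaluated before the rules above,
#    so a user can be pinned to a specific enrolled device.
Set-CASMailbox -Identity "alice@contoso.example" `
    -ActiveSyncAllowedDeviceIDs @("PLACEHOLDER-DEVICE-ID-1")

# 4. Review the quarantine before approving anything. DeviceAccessStateReason
#    says which rule (or the global default) put the device there.
Get-MobileDevice -Filter "DeviceAccessState -eq 'Quarantined'" |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, DeviceAccessStateReason

# Approve a reviewed device for its owner only, rather than allowing its type globally.
Set-CASMailbox -Identity "bob@contoso.example" `
    -ActiveSyncAllowedDeviceIDs @{Add = "PLACEHOLDER-DEVICE-ID-2"}
```

Two points worth keeping in mind when relying on this: the rules are evaluated by Exchange after the client has already connected and authenticated, so they restrict which devices get data without closing the port the post is concerned about; and rules keyed on `DeviceType` or `UserAgent` trust a string the client supplies, which is why the per-mailbox device ID allowlist (or client certificate authentication on the ActiveSync virtual directory) is the stronger of the controls shown.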
So now you know
Hopefully my two blogs – this one and the last one – have answered any questions you might have regarding ActiveSync and security. Remember, ActiveSync is just a protocol and, as such, is not itself inherently secure or insecure. Instead, you owe it to yourself and your organization to understand how your secure mobility provider protects your critical content, credentials, and configurations end to end throughout their mobile journey.