As organizations have seen employees bring in their own smartphones, the Bring Your Own (BYO) use case has rapidly emerged. While corporate-owned devices remain extremely important for certain roles (e.g., field service, executives) and tasks (e.g., shared tablets for nurses), personal devices are becoming the most prevalent devices under enterprise management. According to Gartner, 45% of companies surveyed plan to stop issuing corporate-owned devices and allow only a BYO option to users by 2020, but only 15% of companies will not adopt BYO [1]. The great news is that BYO continues to open up mobile productivity to the masses, whereas it was once an amenity reserved for the select few fortunate enough to have a device provided with their job.
BYO is one of the six use cases that Gartner recently reviewed in the Gartner Critical Capabilities for High Security Mobility Management (view the report here). Let’s take a look at Gartner’s scores for the BYO use case:
Vendors’ Product Scores for the BYO Use Case (Gartner, 2015)
At Good we feel successful BYO is about securing corporate apps and data on the user’s personal device without infringing on the user’s native device experience and personal privacy. That means IT needs mobile security controls in place that protect what I call the 3 C’s of Secure Mobility - corporate content, credentials, and configurations - while offering users the least intrusive method, one that preserves the user experience and personal information such as photos, music, contacts, passwords, and banking data.
Good secures corporate content at rest within our FIPS-validated encrypted app container – the Good secure container – which does not rely on the native device encryption (this should be the first question you ask container vendors!). Good also uniquely encrypts data throughout the Open In process. Natively, an unencrypted copy is placed in the receiving app and is not encrypted until it is saved to disk. Do users save their work as they move from app to app in a workflow? Not always. This leaves unencrypted copies of documents strewn across the mobile file system, easily recoverable if a device is lost, stolen, or infected with malware. With Good this risk is mitigated.
Good also protects content over the air between the corporate network and the device using a dedicated secure connection that does not rely on DMZ relays or native transport (i.e., HTTPS/SSL/TLS). DMZ relays require open inbound firewall ports, and native transport has been hit by very public exploits in the wild such as Heartbleed (a crypto-level vulnerability), GotoFail (an OS-level vulnerability), and the certificate chaining/path validation that HTTPS/SSL/TLS depends on (root CA compromises). Good does not rely on the device’s native transport, so these issues are mitigated.
Corporate Credentials and Configurations
Good protects corporate credentials and application configuration data (e.g., IPs, hostnames, URLs) stored in the container, since all data is encrypted. Good does not rely on the OS keychain or store domain credentials on the device. Kerberos Constrained Delegation and other methods are used to provide access to back-end applications.
As mentioned, Good does not require a DMZ relay. Good servers are typically placed inside the firewall and no open inbound ports are required, protecting firewall configurations. Good also integrates with enterprise PKIs, so workarounds are not required and consistent authentication can be maintained. Good also leverages existing user repositories like Active Directory and LDAP, so duplicate user stores are not required. Note that all of the above protections for corporate content, credentials, and configurations apply to any app built on the Good Dynamics platform – whether a Good app, a third-party ISV app, or a customer-built app.
Preserving User Experience with Enterprise Grade Security
For all Good-secured apps, the native device user experience is preserved. A complex device passcode is not needed, since IT can manage and apply appropriate policy controls to just the Good-secured apps. Similarly, a full device wipe is not needed, since IT can simply wipe the Good-secured apps. Battery-draining location services are not needed to wake up the MDM agent to perform a jailbreak or root test. IT does not need to blacklist apps, as all Good-secured apps can be restricted from communicating with non-Good apps.
When ISVs or internal developers build their apps on the Good Dynamics platform using the Good secure container, the app features remain the same. Good security is transparent to the end user. That’s why enterprise application vendors like Microsoft, Oracle, IBM, and HP have integrated Good security into their mobile apps.
Good’s own apps are built with native IDEs. And while they are not the consumer apps that come with the device, they are built to provide a better business experience that takes advantage of the richness of native development. That’s why Gartner stated in the 2015 EMM Magic Quadrant, “Good's PIM functionality is the most advanced among the EMM vendors, including capabilities such as mail push notifications on iOS/Android/Windows, presence, advanced search and contact history.” So if you haven’t checked out the next generation Good Work for email, PIM, and collaboration, you need the free trial now.
MAM: A BYO World without MDM
Today many Good customers use a “mobile application management” (MAM)-only approach to BYOD, where IT provides Good-secured apps to BYO devices but no MDM profile is deployed to the device. In fact, Gartner predicts, “By 2018, more than half of all bring your own device (BYOD) users that currently have an MDM agent will be managed by an agentless solution.” Good does not require an MDM profile or device policies to secure the corporate apps and data. Many EMM vendors started with MDM and added MAM, so their MDM agent is required to manage the apps. With Good the opposite is true: using the Good Dynamics secure mobile app platform, Good MDM is simply another app under its management.
In sum, Good is pleased to have received the high score in the BYO use case in Gartner’s new Critical Capabilities for High Security Mobility Management. View the report to read Gartner’s write-up of Good’s support of all 6 use cases and the critical capabilities that comprise them. I also recently discussed the new Gartner report and the latest on Good’s security architecture on a webinar with Brian Reed, Good’s Chief Mobility Officer, and Eugene Liderman, Director of Public Sector Technology. In my next blog, I’ll cover Gartner’s High Security Commercial use case.
[1] Defining BYOD Ownership and Support Expectations in Contracts Ensures Successful Implementation (8/3/2015)
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
On August 19, 2015, AppThority posted a blog detailing the vulnerability in Apple’s Managed App Configuration facility, referenced as CVE-2015-5749 and known as Quicksand. AppThority’s article can be found here.
Unlike our competitors, Good Technology does not use the “Managed App Configuration” setting to configure and store private settings and information. All Good apps and Good-secured apps developed on the Good Dynamics Secure Mobility Platform are not vulnerable to Quicksand because of our secure containerization approach to protecting content, configuration, and credentials. We call these the 3 C’s of Security (we have a great white paper here).
Good applications would never store enterprise secrets in a location that is readable by any application on the device. A detailed explanation can be found here (registration required), in sections 9.5 and 9.6.
The second major concern with the published MDM vulnerability is that Apple Managed App Configuration allows an IT department to control the “Open In” behavior of the managed application. Using the default “Open In” functionality, data is replicated in clear text as it is moved from one application to another. Good has architected a secure Inter-Container Communication (ICC) protocol that is managed within the application policies of each Good application on the end user’s device. The ICC protocol allows Good applications to securely send documents or messages to other approved Good applications.
Within Good’s management policy, the IT administrator defines which applications are allowed to collaborate with each other. This information is not stored in a .plist file that is vulnerable to the attack outlined in the original blog post. To craft an attack like this, the malicious actor would need access to the Good management consoles to add their malicious application to the policy and then distribute those policies to the end users. Without this access, applications would not be able to leak data to a non-trusted application.
Good has built a robust ecosystem of applications that have all gone through rigorous testing and have been validated to properly use the controls Good has in place to ensure that enterprise data, including credentials and connection settings, is protected. These Good Dynamics applications allow IT to ensure that all of their enterprise data on mobile devices is secured above and beyond the protection provided by Apple and other operating system vendors.
Good does not use the Apple Managed App solution to provision applications with secret/confidential data.
Good does not recommend that enterprises deploy applications that store credentials and secrets in the keychain, as there are known ways to extract information from the keychain.
Good’s Inter-Container Communication protocol allows for the secure communication of data between applications on the device.
Good provides a secure approach that allows the end user and device to authenticate to back-office systems like email, SharePoint, etc. This methodology has proven to ensure a level of confidentiality for user data that is unmatched by others.
That said, AppThority has identified a genuine issue with the implementation of device management on iOS, which Apple has now fixed. It raises issues around implementation, not design. Since managed app configuration on the device is readable by all apps, any configuration you place there is also readable by all apps. Quicksand reinforces the more general class of vulnerabilities that come from relying on the device’s security to protect credentials and configuration.
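One practical takeaway from the Quicksand discussion above is that a managed app configuration payload should never carry credentials, since iOS hands it to the app as a plain dictionary (the com.apple.configuration.managed key in NSUserDefaults). The following audit script is an added example, not Good's or AppThority's code: it parses a constructed Managed App Configuration plist and flags keys that look like secrets or URLs with embedded credentials, so an administrator can catch them before the payload is pushed by MDM. Key-name patterns and the sample payload are assumptions of this example.

```python
import plistlib
import re

# Heuristic: key names that suggest a credential is being pushed via managed config.
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|credential|private[_-]?key)", re.I)
# URLs carrying credentials in the userinfo part, e.g. https://user:pass@host/...
URL_USERINFO_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)

# Constructed sample payload: two obvious mistakes plus one nested under "proxy".
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>serverURL</key><string>https://mail.example.com</string>
  <key>serviceAccountPassword</key><string>hunter2</string>
  <key>shareURL</key><string>https://svc:Secret1@files.example.com/share</string>
  <key>pollIntervalSeconds</key><integer>300</integer>
  <key>proxy</key><dict>
    <key>host</key><string>proxy.example.com</string>
    <key>apiKey</key><string>PLACEHOLDER-API-KEY</string>
  </dict>
</dict></plist>"""

# Constructed clean payload: only non-secret configuration values.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>serverURL</key><string>https://mail.example.com</string>
  <key>pollIntervalSeconds</key><integer>300</integer>
</dict></plist>"""


def _walk(node, path=""):
    """Yield (dotted path, leaf value) pairs for every leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_managed_config(plist_bytes: bytes) -> list:
    """Return (path, reason) findings for a managed app configuration payload."""
    findings = []
    for path, value in _walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY_RE.search(leaf):
            findings.append((path, "key name suggests a credential or secret"))
        if isinstance(value, str) and URL_USERINFO_RE.match(value):
            findings.append((path, "URL embeds credentials in userinfo"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_managed_config(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```

Anything the script flags belongs in an encrypted app container or a server-side credential flow, not in the managed configuration dictionary.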
Until recently, a surefire way to spot business travelers at the airport was to look for a laptop. We carry our laptops with us in bags down the concourse and place them in their own bin at the security line. In our seats, we scrunch down to take them out and stow them for takeoff and landing.
And so it was with great interest that I heard Stephan Schleibinger’s story. Stephan is the head of front office for MBDA, a German missile systems company. Given the nature of the business, security is obviously critical. And yet when Stephan recently traveled to Great Britain to give a presentation at a conference, he was able to leave his encrypted laptop behind. In fact, the only devices he needed for the trip were an iPhone and iPad, both secured by Good Collaboration Suite.
Before departing from the airport, Stephan used his iPad with Good to access the PowerPoint presentation—stored securely on the company’s file share—and make a few last-minute changes. When he arrived at his UK hotel, he used the same company-owned iPad and a Wi-Fi connection to catch up on personal email and watch a soccer match. Of course, his Good-secured iPhone was also nearby to quickly check work email, social media, or to call colleagues and family.
When it came time to give his presentation, he just connected the iPad to an HDMI/VGA projector to share the PowerPoint, which was stored securely back at the home office. People were astonished at the quality, Stephan told me. More than a few came up to him after the conference to say they were jealous because they’d had to lug laptops and power supplies.
Two things strike me about Stephan’s story. The first is how simple MBDA has made it for mobile employees to work securely. Instead of waiting for their laptops to boot up—and then waiting again for a VPN connection—they just tap to open mobile apps for secure email, calendars, contacts, file sharing, and intranet access.
The second is the convenience of using the same device for work and personal matters, like Stephan’s soccer match or calling his family. That works because Good stores work data and content separately, in secure containers that the IT team can control and monitor with fine-grained policies. Whatever Stephan does outside of Good-secured apps is his own private use and not the concern of the company.
Now that secure mobility doesn’t necessarily require a laptop, we’ll need another way to tell if the person who snagged the aisle seat is traveling for business or pleasure.