
Category: security

There are 9 posts published under security.

Lifting the Ban on Dropbox

Dropbox can put organizations at risk by not having adequate security controls, increasing the chance of security breaches.

In one incident, Dropbox email addresses were successfully hacked and then used to send Dropbox users spam. Many enterprises are not prepared to take the necessary risk and are forbidding the use of Dropbox, making it the number one banned application according to a survey by Fiberlink.

Dropbox introduces security risks by not including the authorizations that healthcare and financial regulations require. For example, Dropbox is typically not integrated with an organization’s DLP (data loss prevention) solution, which ensures that only authorized users transfer files and that sensitive data, such as credit card numbers and patient data, does not leak from the organization. Dropbox also does not include a full audit trail of which files were transferred, when and by whom, or of who downloaded the files.

Once the data resides in Dropbox the risk continues. This data might remain in the cloud forever without any control or monitoring. Hackers are aware that Dropbox can contain important data, often make breaching it a high-priority target, and will do whatever it takes to access this information.

Dropbox is not the only collaboration solution that can be easily compromised. Other cloud file sharing solutions such as Google Drive and Microsoft SkyDrive have similar limitations.

Dropbox keeps coming back

Based on Dropbox’s vast scale — it boasts 200 million users, with business users quadrupling in recent years — users are not likely to give up Dropbox on their own.

When users need to collaborate with business partners, remote users and customers, file sync and share services such as Dropbox are easy to use, offering a good alternative to the organization’s email system, which in most organizations does not allow the transfer of large files (10MB and over).

There are other proprietary solutions available as an alternative to Dropbox, but they often add a level of complexity which users resist when they are under pressure to transfer a file. These procedures include encrypting passwords and requiring recipients to install specialized software.

Using Dropbox Safely

Rather than replacing Dropbox, another layer of security can be added to existing file transfer procedures that would enable organizations to control which files are uploaded to Dropbox, and who has authority to share these files. An open solution that integrates easily with the organization’s existing security tools, such as DLP, anti-virus and authentication systems, would enable all shared data to undergo authentication, data scanning and data encryption. These additional precautions significantly reduce the chances that data shared using Dropbox will be compromised.

Such a system would also include a full audit trail of who transferred which files, enabling compliance in the healthcare, insurance and banking industries and meeting over a dozen regulations including PCI-DSS and HIPAA. The additional checks and balances can also be applied to automated file transfers. This enhances IT productivity and reduces operational costs by streamlining business processes which were previously done manually using standard file transfer solutions. Perhaps the most significant benefit is that files can be shared easily among partners, suppliers and customers, without requiring additional software or procedures on the receiving end.
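The data scanning step described above, as an added example that is not code from the original post or from any product it describes: a minimal pre-upload gate, written here in Python, that scans a document for Luhn-valid payment card numbers and returns an allow/block decision together with a masked record suitable for the audit trail the post calls for. The function names, the blocking policy and the two sample documents are constructed for this illustration.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by single
# spaces or dashes, not glued to surrounding digits or dashes.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(card: str) -> str:
    """Keep only the last four digits so the audit record never stores the full number."""
    return "*" * (len(card) - 4) + card[-4:]


def pre_upload_check(filename: str, content: str) -> dict:
    """Gate one file before it is handed to the sync client.

    Hypothetical policy for this example: any valid card number blocks the
    upload. The returned dict is what the audit trail would log; raw card
    numbers are never returned.
    """
    hits = find_card_numbers(content)
    return {
        "file": filename,
        "decision": "block" if hits else "allow",
        "findings": [mask(h) for h in hits],
    }


# Constructed sample documents (not real data). 4111 1111 1111 1111 is a
# widely used Luhn-valid test number; 1234-5678-9012-3456 fails the checksum,
# and the ten-digit order and phone numbers are too short to be card numbers.
INVOICE = (
    "Order 2013090123\n"
    "Paid with card 4111 1111 1111 1111, reference 1234-5678-9012-3456\n"
)
MEMO = "Meeting notes: call 555-123-4567 about the Q3 budget (order 2013090123)."


if __name__ == "__main__":
    for name, doc in (("invoice.txt", INVOICE), ("memo.txt", MEMO)):
        print(pre_upload_check(name, doc))
```

The check sits in front of whatever hands files to the sync client, and the masked findings are what gets written to the audit trail. Luhn validity alone over-matches (some non-card identifiers also pass the checksum), so a production rule set would pair it with the organization's other sensitive-data patterns, such as the patient identifiers the post mentions.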

The simpler the solution, the greater the chance that employees will use it. If they are required to change their habits too much there is always the risk that they will be tempted to go back to using Dropbox unprotected. By using security systems which add functionality to make Dropbox more secure, employees can do their work with the least amount of disruption, giving IT managers peace of mind knowing that their sensitive corporate data is well protected.


IT Risks of Toolbars

Toolbar add-ons are a type of browser extension that typically provides users with additional functionality by adding a bar with several buttons to the browser, often along with a search box.

Toolbars may also have features for altering the user’s homepage, allowing searches of third party sites (e.g. Amazon, eBay, IMDb), and modifying page scripts or the HTML page display. Although toolbars can provide advantages to the user, IT administrators often do not want toolbars installed on the computers in their network: toolbars introduce various non-monetary costs and create risks for enterprise networks.

The “costs” and risks of toolbars

Screen Space:

Every browser toolbar takes up browser page space. More toolbars means less space for the browser to display the website page content. In some extreme cases, up to 80% of the browser view has been occupied by “toolbar armies.”

Performance:

Each toolbar increases the amount of memory used by the browser. Web browsers already consume significant memory when loading complex or scripted pages. Installing a few toolbars on the system may consume additional amounts of the computer’s physical RAM and slow things down considerably.

Privacy:

Most toolbars are embedded into the browser and collect private data. Even reputable toolbars from companies like Google have this behavior: one of the Google Toolbar’s “extended” features sends certain information back to Google. If the computer belongs to a private intranet and accesses internal content through a web browser, installing a toolbar introduces the risk that sensitive information could leak to the outside world, and interferes with the user’s ability to safely view and access data.

Viruses and spyware:

Toolbars can function as an entry point for malware to gain access to your “secured” systems. Since users rarely have the ability to verify the complete list of toolbar behaviors, some publishers could simply use them to collect anonymous information about browsing habits, network usage and login accounts. In some cases, toolbars could be used as a “Trojan horse,” concealing viruses inside the installation package. Even in the case of non-malicious toolbars from reputable providers, the toolbar still represents another network-exposed attack surface, one that is likely much less tested and secured than other internet-facing software.

Determining whether a toolbar may be malicious

Toolbars generally do not provide as much value as the cost and risk they introduce, but this does not mean that all toolbars are malicious or dangerous; some of them are just annoying and inconvenient. So how can users or IT administrators determine whether a particular toolbar is malicious? Here are some clues to look for:

  1. Degradation of speed: you notice the computer is functioning slower than usual.
  2. Unfamiliar buttons: you find unknown buttons or other unexpected features have been implanted inside your browser or inside web pages rendered by your browser.
  3. Hijacked homepage: you notice the browser homepage has been modified without your knowledge.
  4. Modified Hosts file or DNS settings: you realize the URL address is no longer pointing you to the expected website.
  5. Annoying popups: you receive a lot of unwanted popups, fake advertisements or sometimes system errors while you are surfing the internet.
  6. Strange search engine: you notice that when you perform a search, the results are not from your expected or preferred search engine, nor from a provider such as Google or Microsoft Bing. It may constantly redirect you to pages containing unexpected results unrelated to your keywords.
  7. Deactivation of phishing protection: you notice that even though your browser’s anti-phishing protection option is enabled, your computer is not getting any security alerts from the browser when you visit suspected phishing sites.
  8. Loss of sensitive information: you realize some of your personal information related to credit card accounts or insurance information has recently been stolen from your computer.

If any of these occur on your system, the installed toolbar may be malicious. Given the costs associated with the toolbar and the potential risk involved, you may want to uninstall the toolbar from all associated browsers as soon as possible.


The Best Security Defense is a Good Open Source Offense

The hackers who compromised Adobe’s network knew, when they broke into the system, that the most valuable prize would be the one that was the most secretive – their source code.

Exploiting secrets is the name of the game for the hacking community, but now the hot secret to steal goes beyond personal data: it’s the code that makes things tick.

In the past, companies viewed source code as their best defense. Develop code, hold it close to the vest, and your system would be as secure as a maximum-security prison, or so they thought. Today, many of the same organizations which thought keeping their code closed was a security best practice are finding themselves in hot water and re-evaluating their security policies.

What’s the solution? It’s quite simple. The best security defense is a good open source offense. Instead of holding your code so close, open it up and share it with the community. Although it may seem counter-intuitive to share more, if there’s no secret, there’s nothing to steal.

Greater scrutiny

Oftentimes, rather than thinking of open source as an offensive strategy to protect against security breaches, people believe that sharing code makes you more vulnerable to security threats. The truth is that open source code goes through much more rigorous scrutiny and is, therefore, less likely to have security holes. Not only are you one step ahead of the hackers by sharing your past secrets, but you have an entire community of developers helping you to make sure that bugs are flagged and fixed faster, ensuring that the code does not become vulnerable to future attacks.

Quicker evolution of code

Open source is inherently dynamic – constantly evolving, with faster releases than proprietary code. And with the software changing quickly, hackers have less time to infiltrate the code. Since the hacker community is constantly looking for new ways to attack companies and software, it is important that security holes get identified quickly. When code is open source, everyone from end-users to community developers is able to identify issues and fix them quickly. Hackers might be fast, but when there is a community evaluating code, organizations have the opportunity to be much faster.

Transparent solutions

Companies often use proprietary software from third-party vendors. As a result, they do not have a clear and transparent view of how their software works. Proprietary vendors hold on to their “secrets” and, if there is a security issue, customers are unable to get a full picture of the problem. Organizations can find themselves in a situation where they know they have a breach, but are unable to identify the source. In the meantime, their customers are waiting for them to resolve the problem. If they had chosen an open source software solution instead, they would have a much easier time identifying and understanding the issue. Open source provides a complete picture of the software and how it is integrated with the overall product, providing a tremendous advantage when answering the big question – “what went wrong?”

The more inter-dependencies, the bigger the issue

Software has many interdependencies, and if one portion is hacked, it’s very likely that other parts of the product will also be affected. Open source operating systems (OS), like Linux, are modeled on UNIX – a modular OS. These systems are not only transparent to users and administrators, but also have fewer interdependencies than proprietary systems. When there is an issue with one part, it’s easier to fix it without having to worry about its impact on other components. And of course, if one part is hacked, it doesn’t mean that the entire system has been compromised.

As we all know in the security world, hackers are always thinking of new ways to attack our systems. Open source is not going to solve all security challenges, but going on the offensive is the first step in taking back control. The characteristics of open source, such as constant evolution, quicker fixes and fewer interdependencies, can be a huge advantage when facing hackers. Evaluating security policies to understand the “secrets” in an organization’s IT vault and how they are impacting the organization is critical in assuring that the next breach is merely an inconvenience rather than a catastrophe.

Security cannot be taken for granted and requires constant vigilance. There are no easy fixes or substitutes for being aware of one’s environment and vigilant for threats and attacks. Using open source software is one tool in an entire arsenal of protective strategies needed to ensure security in the modern enterprise.


How Solid Web Builders and Design can Help Boost Your Brand

You may not be aware of this, but crafty marketing and advertising campaigns are not the only means by which you can boost your brand. And you may be surprised by this, but a solidly planned-out web design could mean the difference between a website with a high page ranking and large traffic volume, and a website with a low page rank and negligible traffic. In fact, over 70% of large marketing agencies report that they use website optimization on a design and content level to bolster their marketing efforts.

A common misconception among novice webmasters is that a uniquely designed, attention-grabbing website is always preferable to a clean, more intuitive user interface, building on the premise that a website is the online embodiment of a given brand and, thus, should leave a lasting impression on its visitors (and potential customers).

Though there is merit to this assumption, an over-designed, overly complicated user interface can not only encumber user navigation, but could also prevent search engine web crawlers from properly indexing your website, thus decreasing your page ranking and the potential traffic to your site.

How can you avoid this conundrum?

  • As previously mentioned, a uniquely designed website may be visually appealing, but may cause some of your site’s pages to remain unindexed. A clean, intuitive user interface will ensure that both your visitors and the various search engine web crawlers can properly navigate or index (as is the case with web crawlers) your website. Also, recent statistics report that 40% of visitors will leave a website if it does not load in 3 seconds, so make sure that your site does not involve too many design elements that weigh down the page load.

  • Keep your content separate from your design elements (i.e. pictures, promo blocks, banners). A search engine’s crawler cannot index content that is embedded in design elements. Consequently, if you want said content to be indexed, make sure that it also appears separately on the site’s page.

  • If you’re using Flash or JavaScript-generated content, create an additional, separate HTML-only version of your website, complete with a properly planned and constructed sitemap, in order to ensure that each and every page, or link, on your site is properly indexed by the search engine’s crawler.

  • Make sure that your website is mobile compatible, as 44% of mobile users claim that they have difficulty navigating websites via their mobile devices, and 48% of all users claim that, if they happen upon a mobile site that isn’t working, it speaks volumes about the business in question.

  • Finally, if you are using one of the top website builders to build your very own business website, take advantage of the service’s SEO and marketing tools, including search engine directory submissions, advertising credits, traffic tracking and analytics tools. These features are offered to you for a reason and have a proven record when it comes to increasing your site’s traffic.

DDoS Attackers New Tactics Amplify Attack Sizes and Hide Identities

Distributed denial of service (DDoS) perpetrators changed tactics in Q3 2013 to boost attack sizes and hide their identities. By employing a type of DDoS attack called a reflection attack, which leverages the capabilities of vulnerable servers, malicious actors launched high-bandwidth attacks with fewer resources, with the intent of causing outages at their intended targets.

As reported in Prolexic’s Q3 2013 Global Attack Report, the reflection attack method grew in popularity among malicious actors by 265% year-over-year compared to Q3 2012 and by 70% in just the past quarter. Attackers are flocking to these distributed reflection denial of service (DrDoS) attacks because this attack method provides them with significant benefits.

One benefit of DrDoS attacks for the malicious actor is that the source of the attack is obscured (anonymity). By going through a victim server, the original attacker’s identity is hidden. Instead, it looks like the victim servers initiated the attack against the target.

The other benefit of DrDoS attacks for malicious actors is the ability to use the bandwidth of intermediary victim servers to make the attack more powerful. Because the amplification factor is so large – for one type of protocol attack the amplification factor is 17 – less outbound bot traffic is needed and the botnet can be much smaller.

In DrDoS attacks there are always two or more victims: the malicious actor’s intended target and the intermediary servers. The intermediary victims usually participate unknowingly. They aren’t infected with malicious code. Instead, they may have a server feature turned on that DrDoS attackers have learned to exploit opportunistically – typically a common network protocol such as DNS or CHARGEN.

In Q3 there was a big jump in UDP attacks and a corresponding drop in SYN attacks. The increase in UDP attacks is part of this reflection attack trend.
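The reflection mechanics described above (small requests carrying the target's address sent to an open UDP service, amplified replies delivered to the target), as an added example that is not from the Prolexic report or the original post: a small Python detector that runs over NetFlow-style records and flags a host receiving replies from many distinct reflectors at a high reply-to-request byte ratio. The flow records, the TEST-NET addresses and the 17x CHARGEN ratio are constructed to match the figure quoted above; the function names are this example's own.

```python
from collections import defaultdict

# UDP services named in the post as reflectors; the port is the one the
# amplified reply is sent from.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS"}


def flow(src, sport, dst, dport, nbytes, packets=1, proto="udp"):
    """Build one flow record (a simplified NetFlow-style summary)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes, "packets": packets}


def detect_reflection(flows, min_reflectors=3, min_amplification=5.0):
    """Flag (target, service) pairs that look like a DrDoS reflection attack.

    A reply flow from a reflector port to host T credits T as a target; a
    request flow from T to a reflector port counts as outbound request bytes
    (in a real attack these requests carry T's address spoofed by the attacker).
    """
    stats = defaultdict(lambda: {"reflectors": set(), "bytes_in": 0,
                                 "bytes_out": 0, "pkts_in": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in REFLECTOR_PORTS:        # reflector -> target
            s = stats[(f["dst"], f["sport"])]
            s["reflectors"].add(f["src"])
            s["bytes_in"] += f["bytes"]
            s["pkts_in"] += f["packets"]
        elif f["dport"] in REFLECTOR_PORTS:      # (spoofed) request -> reflector
            stats[(f["src"], f["dport"])]["bytes_out"] += f["bytes"]

    findings = []
    for (target, port), s in stats.items():
        if len(s["reflectors"]) < min_reflectors:
            continue
        # At the victim's own edge the spoofed requests are never seen, so
        # bytes_out may be zero; treat that as unbounded amplification.
        amp = s["bytes_in"] / s["bytes_out"] if s["bytes_out"] else float("inf")
        if amp < min_amplification:
            continue
        findings.append({
            "target": target,
            "service": REFLECTOR_PORTS[port],
            "port": port,
            "reflectors": len(s["reflectors"]),
            "bytes_in": s["bytes_in"],
            "amplification": round(amp, 2),
        })
    return sorted(findings, key=lambda x: -x["bytes_in"])


def build_sample_flows():
    """Constructed flows (TEST-NET addresses, not captured traffic).

    Five CHARGEN hosts on 198.51.100.0/24 each receive a 40-byte request that
    carries the target's address and answer with 680 bytes (17x amplification);
    one legitimate DNS exchange and one TCP flow are mixed in as noise.
    """
    target = "203.0.113.10"
    flows = []
    for i in range(1, 6):
        reflector = "198.51.100.%d" % i
        flows.append(flow(target, 40000 + i, reflector, 19, 40))     # spoofed request
        flows.append(flow(reflector, 19, target, 40000 + i, 680))    # amplified reply
    flows.append(flow(target, 50001, "198.51.100.53", 53, 64))       # normal DNS query
    flows.append(flow("198.51.100.53", 53, target, 50001, 120))      # normal DNS answer
    flows.append(flow("198.51.100.77", 44321, target, 443, 1500, 10, "tcp"))  # ignored
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for finding in detect_reflection(SAMPLE_FLOWS):
        print(finding)
```

Where the flows are collected matters: at the border of the network hosting the abused servers both directions are visible and the ratio can be measured, while at the victim's edge only the replies appear and the detector reports unbounded amplification, which is still a usable alert. The single legitimate DNS exchange is not flagged because it involves one reflector, not many. For the intermediary, the fix is the one the post implies: the abused service is a "server feature turned on", and turning it off when it is not needed removes the host from the pool of reflectors.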

Another DDoS trend identified in Q3 relates to the number of attacks. We found that the total number of DDoS attacks launched against our clients in Q3 2013 remained high and represented the highest total ever for one quarter. Usually Q3 is a relatively quiet quarter, but the DDoS attack trend showed a consistently heightened level of DDoS activity around the world over the last six months.

Since Q3 2013, we have seen a 58 percent increase in total DDoS attacks, a 101 percent increase in application layer (Layer 7) attacks, a 48 percent increase in infrastructure (Layer 3 & 4) attacks and a 12.3 percent increase in the average attack duration.

Prolexic’s Q3 2013 Global DDoS Attack Report is available as a free PDF download. It includes a detailed analysis of the DDoS trend toward DrDoS reflection attacks. The analysis examines DrDoS attack methods, tools and services – specifically CHARGEN attacks being integrated into the DDoS threatscape – and provides steps for remediating CHARGEN attacks.


Cyber Mercenary 'Icefog' Attacks South Korean and Japanese Supply Chains

An advanced persistent threat (APT) named Icefog has been detected, mostly targeting South Korean and Japanese supply chains, including government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media.

Icefog, tracked by Kaspersky since 2011, was recently discovered in June 2013 following an attack sample which was retrieved from Fuji TV. Upon analysis, different variants were identified — 6 to be exact. It was also found that these attacks were essentially a newer form of an original attack on the Japanese Parliament in 2011.

Icefog follows an ongoing trend consisting of relatively small groups of attackers that perform hit-and-run tasks with a focus on the supply chain. The attack begins with spear-phishing emails — the victims get an email with an attachment or a link to malicious sites with downloadable files. When the files are downloaded, a backdoor is dropped onto the system, giving Icefog access to the machine. Then specific, sensitive information is extracted with surgical precision. Unique to Icefog’s method of attack, once the information has been acquired the group moves on to another machine, in sharp contrast to the usual long-term infection that other APTs maintain.

So who, in general, is susceptible to Icefog’s attack? Their attacks are carried out with custom-made cyber espionage tools that run on Microsoft Windows and Apple Mac OS X, leaving Linux computers immune to these hacking attempts. An Android variant is suspected to exist, but has not yet been found.

Considering some of the major tensions in East Asia, Icefog’s attack pattern begs the question “are these attacks sponsored by a state?” Usually, state sponsorship is inferred from the motivations of the campaign, which tends to last a long time. Because of Icefog’s hit-and-run method of attack, it’s hard to determine an overarching theme beyond the supply chain, which makes it difficult to pinpoint anyone. It should be mentioned, though, that based on the IP addresses used to monitor and control the infrastructure, those responsible for Icefog could be narrowed down to China, South Korea, or Japan.

Fortunately, Kaspersky found a few command-and-control servers and sinkholed some of them — preventing access to hundreds of users. Additionally, Kaspersky is able to identify and neutralize all variants of Icefog. Despite the work being done against these APTs, Kaspersky says that “In the future, [they] predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of ‘cyber mercenaries’ of the modern world.”


Patient Data Lost in the Cloud

Hospitals are increasingly at risk of data breaches

According to a Ponemon study, nine out of ten hospitals in the U.S. have suffered a data breach or network intrusion over the past two years, exposing their patients’ personal data. In one incident alone, a stolen laptop in Massachusetts exposed the names, Social Security numbers, addresses and diagnoses of more than 100,000 patients. These breaches can not only tarnish the reputation of the hospital, they can also result in heavy fines. Brighton and Sussex University Hospitals was given the largest ever data breach penalty last year, of £325k, after its confidential patient data was sold on eBay. Data breaches are ongoing operational and security risks that could be costing the U.S. healthcare industry an average of $7 billion annually, as stated in the Ponemon findings.

Most of this data loss is due to devices such as laptops and USB sticks being stolen or lost. Data breaches, however, can also be the result of unclear or unenforced security policies for sharing patients’ confidential information. More than 3,000 patients at Oregon Health and Science University had their health information compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data. According to officials, the university doesn’t have a contractual agreement to use the cloud-based ISP, but residents and physicians-in-training were using the service anyway to share patient information: ages, provider names, diagnoses and, in some cases, addresses. Apparently this practice is fairly common. In the Ponemon survey, 91% of hospitals surveyed are using cloud-based services, yet 47% lack confidence in their ability to keep data secure in the cloud.

The use of cloud-based services is often “hidden” from hospital IT managers when health care workers access cloud services from their own personal mobile devices. According to the Ponemon study, 81% of hospitals permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their organizations’ networks or enterprise systems. However, 54% of respondents say they are not confident that these personally owned mobile devices are secure.

Previously focused on maintaining physical access control to patient records with key cards, medical IT managers are now becoming aware that the process of sharing patient data also needs to be protected. The risk will continue to rise now that more and more medical records are digitized, employees are working from home, hotels and Internet cafes, and files are being stored using public cloud services.

If hospitals approach patient information in the same way that banks approach personal data for online banking, many of the risks can be minimized. Maintaining security policies that grant individual authorizations and assign security levels to each patient file, while keeping sensitive data encrypted at all times, can bring control to managing hospital information. If the process of loading documents onto the cloud is policed and authorizations are enforced automatically using proper security systems, highly sensitive data would never be exposed. Likewise, if file sharing policies were enforced, sensitive patient data would be encrypted, resulting in no data loss if devices were stolen.

Many of these secure data sharing practices already exist in the banking and insurance industries and can be easily adapted to the healthcare industry. Now the pressure is on hospitals to make data security part of their everyday business. Even medical professionals are going mobile and using cloud services, but it is important that they keep sensitive data secure, or they risk paying a heavy price.


Top Startup and Tech News Today-7 Things You Missed Today

1. AT&T, Verizon, Sprint Are Paid Cash by NSA For Your Private Communications

The NSA (National Security Agency) pays AT&T, Verizon, and Sprint hundreds of millions of dollars per year for access to 81% of all international calls in the US, according to a leaked inspector general’s report. The secret report states that “NSA maintains relationships with over 100 U.S. companies”, emphasizing that the United States has the “home-field advantage as the primary hub for worldwide communications.”

According to the report, AT&T charges $325 for each activation fee and then a $10 a day additional fee to monitor the account. Verizon charges $775 for the first month and then $500 for the months that follow after. Microsoft, Yahoo, and Google refuse to say how much they charge the government to tap into their emails and information. The Washington Post states that in a separate report, the NSA has been said to pay the telephone companies roughly $300 million annually in order to access communication information.

2. Ailing BlackBerry Agrees To $4.7 Billion Buyout

Blackberry has agreed to a probable $4.7 billion buyout from Ontario-based Fairfax Financial Holdings. Fairfax, which is headed by billionaire Prem Wasta, is already BlackBerry’s largest shareholder with approximately 50% of BlackBerry’s shares. They plan on taking the smartphone maker private. Wasta says that the sale of BlackBerry “will open an exciting new private chapter for BlackBerry, its customers, carriers and employees… We can deliver immediate value to shareholders while we continue the execution of a long-term strategy in a private company.”

Under the proposed deal, $9 would be offered for each outstanding share, and Fairfax would contribute its own shares in this transaction. BlackBerry’s board supports this plan. A firm and solid deal is expected by November 4th.

 

3. Apple Polishes Forecast After Selling 9 Million New iPhones

 

Apple has sold 9 million new iPhones during their first three days in stores. This record breaking sale period has prompted the company to issue a new and, much rosier, financial forecast. Shares in the company closed up 5% at $490.65 on Monday after the company said that revenue during the fiscal fourth quarter would most likely be between $34 and $37 billion. Apple rarely adjusts its outlook mid-quarter, so this change in numbers comes as a surprise.

“The critics have told you Apple lost its magic,” said Daniel Ernst, a Hudson Square Research analyst.  “Customers are telling you something very different. Clearly, people like the product. That sentiment is almost more important than the number.” Sales of the iPhone 5S and 5C nearly doubled that of the iPhone 5’s 5 million numbers during the first weekend. The 9 million sale surpassed the rough number of 6 million that analysts projected.

4. Google Says Widespread Gmail Outages and Delays Should Be Resolved Soon

 

If you’re a user of Gmail, you may have noticed Gmail failing to load and having a very rocky performance. Google says that the delays should be resolved soon. Gmail has been dealing with disruption and outages for users over the past day, with slow load times and delayed receiving of emails as a result. More than 50% of users have been seeing performance issues. Google hopes to resolve the problem soon – until then, simply wait out the problem while they fix the email service.

5. Is the Race for Smartphone Camera Megapixels Over?

 

Smartphones like to brag about the number of megapixels their phone offers. However, things might be changing, as smartphone makes shift their focus on not the number of megapixels, but the size of each pixel. Apple and HTC both launched new smartphones this year with larger pixels, as opposed to more pixels. HTC actually halved its pixel count, saying that having fewer pixels allowed the now larger pixels to capture more light. CK Lu, a principal research analyst for Gartner, says that “It is not a race of the megapixels anymore… Some phone makers are deciding to make bigger pixels instead, which is a tradeoff, but results in better quality pictures in low light.”

However, analysts say that this isn’t the end of the megapixel competition. Dale Gai, an anlalyst for Barclays says that many companies will continue focusing on just megapixels. However, more established companies with higher-end smartphones will continue focusing on megapixel size, as they look for ways to differentiate their camera from the camera of other smartphones.

6. Tough Times Ahead For LG and Sony

Apple’s announcement of selling a record breaking 9 million iPhones during its debut weekend for the 5s and 5s is a nightmare for Asian vendors who are rolling out huge numbers of Android models. This is particularly harsh for the two vendors trying to stage comebacks in 2013 – namely, LG and Sony. The rapid sell-outs of the gold iPhone 5S might mean smaller early production volumes, as many industry sources are currently anticipating. Also, since Apple’s consumer demand is above Wall Street and industry projections, it can be assumed that Apple’s unaccounted for consumer base is one stolen from possible customers for LG and Sony.

Samsung is currently preparing an aggressive marketing campaign for the Galaxy Note, while smaller brands LG, Sony, and HTC are targeting the $600+ smartphone bracket. It will be likely that some of these brands, or all of these brands, will reconsider their marketing and product plan before the year ends.

7. Flipboard Raises $50 Million in New Funding

 

Flipboard, the app startup that lets users read digital copies of magazines, has raised $50 million new funding, putting them at a valuation of $800 million. This marks the company’s third funding round. Flipboard says that their user base has grown 60% to 80 million users, compared to six months ago. Also, there are now 3.5 million magazines on Flipboard.  “It’s definitely early days for us still but the traction this quarter will be 2x or 3x what last quarter was,” said Mike McCue, CEO of Flipboard. “The combination between the traction we’ve seen on the revenue side with these brand advertisements and brand magazines combined with what we did with 2.0 where anyone can build their own magazine—that really got us moving towards doing another round of fundraising.”

McCue says that most of the latest financing will go towards hiring engineers and designers. He expects the staff, currently 90 people, to grow to 200.

The Missing IT Puzzle Piece for BYOD Mobility

Companies want to leverage BYOD to mobilize more of their employees, granting them the freedom to use the device of their choice for work. As a result, Android is increasingly becoming a key part of the enterprise IT landscape, and that makes CISOs nervous. They are now searching for what may be the final puzzle piece in their BYOD strategy: a single security standard for both Apple and Android devices that helps mitigate the growing fragmentation of Android operating system versions.

The introduction of iOS 7 is a huge step forward, but it only solves half of the problem. For enterprise IT, the iPhone and iPad are the new corporate BlackBerry, providing companies with security protection and application freedom that they can rely and standardize on when they choose mobile devices for employees. But BYOD leaves device choice up to the employee, creating a wrinkle in their otherwise cohesive mobility strategy. Industry analysts recently reported that consumers are increasingly choosing Android smartphones, with almost three out of five smartphone buyers opting for an Android smartphone over an iPhone or other device. The iPad continues to dominate the tablet market, but that may also change in the future as Android-powered tablets continue to gain consumer popularity.

The diversity of Android devices appeals to consumer buyers, but is a source of anxiety for IT security experts. OpenSignal, a UK-based mobile company, recently published a survey of almost 700,000 devices and reported approximately 12,000 distinct Android devices running eight different versions of the Google operating system. For many IT organizations charting out their BYOD strategy, this translates into security risks that are tough to monitor and control.

Enterprises need a BYOD solution that uniformly secures iOS and Android devices. Ideally, this approach must provide a security baseline that protects corporate data against leakage and loss in three key ways: (1) it protects access to apps and data using a passcode, (2) it isolates enterprise data by preventing data sharing between personal and enterprise apps, and (3) it lets enterprises wipe corporate data without affecting personal data. The advent of iOS 7 delivers these things for Apple devices but leaves a huge security hole for Android.

Enterprise IT has an array of solutions and tools to try to fill the Android void; in general, these can be broken down into two camps: old world solutions and new world solutions. Old world solutions were designed before BYOD, whereas new world solutions were (and are being) made in the context of a world filled with mobile apps and with the challenges of securing corporate information on personal devices.

Old world approaches leverage mobile device management (MDM) or a security container. MDM was designed to give IT the same control and security that they long enjoyed with BlackBerry. These solutions manage the whole device using native device support. As a result, they have been commoditized by Apple iOS APIs and are prone to Android fragmentation. They also raise users’ privacy concerns since they manage the whole device.

Proprietary container solutions are also old world approaches, but they differ from MDM because they logically section off a portion of the mobile device that is managed and secured by IT. The container vendor provides the apps used within the container—typically email, contacts, calendar and browser. This approach provides strong isolation of enterprise data, but containers are difficult to extend to third-party apps. In addition, users must use the container vendor’s user interface instead of their device’s native user experience.

New world mobility gives app choice back to the enterprise and device choice back to employees. The latest generation of mobile security solutions combines Apple’s iOS 7 app management capabilities with app virtualization technology for Android to create a trusted BYOD workspace that supports any mobile app. The marriage of these two approaches provides a uniform way to protect corporate information against leakage and loss by encrypting all data at rest, controlling data sharing between enterprise apps and connecting directly to the enterprise VPN. IT manages the workspace via policy and can wipe the workspace with its apps and data without affecting the personal data on the device.

Unlike old world methods, IT administrators can select any mobile app for workspace use and assign it via policy, without modification, to tailor workspaces per employee role while providing a true native user experience that preserves the way apps are licensed, distributed and updated. This approach lets enterprise IT fully leverage consumer mobile innovation for business use. Equally important, it eliminates the headaches of Android fragmentation and gives IT the confidence that their BYOD deployment will be secure.