Mobile Device Management: Taking Containerization to the Next Level
151002_oml_v1p | Public | © Omlis Limited 2015


Contents

Introduction
How EMM has Evolved
The Basic Workings of MDM
Conventional MDM Security Methods and the Direction of Change
Enhanced Smartphone Capability: Flaws and Possibilities
How Omlis can Help
What’s Next for MDM?
References
Contributors


Introduction

After VMware’s $1.54bn buyout of AirWatch in 2014, it became clear that augmenting traditional MDM (Mobile Device Management) with developments like MAM (Mobile Application Management) would be one of the trends of 2015, and that containerization strategies would represent one of the year’s fastest-growing markets. As the market matures, traditional enterprise mobility vendors will seek to cooperate with the most innovative ‘mobile first’ security companies such as Omlis.

In the period up to 2005, EMM (Enterprise Mobility Management) was fairly simple: the network perimeter was a fortress with few points of access and a majority of locked-down fixed terminals, which limited the client/server relationship as far as mobile was concerned.

In the last ten years the mobile revolution has transformed EMM to incorporate the various software-defined modules of MDM. Company resources are accessed by an army of mobile devices with the capacity to store and access huge amounts of valuable data. These powerful smartphones sit at a crumbling network perimeter, each one a potential vehicle for reaching vast internal silos of corporate data once a phone or an MDM server is compromised.

The complexity of the current mobile ecosystem and the phenomenon known as BYOD (Bring Your Own Device) have threatened the very existence of MDM in favor of specific containerized solutions, but it has become clear that MDM can adapt and survive on new terms.

Modern MDM solutions need to combine secure authentication, threat detection and encryption at both device and application level. In response to these demands a plethora of companies ready to enhance the MDM product offering have emerged, but few can guarantee the kinds of assurances which the Omlis core technology can naturally provide.


How EMM has Evolved

Device management, whereby a company attempts to control the entire OS (Operating System), has been learning to coexist with more focused software application management over the last couple of years, which has encouraged the effective partitioning of a mobile device’s OS. This increasing influence of software and enterprise apps has placed complicated new demands on security architecture.

In response, the lines between classic EMM and more modern conceptions of MDM have now fully blurred, and the classic Web Application Firewall is no longer a comprehensive countermeasure to fraud.

MDM’s functional boundaries are also expanding to incorporate the likes of MAM, MCM (Mobile Content Management) and Mobile App Development Platforms. In all of these subsectors, security remains the true value-added service and differentiator. Consequently, MDM requires increasing input from specialist mobile security innovators such as Omlis, an input which has been sorely missing in previous implementations of MDM.

The aforementioned offshoots and expanding dimensions of modern MDM reflect the increasing influence of the mobile platform and ‘mobile first’ business strategies. Each variation of MDM offers different levels of control over the mobile device and its content, and each exhibits different authentication methods, whether secure mutual authentication between client and server or multi-factor authentication involving the latest biometric and heuristic technologies.

Despite all of these developments, technology research company ESG stated last year that only 48% of enterprises had an actual MDM strategy,1 and it is clear that, despite growing awareness, the market is still young and in many ways naïve to the growing security issues surrounding MDM.

[Figure: a mobile device (operating system, container, Omlis layer) communicating with the server across an untrusted network]


The Basic Workings of MDM

Broadly speaking, a typical MDM scheme requires server and client components, with the client receiving management commands from a centrally located MDM server; both represent targets for attackers. If an MDM scheme is inadequate, an enterprise can rightfully assume that it is strategically wiser to risk the loss of an individual device than to expose the company to a compromised MDM server. This is the equation which MDM security needs to balance.

Sometimes the client and server components are supplied by different vendors, and sometimes by the same vendor. Whilst each system should be judged on its merits, when it comes to mutual authentication the latter approach, if used correctly, can offer a certain synergy in terms of efficiency and security.

The renowned BES (BlackBerry Enterprise Server) is the most prominent example of a server/client partnership, and until last year BES was restricted solely to communications with BlackBerry phones. BlackBerry’s recent acquisition of Good Technology for $425m reinforced the fact that the company is seeking further device interoperability.

NIST SP 800-124 (Section 3.1) recognizes the advantages of some form of client/server unity, stating that “a product provided by a mobile device manufacturer may have more robust support for the mobile devices than third party products.”2

In reality, a combined package with client/server libraries installed on either side may be easier for staff and administrators to self-manage, but the security advantages are less apparent unless unique protocols are being used to communicate.

Omlis recognize that the principal transaction between client and server is the basis of any authentication mechanism, and due to Omlis’ architectural potential and unique key exchange principles, we can revolutionize how a client verifies the identity of the MDM server.


Conventional MDM Security Methods and the Direction of Change

Login and authentication are vital to a successful MDM policy, so credential caching and passing sensitive information over the wire are no longer acceptable under the tightest security measures. Caching passwords in the manner of HTTP Basic authentication may be good for user convenience, as there are no repeated login prompts, but the method is very light in terms of security: the client resends the same static credential with every request and the server holds no session that could be terminated, so a logout cannot be instigated by the user.

The same applies to the highly popular form-based authentication methods. As we separate hybrid and native apps from the mobile device platform to greater and greater degrees, we need to find ways of protecting data both at rest and in transit.

As a consequence of the app revolution, per-app VPNs (Virtual Private Networks) have become popular, along with some highly nuanced containerization strategies. These containerized solutions and VPNs can provide a secure tunnel through which the user accesses a single app, rather than a fully virtualized mobile desktop. Containerization strategies can include sandboxing or simple app wrapping in order to ring-fence corporate assets on employees’ phones, authenticating to the MDM server on less demanding terms. App wrapping is a process whereby a dynamic library is injected into the app’s existing binary, without access to its source code, to add new security capabilities such as authentication, encryption or VPN.3

In a recent Gartner survey 45% of respondents said that “application modernization of installed on-premises core enterprise applications” was a priority, and app wrapping will represent a key part of this modernization. App wrapping is popular due to its simplicity. It represents a market which ABI Research predicts will grow at a rate of 28% through 2018, quicker than more complicated containerization strategies, which will see a significant but less impressive 23% growth rate.4

Enterprises need to take advantage of the latest methods of authentication, secure containerization and ultimately multi-factor authentication to make the MDM proposition worthwhile. At the same time, containerization needs to extend its abilities beyond simple partitioning, combining the latest methods of virtualization, cloud and key generation. To achieve this goal, traditional MDM vendors need to enlist the abilities of companies like Omlis which have harnessed the unique capabilities of the smartphone to develop groundbreaking authentication and encryption techniques.


Enhanced Smartphone Capability: Flaws and Possibilities

Over the last couple of years the smartphone has assumed center stage in enterprise multi-factor authentication, sharing the burden with traditional hard tokens such as key fobs which generate one-time passcodes. So as well as being a workspace in its own right, the smartphone’s ubiquity and wide-ranging biometric capabilities have led to an explosion in the soft token market, with the phone acting as an ancillary credential for secure login to a laptop or PC. For the sake of MDM, we will continue to view the smartphone as the primary workspace rather than as a means of accessing a separate device.

Whilst it offers strong opportunities in the field of advanced authentication, the increased connectivity which the smartphone provides opens up a huge array of attack surfaces. After all, security methodologies are only as secure as the platform they run on, and the vulnerabilities of the modern smartphone are well documented. The phone’s OS will always be an access point for criminals looking to breach a weak MDM scheme; once the OS is compromised, keylogging and screenshot theft are perfectly achievable.

Furthermore, simple implementations of MDM mean that the phone acts as a carrier for unencrypted login tokens, which are often static in that they have no expiry date. This leaves the phone exposed as a potential access point if it is lost or stolen. With that said, malicious hacking is more of a concern to enterprises than theft or device loss, so the ability of MDM vendors to protect against hacks is paramount.
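The two weaknesses described so far, a cached HTTP Basic credential that the user cannot really log out of, and a login token that never expires, share a root cause: nothing is issued that the server can later invalidate. The following example, written for this page and not Omlis code or code from the paper, contrasts that with server-issued tokens that expire and can be revoked. The user store, salt and clock are constructed for the demo; standard library only.

```python
"""Cached Basic credentials versus short-lived, revocable session tokens.

Added example (not Omlis software, not taken from the paper). The user store,
salt and clock are constructed for the demo; standard library only.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed demo user store: username -> salted SHA-256 of the password.
# (A real deployment would use a slow password hash such as scrypt or Argon2.)
_SALT = b"constructed-demo-salt"
USERS: Dict[str, str] = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def check_basic(header: str) -> Optional[str]:
    """Verify an 'Authorization: Basic <base64(user:password)>' header.

    Returns the username on success, None otherwise. The same static credential
    is verified on every request: nothing is issued that the server could later
    revoke, so 'logout' is purely the client forgetting the header.
    """
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return user if hmac.compare_digest(expected, got) else None


class TokenServer:
    """Issues opaque random tokens that expire and can be revoked server-side."""

    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._live: Dict[str, tuple] = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a dump of server memory must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, basic_header: str) -> Optional[str]:
        """Exchange the password credential once for a bearer token."""
        user = check_basic(basic_header)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self._live[self._key(token)] = (user, self.clock() + self.ttl)
        return token

    def authenticate(self, token: Optional[str]) -> Optional[str]:
        if not token:
            return None
        entry = self._live.get(self._key(token))
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._live[self._key(token)]  # expired tokens are dropped on sight
            return None
        return user

    def logout(self, token: str) -> None:
        """User-instigated logout: the token is dead from this moment, everywhere."""
        self._live.pop(self._key(token), None)


def demo() -> Dict[str, Optional[str]]:
    """Walk both schemes through login, logout and expiry on a fake clock."""
    now = [1000.0]
    srv = TokenServer(ttl_seconds=300, clock=lambda: now[0])
    basic = "Basic " + base64.b64encode(b"alice:correct horse").decode()
    out: Dict[str, Optional[str]] = {}
    out["basic_ok"] = check_basic(basic)                 # 'alice'
    token = srv.login(basic)
    out["token_ok"] = srv.authenticate(token)            # 'alice'
    srv.logout(token)
    out["token_after_logout"] = srv.authenticate(token)  # None: revoked
    out["basic_after_logout"] = check_basic(basic)       # 'alice': nothing to revoke
    token = srv.login(basic)
    now[0] += 301                                        # past the TTL
    out["token_after_expiry"] = srv.authenticate(token)  # None: expired
    return out
```

The point of `demo()` is the fourth line of its output: after a logout the Basic header still authenticates, because there was never anything server-side to terminate, while the token path gives the server both an expiry it enforces and a revocation it can perform on demand. A lost or stolen phone carrying a token is therefore exposed only until the token expires or an administrator revokes it.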

The secure container has been developed and implemented in MDM, pioneered by companies such as MobileIron. Containerization is a positive move, but more often than not the container is only as secure as the OS it resides on.

This was highlighted by the vulnerability in Apple’s sandboxing mechanism for third-party apps. Until its discovery by Appthority, the vulnerability known as Quicksand exposed the configuration settings of managed applications, meaning that a malicious application could read critical information such as passwords and tokens associated with the MDM deployment.5 Despite the vulnerability having been patched, the fact remains that, at the time of writing, 70% of iPhones run older operating systems.

Android fares little better. Aside from the PKI (Public Key Infrastructure) and administrative complications of a fragmented platform, Android malware has been produced which evades the root detectors used by MDM, reads logs to detect when the user has opened an email, and then sends the information to a third-party account.

Not only are mobile devices themselves susceptible to attack; the open networks through which they communicate offer endless opportunities to those looking to perform MitM (Man-in-the-Middle) attacks. The enterprise mobile is predestined for heavy Wi-Fi usage on the train to work or in various commercial amenities, leaving the door wide open for criminals to intercept data.


How Omlis can Help

Whereas other MDM providers offer a product or container which is only as secure as the platform it is built on and the network it uses, Omlis’ dependence on both is drastically reduced by the way we exchange keys, by mutual authentication, by encryption of data at rest and in transit, and by advanced malware protection based on a high-integrity approach and run-time checks.

“Mobile environments are extremely heterogeneous, therefore enterprise IT managers must ensure their devices consistently protect data at rest and during transit. Omlis’ high integrity approach ensures that any sensitive data is fully protected in those unsecure environments thereby taking containerization to a new level. This is accomplished by implementing a much more secure protocol to manage and exchange keys, while conducting multifactor and mutual authentication for every single transaction.”

Nirmal Misra, Senior Technical Manager at Omlis

The security of the Wi-Fi network is also less critical because of our key exchange protocols. Unique keys are generated at the point of transaction and, due to the design of our distributed architecture, the actual keys are never sent over the network and are never stored on the client or server side; so even if a MitM attack takes place, the attacker will fail to retrieve any meaningful information. Generating keys at both ends of the communications channel means that Omlis never transmit sensitive data in plaintext, and information related to transaction keys can be erased from memory as soon as it becomes redundant.
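The properties claimed above (a fresh key per transaction, computed at both ends and never transmitted, discarded once used) and the mutual client/server authentication referred to in the earlier sections are the properties of an authenticated ephemeral key agreement. The example below is written for this page to illustrate that class of protocol; it is not Omlis code and says nothing about Omlis’ actual protocol. It uses ephemeral Diffie-Hellman over the RFC 3526 group 14 parameters, and, as an assumption made for the demo, a long-term pre-shared secret to authenticate both ends (a real deployment would more likely use certificates or device-bound keys). The PSK and transaction ids are constructed values; standard library only.

```python
"""Per-transaction keys that never cross the wire, with mutual authentication.

Added example (not Omlis code, not their protocol): ephemeral Diffie-Hellman
where client and server each compute the transaction key locally, so only
public values transit and a passive Man-in-the-Middle captures nothing that
yields the key. Mutual authentication comes from MACing the transcript with a
long-term pre-shared secret (an assumption for this demo). Standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# RFC 3526 group 14 (2048-bit MODP) prime, generator 2, copied from the RFC.
# Verify the constant against the RFC text before using it anywhere real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G (P is a safe prime)


def _kdf(shared: int, transcript: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) over the DH secret, bound to the exact transcript."""
    prk = hmac.new(b"", shared.to_bytes(256, "big"), hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + transcript + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _auth_tag(psk: bytes, role: bytes, transcript: bytes) -> bytes:
    """Proof of the long-term secret over this transcript; the role prevents reflection."""
    return hmac.new(psk, role + transcript, hashlib.sha256).digest()


def _enc(n: int) -> bytes:
    return n.to_bytes(256, "big")


class Party:
    """One end of the exchange; the ephemeral exponent lives only until the key is derived."""

    def __init__(self) -> None:
        self._x = secrets.randbelow(Q - 1) + 1  # private exponent, never leaves this object
        self.public = pow(G, self._x, P)        # the only value this side puts on the wire

    def derive(self, peer_public: int, transcript: bytes) -> bytes:
        # Reject degenerate and small-subgroup values before touching the secret.
        if not 2 <= peer_public <= P - 2 or pow(peer_public, Q, P) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        shared = pow(peer_public, self._x, P)
        self._x = 0                             # ephemeral secret discarded immediately
        return _kdf(shared, transcript)


def run_transaction(psk: bytes, tx_id: bytes, attacker: Optional[Party] = None) -> Dict[str, object]:
    """One client/server transaction.

    Returns both derived keys, whether each side authenticated the other, and
    `wire`: every byte a network observer could capture. If `attacker` is given
    it swaps its own public value in for the client's (an active MitM without
    the PSK). A real client would abort at the first failed check; this demo
    carries on so the effect on both sides can be inspected.
    """
    client, server = Party(), Party()
    wire: List[bytes] = []

    # 1. client -> server: transaction id and the client's public value
    client_pub_seen = attacker.public if attacker else client.public
    wire.append(tx_id + _enc(client_pub_seen))

    # 2. server: derive the key and tag the transcript *it* saw
    t_server = tx_id + _enc(client_pub_seen) + _enc(server.public)
    server_key = server.derive(client_pub_seen, t_server)
    server_tag = _auth_tag(psk, b"server", t_server)
    wire.append(_enc(server.public) + server_tag)

    # 3. client: check the server's tag against the transcript *it* knows, then derive
    t_client = tx_id + _enc(client.public) + _enc(server.public)
    server_ok = hmac.compare_digest(server_tag, _auth_tag(psk, b"server", t_client))
    client_key = client.derive(server.public, t_client)
    client_tag = _auth_tag(psk, b"client", t_client)
    wire.append(client_tag)

    # 4. server: check the client's tag; any substitution on the wire breaks both checks
    client_ok = hmac.compare_digest(client_tag, _auth_tag(psk, b"client", t_server))
    return {"client_key": client_key, "server_key": server_key,
            "server_authenticated": server_ok, "client_authenticated": client_ok,
            "wire": wire}
```

Two things are worth checking on the returned dictionary: the derived key appears nowhere in `wire`, which is all a passive eavesdropper on the café Wi-Fi gets, and a second run with the same transaction id yields a different key, because both exponents are fresh each time. With an `attacker` substituting a public value, the two sides compute different keys and both authentication checks fail, since the attacker cannot produce tags without the long-term secret.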

Unlike other secure container MDM solutions, Omlis’ high-integrity development protects against side-channel attacks; SQL injection is blocked by compile-time and run-time checks, and keylogging is pointless because the input we collect from the keypad is only used for local encryption.
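To make the SQL injection point concrete, the following example, written for this page and not Omlis code, shows the injection class in an MDM token lookup: the vulnerable query beside its parameterized replacement, plus a blunt run-time guard that refuses SQL text carrying quoted literals. It illustrates the vulnerability and the standard fix, not Omlis’ own compile-time or run-time mechanism. The sessions table and token values are constructed; standard library only.

```python
"""SQL injection in an MDM token lookup: the vulnerable form beside the fixed one.

Added example (not Omlis code). The sessions table, token and attacker input
are constructed for the demo; standard library only (sqlite3).
"""
import sqlite3
from typing import Optional


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table of MDM sessions: one enrolled device."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT, device_id TEXT)")
    db.execute("INSERT INTO sessions VALUES ('tok-8f3a9c', 'alice', 'device-001')")
    return db


def lookup_vulnerable(db: sqlite3.Connection, token: str) -> Optional[str]:
    """The 'before': the token is spliced into the SQL text, so its characters become SQL."""
    row = db.execute(f"SELECT username FROM sessions WHERE token = '{token}'").fetchone()
    return row[0] if row else None


def lookup_parameterized(db: sqlite3.Connection, token: str) -> Optional[str]:
    """The 'after': the token travels as a bound parameter and is never parsed as SQL."""
    row = db.execute("SELECT username FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def guarded_execute(db: sqlite3.Connection, sql: str, params: tuple = ()) -> sqlite3.Cursor:
    """A blunt run-time guard: refuse SQL text that carries quoted literals, so values
    can only arrive through parameters. Crude, but it turns the vulnerable pattern
    above into an immediate error instead of a silent authentication bypass."""
    if "'" in sql or '"' in sql:
        raise ValueError("quoted literal in SQL text; pass values as parameters")
    return db.execute(sql, params)


# Constructed attacker input: closes the quote and appends an always-true clause.
INJECTED = "x' OR '1'='1"


def demo() -> dict:
    db = make_demo_db()
    try:
        guarded_execute(db, f"SELECT username FROM sessions WHERE token = '{INJECTED}'")
        guard_rejects = False
    except ValueError:
        guard_rejects = True
    guarded_row = guarded_execute(
        db, "SELECT username FROM sessions WHERE token = ?", ("tok-8f3a9c",)).fetchone()
    return {
        "valid_vuln": lookup_vulnerable(db, "tok-8f3a9c"),        # 'alice'
        "valid_param": lookup_parameterized(db, "tok-8f3a9c"),    # 'alice'
        "injected_vuln": lookup_vulnerable(db, INJECTED),         # 'alice' with no valid token
        "injected_param": lookup_parameterized(db, INJECTED),     # None
        "guard_rejects_literal": guard_rejects,                   # True
        "guard_allows_param": guarded_row[0] if guarded_row else None,  # 'alice'
    }
```

The vulnerable lookup hands an attacker who holds no token at all a valid session, because the `OR '1'='1'` clause matches every row; the parameterized version compares the whole string, injection and all, against the token column and finds nothing.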

In line with the market for MDM moving towards software-based definitions, Omlis can also offer lightweight SaaS (Software as a Service) options via the cloud, or as part of an in-house setup.

What’s Next for MDM?

Ovum predict that the value of EMM software will grow from $2.7bn in 2014 to just under $10bn in 2019.6 We will see particular growth in industry collaborations where traditional MDM vendors try to beef up their offerings by forming alliances with niche specialists; AirWatch’s collaboration with Pradeo is a prime example of the synergies which MDM can leverage from the mobile sector.

MAM will inevitably gather influence over MDM in the coming months. As well as general adoption of the latest network detection methods, there is also plenty of room for strong authentication services and advanced encryption techniques.

This layered approach to security requires mobile specialists such as Omlis to fill the gaps where more conventional secure container solutions have failed. Omlis’ core technology exhibits the rare ability to combine layered security and enhanced authentication with a streamlined user experience. Containerization needs to move to the next level, and companies such as Omlis can provide the technology to empower this transition.


References

1. http://www.esg-global.com/blogs/mobile-device-management-mdm-deployment-remains-elementary-and-immature/
2. NIST SP 800-124: http://csrc.nist.gov/publications/PubsSPs.html
3. https://www.apperian.com/mam-blog/app-wrapping-is-a-form-of-containerization/
4. https://www.abiresearch.com/press/app-wrapping-and-container-technologies-to-drive-m/
5. http://www.securityweek.com/attackers-can-exploit-ios-flaw-target-companies-using-mdm
6. http://www.ovum.com/press_releases/ovum-sees-enterprise-mobility-management-software-market-nearly-quadrupling-in-four-years/

Contributors

The following individuals contributed to this report:

Stéphane Roule, Senior Technical Manager
Nirmal Misra, Senior Technical Manager
Paul Holland, Analyst
Jack Stuart, Assistant Analyst


Omlis
Third Floor, Tyne House
Newcastle upon Tyne, United Kingdom
NE1 3JD
+44 (0) 845 838 [email protected]

© Omlis Limited 2015