Co-Founder Sean Ferrel Talks Mobility and Security on ESPN TV's segment "The American Dream"

President and Co-Founder of Managed Solution, Sean Ferrel, shared his mobility and security insights on ESPN TV's segment "The American Dream" on March 1st at 10:30 AM. In the segment, Ferrel discusses how companies can manage mobile devices and keep data secure. The Internet of Things (IoT) is making mobility faster and more widespread. Mobile device management is more important now than ever. With cloud solutions, mobile device management can be simple without compromising any security.



The future of mobile data management

By Will Kelly as written on
Many government agencies have mastered the basics of mobile device management (MDM), but the growing number of increasingly powerful devices is changing the mobile threat landscape and bringing a whole new level of complexity as security concerns shift from apps to data.
GCN spoke with a range of experts about the evolving challenges. The following tools and tactics are worth watching as agencies seek better ways to secure their data:

Data loss prevention

Look for DLP solutions to become location- and destination-aware, said Brian Kenyon, chief strategy officer for cybersecurity firm Blue Coat Systems. “We're starting to realize that data is going to [mobile] devices, so rather than saying we need to prevent it, we need to move to a model [where] is this okay… so we know what data is going, what devices it's going to and if we're comfortable with that or not.”
The federal sector is increasingly interested in extending data loss prevention (DLP) capabilities -- beyond data center and PC controls -- to the mobile world, added Rob Potter, vice president, public sector, Symantec.
Because most agencies need some kind of hybrid cloud environment, he said, they must expect data to become portable from the cloud to an on-premise environment and then to a mobile device. Expecting to secure data through virtualization or having it never leave the data center is a false hope, considering the amount of information sharing that takes place in government and the intra-agency dependencies that go along with that sharing, he said.
Therefore, Potter recommended that government agencies move toward a comprehensive method of DLP, including:
• Know that agency data is going to move
• Put controls around agency data that identify who is trying to access it
• Place protections around the data

Derived credentials: CAC and PIV for a mobile workforce

“The part I think that is starting to become more of a challenge these days is around the access control piece,” said Dan Quintas, solutions engineer, AirWatch. “We know that as of a few months ago, the concept of using a username and password to access resources is essentially off the table for any federal agency. What that means is we're looking at alternative forms of authentication.”
It can be expensive to deploy CAC and PIV readers to a mobile workforce, according to Quintas. Nor are they necessarily the right answer for mobile authentication.
“Where people are starting to look now is around the concept of derived credentials,” in which a soft certificate -- derived from the user’s CAC or PIV certificate -- is installed on a mobile device, Quintas explained.
However, derived credentials and single sign on are independent of one another, Symantec’s Potter stressed. Having a derived credential infrastructure will simplify the sign-on process, but agencies must drive SSO across applications, multiple devices, and inside their infrastructure.
He acknowledged the hesitation among agency IT managers who say, “I'm never getting derived credentials so I have single sign on,” but pointed out that derived credentials are about trusting multiple components in an enterprise environment. Once you achieve that trust, Potter said, SSO becomes much easier for a federal agency.

Common criteria

Citrix's Rajiv Taori, who is vice president for product management in that firm's mobile platforms group, echoed Quintas’s observations about derived credentials and sees Common Criteria security standards as another option for agencies to protect their data on mobile devices. With every agency doing something different for security, he said, standardization is an important next step for improving data security.

Windows 10

Sean Ginevan, MobileIron's senior director for strategy, predicted Windows 10 will change how federal agencies manage their mobile devices. He sees federal customers asking whether to treat Windows 10 devices like desktops, “where the security model is, ‘I'm inside the network, and I join the Windows domain, and I get my security policies and update that way,’ or do I treat them more like mobile devices?”
Ginevan wasn’t the only expert to mention Windows 10's place in the agency toolbox. Chuck Brown, a product manager for FiberLink, an IBM company, said his company is also getting inquiries from some federal customers about the new operating system. Windows apps are in place, and users would require little to no retraining.
Windows 10 could enter the “side door” to mobile device management as agencies change out Windows laptops for Windows 10-based tablets like the Microsoft Surface, according to Brown and others.

Mobile app vetting

Mobilegov President Tom Suder said app vetting will become increasingly important. Mobile app developers don’t necessarily think about how an app’s security affects backend systems, he said, which can open data centers to potential attack. Agencies need to secure and authenticate both the app and the mobile device, he said, to ensure that it’s not doing anything you don’t want it to do.
Adam Salerno, Veris Group's manager for federal programs, agreed, and sees agencies adopting app vetting as another layer of security beyond MDM. He explained that the app vetting process runs mobile apps in a sandbox where security specialists look at the mobile app’s code -- and at the static and dynamic natures of the app.
“We can observe the [app] behavior and notice if contacts or data and other things are being exfiltrated in ways that are not obvious to a user,” Salerno said.

Cloud services

Cloud services are part of the evolving tactics that will take agencies beyond traditional MDM. As more cloud vendors achieve certification through the Federal Risk and Authorization Management Program, Salerno sees more questions for agencies to resolve around VPN access, data flow between the cloud and mobile devices, auditing tools on the cloud service side and the potential requirement for a hybrid cloud with data being synced to a virtual appliance residing behind an agency firewall.
Suder mentioned that mobile backend as a service (MBaaS) could help agencies link their mobile users to legacy backend databases and systems. Because MBaaS provides easy-to-use developer tools including user authentication, he said, it could prove to be an economical option for agencies mobilizing their data.

Containerization (or not)

Agencies' use of secure virtual container technologies beyond MDM seems uneven, based on the interviews conducted for this article. FiberLink’s Brown sees containerization alive and well with agencies making secure containers the next step beyond MDM along with implementing DLP. And Salerno added that agencies can use secure containers, because they apply an additional level of encryption security above and beyond what’s on the device. Containers can work on agency-owned and BYOD devices alike.
Quintas from AirWatch, however, sees containers differently. In his company’s conversations with federal agencies in particular, he said, IT managers report that while the concept of using the email container is a very strong security solution, end users are starting to revolt against it.
“Those mobile IT teams in federal are starting to wrap their arms around [the idea that] maybe the email container's not the answer for everything,” Quintas explained. "Maybe you can achieve security using the native protocols that are there today."
If you’re one of the millions of users of a Samsung Galaxy phone, you might be a potential target for a malicious hacker.
A report released on 6/17/15 by NowSecure, a security firm located in Chicago, found that a glitch in Swift, the keyboard software used by default on all Samsung Galaxy devices, could allow a remote attacker to compromise your phone.
This particular bug makes the phone vulnerable to what is known as a “man in the middle” attack. The Swift software consistently sends requests to a server, checking for updates. To someone with the right knowhow, though, it’s possible to impersonate Swift’s server and send through software that can be used to gain control of the device.
The main problem with this vulnerability is that there’s no real solution. The Swift keyboard is so integrated into Samsung’s software that it cannot be removed or disabled — even if it is switched out with a different keyboard app. Steering clear of unsecured Wi-Fi networks will make you less likely to be targeted, but it won’t render you invulnerable.
Swift runs with elevated permissions, giving it pretty much free rein around the phone. This means that a hacker that worms his way into it can also access the Galaxy’s microphone and camera, track the user’s location or listen to their calls. They can even install apps.
NowSecure claims to have made Samsung and Google’s Android team aware of this vulnerability in late 2014, and Samsung reportedly has made a patch available to network providers. It’s not clear, though, whether providers have pushed out the patch to users yet. Many networks have a record of being notoriously slow to push through updates and security patches, and NowSecure’s tests found a number of Galaxy phones on different carriers were still vulnerable as of Tuesday.
If you’re of a more technical bent, you may be interested in seeing the details of NowSecure’s report on their blog. If you’re of a less technical bent, you might want to check with your carrier and try to avoid insecure Wi-Fi networks.
Article by: Andrew Lumby, MSN
