Cybersecurity is a subject high on the agenda for every corporate organisation. Large corporations such as eBay, DropBox and Sony Pictures have all recently had their vulnerabilities exposed by cunning hackers, leaving companies of all sizes fearing that they too could fall victim to cybercriminals.
Nearly one million new malware threats were released online every day in 2014. In an era where even the most sensitive corporate data is often stored in mobile apps or online, it is vital for companies to take the appropriate steps to protect their digital assets. Failure to do so could lead to the extortion or theft of private data causing disruption to not just the company in question but also for its employees and customers.
An increase in mobility has had a profound effect; the advent of smartphones and tablets has guided us into an ‘always on’ society, and the number of access points sending and receiving data is constantly increasing. In our personal lives, this has given us the added convenience of being able to shop, browse, download and share from almost anywhere at any given time of day. For enterprises it has opened the doors to more flexible working, and the possibility for employees to access corporate data and networks when working remotely – in some cases from their own devices. Ask any IT manager what their biggest security headache is today and it’s a safe bet that managing and securing data accessed remotely will feature highly on the list.
Last year, research by Intercede revealed that almost a quarter of UK workers are completely unaware of their corporate mobile access policies, yet over 40 per cent of them can access data on mobile devices without obtaining prior consent. Despite recent high profile hacks, a large number of employees continue to be able to put their company’s corporate data at risk. CIOs are in a difficult position where they must either implement a robust mobile strategy or face the consequences. Turning a blind eye to the issue is not option.
Mobile App security
Gartner estimates that by the end of 2015, 75 per cent of mobile applications will fail basic security tests. It further predicts that by 2017, 75 per cent of mobile security breaches will be as a direct result of app misconfiguration. For enterprises allowing mobile working, especially where BYOD (Bring Your Own Device) is an option, this could mean malware embedded within an infected app could export sensitive data or potentially infect corporate networks directly from an employee’s mobile device.
Why is this figure so high? While Apple has an established process for reviewing apps submitted to the iOS App Store, the Android platform is more open in its nature. This is a great productivity advantage for genuine app developers, but it also means that hackers posing as genuine app developers have an opportunity to release malware to the Android community. According to Strategy Analytics, the Android operating system is now present on 84 per cent of global smartphone shipments. Given this, it’s no surprise that Apple lost a small share of the enterprise market to Android last year. Improved security on the Android platform could provide Android with the boost it needs to become the platform of preference for the enterprise market too.
Implementing stronger methods of authentication to verify the identity of workers accessing corporate networks and systems, could allow enterprises to immediately increase their cybersecurity levels, be it for an iOS device or Android. Two factor authentication, a method which combines a physical token (‘something you have’) with a locally validated PIN (‘something you know’) or fingerprint (‘something you are’), is an established solution to this problem. This level of authentication is the same type of technology that has proved so successful with chip and PIN credit cards. Using an external token such as a smart card with a phone is highly inconvenient though and has not generally been well received. Instead, using secure cryptographic key stores on the phone itself is widely regarded as the most practical way to improve security without compromising ease of use.
Further protection of corporate resources can be achieved through the use of data isolation within the mobile device. This can be achieved through the use of enterprise ‘silos’ using either native enterprise app signing keychain separation, or one of the many enterprise mobile management products currently available. For example, using a specific web browser to access client-authenticated corporate resources, any browsing history, cookies and cached files are segregated from the native browser that may be used for personal web access.
The Trusted Execution Environment
Considering the Android platform specifically, robust security facilities already exist but are greatly under used. The ARM Trustzone is present in almost every Android device as part of the chipset design. An increasing number of handset vendors are now adding the software and tools necessary for app developers to take advantage of this secondary secure operating system.
As its name implies, the Trusted Execution Environment (TEE) offers a secure operating environment for apps dealing with sensitive data and critical user interactions. Based on Global Platform specifications, the TEE provides key storage and protected memory for cryptographic operations. To take advantage of these features however, app developers need to split out critical elements of their apps into ‘Trusted Applications’ (TAs) and then enable the secure installation and running of these TAs within the TEE on each user’s device.
The TEE makes a number of ‘slots’ available to trusted applications. These are secured by master keys that are installed during the device manufacturing process. Each TA then needs to negotiate permissions for an operating slot from the master keyholder. This process is achieved through the use of a Trusted Application Manager such as Intercede’s MyTAM cloud service.
Through hardware protected isolation, the TEE acts as a ‘bank vault’ for trusted applications, keeping their contents and activities separate from the main Android OS. Any app deployed into the TEE remains locked away in a ‘safety deposit box’ and is protected further by software and cryptographic isolation. The trusted user interface available from the TEE adds further security by ensuring that the keyboard and screen are completely locked out from other apps when performing sensitive data input or display. This ensures the apps – and any transaction or activity associated with them – are kept safe from whatever else may be present on the handset. For organisations looking to enhance their mobile or BYOD policy, the TEE offers a means to protect corporate data from hackers eavesdropping via other apps on the device.
If we have learned anything from the multitude of high profile cyberattacks last year, it is that even the largest corporations and governments aren’t safe from hackers. While there is no one-size-fits-all solution for enterprise security, small, simple steps such as implementing strong authentication and utilising the TEE to augment enterprise apps will immediately strengthen a company’s security.
Technology has evolved at a startling rate, but so too have the approaches being adopted by hackers. The biggest vulnerability is not the technology, but the user of the technology. If an employee downloads a malicious app to their device, that’s out of the employer’s control.
What the employer can control, however, is securing the apps used to access corporate data by utilising the TEE, discrete apps and siloed data to minimise the ability of such malware to compromise the enterprise.
Chris Edwards is CTO of Intercede.