Selecting a Secure Wireless Device and Operating System
Security considerations remain the single biggest limitation to the more aggressive roll-out of mobile devices in many organisations. It is crucial that companies select devices on the basis of their inherent platform security capabilities, in particular the security embedded within the device Operating System (OS).
Deployment of mobile or wireless access within organisations is growing at an accelerating rate. This has been driven by a number of factors, including attractive pricing and faster, less costly and more reliable wireless networks, both in the UK and globally, which are continually being deployed over wider areas. Add to this the now abundant range of business functions and applications and it’s easy to understand the take-up.
However, for the more alert organisation there is uncertainty or an inherent fear of data loss and leakage, specifically for those with regulatory compliance or enhanced security requirements (e.g., financial, insurance, investment, legal, and public sector). Such organisations cannot afford to deploy anything that could compromise the security of their data or records or prevent them from meeting regulatory compliance. Mobile devices are easily misplaced or stolen; this represents a risk that, while real, can be managed with proper planning and foresight. The first and most important decision a company can make in ensuring a safer mobile working environment for both end user and business is to select a device that exhibits high levels of inherent security. As in life, not all devices were created equal; it is imperative that companies evaluate devices based on their intrinsic platform security capability, particularly the security embedded within the device Operating System (OS).
There are a number of important components that make an OS secure and safe for business use. This article will explore the key components necessary in selecting, deploying and managing a mobile operating system (OS) so that enterprise use of the device will not compromise the integrity of the company’s security efforts and put it at risk of costly legal or governmental action. The article will compare these attributes on three operating systems: BlackBerry OS from Research in Motion (RIM), the iPhone OS from Apple and the Windows Mobile OS from Microsoft.
Authentication: users should not be able to work on any device without adequate levels of authentication to prove that they are the owner of the device. Passwords and two-factor authentication are being deployed currently, with biometrics being added in the near future. Any device that can’t force user authentication through enforced IT policies should not be considered a security-ready, business-class device.
BlackBerry OS allows the company IT department, through the use of the BlackBerry Enterprise Server (BES), to set a robust policy making it mandatory that the user logs into the device via a strong password. Furthermore, BlackBerry allows token-based two-factor authentication and secure peripheral devices to be added (e.g., a card reader). The user does not have the ability to change or bypass this policy once it is set by the IT department. The policy is also extremely granular (e.g. by user, group, or entire company), which ensures that different users can have unique policies specifically addressing their needs or job role. The iPhone provides a log-in password that allows locking of the device, and the characteristics of the password can be set by the IT department by deploying a policy to the device. However, it is possible to override this IT policy if the user chooses – which kind of defeats the object. Certain policies can be enforced if using ActiveSync for Exchange connectivity.
All iPhones require connection to a PC running iTunes for initial activation on the network, and the iPhone, when connected with iTunes, will create a complete backup of the device on that PC. The data on the device could therefore be accessible from the PC, which poses a potential security threat. It’s also worth noting that many of the enforced policies require that the company is running Exchange 2003 or 2007 with ActiveSync. Windows Mobile via ActiveSync and Exchange can also enforce password locking in a strong manner, and once it is set users are not able to bypass it. However, full policy setting requires the use of Microsoft System Center Mobile Device Manager (MSCMDM), a product that requires purchase and is not integrated into other Microsoft products.
Reliability: any enterprise-class mobile OS should display the reliability end users expect from a robust business device. This means that the device should never simply decide not to work, or require unexpected re-boots. In a business-spec device, any irregularity with the OS (e.g. crashes, freezing) may cause more than just inconvenience: it will cause lost work, lower productivity and raised support costs, not to mention end user frustration, something that is often overlooked. Any device or OS being considered within an organisation needs to be examined for its ability to withstand the organisation’s working model.
BlackBerry consistently delivers a high level of stability and an almost complete lack of freezing or crashing. As a result, few users report problems with lost work and devices rarely require a re-boot, the upshot being a very limited support cost. Similarly, the iPhone’s OS has had very few unexpected interruptions and works well for most users. Windows Mobile, much like its PC OS counterpart, is well known for OS crashing. Whilst newer versions are improving on this reputation, users still report annoying application crashes and frequent loss of data, with most crashes requiring a device re-boot.
Tamper resistance: it is critical to know immediately if a device’s OS has been hacked or whether attempts have been made to alter the base-level OS. Although malware isn’t prevalent on smartphones, it will be, and many hackers view this as an attractive new sector to attack. The more resistant the OS, the less likely it is that malware can infect the platform; this reduces risk to the device and the spread of infection within the business. Operating systems that allow applications deeply into the core of the OS represent a higher risk than ones that run applications at a higher level.
BlackBerry is extremely difficult to hack. The OS must boot in a known state with a known signature before the device will initiate, which means the OS itself is checked before each boot. All third-party applications run in a Java virtual machine, meaning that hacking into the base OS of the device is extremely difficult, if not impossible. The iPhone OS is difficult to access on the device itself; however, there have been a number of successful attacks against the Safari browser that compromised the device. Applications run in administrator mode, meaning that should the device be compromised by an infection, the infection has almost unlimited access to the whole OS.
There have been recent examples of malware emerging for Macs, and as the iPhone OS has similar core code to the Apple Mac OS X, it is expected that attacks on the iPhone OS will increase. It is fair to say that this OS has some maturing to do before it can be classed as robust and secure. Organisations should also be cautious, as the popularity of the device will undoubtedly make it a bigger target! Windows Mobile has always been hacker-friendly in the past, as many of its core functions are exposed; there are currently a number of third-party applications for anti-virus and malware protection. With increased malware attacks in the PC world, it is likely that the volume and frequency of attacks on Windows Mobile will also increase.
Security vs. usability: pretty much every OS can be totally locked down, preventing any interaction with the OS. However, whilst it is key to maintain security levels, this must be done in an environment that enables maximum usability. Companies considering highly secure devices should test-drive the security in conjunction with the usability of the system, and check whether the end users find the OS easy to use, navigate and customise for personal preference. It’s fair to say that one size does not fit all and the level of security must be balanced against user needs; however, the final choice should always be weighted towards security rather than usability should a trade-off be required.
BlackBerry provides an extensive number of policies, all controlled from the BES, and these can be deployed over the air (OTA). The BES is the central control point for all features and policies and no user can override them, ensuring full IT control. This mode of security is transparent to the end user, as it is fully integrated within the OS and requires no knowledge or intervention on the part of the user. As with the authentication component, it is all very granular, meaning different levels can be applied depending on employee and/or job function. Whilst the iPhone does have some capability for device management and policy setting, the number and type of policies are very limited.
The profiles have to be delivered to the iPhone either via users surfing to a secure webpage or by installing the profile through delivery in an email message. This user intervention places a burden on the user and creates an obvious risk of non-compliance. The iPhone also allows users to reconfigure any device through menu screens, thus overriding IT settings; this is a very insecure way of configuring a device. Windows Mobile devices can be managed through the deployment of MSCMDM, providing many management functions available within Exchange, for example device encryption and device wipe. As MSCMDM isn’t integrated into standard system management tools and possibly requires several standalone servers, it adds cost and support overhead to the solution.
Meeting security validations: many industries require that a device be validated and approved by governmental agencies to ensure it meets security testing and specification before deployment. Whilst many devices ‘claim’ to be compatible with certain security standards, it is absolutely crucial that they have been approved and validated and are not simply compatible. This applies not just to current standards but to the constantly evolving requirements placed on security by industry and government agencies. The key starting point is the OS: no device can meet these strict security guidelines unless the OS is capable of passing the stringent approval process.
The clear leader in this section is BlackBerry, having applied for and attained a wealth of certificates and validations for its devices and operating system, including FIPS 140-2, NATO restricted classification, UK CAPS restricted classification, and Common Criteria EAL 2+ certification. In addition, BlackBerry provides the functionality to select the most common encryption algorithms (e.g. AES, 3DES) to protect data on the device, and provides complete remote device wipe.
Apple have not declared any intention to seek regulatory certification or validation of the iPhone. Furthermore, key features such as remote device wipe require ActiveSync and Exchange 2003/2007 deployment at the company, and Apple also recommends having the device plugged into a mains charger when wiping… No on-board data encryption is available for the iPhone, so it is fair to say that with these handicaps the likelihood of the iPhone achieving any of the security validation requirements in the near future is extremely slim. Windows Mobile 6 devices provide encryption using common standards such as 3DES and AES, and also provide a remote device wipe through ActiveSync when used with MSCMDM and Exchange. Whilst Microsoft is pursuing FIPS validation for its devices, it is yet to be broadly recognised by other validation bodies.
In summary, it is fair to say that wireless mobile devices pose a security challenge for organisations with a highly mobile workforce, but this risk can be carefully managed by selecting an enterprise-class platform with an OS that includes the key features to secure the device and its data. Based on the comparison detailed above, I conclude that the most secure platform for business use is the BlackBerry platform. Windows Mobile continues to improve and has implemented some significant enhancements in its recent version, but it is still not of the calibre of BlackBerry. It may, however, be a viable option for companies able or willing to work with third-party add-ons to avoid its shortcomings. The iPhone has serious difficulties when it comes to business-class security, and at this stage in its evolution I would not recommend the iPhone for any organisation concerned about protecting the security and integrity of its mobile data, and especially not for any organisation that must adhere to strict industry regulation.
Companies should remain alert and ensure they balance user wants and needs for a device with the necessary requirements to protect company confidential information, through the deployment of platforms designed for security and their corresponding technologies behind the firewall. Failure to do so may produce serious problems resulting in fines, regulatory non-compliance, legal challenges and ultimately a loss in revenue.