“ILTA’s 2015 Technology Survey Published: Security is King, Queen and Pawn” – Jobst Elster, InsideLegal
Security is on the minds and the agendas of Legal IT teams. It’s no wonder: the legal profession is no different from the rest of the business world. Experian, Trump Hotels, Ashley Madison and the FBI are just a few of the organizations to suffer major data breaches in 2015.
Iikura-san in Japan kindly translates all of our Mobile Helix press releases to Japanese and posts them to his site. Take a look.
Or, read our press release on our new LINK Second-Factor Authentication in English.
[Japanese headline, translated: The LINK Mobile app lets lawyers handle legal workflows easily and securely from smartphones and tablets.] January 14, 2016
Mobility in the enterprise has taken off and it’s headed in only one direction. I’ve read the hand-wringing in the press about the lagging adoption of enterprise mobility. I suppose that it makes for provocative headlines. But that’s not what we are experiencing in our business as an enterprise mobility solutions provider. We see professional services organizations moving forward with requirements, timelines, and budget.
They can’t wait any longer. The business demands it.
Beyond Email, At Last
For years the concern has been that enterprise mobility had not moved beyond Email, Contacts, and Calendar. Fortunately, a couple of leading enterprise software companies have shared their real-world data and colorful charts. Let’s take a look at the data.
Good Technology’s “Mobility Index Report” for Q2 2015 shows that their typical customer has deployed 3.43 apps in addition to Email.
The theory goes something like this. Mobile apps are the unregulated Wild West. Users are unable to make informed choices about which apps are “safe” and “appropriate” for work and therefore cannot be trusted. IT must assume the worst and create a “blacklist”[1] of risky applications that cannot be downloaded to any personal mobile device “approved” for work. This ensures the enterprise remains safe and free from infection while allowing employees to work using personal mobile devices. IT can sleep easier at night, employees are happy. Well, not really…
Apple’s App Store had 1.3 million applications available for download in September 2014[2], up from 1 million in October 2013, and the number keeps growing. Then there is the Google Play store, the Windows store and others. How in practice can the IT team of an average company stay current with this vast app offering, blessing the good and weeding out the bad apples? It cannot. As fast as IT blacklists, enticing new apps appear. IT has no choice but to blacklist indiscriminately, preventing employees from using many powerful and completely benign mobile apps to do their jobs. An exercise in futility indeed. So, is app blacklisting worth the considerable effort required to implement and enforce it?
Not only is app blacklisting an exercise in futility, it is also directly contrary to the compelling reasons to embrace enterprise mobility in the first place. Recent research from Citrix[3] shows that two of the five most commonly blacklisted mobile apps are Dropbox (for file access and sharing) and personal email. Does blacklisting Dropbox and personal email access help or hinder the enterprise?
Employees need access to their enterprise files to work. Accessing personal email on a personal mobile device is a critical need. Why are users downloading Dropbox and personal email to their personal mobile devices? Is it so they can maliciously infect enterprise networks and threaten sensitive corporate data or is it so they can work more and be more productive in their personal time while outside the office? The answer is pretty obvious.
The majority of employees are motivated by good. They want to work as productively and effectively as possible. They want to use their down-time efficiently and get work done. This is why they are willing to use personal mobile devices that they purchase and pay for themselves to do so.
Blacklisting is a brute force approach that provides a false sense of security for IT. Blacklisting penalizes the most committed and valuable workers, punishing them for wanting to be more productive using their own personal mobile device. Something is very wrong here.
We have written previously about the “Legal Mobility Disconnect”. App blacklisting contributes to this significant productivity gap. The answer is for IT to lead and provide users with the mobile tools they need to do their jobs and get work done, starting with file access and email. These IT-provided solutions must be intuitive and easy to use, secure, and readily available without imposing unreasonable restrictions on personal mobile device use outside of work.
If this post resonates, please explore Link by Mobile Helix and see if it offers you an alternative and more practical path to sustained, secure enterprise productivity. For those who remain unconvinced and plan to continue blacklisting, then you may want to read about Sisyphus[4], who was engaged in a similar exercise in futility thousands of years ago – in his case for eternity.
We would love to hear what you think so please let us know.
Notes and Links:
Apple has long held the reputation as the most trusted device vendor in the new BYOX World. iPhones and iPads are the devices that corporate executives demand most, and, fortunately, they are also the devices that corporate IT is most likely to trust. Generally that trust relies on Apple’s approach to the app store – a supposed “walled garden” that keeps the malware out, and allows only well-written and productive apps in. Although the actual merit of that trust is open to debate, trust in Apple has endured.
On Friday, Apple released iOS 7.0.6 and iOS 6.1.6 without much fanfare, advising users to install them to “fix an issue with SSL verification” (the issue is tracked as CVE-2014-1266). So far the patch has been issued for iOS but not for OS X, which is also affected. Read the details and it is clear that this is a serious vulnerability that merits a serious response. Should it be a wake-up call to IT to rethink that trusted view of Apple?
How significant is the problem? Should users be concerned?
The short answer is, very significant, and yes users should be very concerned.
The problem lies in Apple’s implementation of a critical piece of the SSL/TLS protocol (Secure Sockets Layer, or its successor, Transport Layer Security), the foundation of Internet security that allows sensitive information to be exchanged securely over public networks. Apple’s software was not properly verifying that the server on the other end of a connection is who its certificate says it is. This leaves iPhone, iPad and Mac users open to a serious man-in-the-middle (MITM) attack.
The flaw is a very simple coding mistake in Apple’s Secure Transport library. In the function SSLVerifySignedServerKeyExchange, which checks the server’s signature over the ephemeral key parameters carried in the TLS ServerKeyExchange message, a duplicated, unconditional “goto fail;” line jumps past the signature check while the error variable still holds its “success” value, so any signature, valid or not, is accepted. Strictly speaking, then, what is skipped is the proof that the server holds the private key matching its certificate, not the checking of the certificate chain itself, and only connections that use this message (the DHE and ECDHE cipher suites that most servers offer) are affected; the practical effect is the same, because an attacker can replay a genuine site’s public certificate and supply key parameters of his own. It appears that this flaw has existed since iOS 6, and it was still present in the latest beta of iOS 7.1. Certificate verification implements one of SSL’s most fundamental precepts, end-to-end trusted communication. The idea is that an SSL client (for example, your web browser) verifies the identity of the website it is talking to by requesting a certificate. A certificate is similar in spirit to a passport: it is a cryptographically signed statement of a website’s identity, and, much like passports, certificates are issued by trusted entities called Certificate Authorities. A Certificate Authority is responsible for checking that the applicant actually controls the domain named in the certificate (and, for organization-validated and extended-validation certificates, that the organization exists and is who it claims to be) before issuing it; it does not vouch for what the site will do with the connection.
If that verification does not work, the whole chain of trust falls apart, and MITM attacks become possible.
In such an attack, a malicious party positioned between an individual and the website or recipient they intend to reach intercepts the “secure” communication. The attacker can read, insert and modify the data in transit, and can also impersonate a trusted website to install malware or steal valuable data such as login credentials.
A worst-case scenario looks like this: an unsuspecting user connects to a public WiFi hotspot. If an attacker controls that hotspot (or any network hop between the device and the Internet), the attacker can intercept traffic intended for an e-commerce or online banking site and steal usernames, passwords, account numbers, credit card numbers and so on. The user gets no warning: the browser still shows a normal HTTPS connection, so browsing to the attacker’s impostor appears no different from browsing to the legitimate site. This is a dangerous vulnerability indeed.
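The duplicated line described above, and the man-in-the-middle it enables, as an added example in C that is not Apple’s code: the control flow mirrors the shape of Secure Transport’s SSLVerifySignedServerKeyExchange, but the hash (FNV-1a), the toy XOR “signature”, the server key value and the sample handshake bytes are all constructed here so that the program runs offline. The vulnerable routine accepts a forged signature over attacker-chosen key parameters; the fixed routine, with the duplicate line removed, rejects it and accepts only the genuine server’s signature.

```c
/* Added example, not Apple's code: a minimal re-creation of the control-flow
 * defect behind the iOS 7.0.6 / 6.1.6 fix (CVE-2014-1266, "goto fail").
 * Apple's SSLVerifySignedServerKeyExchange() hashed the ServerKeyExchange
 * parameters and then checked the server's signature over that hash. A
 * duplicated "goto fail;" made the jump unconditional, so the signature
 * check was skipped while err still held 0 (success).
 *
 * The hash (FNV-1a), the XOR "signature" and the key are constructed
 * stand-ins so the example runs offline; the real code used SHA-1 and
 * RSA/ECDSA. Only the control flow matters here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define errSSLOk     0
#define errSSLCrypto (-9809)   /* Secure Transport's code for a failed signature check */

typedef struct { uint64_t state; } hash_ctx;

static int hash_init(hash_ctx *c) { c->state = 0xcbf29ce484222325ULL; return 0; }
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= p[i]; c->state *= 0x100000001b3ULL; }
    return 0;
}
static int hash_final(hash_ctx *c, uint64_t *out) { *out = c->state; return 0; }

/* Toy key: only the genuine server knows this value (assumed, constructed). */
static const uint64_t SERVER_PRIVATE_KEY = 0x5a5a1234abcd9876ULL;

static uint64_t transcript_digest(const uint8_t *cr, const uint8_t *sr,
                                  const uint8_t *params, size_t n) {
    hash_ctx c; uint64_t d;
    hash_init(&c); hash_update(&c, cr, 32); hash_update(&c, sr, 32);
    hash_update(&c, params, n); hash_final(&c, &d);
    return d;
}

uint64_t sign_digest(uint64_t digest) { return digest ^ SERVER_PRIVATE_KEY; }

static int verify_signature(uint64_t digest, uint64_t sig) {
    return (sig ^ SERVER_PRIVATE_KEY) == digest ? errSSLOk : errSSLCrypto;
}

/* Shape of Apple's vulnerable routine. The second "goto fail;" is the bug. */
int verify_ske_vulnerable(const uint8_t *cr, const uint8_t *sr,
                          const uint8_t *params, size_t n, uint64_t sig) {
    hash_ctx ctx; uint64_t digest; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, cr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, sr, 32)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                      /* BUG: unconditional; the rest is dead code */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = verify_signature(digest, sig);  /* never executed */
fail:
    return err;   /* still errSSLOk from the last successful hash_update */
}

/* Apple's fix was to delete the duplicated line; braces added so a repeat stands out. */
int verify_ske_fixed(const uint8_t *cr, const uint8_t *sr,
                     const uint8_t *params, size_t n, uint64_t sig) {
    hash_ctx ctx; uint64_t digest; int err;
    if ((err = hash_init(&ctx)) != 0)              { goto fail; }
    if ((err = hash_update(&ctx, cr, 32)) != 0)    { goto fail; }
    if ((err = hash_update(&ctx, sr, 32)) != 0)    { goto fail; }
    if ((err = hash_update(&ctx, params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0)    { goto fail; }
    err = verify_signature(digest, sig);
fail:
    return err;
}

/* Constructed handshake: client and server randoms plus the server's ephemeral
 * key parameters, which an attacker on the network path can replace at will. */
static const uint8_t CLIENT_RANDOM[32] = { 0x11 };
static const uint8_t SERVER_RANDOM[32] = { 0x22 };
static const uint8_t ATTACKER_PARAMS[] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t GENUINE_PARAMS[]  = { 0x01, 0x02, 0x03, 0x04 };

/* MITM sends its own parameters with a signature it cannot compute (here, zero). */
int demo_vulnerable_accepts_forged(void) {
    return verify_ske_vulnerable(CLIENT_RANDOM, SERVER_RANDOM,
                                 ATTACKER_PARAMS, sizeof ATTACKER_PARAMS, 0);
}
int demo_fixed_rejects_forged(void) {
    return verify_ske_fixed(CLIENT_RANDOM, SERVER_RANDOM,
                            ATTACKER_PARAMS, sizeof ATTACKER_PARAMS, 0);
}
/* The genuine server signs the digest of its own parameters. */
int demo_fixed_accepts_genuine(void) {
    uint64_t sig = sign_digest(transcript_digest(CLIENT_RANDOM, SERVER_RANDOM,
                                                 GENUINE_PARAMS, sizeof GENUINE_PARAMS));
    return verify_ske_fixed(CLIENT_RANDOM, SERVER_RANDOM,
                            GENUINE_PARAMS, sizeof GENUINE_PARAMS, sig);
}

int main(void) {
    printf("vulnerable, forged signature: %d\n", demo_vulnerable_accepts_forged());
    printf("fixed, forged signature:      %d\n", demo_fixed_rejects_forged());
    printf("fixed, genuine signature:     %d\n", demo_fixed_accepts_genuine());
    return 0;
}
```

Build it with plain cc -Wall (the file name is yours to choose). Clang’s -Wunreachable-code reports the dead hash_final call in the vulnerable routine, one of the cheap checks that would have caught this, and putting braces around every if body, as in the fixed routine, makes a stray duplicated line stand out in review rather than silently changing control flow.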
So what are the implications of this troubling news?
No software is immune from vulnerabilities, and many serious ones receive little or no attention even though their impact may be as severe as this issue in iOS and OS X. Apple is perhaps unfairly held on a pedestal, and from that pedestal even the slightest mistake can easily turn into a media storm. However, Apple has made a serious mistake in this case, and it is not the vulnerability itself.
The difference between those vendors that “get” security and those that don’t is in how they respond when vulnerabilities are inevitably discovered. Microsoft has been down this road and back, and prior to Bill Gates’ “Trustworthy Computing” memo Microsoft was the worst offender of all, both in terms of the number of vulnerabilities in their software and their repeated poor responses to them. However, Microsoft realized that growing their business in the enterprise required trust, and building trust with their largest customers meant getting serious about security. The result is not zero vulnerabilities – that is impossible. The result is proactive, clear processes for communicating vulnerabilities and their impacts to customers, and a patching process that lets IT update affected software without being forced to roll out major upgrades that may have other, unintended and unwanted consequences.
Unlike Microsoft, Apple’s largest customers are not corporate entities that demand a robust security strategy. Apple builds devices for consumers, and it is these tens of millions of individual customers who are now forcing IT to embrace Apple devices, regardless of whether or not IT has any relationship with or influence on Apple. To some degree, Apple’s response to this issue shows that they are in tune with their customers, and, unfortunately for IT, IT is not Apple’s customer. Apple is not alone in its allegiance to consumers; Google and the Android ecosystem are the same, if not worse. So what is IT to do?
To keep data protected and secure, IT must retain control of the technology that ensures data security, and that means entrusting sensitive corporate data to a company that views corporate IT as its most important customer. This does not mean that forcing all end users onto Windows Phone is a good, or even viable, idea.
Consumerization is here to stay. That means IT has to adjust to the reality that end users, not IT, are making device choices. Device-centric security, in a consumer-driven mobile market, delivers a very troubling false sense of security.
The solution? A data-focused security approach that remains fully under the control of IT and provides the level of protection and control IT needs to keep data safe. Then, when a security vulnerability appears, as it inevitably will, IT has the tools, relationships and control at its disposal to diagnose and fix the problem on its own timeline for its own users.
Unfortunately, this won’t be the last time that we see stories like this about potentially serious security vulnerabilities in software that we rely on and use every day. However, we do have the option to retake control of the solutions we use to secure our most sensitive data, and to ensure that our sensitive data is fully protected and under our own control.