Securing the Mobile Enterprise

October 6, 2009

WinMobile receives much-needed facelift, but still disappoints

Filed under: Mobile Security,smartphone — Balaji Prasad @ 6:52 pm

Microsoft has released the latest incarnation of its mobile platform. However, I hope this is the last iteration of the aging WinMobile 6 platform. The latest version gives end-users access to mobile applications like Facebook and Netflix through the Windows Marketplace. It will be interesting to see how Microsoft can control the security of its app store. It is not clear whether the vetting process will be as rigid as Apple’s or relatively loose, like the Android app store’s.

On the enterprise front, the platform is tightly coupled with its enterprise software brethren such as Exchange (with push mail and calendaring, policy enforcement and remote wipe). Additionally, it offers the ability to view (and eventually edit) Office documents, including PDF. I was expecting better integration with the popular SharePoint platform; however, that is not the case. A useful freebie is the ability to back up the mobile device using the MyPhone wireless backup utility, something Apple charges $99 for through its MobileMe service.

Disappointingly, there was no announcement regarding improvements to mobile search. You would assume that a company with access to resources like Bing would implement half-decent search functionality on its phone. Google has just released Android 1.6 (‘Donut’), which makes vast improvements to the search experience both on and off the phone. Even the Apple iPhone is streets ahead when it comes to universal search using Spotlight.

All in all, Microsoft needs to follow this up with a more robust offering if it wants to stay relevant in the marketplace. It will seriously need to revamp the platform with a more competitive architecture or risk losing out to the iPhone and Android, which are at least one generation ahead of it.

September 17, 2009

Context Aware Mobility – 2 : Access Control

Context awareness is, to some extent, intricately coupled with location awareness. The security and access considerations mainly apply at the network layer, as this is the only aspect of the device that crosses a trust boundary. All access control frameworks are built around the concept of “Trust” between the various entities and agents participating in the network. According to ISO 10181,

Trust is a relationship between two elements, a set of operations and a security policy P, where element X trusts element Y only if X has confidence that Y behaves in a well-defined way that does not violate P.

Most hierarchical trust models incorporate this central concept. In such models, one or more superior (i.e. more trusted) entities grant credentials to the participating peers. One example of this model is the public key infrastructure (PKI) built around X.509 digital certificates, which forms the backbone of all internet security. However, modern network access control frameworks, especially those designed for fixed/mobile LANs, are adopting a distributed-intelligence approach in which the NAC environment is dynamically structured to fit the users and the data being accessed. The Juniper Networks UAC solution is one such instance. This system allows administrators to encode users and data on the fly through a rich and granular policy management framework. The decision engine then defines the policy (contract) after evaluating the user (permissions, clearance), the network (access method, resource properties) and the endpoint properties (OS, patch version, anti-virus programs etc.).
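The decision engine described above, as an added example (not Juniper’s code and not from the original post): a small context-aware NAC policy that evaluates the user (clearance), the network (access method, resource sensitivity) and the endpoint posture (OS, patch age, anti-virus state) in turn, and sends a device that fails posture to remediation rather than denying it outright. The clearance scale, OS list, staleness thresholds and the decision labels are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class User:
    name: str
    clearance: int            # 0 = guest, 1 = staff, 2 = finance, 3 = admin (constructed scale)
@dataclass(frozen=True)
class Network:
    access_method: str        # "wired", "wifi-802.1x", "wifi-open" or "vpn"
    resource_sensitivity: int # sensitivity of the requested resource, same 0-3 scale
@dataclass(frozen=True)
class Endpoint:
    os: str
    patch_date: str           # ISO date of the last applied OS patch
    av_running: bool
    av_signature_date: str    # ISO date of the installed anti-virus signatures

SUPPORTED_OS = {"windows-mobile-6.5", "symbian-s60", "android-1.6"}  # policy knobs, all constructed
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIG_AGE_DAYS = 7
TRUSTED_ACCESS_METHODS = {"wired", "wifi-802.1x", "vpn"}

def _age_days(today: str, iso_day: str) -> int:
    return (date.fromisoformat(today) - date.fromisoformat(iso_day)).days

def posture_findings(ep: Endpoint, today: str) -> list:
    """Endpoint checks that failed; an empty list means the device is healthy."""
    findings = []
    if ep.os not in SUPPORTED_OS:
        findings.append("unsupported-os")
    if _age_days(today, ep.patch_date) > MAX_PATCH_AGE_DAYS:
        findings.append("patches-stale")
    if not ep.av_running:
        findings.append("av-not-running")
    elif _age_days(today, ep.av_signature_date) > MAX_AV_SIG_AGE_DAYS:
        findings.append("av-signatures-stale")
    return findings

def decide(user: User, net: Network, ep: Endpoint, today: str) -> tuple:
    """Evaluate user, network and endpoint in turn; returns (decision, reasons)."""
    # 1. User: clearance must cover the sensitivity of the requested resource.
    if user.clearance < net.resource_sensitivity:
        return "deny", ["insufficient-clearance"]
    # 2. Network: an unauthenticated access path may only reach public resources.
    if net.access_method not in TRUSTED_ACCESS_METHODS and net.resource_sensitivity > 0:
        return "deny", ["untrusted-access-method"]
    # 3. Endpoint: a failing posture check sends the device to remediation, not the resource.
    findings = posture_findings(ep, today)
    if findings:
        return "quarantine", findings
    return "allow", []
```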

Let us now look at the mechanism by which a mobile device ‘attaches’ to the network. To begin with, recall the behavior of a Windows PC when it first connects to a new network. The user is required to choose whether it is a private, business or public network, and based on the option selected Windows Firewall applies the appropriate firewall profile. Subsequent visits to the same network automatically apply the same policy without manual intervention. Context awareness takes this concept to the next level: now applications and services can also become “aware” of the network and tailor their behavior accordingly. The ultimate goal here is to identify and authenticate the network location. At the protocol level the application or service authorizes the network access provider (usually a DHCP server), which is a form of entity authentication. From the standpoint of privacy we have to ensure that the client remains sufficiently anonymous, in order to protect the mobile user before and during network access. In standard Wi-Fi access the client and the network use the 802.1X protocol, backed by public key certificates. 802.1X allows new authentication methods to be piggy-backed on it, e.g. EAP-TLS for authenticating with TLS/SSL, EAP-SIM for authenticating against a GSM SIM, or EAP-JUAC for Juniper’s custom UAC method. In all these methods the client’s privacy is protected by authenticating the server first and then performing the client authentication inside the resulting secure channel.

September 13, 2009

Context Aware Mobility – 1

Context Aware Computing is the next big thing on the horizon. It is alternatively known by the much cooler moniker “Ambient Computing”. From an architectural standpoint, context aware services (CAS) usually have a component-based design with basic constructs such as components, connectors, contracts and interfaces. Components provide the core functionality of the application and use connectors to communicate with other components in the system. Contracts and interfaces ensure a specific behavior in a given situation. “Awareness” is programmed into the system by rewiring the interfaces and contracts when the context changes. The context can be changed by changing one or more of the following parameters: userID, activity, geospatial information (location, direction, speed etc.), Temporal Information (timeOfday, date), ServiceVicinity (presence of other devices or services) etc. A simple manifestation of this is the popular app “Locale”.

Major universities are furiously researching and developing technologies to incorporate context awareness into SOA environments. Such applications benefit from technology that connects everyday objects and provides opportunities to collect and use context-specific information from various sources and present it on increasingly sophisticated mobile platforms. Enterprises have only recently started looking into how CAS applications can provide real-time benefits. In fact, Cisco has recently announced a mobile context-aware framework running on the 3300 MSE (Mobility Services Edge) that enterprises can incorporate into their existing SOA framework.

That’s it for a high-level overview of context aware mobility. In the next article I will talk about some of the unique security constraints that have to be addressed in CAS environments.

September 2, 2009

Kaspersky releases mobile security suite

Filed under: Mobile Security,security,smartphone — Balaji Prasad @ 10:28 pm

Kaspersky has announced what is by far the most promising security suite for Symbian and Windows Mobile phones. Besides providing a standard firewall and anti-virus, it offers unique features like anti-theft and SIM-Watch modules. Remote device wipe is nothing new; BlackBerry and Windows Mobile devices (via ActiveSync) have had this feature for years. However, this is the first time we have had a device-wiping solution for a mobile device that is not tethered to the enterprise. The device wipe in this case happens by sending an SMS message to the lost/stolen phone, causing it to digitally self-destruct. The unique anti-theft module locks your data if a new SIM card is inserted into the device. Additionally, it sneaks an email back to you with the telephone number of the new SIM card!! Truly ingenious. Not enough data is available yet on the performance and battery-life implications of running this suite, but if Kaspersky engineers it like their desktop solution, it should not be too much of a performance hog.
