This is not the first year that we at SRI SOKB have been organizing remote access to corporate data from mobile devices, and we know that remote work is not a simple matter. Below we describe how our solutions help manage employees' mobile devices securely and why this matters for remote work.
What does an employee need to work remotely?
A typical set of services that must be reachable remotely for full-fledged work consists of communication services (e-mail, messenger), web resources (various portals, for example a service desk or a project management system) and files (electronic document management systems, version control, etc.).
We cannot hope that security threats will wait until we have finished fighting the coronavirus. Remote work has its own security rules, which must be observed even during a pandemic.
Business-critical information cannot simply be sent to an employee's personal e-mail so that they can conveniently read and process it on their personal smartphone. A smartphone can be lost, applications that steal information can be installed on it, and in the end children, who are at home because of the same virus, can play with it. So the more important the data an employee works with, the better it needs to be protected, and the protection of mobile devices should be no weaker than that of stationary workstations.
Why is antivirus and VPN not enough?
For stationary workstations and laptops running Windows, installing an antivirus is a justified and necessary measure. For mobile devices it is not always so.
Apple's device architecture restricts communication between applications. This limits the possible scale of the consequences of infected software: if a vulnerability in the mail client is exploited, the attacker's actions cannot go beyond the scope of that mail client. At the same time, such a policy reduces the effectiveness of antiviruses: automatically scanning a file that arrived by e-mail simply does not work.
On the Android platform, both viruses and antiviruses have more prospects. But the question of expediency still arises. To install malware from an application store, the user has to grant a lot of permissions manually. Attackers gain access rights only from those users who allow applications everything. In practice, it is enough to prohibit users from installing applications from unknown sources so that cracked "free" copies of paid applications installed on a tablet do not strip corporate secrets of their confidentiality. But this measure goes beyond the functions of antivirus and VPN.
In addition, VPN and antivirus cannot control how the user behaves. Logic suggests that at least a password should be set on the user's device (as protection against loss). But whether a password is present, and how strong it is, depends only on the user's conscientiousness, which the company cannot influence in any way.
Of course, there are administrative methods, for example internal documents under which employees are personally responsible for the absence of passwords on devices, installing applications from untrusted sources, etc. You can even make all employees sign an amended job description containing these items before they go remote. But let's face it: the company will not be able to verify how these instructions are followed in practice. It will be busy with the urgent restructuring of its main processes, while employees, despite the adopted policies, will copy confidential documents to their personal Google Drive and share them by link, because it is more convenient to work together on a document that way.
Therefore, the sudden move of the office to remote work is a test of the company's resilience.
Corporate Mobility Management
From the point of view of information security, mobile devices are a threat and a potential breach in the security perimeter. Solutions of the EMM class (enterprise mobility management) exist to close this gap.
Enterprise mobility management (EMM) includes the functions of managing devices (MDM, mobile device management), their applications (MAM, mobile application management) and content (MCM, mobile content management).
MDM is the necessary "stick". Using MDM functions, the administrator can wipe or lock a device if it is lost and configure security policies: requiring a password and its complexity, disabling debugging functions, prohibiting installation of applications from APK files, etc. These basic features are supported on mobile devices of all manufacturers and platforms. Finer settings, for example prohibiting the installation of a custom recovery, are available only on devices from particular manufacturers.
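To make the baseline MDM policies listed above concrete, here is an added example (not SafePhone's code, and not from the original post) of how an Android device policy controller applies them through the platform's DevicePolicyManager API. The class and package names are hypothetical; the example assumes the app has already been made device owner or profile owner during provisioning and that AdminReceiver is declared in the manifest with the BIND_DEVICE_ADMIN permission.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Added example: applies the baseline MDM policies from the article on Android. */
public final class BaselinePolicy {

    /** Hypothetical admin receiver; must be registered in AndroidManifest.xml. */
    public static final class AdminReceiver extends DeviceAdminReceiver {}

    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    private final String ownPackage;

    public BaselinePolicy(Context context) {
        dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(context, AdminReceiver.class);
        ownPackage = context.getPackageName();
    }

    /**
     * Applies the policies; returns false when this app is neither device owner
     * nor profile owner, because without that role the calls below would throw.
     */
    public boolean apply() {
        if (!dpm.isDeviceOwnerApp(ownPackage) && !dpm.isProfileOwnerApp(ownPackage)) {
            return false;
        }
        // 1. Password required and complex. API 31+ has a complexity bucket;
        //    older releases use the quality + minimum length pair.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            dpm.setRequiredPasswordComplexity(DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH);
        } else {
            dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
            dpm.setPasswordMinimumLength(admin, 8);
        }
        // 2. Auto-lock after five minutes idle (value is in milliseconds).
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        // 3. No debugging features (ADB) and no sideloading of APKs from unknown sources.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        return true;
    }

    /** Lost device, step one: lock the screen immediately. */
    public void lockLostDevice() {
        dpm.lockNow();
    }

    /**
     * Lost device, step two: wipe. As device owner this factory-resets the device,
     * as profile owner it removes only the work profile (the corporate container).
     * The flag keeps factory-reset protection data so the wipe cannot be used to
     * bypass it. Trigger only on an authenticated command from the EMM server.
     */
    public void wipeLostDevice() {
        dpm.wipeData(DevicePolicyManager.WIPE_RESET_PROTECTION_DATA);
    }
}
```

The owner check at the start of apply() is the part worth copying: every policy call here is rejected by the platform unless the caller holds the owner role, so an EMM agent that has lost that role must report it to the server rather than silently doing nothing.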
MAM and MCM are the carrot, in the form of applications and services to which they provide access. Once MDM provides a sufficient level of security, applications installed on the mobile devices can be given secure remote access to corporate resources.
At first glance, managing applications seems a purely IT task that boils down to elementary operations such as "install the application, configure it, update it to a new version or roll it back to the previous one". In fact, security is involved here too. It is necessary not only to install and configure the applications needed for work on devices, but also to protect corporate data from being uploaded to a personal Dropbox or Yandex.Disk.
To separate corporate data from personal data, modern EMM systems create a container on the device for corporate applications and their data. The user cannot move data out of the container without authorization, so the security service does not need to prohibit "personal" use of the mobile device. On the contrary, this is beneficial for the business: the better the user knows their device, the more efficiently they will use the working tools.
Let's get back to IT tasks. There are two tasks that cannot be solved without EMM: rolling back an application version and configuring the application remotely. A rollback is needed when a new version of an application does not suit users: it has serious bugs or is simply inconvenient. For applications on Google Play and the App Store, rollback is not possible, since only the latest version of an application is ever available in the store. With active in-house development, versions can be released almost every day, and not all of them are stable.
Remote configuration of applications can be implemented without EMM: for example, by making different builds of the application for different server addresses, or by saving a settings file in the phone's shared storage and then editing it by hand. All of this happens, but it can hardly be called best practice. Apple and Google, in turn, offer standardized approaches to this problem. It is enough for the developer to build in the required mechanism once, and any EMM will be able to configure the application.
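The standardized mechanism the paragraph refers to is, on Android, managed configurations: the EMM pushes key/value settings and the app reads them through RestrictionsManager instead of shipping per-customer builds or a hand-edited file in shared storage. The following is an added example of the application side (not SafePhone's code, and not from the original post). The keys "server_url" and "allow_export" are hypothetical; the example assumes they are declared in res/xml/app_restrictions.xml and referenced from the manifest via a meta-data entry named android.content.APP_RESTRICTIONS.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;

/** Added example: an app consuming EMM-pushed managed configuration on Android. */
public final class ManagedConfig {

    // Hypothetical keys; they must match res/xml/app_restrictions.xml.
    static final String KEY_SERVER_URL = "server_url";
    static final String KEY_ALLOW_EXPORT = "allow_export";

    // Safe defaults used when no EMM has configured the app (constructed values).
    static final String DEFAULT_SERVER_URL = "https://mail.example.invalid";
    static final boolean DEFAULT_ALLOW_EXPORT = false;

    private volatile String serverUrl = DEFAULT_SERVER_URL;
    private volatile boolean allowExport = DEFAULT_ALLOW_EXPORT;

    public String serverUrl() { return serverUrl; }
    public boolean allowExport() { return allowExport; }

    /** Reads the configuration the EMM pushed; values are validated before use. */
    public void load(Context context) {
        RestrictionsManager rm =
                (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle cfg = rm.getApplicationRestrictions();
        if (cfg == null) {
            cfg = Bundle.EMPTY; // no owner app has set anything yet
        }
        serverUrl = validateUrl(cfg.getString(KEY_SERVER_URL, DEFAULT_SERVER_URL));
        allowExport = cfg.getBoolean(KEY_ALLOW_EXPORT, DEFAULT_ALLOW_EXPORT);
    }

    /**
     * The EMM is trusted, but the value still comes from outside the app:
     * accept only HTTPS endpoints and fall back to the default otherwise, so a
     * misconfigured policy cannot downgrade the app to a plaintext server.
     */
    static String validateUrl(String url) {
        if (url != null && url.startsWith("https://")) {
            return url;
        }
        return DEFAULT_SERVER_URL;
    }

    /**
     * Call from onResume; the system broadcasts this intent whenever the EMM
     * changes the app's configuration, so the new values apply without restart.
     * Unregister the returned receiver in onPause.
     */
    public BroadcastReceiver register(Context context) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent intent) {
                load(c);
            }
        };
        context.registerReceiver(receiver,
                new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
        load(context);
        return receiver;
    }
}
```

The design point is that the app owns the defaults and the validation, while the EMM owns the values: a server address pushed by policy is applied immediately on every managed device, and an export-allowed flag set per user category (the developer versus the financier from the next section) is enforced by the app itself rather than by a separate build.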
We bought a zoo!
Not all mobile use cases are alike. Different categories of users have different tasks, which need to be addressed in their own way. A developer and a financier need different sets of applications and, possibly, different sets of security policies, because the data they work with differ in confidentiality.
It is not always possible to limit the number of models and manufacturers of mobile devices. On the one hand, it turns out to be cheaper to establish a corporate standard for mobile devices than to deal with the differences between Android builds from different manufacturers and the peculiarities of rendering a mobile UI on screens of different sizes. On the other hand, purchasing corporate devices during a pandemic is becoming more complicated, and companies have to allow the use of personal devices. The situation in Russia is further complicated by the presence of national mobile platforms that are not supported by Western EMM solutions.
All this often means that instead of a single centralized solution for managing corporate mobility, a diverse zoo of EMM, MDM and MAM systems is operated, each of which is serviced by its own staff according to its own unique rules.
What are the features in Russia?
In Russia, as in any other country, there is national legislation on information protection, and it does not change with the epidemiological situation. Thus, state information systems (GIS) must use information protection tools certified against security requirements. To meet this requirement, devices accessing GIS data must be managed using certified EMM solutions, which include our SafePhone product.
Long and complicated? Not really
Enterprise-level tools such as EMM are often associated with slow implementation and lengthy pre-project preparation. Right now there is simply no time for this: restrictions due to the virus are being introduced quickly, so there is no time to ease into remote work.
In our experience of many SafePhone implementation projects in companies of various sizes, the solution can be launched within a week even with on-premises deployment (not counting the time for negotiating and signing contracts). Ordinary employees will be able to use the system within 1-2 days after implementation. Yes, flexible product setup requires training administrators, but training can be carried out in parallel with the start of operation of the system.
To avoid spending time on installation in the customer's infrastructure, we offer our customers a cloud-based SaaS service for remote management of mobile devices using SafePhone. Moreover, we provide this service from our own data center, which is certified to the highest requirements for GIS and personal data information systems.
As our contribution to the fight against coronavirus, SRI SOKB connects small and medium-sized businesses to the SafePhone server free of charge to ensure the secure work of employees working remotely.