As of this writing, no mobile devices support virtualization in the manner just described, but vendors such as VMWare have publicly announced their intentions of building such products. Figure 13-2 shows a happy virtual workplace running more than one OS in the form of virtual machines (VMs). Note especially the presence of a hypervisor, which is a software module running on the device that allows more than one OS to run on the device at a time. A hypervisor is what enables virtualization of servers as well, allowing them to run multiple operating systems, such as Windows and Mac OS X, in parallel virtual machines.
Figure 13-2: Multiple operating systems running together on mobile devices.
Accounting for Personal Devices at Work
Today’s workplace is full of high-tech devices that may or may not be under IT control. Many companies find that employees are bringing their personal smartphones and other mobile devices like tablets into the work environment. One way of handling personal devices in a corporate environment is to deploy a corporate sandbox to the device that provides secure application access, protected from other apps that reside on the device. Many enterprises deploy such products that provision a corporate environment separate from the rest of the device, which can host private data and applications belonging to the employee. These products allow secure browsing, e-mail, and application access shielded and protected from other apps on the device.
This separation of personal and corporate footprints on a mobile device is beneficial to employees as well, who would no longer have to carry more than one device around.
Some vendors discussed in Chapter 15 include sandboxing features that allow the mobile users to browse web content, e-mail, and other app data from within a particular vendor’s app. The data in these apps is protected and shielded from other third-party apps installed on the device. This is one example of a sandbox solution. When virtualization hits the market for mobile devices, that could be another option, too, enabling you to deploy a virtual machine on an Android device shielded from the rest of the employee’s personal device.
Until virtualization becomes a reality for smartphones, be sure to check out some of the vendor solutions discussed in Chapter 15 for your specific sandboxing needs.
Sandboxing Combined with On-Device Security
Running a sandboxing application on your mobile device can be an advantage if the application protects the user data and device from mobile threats. Some apps available in the market provide sandboxing capabilities for particular features such as e-mail. For example, Good Technology (www.good.com) provides application sandboxing for e-mail, which maintains e-mail securely within the application and protects it from access by other applications.
However, as mentioned earlier, sandboxing by itself is not a substitute for real mobile security. You need to complement sandboxing with appropriate mobile security to protect the entire device, and not just the sandbox. Malicious apps can still attack a device even if one or more apps have sandboxing implemented. Chapter 9 describes some mobile security threats that a smartphone or tablet device are vulnerable to.
An ideal corporate solution includes such a sandboxing or application security solution combined with an on-device mobile security solution that provides protection from viruses, malware apps, and spam. The sandboxing solution provides application security to your corporate apps as well as to the user’s data in private apps downloaded from an app store. The mobile security solution complements this application security by ensuring that files and data received or sent by the device are free of viruses or threats to data or applications.
Be sure to check out the vendors discussed in Chapter 15, many of whom provide application sandboxing or security policy features, or mobile security features, or both.
Part V
The Part of Tens
In this part . . .
Where else can you get 20 tidbits of information that are so helpful? Where else but the Part of Tens! Chapters 14 and 15 cover ten of the best places to go online for more info and ten mobile security vendors to help you with your special circumstances, respectively.
If we haven’t covered it already, it’s here in the Part of Tens.
Chapter 14
Top Ten Online Information Sources
In This Chapter
Researching the latest threats to mobile device security
Finding the latest solutions to combat mobile device security threats
With this book, we wanted to condense and present all the prevalent threats and solutions as they pertain to mobile devices, but it goes without saying — we’ll say it anyway, though — that the types of threats change by the hour.
To secure your mobile devices, you must keep abreast of the latest types of threats and solutions. What better place to go and find this late-breaking information than the Internet? Of course, surfing aimlessly and looking for self-professed experts on this topic may not be a judicious use of your time. Therefore, we compiled this list of trusted online information sources.
Tech SANS
www.sans.org
SANS (SysAdmin, Audit, Network, Security) is the precursor to all things security and is a great resource for topical white papers, weekly bulletins and alerts, training, and security vulnerabilities. What makes SANS so unique is that its membership consists of more than 165,000 security professionals, auditors, system administrators, and network administrators that share lessons and solutions to the challenges they face. They’ve embraced the mobility wave, and you’ll find a healthy dose of mobile topics on the Tech SANS website.
Dark Reading
www.darkreading.com
The Dark Reading website is devoted to all things security. In-depth security analysis on all aspects of security — including mobile — is its claim to fame. You’ll also find frequent webcasts with leading industry luminaries. Tweets, RSS feeds, e-mail . . . there are dozens of ways to keep up with content. The topic of mobility security is starting to appear more frequently on the Dark Reading website, so the good news is that you can keep up with threats. However, the bad news is that this means the threats keep coming.
F-Secure Security Threat Summaries
www.f-secure.com/en_EMEA-Labs/news-info/threat-summaries
F-Secure is one of the oldest mobile security companies around. Its threat summaries are comprehensive, yet succinct. Periodically published, they’re a great resource to find out about the latest and greatest threats — both as a look back as well as a harbinger of things to come.
Infosecurity Network
www.infosec.co.uk
This site is a great collection of blogs, events, and pithy videos on all things security. And the topic of mobile security is a big part of what this site reports on.
National Institute of Standards and Technology (Security Research)
http://csrc.nist.gov/groups/SNS/index.html
NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation’s first federal physical science research laboratory. Over the years, the scientists and technical staff at NIST have made solid contributions to image processing, DNA diagnostic chips, smoke detectors, and automated error-correcting software for machine tools. NIST sponsors three groups that do cutting-edge security research:
Cryptographic Technology: This group develops standards and researches how to keep secure what needs to be secure.
Systems and Emerging Technologies Security Research: This group helps to define “emerging” for the rest of us so we can just read the highlights.
Security Management and Assurance: This group works with other federal organizations in search of consensus so there are single standards, not multiple ones.
Each group dabbles with mobility, and you’ll be ahead of the game if you can find a few moments each day to keep up with the plethora of information published.
Vendors’ Websites
www.juniper.net/us/en/dm/mobilesecurity/
Juniper Networks has state-of-the-art security offerings, and its si
te is a treasure trove of information for enterprise, mobility, and consumer. The case studies in this book were based on Juniper’s security offerings.
http://blogs.mcafee.com/mcafee-labs
McAfee has great blogs that bring today’s security information into focus. This is a good site to see what’s happening today in the security world.
http://us.trendmicro.com/us/solutions/enterprise/security-solutions/endpoint-security/index.html
Trend Micro can shed light onto any endpoint security issue you’re having —or may have, when your network gets big enough. If you’re still confused about the importance of endpoint security, stop here.
www.symantec.com/business/theme.jsp?themeid=mobile-security-management
Symantec is another established name in security and computing. Explore its site to see how the company is constantly adapting its products to a changing world.
ICSA labs
www.icsa.net
The International Computer Security Association (ICSA) has a website with lots of white papers, pointers, and other useful information for anyone who handles IT security issues. Even though the site isn’t targeted specifically at mobile-related issues, it provides broad coverage of a wide range of security issues, some of which are mobile related.
CERT
www.cert.org
The CERT program is part of the Software Engineering Institute’s CERT Coordination Center, a federally funded research and development center at Carnegie Mellon University. Primarily focused on responding to major security incidents and analyzing product vulnerabilities, it has also embraced development and promotion of the usage of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.
US-CERT
www.us-cert.gov
US-CERT is the United States Computer Emergency Readiness Team and coordinates between the government and the public against both small and massive cyber attacks. This site provides important information about the latest threats and vulnerabilities. You can find a good white paper on mobile security at www.us-cert.gov/reading_room/TIP10-105-01.pdf.
GSM Association
http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/index.htm
The GSMA represents the interests of the worldwide mobile communications industry. Spanning 219 countries, the GSMA unites nearly 800 of the world’s mobile operators as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, Internet companies, and media and entertainment organizations. Security has become a topic du jour of late, and the website covers some good mobile-specific security topics.
Chapter 15
Top Ten Mobile Security Vendors
In This Chapter
Exploring leading mobile security and device management solutions
Figuring out where to look for more research
If you’ve followed along so far, we’ve explored the nuts and bolts of what makes up mobile device security. Now we look at some leading solutions available in the market. These are potential candidates for you to research and consider deploying in your organization.
The mobile device landscape is evolving rapidly, thanks to new devices hitting the market virtually every week. Therefore the vendor solutions we describe in this chapter are expected to evolve just as rapidly to keep in sync with the latest market trends. Be sure to research each solution from the corresponding vendor’s website and, ideally, follow up with a trial of the software.
The solutions we describe in this chapter are in alphabetical order, and not necessarily in order of merit or authors’ recommendation.
AirWatch
www.air-watch.com
AirWatch has a broad solution spanning the Apple iOS, Android, Windows Mobile, BlackBerry, and Symbian platforms. Its solution covers a broad array of mobile device management features. If you’re looking for a centralized management solution to configure and deploy policies for all five of these device platforms, you might want to take a look at AirWatch.
Good Technology
www.good.com
Good Technology offers Good Mobile Control, a mobile device management solution for devices running the Apple iOS, Android, Windows Mobile, Nokia Symbian, and HP Palm OS platforms. It offers configuration management, loss and theft protection, and password policy features, among others. Good is reputed to be in the mobile device management space for a long time.
Juniper Networks
www.juniper.net/pulse
Juniper Networks is a leading vendor of networking solutions, including a broad range of routing, switching, and security products and services. Its Junos Pulse Mobile Security Suite includes a combination of its market-leading SSL VPN capabilities combined with mobile security and device management features. The Junos Pulse Mobile Security Suite clients are available for Apple iOS, Android, Windows Mobile, Nokia Symbian, and BlackBerry platforms. Along with mobile device management features, Juniper’s solution provides security features, such as antivirus, antispam, and a personal firewall, as well as SSL VPN integrated in the same mobile clients.
Mobile Active Defense
www.mobileactivedefense.com
Mobile Active Defense’s Mobile Enterprise Compliance and Security (MECS) product provides a good choice of mobile device management features for Apple iOS, Windows Mobile, Nokia Symbian, and Android devices. Its solution enables the management of mobile device inventory in an enterprise. The MECS solution also includes smartphone firewall capability and policy management features.
McAfee
www.mcafee.com
McAfee has long provided security antivirus and antispyware software for Windows PCs. McAfee now offers security software for mobile devices through McAfee Enterprise Mobility Management. Its mobile device management and security software is available for Apple iOS, Windows Mobile, and HP WebOS, with limited support for Android.
MobileIron
www.mobileiron.com
MobileIron’s Virtual Smartphone Platform provides mobile device management for Apple iOS, Android, BlackBerry, Windows Mobile, Windows Phone 7, and Nokia Symbian devices. This product provides remote provisioning, mobile device management, and deployment capabilities to manage mobility policies for a broad range of platforms.
Sybase
www.sybase.com
Sybase’s Afaria provides a rich suite of mobile device management features for Apple iOS, Android, BlackBerry, Windows Mobile, HP Palm OS, and Nokia Symbian platforms. The Afaria product includes a number of mobile device management and provisioning features that allow an enterprise to manage policies and applications for mobile devices.
Symantec
www.symantec.com
Symantec’s Mobile Management solution includes security features (antivirus, antispam, and firewall) for Windows Mobile and device management features for Apple iOS, BlackBerry, Android, Nokia Symbian, and Windows Mobile devices. Symantec’s solution extends its security features, such as antivirus and firewall, from Windows to mobile platforms.
Tangoe
www.tangoe.com
Tangoe’s Mobile Device Management product provides a good breadth of mobile device management features for Apple iOS, Android, BlackBerry, and Windows Mobile devices. Its solution also includes device monitoring features and the ability to control applications installed on corporate smartphones.
Zenprise
www.zenprise.com
Zenprise provides Zenprise MobileManager, an end-to-end lifecycle management solution for BlackBerry, Apple iOS, Android, Windows Mobile, and HP Palm devices. Zenprise’s solution includes expense plan management, service plan management, and infrastructure monitoring services in addition to mobile device management features, such as policy enforcement and loss and theft protection.
Getting information from the experts
To deploy an effective mobile security and device management solution,
be sure to read what the experts and analysts are saying, too. Gartner (www.gartner.com) publishes regular reports on mobile device management and security vendors. Their reports are useful for analyzing the various offerings in the market.
To access the cheat sheet specifically for this book, go to www.dummies.com/cheatsheet/mobiledevicesecurity.
Find out "HOW" at Dummies.com
Table of Contents
Cover
Table of Contents
Title Page
Foreword
Introduction
Part I: Living Securely in the Smart World
Chapter 1: What's So Smart About a Phone, Anyway?
Chapter 2 : Why Do I Care? The Mobile Device Threat
Chapter 3 : Planning for Mobile Devices in the Enterprise
Part II: Implementing Enterprise Mobile Security
Chapter 4: Creating Mobile Device Security Policies
Chapter 5: Managing and Controlling Devices
Chapter 6: Conforming to Corporate Compliance Policies
Part III: Securing Smart Device Access
Chapter 7: Securing Data in Transit with VPNs
Chapter 8: Connecting to Wi-Fi Networks
Part IV: Securing Each Smart Device
Chapter 9: Device Security Component Overview
Chapter 10 : Hacker Protection and Enforceable Encryption
Chapter 11: Protecting Against Loss and Theft
Chapter 12: Educating Users about Backing Up Data
Chapter 13: Securing Mobile Applications
Part V: The Part of Tens
Chapter 14: Top Ten Online Information Sources
Mobile Device Security For Dummies Page 30