Senior Staff Writer

Samsung’s potential government deal signals new era for mobile security

Jul 19, 2013 | 8 min read

Apple, Application Security, Data and Information Security

Samsung is close to inking a deal with the FBI and the U.S. Navy for mobile devices, placing a foot in a door that was previously held by BlackBerry (formerly Research in Motion).

The news comes from a report in The Wall Street Journal, citing sources familiar with the matter. According to the report, Samsung is negotiating a large deal with the FBI for devices and hopes to land a smaller deal with the U.S. Navy. Terms of the proposed deals were not disclosed, but the talks are still a step forward. They are also evidence that Samsung wasted no time in trying to gain traction with the government after the Galaxy S2, S3, and S4, as well as the Galaxy Note and Galaxy Note II, were FIPS certified in April.

Samsung isn’t the only vendor that could replace BlackBerry as a device supplier. Last October the Pentagon said it planned to open the doors and allow other device makers a chance to bid for its business.

The announcement was a blow to BlackBerry. The Pentagon’s plans hit the company after weeks of bad press, setbacks, and lackluster support for its software and devices. The Pentagon’s announcement was then followed by one from U.S. Immigration and Customs Enforcement, which said it was replacing its BlackBerry devices with iPhones.

One of the reasons cited for the Pentagon’s move to open its doors to other device manufacturers was the need to support and use “new and innovative applications” as the military’s requirements evolve. At the time, a spokesperson for the Defense Information Systems Agency said that while BlackBerry wasn’t out of the picture, DISA’s planned mobile management capability “will support a variety of mobility devices.”

During an interview with CSO Online, David Goldschlag, the CEO of MobileSpaces, a startup that focuses on securing both private and public apps on mobile devices, said the recent news is a good indicator that Apple and Google are meeting the security bar that BlackBerry set early on with IT administrators.

In addition, he added, since Google and Apple are both working to bake government-grade security into their products, this helps IT remain comfortable “with the use of these consumer-first devices in the enterprise.”

“The mobile world has shifted from being email oriented to a more app centric user experience. With that comes increasing IT requirements for data protection against leakage and loss, because richer corporate data now resides on the mobile device that is of higher value and of higher risk than just email,” Goldschlag explained.

Earlier this year, a report sponsored by EMC, VMware, Cisco, and Carahsoft singled out the fact that federal employees were using personal devices for both work and play. Because these workers were taking advantage of the consumerization of IT, the agencies they represented were facing increased risk.

Moreover, 85 percent of the respondents admitted to downloading apps to the same smartphone or tablet they used for federal work, which exposed the device and the data on it to more risk than if there were a clear separation of usage. That separation, which clearly defines which apps are for work and which are for play and keeps data from crossing between the two, is part of what Samsung is offering.

Samsung is pitching a solution called KNOX as part of its bid for secure mobile devices. It sits on top of a hardened install of Android and includes an app container that lets administrators split personal apps and data off from confidential data and business apps. In addition to the separation provided by the app container, the KNOX file system encrypts stored files with AES-256, and a per-app VPN client is available.
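To make the container idea concrete, here is an added example (my own illustration, not KNOX code; Samsung’s implementation is proprietary and keys there come from the device, not from a hashed string) of an encrypted “work” file store in Go. Every file is sealed with AES-256-GCM under one container key, the file name is bound in as authenticated data, and a second instance holding a different key, standing in for the personal side, can read only sealed blobs. The file name and contents are constructed sample data, and the Container type and its methods are assumed names for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Container is an illustrative encrypted "work" file store: every file is
// sealed with AES-256-GCM under a single container key, so a process that
// does not hold the key (the "personal" side) gets ciphertext only.
type Container struct {
	aead  cipher.AEAD
	files map[string][]byte // name -> nonce || ciphertext || tag
}

// NewContainer requires a 32-byte key so that aes.NewCipher selects AES-256.
func NewContainer(key []byte) (*Container, error) {
	if len(key) != 32 {
		return nil, errors.New("container key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Container{aead: aead, files: map[string][]byte{}}, nil
}

// Put encrypts plaintext under a fresh random nonce. The file name is bound
// in as additional authenticated data, so a sealed blob cannot be renamed or
// swapped between files without failing authentication on Get.
func (c *Container) Put(name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nil, nonce, plaintext, []byte(name))
	c.files[name] = append(nonce, sealed...)
	return nil
}

// Get authenticates and decrypts a stored file; any bit flip in the stored
// blob, or a mismatched name, returns an error rather than garbage.
func (c *Container) Get(name string) ([]byte, error) {
	blob, ok := c.files[name]
	if !ok {
		return nil, errors.New("no such file")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Raw returns what an observer outside the container (a personal app reading
// the storage directly) would see: the sealed blob, not the file.
func (c *Container) Raw(name string) []byte { return c.files[name] }

// Import lets another Container instance (possibly holding a different key)
// try to open a blob copied out of this one.
func (c *Container) Import(name string, blob []byte) { c.files[name] = blob }

// deriveDemoKey is for the demo only: a real container key comes from a
// hardware-backed keystore, not from hashing a string.
func deriveDemoKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func main() {
	work, _ := NewContainer(deriveDemoKey("work-container-secret")) // constructed secret
	personal, _ := NewContainer(deriveDemoKey("personal-side-key"))  // different key

	_ = work.Put("contracts/q3.pdf", []byte("CONFIDENTIAL: Q3 contract terms")) // constructed file

	// The work side round-trips the file.
	pt, err := work.Get("contracts/q3.pdf")
	fmt.Printf("work side: %q err=%v\n", pt, err)

	// The personal side sees only the sealed blob and cannot open it.
	blob := work.Raw("contracts/q3.pdf")
	personal.Import("contracts/q3.pdf", blob)
	_, err = personal.Get("contracts/q3.pdf")
	fmt.Println("personal side open error:", err)

	// Tampering with the stored blob is detected, not silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	work.Import("contracts/q3.pdf", tampered)
	_, err = work.Get("contracts/q3.pdf")
	fmt.Println("tamper detected:", err != nil)
}
```

The design choice worth noting is the authenticated-encryption mode: a container that used AES in a non-authenticated mode would still hide file contents, but an attacker with write access to the storage could flip bits or move blobs between file names undetected. Binding the name as associated data and using GCM closes both of those off.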

Samsung’s offering is a real step forward when today’s mobile security is compared with what existed a decade ago. Overall, however, mobile security is still far less mature than security for desktops and servers. So what are administrators looking for?

CSO asked that question of Swarna Podila, the Senior Manager for the Enterprise Mobility Group at Symantec.

“From a high level, there are really two approaches to keeping business data on mobile devices secure. The first is protecting data at the device level and the second is protecting it at the app level. Protecting it at the device level -- via tools such as MDM -- is great for IT, but also results in a heavy footprint on devices, which can fly in the face of the hoped for user benefits of mobility, such as increased productivity and greater work flexibility,” she said during an interview.

A key alternative to this, Podila added, is protecting data at the app level. Traditionally, this has been done with sandboxing (which is part of Samsung’s KNOX, and a key feature of other solutions), and that worked fine when mobile apps for business were limited to email.

“However, as organizations rely more and more on mobility, this approach falls short. Any corporate app that needs protection has to be built in or modified to fit into the sandbox. With the diversity of apps available, this approach is very limiting and even the early proponents of this technology are moving on to other strategies,” Podila said.

Those other strategies include mobile application management (MAM), which, as Symantec’s expert explained, addresses the limitations of sandboxes while still meeting corporate security needs. MAM technology allows companies to wrap their corporate apps, and the data tied to them, in their own security and management layers.

Another consequence of Samsung, Apple, and Google building secure mobile enhancements is that enterprises get the chance to leverage government-grade security. According to some experts, however, that may not be needed, if it is even possible at all.

“Actually, implementing government-level security for mobile devices in the enterprise might not be all that relevant. The key objective for most enterprises is to enable their mobile users with the right productivity tools without compromising information security. However, government agencies on the other hand must have a greater focus on security and compliance by necessity, given the level of sensitivity surrounding their data,” Podila told CSO.

The point is that government-grade security may be too heavy-handed for most enterprise operations.

“Enterprise IT cannot be as security prescriptive as their government counterparts because security cannot trump functionality,” Goldschlag added, somewhat mirroring Symantec’s take on the topic. In addition, some verticals may have stricter auditing processes, so implementing government-grade security may take them out of compliance in some areas.

When asked his opinion, Dirk Sigurdson, the director of engineering for Rapid7’s Mobilisafe, a mobile risk management offering from the security firm, said that it isn’t hard to implement government-level security, as long as the company really wants to lock down employee devices.

“The more difficult aspect in this process is finding the right balance between control and employee freedom. If company employees rebel or are discouraged after the tight security controls are set in place, it’s probably not going to help the organization in the long term,” he said.

One thing all of the experts consulted for this story agreed on is that if the process isn’t planned out, securing mobile devices can do more harm than good.

Security needs to be frictionless, and there is a cost associated with it. As Sigurdson put it, “… if the total cost of the security solution (including reduced employee productivity) is greater than the risk that the solution is trying to mitigate, then the security solution has done more harm than good.”

Adding to that, Goldschlag pointed out that most mobile IT vendors can only secure a few dozen apps. That seems like a good thing until one compares it with the millions of apps currently in Google Play and the Apple App Store.

“This severely handicaps IT’s ability to support a variety of workflows needed to make every employee productive. It’s compounded by the fact that basic apps built-in to the device such as the native email client and camera cannot also be leveraged,” he said.

Again, when it comes to mobile security, balance is the key.

“The foremost reasons users have been flocking to mobile devices to do work-related tasks are the simplicity, ease of use and flexibility the devices offer. These benefits can only be achieved if the user experience is preserved. If security policies are so heavy-handed that the user experience gets affected adversely and the device or app becomes almost unusable, it almost defeats the purpose of mobility altogether,” said Podila.