barefoot cybersecurity

security… mobility… cloud… technology… whatever…


Mobile Device Management 101

Like it or not, smartphones and tablets are all over our enterprise networks. Users now expect to be able to carry around their mobile devices and have instant access to their corporate email account and documents. As business leaders we mostly embrace this change and welcome mobility into the work environment. We want to empower our users to work from anywhere and increase productivity levels using technology they enjoy carrying. However, those of us with at least one foot in the security department understand the greater risks of letting users loose to roam the globe carrying the company’s most sensitive information on the world’s most easily stolen devices.


There was a time when only remote users and exec-level employees would be issued a company-owned device. But once a technically savvy general population was able to buy its own smartphones, and Apple devices started to make their way into the boardroom, we saw the introduction of BYOD: Bring Your Own Device. The move towards mobile working for all is here.


BlackBerry brought mobile email to the mass business market, so we installed enterprise servers to enforce some security and improve the user experience (who needs to know how to configure an IMAP server on a phone anyhow?). The landscape has changed, and most businesses trying to manage devices from Apple, Samsung, BlackBerry and Nokia, to name a few, will struggle without some kind of enterprise software solution to roll out configurations and enforce security.

This is the primary function of a Mobile Device Management (MDM) solution: manage which devices belong to each user and apply configuration policies based on various criteria. For instance, is the device owned by the company or the employee, what is its operating system, and what is the confidentiality level of the information the user is accessing? These policies are enforced with rules that specify the consequences of being out of policy, including blocking further email to the device or sending SMS and email notifications to the user and IT administrators informing them of policy violations.

Furthermore, leading MDM solutions understand the source of the data residing on each device and therefore which data belongs to the user personally and which belongs to the business. This is extremely useful when an employee leaves the business, to ensure that not only is their access to corporate resources revoked but the company’s data residing on their device is wiped whilst preserving the user’s personal email, docs, photos and music. This is known as a selective wipe of the device, which may be done in preference to an entire wipe of all data if, for instance, a device was permanently lost.

Basic security

According to, $2.7 billion worth of smartphones were lost in 2011. It’s fair to say that the majority of those phones did not have even the most basic of security measures applied, a simple PIN code to protect privacy. Businesses today invest money and effort enforcing data leakage controls on their networks to protect company information so it stands to reason that if a user is to read their corporate email on their phone, a security policy should be applied. Of course you could just tell a user to please enable a PIN and encryption but it would be impossible to police against users turning it off because of the inconvenience. MDM enforces these policies and has the capability to wipe all the corporate data if users do not comply.

WiFi/Email/VPN Settings

Imagine the time and effort involved in supporting every new user on multiple different mobile operating systems to configure their Exchange email account, connect to the WiFi and configure the VPN. With MDM, these configuration settings can be distributed over the air to each new user that is registered on the MDM server.

Application Control

Another key benefit of MDM is the integrated ability to manage mobile apps for business users. Businesses typically want the ability to securely manage which mobile applications are installed on their devices. Administrators select which applications are required, allowed or disallowed. The company’s preferred CRM and VoIP app may be recommended to all users, whilst it is difficult to think of a good reason why Angry Birds should be installed on a company-owned iPad!

Document Control

Then there is the Dropbox problem. Unless users are provided legitimate methods to carry around the documents they require, they will inevitably find an alternative way. Dropbox and Gmail give users exactly that opportunity, which is why leading MDM solutions provide access to, storage of and viewing of documents from email and SharePoint, and enable the business to protect these documents from unauthorised distribution.

…and the rest

Of course, MDM can deliver much more. Depending on the solution used, you may disable certain features like the camera or Bluetooth on company-owned devices, ensure that devices only connect to WiFi networks with adequate security, and locate devices on a map if they are lost. Often there are cost control features to warn of or prevent excessive usage and roaming charges. The detection of jailbroken or rooted devices, which are more susceptible to malware, is another important feature.
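The policy model described in the sections above (device ownership, OS, data sensitivity, required/disallowed apps, jailbreak detection, and the consequences of being out of policy) is easier to reason about as code. The following is an added example written for this post, not code from any MDM product: a toy compliance evaluator over constructed device records. The policy values, violation names and actions are all assumptions chosen for illustration; a real MDM server expresses the same ideas through its own console and agent.

```python
"""Toy MDM compliance evaluator (added example, constructed data).

A device record is checked against a policy keyed on the sensitivity of the
data the user accesses; violations map to the consequences the post lists
(notify user/admin, block further email).  Nothing here talks to a real MDM.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    user: str
    owner: str               # "corporate" or "personal" (BYOD)
    os: str                  # "ios", "android", ...
    os_version: tuple        # e.g. (6, 1); tuples compare lexicographically
    pin_set: bool
    encrypted: bool
    jailbroken: bool         # jailbroken or rooted, as reported by the agent
    apps: set = field(default_factory=set)


# Constructed policy; values are illustrative, not a vendor default.
POLICY = {
    "min_os": {"ios": (6, 0), "android": (4, 1)},
    "disallowed_apps": {"Angry Birds"},          # enforced on corporate devices
    "encrypt_levels": {"confidential", "restricted"},
    "block_on": {"no_pin", "jailbroken", "unsupported_os"},  # severe: stop email
}


def evaluate(device, data_level):
    """Return the list of policy violations for this device and data level."""
    violations = []
    if not device.pin_set:
        violations.append("no_pin")
    if device.jailbroken:
        violations.append("jailbroken")
    min_ver = POLICY["min_os"].get(device.os)
    if min_ver is None:
        violations.append("unsupported_os")
    elif device.os_version < min_ver:
        violations.append("os_below_minimum")
    if data_level in POLICY["encrypt_levels"] and not device.encrypted:
        violations.append("unencrypted")
    # App control applies to company-owned devices; BYOD users keep their games.
    if device.owner == "corporate" and device.apps & POLICY["disallowed_apps"]:
        violations.append("disallowed_app")
    return violations


def decide(violations):
    """Map violations to the consequences the policy prescribes."""
    if not violations:
        return ["allow"]
    actions = ["notify_user", "notify_admin"]
    if POLICY["block_on"] & set(violations):
        actions.append("block_email")
    return actions


if __name__ == "__main__":
    # Constructed sample fleet.
    fleet = [
        Device("alice", "corporate", "ios", (6, 1), True, True, False, {"CRM"}),
        Device("bob", "personal", "android", (4, 0), True, False, True, {"Angry Birds"}),
        Device("carol", "corporate", "ios", (6, 1), False, True, False, {"Angry Birds"}),
    ]
    for d in fleet:
        v = evaluate(d, "confidential")
        print(f"{d.user:6} {d.owner:9} violations={v} -> {decide(v)}")
```

Run it as a script to see each constructed device scored; the only severe findings (no PIN, jailbroken, unsupported OS) escalate from notifications to blocking email, mirroring the consequence ladder the post describes.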

In all of this, it is key to remember to work with a vendor that can support all your operating systems and preserve the user experience. One thing is for sure, today’s users are as smart as their devices and if their user experience is spoilt by a poor implementation of MDM, they will look for a way to bypass it.


The Basics for Hard Disk Encryption

So you realise you (or your staff) are walking about with all that confidential company data on a laptop drive. OK, so it’s password protected but that will not prevent an attacker from booting the system from a thumb drive or removing the hard disk to access it from another system. Without some kind of hard disk encryption that data is easily readable to anyone with access to the drive.

There are three basic solutions to protect the confidentiality of a hard disk’s contents. Here’s a brief overview of these options.

1. Software based file/folder/partition encryption

One simple approach is to specify a directory or partition on your disk to write any sensitive data. Using software based encryption any data written to this location will be encrypted “on the fly”. Permission to access this data (through authentication) is typically provided using a password (maybe your Windows login).

One benefit of this approach is that your operating system can remain in an unencrypted disk location, which maintains performance and avoids complications associated with OS maintenance and patching. However, you are reliant on the user writing their data to this secure location. Often a disk is partitioned and the user instructed to store all their classified information there, but habit dictates that email attachments still end up on the desktop, unprotected. Open-source tools like TrueCrypt are frequently employed to provide this kind of functionality for free, although without commercial support.

Safend provide a unique solution for Windows that automatically encrypts user-generated content whilst avoiding system and program files, which goes some way to solving this.

2. Software based full disk encryption

With full disk encryption, pretty much everything on the drive is encrypted, meaning that the choice is no longer the user’s to make. However, the performance and maintenance issues mentioned above now come into consideration. Also, the boot loader remains unencrypted (note I said pretty much everything) so that the key can be made available to the password authentication process, and this remains vulnerable to attack.

To protect these keys further, one can use the Trusted Platform Module (TPM), which is standard on today’s PCs. The TPM is a secure hardware device (or chip) on the motherboard which enforces that the drive can only be read by that specific system. Generally speaking, hardware-based security offers more protection than software.

Microsoft now includes their BitLocker encryption on Enterprise and Ultimate editions of Windows 7 and in Pro and Enterprise editions of Windows 8 which can be used in conjunction with a TPM.
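The way a TPM ties the drive to "that specific system" is by sealing the disk key to measurements of the boot chain, so the key is only released when the same chip sees the same firmware and boot loader it was sealed against. The block below is an added, standard-library-only simulation written for this post; it is not BitLocker's or any TPM vendor's code. The `SimulatedTPM` class, the `extend`/`measure_boot_chain` helpers and the boot component strings are all constructed for illustration, and the key wrapping uses HMAC-derived material rather than a real TPM's storage-root-key hierarchy.

```python
"""Simulated TPM sealing of a full-disk-encryption key (added example).

The chip holds a secret that never leaves it (a stand-in for the storage
root key).  A disk key is sealed to a PCR-style measurement of the boot
chain; unsealing succeeds only on the same chip with the same measurement,
which is what lets a TPM-backed FDE product refuse to release the key to a
tampered boot loader or to the drive moved into another machine.
"""
import hashlib
import hmac
import os


def extend(pcr, component):
    """PCR extend: pcr = H(pcr || H(component)).  One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components):
    """Fold each boot component (constructed byte strings here) into a PCR."""
    pcr = b"\x00" * 32
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class SimulatedTPM:
    def __init__(self):
        self._srk = os.urandom(32)  # chip secret; never exported

    def _kek(self, pcr):
        # Key-encryption key bound to BOTH the chip secret and the measurement.
        return hmac.new(self._srk, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret, pcr):
        """Wrap a 32-byte secret so it can only be unwrapped under `pcr`."""
        assert len(secret) == 32, "demo supports 32-byte disk keys"
        kek = self._kek(pcr)
        stream = hashlib.sha256(kek + b"stream").digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(kek, ciphertext, hashlib.sha256).digest()
        return ciphertext, tag

    def unseal(self, blob, current_pcr):
        """Return the secret, or None if chip or measurement differ."""
        ciphertext, tag = blob
        kek = self._kek(current_pcr)
        expected = hmac.new(kek, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # key withheld: boot chain changed or wrong TPM
        stream = hashlib.sha256(kek + b"stream").digest()
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def demo():
    """Seal on a good boot chain, then try three unseal scenarios."""
    good_chain = [b"firmware v1", b"bootloader v1", b"kernel v1"]      # constructed
    tampered_chain = [b"firmware v1", b"bootloader-modified", b"kernel v1"]
    tpm = SimulatedTPM()
    disk_key = os.urandom(32)
    blob = tpm.seal(disk_key, measure_boot_chain(good_chain))

    same_system = tpm.unseal(blob, measure_boot_chain(good_chain)) == disk_key
    tampered = tpm.unseal(blob, measure_boot_chain(tampered_chain))   # None
    other_chip = SimulatedTPM().unseal(blob, measure_boot_chain(good_chain))  # None
    return same_system, tampered, other_chip


if __name__ == "__main__":
    print("same system, same boot chain -> key released:", demo()[0])
    print("modified boot loader         -> key released:", demo()[1] is not None)
    print("drive moved to another chip  -> key released:", demo()[2] is not None)
```

The point the simulation makes is the one the post alludes to: with a TPM the unencrypted boot loader is measured before the key is released, so altering it (or pulling the drive into another machine) changes the measurement or the chip secret and the key simply is not unwrapped. Real products add a PIN or startup key on top of the TPM for the cases where measurements alone are not enough.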

Other leading enterprise solutions are available from the likes of McAfee, Sophos and CheckPoint.

3. Hardware based full disk encryption

Hard disk security has evolved further, pushing security deeper into the hardware layer with the new generation of self-encrypting drives (SEDs).

With SEDs the encryption key is embedded in the drive controller itself. Authentication takes place as the drive is powered on with a BIOS password which can also become a single sign-on to the domain. Therefore from the moment the drive starts, all data is encrypted on the way in and decrypted on the way out. No performance issue and no software based authentication.

It is not possible to access the stored key without physical destruction of the drive and the data cannot be read without the encryption key.

Wave Systems and Seagate pioneered SEDs to support the OPAL standard developed by the Trusted Computing Group (TCG) and today Hitachi, Samsung, and Toshiba all produce OPAL compliant drives.

At the time of writing, SEDs can be purchased for as little as $20 more than the equivalent specification non-encrypting drive.