Mobile matters and cyber espionage
By Gabey Goh November 9, 2012
- Citrix will continue its investment into enabling mobile workstyles and cloud services for enterprise customers
- With cyber espionage on the rise, large multinationals which have a wide open system exposed to the Internet can definitely expect to be hacked
FOR technology solutions provider Citrix Systems, the continued rise of mobile and cloud computing, along with the bring your own device (BYOD) movement, has translated into a sharpened focus on meeting the demands of clients dealing with a changed IT environment and workforce.
According to the company’s chief security strategist Kurt Roemer, continued investment will be made in enabling mobile workstyles and cloud services.
“We want to make sure that we’re keeping up with the trends from a BYOD perspective,” he said.
Part of this strategy involves ensuring the company’s universal software client, Citrix Receiver, is up to date with all the latest devices in the market.
“So even if someone goes out and buys the latest device on the day of release, we will have a way for them to get access to their virtualized desktop apps and data. That’s a big thing to be able to say,” said Roemer.
The client now purportedly supports more than three billion devices, including the recently released Windows 8 and Windows Phone 8 platforms by Microsoft.
When asked for his take on the latest iteration of Windows Phone, Roemer said he had yet to personally try the device extensively but it “looks very interesting”, calling it “a big step forward” for Microsoft.
When asked about the security levels of current mobile platforms, Roemer said that from an out-of-the-box perspective, Apple’s iOS has been the favorite for many users.
“There are no security configurations necessary basically, just a couple of privacy settings and to turn on the passcode. And you’re leaps and bounds ahead of where most other people are in terms of security on mobile,” he said.
Google’s Android operating system “requires some tuning” via a security suite or additional software.
Roemer shared that the American Department of Defense (DoD) has a secured version of Android that’s approved for use on DoD networks.
“So with Android you can get in and tinker with it and secure it very strongly, but [this] requires quite a bit of work,” he said.
Microsoft, Roemer said, has taken a hybrid approach of the two, having advanced the general security of the Windows platform and also offering built-in features such as anti-virus in both Windows 8 and Windows Phone 8.
“So you always have it available and it will definitely make it easier for people to use the platform securely,” he said.
However, Roemer noted that there will always be security issues with platforms.
“That’s a given, you’ve seen it through the years with Windows and Macs. You need to keep in mind that, if there is something too sensitive to have on a mobile device in the first place, keep it off the device,” he said.
He admits that in the past, it was “easier said than done”, but points to advancements made with Citrix’s own suite of products, such as Citrix ShareFile with StorageZones.
ShareFile supports enterprise client-side security; corporate data accessed on personal devices is encrypted, and can be remotely wiped by the business at any time if the employee leaves the company, or the device is lost or stolen.
Another investment the company has made is in developing its Citrix Me@Work mobile app suite with offerings such as @WorkMail and @WorkWeb.
@WorkMail is a native iOS and Android email, calendar and contacts solution. Users will be able to attach ShareFile docs to emails, save attachments back to ShareFile, open attachments and web links with @WorkWeb, and schedule meetings with GoToMeeting, all while staying inside the secure container on the mobile device.
“We’ve been making investments in these solutions, using them internally and with our customers to address some of these issues a lot better than we could have before,” he said.
The 5 Ws of access
With the proliferation of mobile devices now accessing company networks from a variety of locations, identity management and authentication become a key facet of managing an organization’s BYOD program.
Fortunately with BYOD and new consumer technologies, said Roemer, there are now a lot more access factors to utilize to allow people to either access an application or not.
“In the past, you were relying on whether an enterprise knew the device, owned and managed the device and knew if the device was allowed on the network or not. That was appropriate back then,” he said.
“But these days, people are using many different networks and in fact most don’t care which network they are accessing as long as they get access be it via a WiFi signal. So we obviously have to transition access,” he added.
Roemer points to the ‘five Ws of access’ (Who, What, When, Where and Why) as a yardstick for IT departments in determining access for employees.
“If you can make every decision based on those five Ws, you can make very strong access decisions that are very appropriate to a transaction and have a fine-grained set of access controls,” he said.
Roemer likens the process to the procedure banks follow if a financial transaction is made here in Malaysia, with another made five minutes later from a location across the world. The activity will be flagged as suspicious with a call made to the account holder for verification.
“We need to start doing that for access to sensitive data as well, where we can,” he said.
Organizations and the cyber arms race
Cyber-espionage has been increasing over the last two years. DNA asked Roemer what organizations, especially large multinationals, can do to protect themselves.
For such instances, organizations have to realize that they will be targeted or attacked and these are very specific attacks that are almost impossible to stop in most cases, he said.
“You have to be able to segment those attacks so that you don’t have a wide open network,” he said.
To help protect against such threats, organizations cannot rely on just physical security measures or a single set of user credentials to access sensitive information.
“Stuxnet happened because there was a very well understood capability within Siemens PLCs. You can get into firmware and change things very easily. I could do that with your TV back home too and make it do interesting things,” he said.
Roemer added that such systems were designed for a very specific trust level and that level has changed in many organizations. Now, verification must be done to check that the firmware hasn’t changed, that no new hardware has been added and that the OS hasn’t been changed at the system boot level.
“We have the capabilities to do that. Intel has introduced trusted platform modules with the ability to do full attestation of a platform as it boots; if those capabilities are essential to an organization’s security, then they need to make sure it’s there,” he added.
Roemer said that organizations which have a wide open system exposed to the Internet can definitely expect to be hacked.
“To do that is criminal. You can’t rely on the idiosyncrasies of these platforms thinking no one will ever figure this out. Of course they will, if it’s worth their time or they’re bored enough, they’ll figure it out. So you need to plan for that and put in place security measures that are layered so you do have some security even if James Bond walks in through the front door,” he said.
Roemer added that the situation is only going to get worse, especially with people now sitting around trying to figure out how to hack into somebody’s car, “that’s pretty significant.”
“There are some really smart people out there, whether they are well motivated, well paid or very bored, they’re going to do very creative and incredible things with technology and often times very destructive things as well,” he said.
Previous installment: Time to get serious about BYOD