White Paper - Securing Mobile Access to enterprise data
Over recent years, small and large businesses alike have seen the proliferation of mobile applications accessing enterprise data. These applications are either introduced by employees through word of mouth or developed by internal teams without further coordination. This trend is compounded by an increasing push from employees to use their personal mobile devices to access enterprise data. This paper describes the approach AIQ takes to securely manage and protect enterprise data.
SECURITY POSITIONING WHITEPAPER

Introduction

Over recent years, small and large businesses alike have seen the proliferation of mobile applications accessing enterprise data. These applications are either introduced by employees through word of mouth or developed by internal teams without further coordination. This trend is compounded by an increasing push from employees to use their personal mobile devices to access enterprise data.

Analysts agree that businesses should embrace these trends rather than work against them, as they can increase employees' productivity and job satisfaction, ensure a higher quality of service and improve compliance with the regulations in place. In the Forrester report "How Consumerization Drives Innovation", Ted Schadler, vice-president and principal analyst at Forrester Research, confirms: "Allowing employees to use available devices and applications is a key driver to solve new customer and business problems".

However, the availability of enterprise data in the field extends the boundaries of businesses' IT infrastructures and adds risk and strain for IT departments. At Appear we are convinced that businesses will be better equipped to succeed when empowering their employees with devices, applications and data that match their needs. However, it is critical that enterprise data remains carefully managed and secured.

To achieve this, businesses need more than legacy mobile device management (MDM) solutions. Today, businesses need the ability to promptly address the requirements for new mobile solutions, which may be initiated by customers, employees or competitors. This requires an infrastructure to quickly and securely build, integrate and deliver new mobile solutions to market, allowing those businesses to adjust to fast-moving competitive landscapes.

At Appear, we develop the Appear IQ (AIQ) mobility platform, which enables businesses to securely build, integrate and manage enterprise mobile applications. Keeping information secure on mobile devices is critical for any business. Because all data is important, the platform has been built to maintain a high level of security without compromising the user experience. The AIQ platform has been designed with security at its core. This document describes the approach AIQ takes to securely manage and protect enterprise data.

Appear IQ Architecture

The Appear IQ Mobility Platform simplifies the development and management of mobile applications, as well as their integration with enterprise systems. It enhances the creation of secure application portfolios through the following key functionality.

Secure mobile application development

Communication frameworks
The platform offers synchronous and asynchronous frameworks (including data synchronization and messaging) which abstract connectivity and integration challenges. The platform's asynchronous frameworks ensure that the relevant data is securely available on the device, ready for consumption by authorized mobile applications. This guarantees full offline functionality in a secure manner, which is critical for the successful introduction of mobile applications. The platform's synchronous frameworks guarantee that all communications to backend enterprise systems are securely tunnelled through the platform.
Cross-platform applications
The platform simplifies the development of cross-platform[1] applications using a hybrid[2] architecture.

Secure application deployment

User management
The platform integrates with enterprise directory services to authenticate and authorize mobile and back-office users based on corporate policies.

App management
The platform simplifies the approval, distribution and removal of cross-platform mobile applications.

Secure and scalable delivery model
The development and management platforms are normally available as a service using Appear's public or private clouds, which reduces deployment costs and infrastructure investment and reduces update complexity. For customers that require more control, the platform can also be deployed outside the Appear clouds in a more traditional private IT environment.

[1] Cross-platform applications are applications developed once, and available across different operating systems like Android, iOS and Windows Phone. This significantly shortens the development time required to support different devices and manufacturers.
[2] Hybrid applications combine different technologies. At Appear, we enrich cross-platform web applications with additional functionality exposed by the platform or the underlying hardware. This combines the portability of mobile web applications with the performance and functionality of a native layer.

Appear IQ key components

Figure 1 below depicts the key components of the platform.

FIGURE 1 - APPEAR IQ HIGH LEVEL ARCHITECTURE

The key components of the Appear IQ mobility platform are:

Mobility platform
The Mobility Platform offers an administrative console which allows authorized administrative users to manage mobile and back-office users, applications and devices in a secure environment. In addition, it connects mobile applications with enterprise systems by managing data to/from mobile devices and terminating the communication frameworks. It is available as a hosted service, or on-premise.

Integration adapter
The integration adapter (IA) enables the interworking between the AIQ mobility platform and the back-end systems within the organisation's IT infrastructure. It is responsible for securely adjusting the data coming to/from the enterprise systems into a mobile-friendly format, and then distributing it to mobile devices through the Mobility Platform. It is an optional component, typically dedicated to each customer. The integration adapter can be deployed within Appear public and private clouds, as well as in on-premise deployments embedded as an OEM component in software products.

Mobile app container
The mobile app container is a native application installed on mobile devices. It is responsible for securely managing data, applications and policies configured in the Mobility Platform. It also includes a user interface, from which mobile users can access their enterprise application portfolio.

User Authentication and Authorization

Any user that needs to access enterprise data must be authenticated and authorized. The Mobility Platform integrates with enterprise directory services to authenticate mobile and back-office users as well as extract profile information that can be used to define permissions on resources[3] within the deployment. Table 1 below lists the supported directory services.

Supported Directory Service | Notes
Microsoft Active Directory | Windows 2008 Server and later.
Generic LDAP Directory | Support for LDAP v3 directory servers.
Internal Directory | User directory available within the Mobility Platform.
Custom Directory | Developers can develop custom plugins to integrate with other directory services as of Q4 2014.

TABLE 1 - LIST OF SUPPORTED DIRECTORY SERVICES

User authentication and profile extraction
The Mobility Platform can authenticate mobile users against enterprise directory services and extract relevant profile information.
Upon successful authentication, this profile information can be stored in the platform to reduce further administrative work (i.e. user group management, fine-grained permissions management).

User and profile synchronization
The Mobility Platform can be configured to replicate a sub-part of an enterprise directory service in order to reduce administrative work. This allows the pre-loading of mobile and back-office users in the platform prior to their initial enrolment. In this case, user authentication remains delegated to the enterprise directory service.

User authorization
The Mobility Platform allows authorized administrators to define user roles and link them to permissions on system resources. Roles can be assigned to user groups or individual users. Permissions define the accessibility of resources within the deployment.

[3] A resource can be a component, i.e. mobile or administrative user interface; or a functionality, i.e. mobile application or sub-part of the platform's administrative user interface.

Secure Application Management

Over recent years, the consumerization of enterprise mobility has led to a proliferation of new applications that increasingly need to access enterprise data. This is adding tremendous pressure on IT departments to standardize and support new applications, guarantee their compliance and make them easily available to employees.

Mobile application management
The Appear IQ platform includes Mobile Application Management (MAM), which simplifies the unified management of standalone and legacy applications as well as the development and integration of new ones. This provides IT departments with full control over the lifecycle of their chosen applications, avoiding the unreliable, lengthy and distracting approval processes of public consumer app stores.

Role-based application distribution
The platform allows for role-based application distribution. Applications are distributed and made available only to authorized users, defined through the Appear IQ platform. Access is granted to all applications that match the users' assigned roles, either based on their group membership or their individual assignment. From there on, employees no longer need to look for the relevant applications; they are made easily discoverable through the Appear Click&Run technology.

Enabling in-application permissions
Lastly, the platform exposes users' permissions as well as context information to applications, which can adjust their behavior accordingly.

Data Confidentiality and Integrity

For any business, confidentiality and integrity of enterprise data is critical. For that reason, the Appear IQ mobility platform ensures the encryption of the data end to end.

Secure data on devices
Data at rest on the device is sandboxed within the Mobile App Container. All enterprise data and HTML5 applications are managed by the Mobile App Container and held securely in a database residing within it. The Mobile App Container makes sure that enterprise data is available to authorized applications only. The container ensures the isolation of enterprise data and restricts access of HTML5 applications to the subset on which they have rights. The sandbox also ensures that data stored on the file system is not directly accessible to unauthorized applications.

In addition, the Mobile App Container can be configured to add an additional layer of 256-bit AES encryption of the database files. When enabled, cryptographic keys are stored in the operating system's secure KeyChain and KeyStore.

The Mobile App Container makes use of the Address Space Layout Randomization (ASLR) functionality that protects against malicious access to data loaded in memory[4].

Lastly, Mobile App Containers for Android and Windows Phone can be configured to use external storage. In this case, the container can be configured to automatically encrypt data stored at this location. That said, Appear recommends against storing sensitive data on these media.

Secure data in motion
Data in motion between the device and the mobility platform, or between the mobility platform and the backend (possibly represented by the Integration Adapter), is transferred over HTTPS. The Appear IQ Mobility Platform requires by default TLS v1.2 for encrypted communications with both mobile (128-bit key) and backend components (128-bit or 256-bit key).

In addition, the Appear IQ Public and Private clouds can host dedicated JVM-based Integration Adapters (IA) on behalf of businesses. Where the IA requires connectivity with the business's enterprise systems, communications can be encrypted using TLS v1.2. Alternatively, a dedicated SSL tunnel can be established between the IA and the business's datacenter.

Secure data in the platform
The platform allows businesses to keep full control over what data will be stored in the Mobility Platform, and what data shall only securely transit through it. Data at rest in the Mobility Platform is stored in a central database, to which access is restricted to the Mobility Platform at the network level. The central database is provided by our cloud hosting partner. Please refer to the section Cloud Compliance for a list of the certifications and attestations of our hosting partner.

Both the default Appear IQ Public and Private clouds are hosted within the EU zone and fall under EU data privacy regulations. Alternative locations are possible for setting up Appear IQ Private clouds. In addition, when using the Appear IQ Private cloud, businesses can decide to enable SSL encryption between the Mobility Platform and the database.

Lastly, the Appear IQ Mobility Platform is security hardened. Our security experts continuously monitor and address possible security risks found or publicly announced in underlying components.
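The User authorization and Role-based application distribution sections above describe roles assigned to groups or individual users, permissions on resources, and the exposure of those permissions to applications. The following Go program is an added illustration of that model and is not Appear's code; the type names, the "app:<name>" permission convention, the sample directory, roles and application catalogue are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Added example, not Appear's code. It models the role-based authorization
// described in the white paper; every name below is an assumption.

// Permission names an action on a resource, e.g. "app:expenses" (the Expenses
// application is distributed to the user) or "console:users" (manage users in
// the administrative console).
type Permission string

// Role bundles permissions; roles are assigned to groups or to individual users.
type Role struct {
	Name        string
	Permissions []Permission
}

// Directory is the profile information extracted from the enterprise directory
// on login: each user's group memberships.
type Directory map[string][]string // user -> groups

// Policy is what an administrator configures in the Mobility Platform.
type Policy struct {
	Roles      map[string]Role
	GroupRoles map[string][]string // group -> roles
	UserRoles  map[string][]string // user -> roles assigned individually
}

// EffectivePermissions is the union of permissions from roles reached through
// group membership and roles assigned directly to the user.
func (p Policy) EffectivePermissions(dir Directory, user string) map[Permission]bool {
	perms := map[Permission]bool{}
	roleNames := append([]string{}, p.UserRoles[user]...)
	for _, g := range dir[user] {
		roleNames = append(roleNames, p.GroupRoles[g]...)
	}
	for _, rn := range roleNames {
		role, ok := p.Roles[rn]
		if !ok {
			continue // unknown role: grant nothing rather than guess
		}
		for _, perm := range role.Permissions {
			perms[perm] = true
		}
	}
	return perms
}

// Portfolio lists the applications the user may see (role-based distribution):
// an app from the catalogue is visible only if the user holds "app:<name>".
func (p Policy) Portfolio(dir Directory, user string, catalogue []string) []string {
	perms := p.EffectivePermissions(dir, user)
	var visible []string
	for _, app := range catalogue {
		if perms[Permission("app:"+app)] {
			visible = append(visible, app)
		}
	}
	sort.Strings(visible)
	return visible
}

// Can is the in-application check: the platform exposes the user's permissions
// so the application can adjust its behaviour.
func (p Policy) Can(dir Directory, user string, perm Permission) bool {
	return p.EffectivePermissions(dir, user)[perm]
}

// Constructed sample directory, policy and catalogue (not real data).
var sampleDir = Directory{
	"alice": {"field-engineers"},
	"bob":   {"finance", "field-engineers"},
	"carol": {},
}

var samplePolicy = Policy{
	Roles: map[string]Role{
		"engineer": {Name: "engineer", Permissions: []Permission{"app:workorders", "workorder:read"}},
		"approver": {Name: "approver", Permissions: []Permission{"app:expenses", "expense:approve"}},
		"admin":    {Name: "admin", Permissions: []Permission{"console:users", "app:expenses"}},
	},
	GroupRoles: map[string][]string{
		"field-engineers": {"engineer"},
		"finance":         {"approver"},
	},
	UserRoles: map[string][]string{
		"carol": {"admin"}, // individual assignment, no group needed
	},
}

var sampleCatalogue = []string{"expenses", "workorders", "timesheets"}

func main() {
	for _, u := range []string{"alice", "bob", "carol"} {
		fmt.Printf("%s sees %v; can approve expenses: %v\n", u,
			samplePolicy.Portfolio(sampleDir, u, sampleCatalogue),
			samplePolicy.Can(sampleDir, u, "expense:approve"))
	}
}
```

Two points worth noting: an unknown role name in the policy grants nothing, so a typo in an administrator's configuration fails closed rather than open, and "timesheets" never appears in any portfolio because no role grants it, which is exactly how an unapproved application stays invisible under role-based distribution.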
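The Secure data on devices section above says the container can add a layer of 256-bit AES encryption over its database files, with keys held in the operating system's KeyChain or KeyStore. The Go program below is an added illustration of that layer and is not Appear's code: the white paper names AES-256 but not the cipher mode, so AES-GCM is assumed here because it gives integrity as well as confidentiality; the KeyStore type, the key alias, the sample record and the file name used as associated data are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not Appear's code. AES-256 in GCM mode is an assumption:
// the white paper specifies the key size, not the mode.

// KeyStore stands in for the platform KeyChain/KeyStore: the 32-byte key is
// handed out by alias and never written next to the database file.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// GetOrCreate returns the named 256-bit key, generating it on first use.
func (ks *KeyStore) GetOrCreate(alias string) ([]byte, error) {
	if k, ok := ks.keys[alias]; ok {
		return k, nil
	}
	k := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	ks.keys[alias] = k
	return k, nil
}

// Seal encrypts the database bytes. A fresh 12-byte nonce is prepended; aad
// (here the database file name) is authenticated but not encrypted, so a
// ciphertext cannot be silently swapped into a differently named file.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts and verifies; any change to the ciphertext, nonce, aad or key
// makes it fail, which is the integrity property the container relies on.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip runs the lifecycle on a constructed record: seal the database,
// confirm it opens with the right key and aad, and confirm that a single
// flipped bit is rejected. It returns (plaintextRecovered, tamperDetected, err).
func RoundTrip() (bool, bool, error) {
	ks := NewKeyStore()
	key, err := ks.GetOrCreate("container-db")
	if err != nil {
		return false, false, err
	}
	db := []byte("workorder:1001|customer:ACME|status:open") // constructed sample
	aad := []byte("enterprise.db")
	sealed, err := Seal(key, db, aad)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, sealed, aad)
	if err != nil {
		return false, false, err
	}
	tampered := append([]byte{}, sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := Open(key, tampered, aad)
	return bytes.Equal(got, db), tamperErr != nil, nil
}

func main() {
	ok, detected, err := RoundTrip()
	fmt.Println("recovered:", ok, "tamper detected:", detected, "err:", err)
}
```

The design choice to keep the key behind a KeyStore interface mirrors the white paper's point that keys live in the OS KeyChain/KeyStore rather than beside the data: an attacker who copies the database file from the sandbox or from external storage obtains only ciphertext, and any modification of that file is detected on open.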
[4] ASLR is available on all supported iOS devices and on Android devices running Android 4.0 and later.

Cloud Compliance

At the time of writing, the Appear IQ Public and Private Clouds are deployed in Amazon AWS. The default Appear IQ Public and Private clouds are hosted in Ireland. Alternative locations are possible for setting up Appear IQ Private clouds.

The Amazon AWS infrastructure has been designed and is managed in alignment with industry regulations, standards and best practices. Table 2 lists the third-party attestations, reports and certifications that have been officially granted to the infrastructure. Please contact your Appear representative to access the official attestations.

Certification | Notes
HIPAA | For entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA).
SOC 1/SSAE 16/ISAE 3402 (formerly SAS70) | The SOC 1 report audit attests that the control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.
SOC 2 | The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA's Trust Se...