Mobile Device Security: A TechStone Soft White Paper

915 Highland Pointe Dr., Suite 250, Roseville, CA 95678
Phone: (916) 724-5301
Fax: (916) 724-5303
http://www.mobiwee.com/

By: Amira Samaha, Marketing Director


Contents

• Introduction
• Trends in Mobile Security
• The MobiWee Solution
• Implementation
• Company Information

Introduction: A brief case for an end-to-end mobile device security solution.

Trends in Mobile Security & Key Players in Mobile Security: An overview of common use-cases for mobile device security and their current solutions.

The MobiWee Solution: A brief overview of the common pain points associated with mobile information management.

Implementation: The MobiWee suite of security services in detail.

Company Information: More about TechStone Soft.

Mobile Device Security

There are many ways to approach mobile security, and in this white paper we will endeavor to explore each aspect, its current technology and key players, and ultimately form an end-to-end solution that encapsulates these factors.

Location services help establish whether the phone is simply misplaced rather than lost or stolen, potentially saving the user time, resources, and in some cases unnecessary worry for their employer.

In the case of sensitive information on the device, there are two vulnerabilities to consider: authentication and the sensitive data itself. While crucial for ensuring security, authentication straddles the line between tedious and practical. When choosing an authentication method, the importance of simplicity cannot be stressed enough. The process must require minimal user input yet provide DNA-match accuracy in return.

In the event of an authentication breach, the data itself is often secured by means of encryption. In this case, the user’s information is rendered unreadable to anyone without the PIN code that serves as a key to decrypt the device. While this is likely the most thorough form of data security, it renders the data unsearchable to third-party tools and devices that do not use security native to the OS. While this may not be a drawback for those who do not intend to use the data on a daily basis, doctors, lawyers, and other professionals who habitually access sensitive data find this limiting and often choose to leave their device unencrypted for the sake of practicality.

Ideally, the option to encrypt would be most favorable after a loss or theft, so as to give the proper authorities the necessary time to locate and retrieve the device. Unfortunately, this straightforward solution carries no direct consequence for the respective IT department in the event of data loss. Even with corporate policies enforcing after-loss encryption, the lack of IT department motivation is often transferred to the IT-uneducated employee, who remains ignorant of the encryption remedy. Rather than implementing costly employee seminars or relying on an unmotivated IT department, the ideal resolution would include a simple yet effective remote encryption method that the employee would administer in lieu of an IT department.

If a device is determined to be lost or stolen with no hope of recovery, it becomes a veritable treasure trove of sensitive data that could put clients, employees, corporations, and countless others at risk. Social Security numbers, payroll data, and other sensitive information are instantly made vulnerable to identity theft and fraud, in addition to the resulting hostile publicity that would be associated with any corporation that allowed such a folly. Unfortunately, this is a commonplace incident, and the first to hear of such an event are often the clients, who become disillusioned at best. The best recourse under the circumstances would be to simply wipe the device, alleviating concerns all around. Even when such a solution exists free of charge, it is often difficult to carry out, relying on a carrier, manufacturer, or advanced user knowledge. Ideally, the owner of the mobile device would have the means to remotely wipe their mobile device with minimal effort or product knowledge (such as the device IMEI).

For prosumers and employers alike, access to (often live) company data is integral to any mobile security policy. Most corporate and educational institutions employ a digital signature that binds a public key to an identity; this is called a certificate.
The setup associated with a certificate often requires a dedicated IT staff or advanced knowledge of the mobile device, limiting the scope of such a solution. While laptops are ubiquitous and relatively invariable, other mobile devices such as smartphones often require a unique skill set (each phone has a slightly different UI), and IT support is often requested to carry out proper configuration. The capability to easily import and export certificates directly to the employee’s phone would eliminate costly IT assistance and assure proper configuration.

Additional measures that would drastically boost security, such as smartcards, one-time password (OTP) devices, and the like, are generally under-utilized due to budgetary constraints and the simple lack of a legal requirement (unlike in the military and other government institutions). Typically, these multifactor authentication methods require additional physical devices, software, drivers, and an IT department trained to troubleshoot the security system and its interaction with other programs and tools. Even with these provisions, employees often undermine security measures for the sake of expediency by permanently gluing their smartcard into their computer or pasting the key code to their OTP device on the device itself.

Ideally, any multifactor authentication standard would forgo a costly physical device yet deliver the same security. Some two-factor authentication methods have been created for just this purpose, requiring a username and password (first factor) and then calling the user and asking the user to dial a number or unique pass code. This authenticates the user and the device, operating on the assumption that whoever has found or stolen the device does not know the username and password. Unfortunately, many find the username and password to be a nuisance and simply leave their device logged in, eliminating a significant portion of its functionality.

To eliminate any user interference, offer maximum security, and realistically address business continuity, a digital badge in lieu of more complex solutions would be ideal. A digital badge is easy to provision and install, and can be linked back to corporate infrastructure such as Active Directory/LDAP (which also ensures that access is no longer granted to former employees).

These remedies, while useful in their own right, offer a disjointed and independently lacking solution. As the proverb goes, “a chain is as strong as its weakest link,” and a collection of disjointed remedies does not always create a comprehensive, end-to-end solution. To create a comprehensive, end-to-end solution, two issues must be addressed: the components and their individual merit, and how well they interact with one another. For example, an authentication system might not allow for remote certificates to be installed. When these issues arise, many solutions lack the technical support or knowledge to address such compatibility issues. For this reason, it is important to consider how the programs or solutions interact with one another before implementing a security system.

The much simpler, more cost-effective solution is simply to look for a preconfigured security suite that offers all of the above security components. That’s where MobiWee comes in: unlike other solutions, MobiWee addresses all of the above issues to provide a complete, preconfigured, end-to-end solution that is at once cost-effective and easy to use.


The MobiWee suite of cloud services (www.mobiwee.com) is the user-centric solution to the most common pain points associated with mobile information management:

• Traditional syncing tethers users to their computer

o MobiWee provides OTA/cloud collaboration from any PC, Mac, or mobile device.

• Mobilizing data is risky

o MobiWee secures sensitive data with remote lock/wipe, remote data encryption (using the native OS security), remote certificate export/installation, and remote device location services, even when the mobile device is lost, stolen, or the SIM card has been replaced.

• Business continuity

o MobiWee is non-intrusive and easy to use; business continuity is not put at risk with complex security that is impossible to implement when away from the office.

    • Example: When a VP/Manager is away on a business trip and the Smartcard/OTP device is wiped, troubleshooting is impossible without an IT department.

    • MobiWee remote certificates can be implemented worldwide, through the IT department or self-service.

• High Cost for Services and Support

o MobiWee reduces costs by utilizing a scalable cloud computing model (host servers do not require regular maintenance or a dedicated IT staff).

• Usability & User Experience

o MobiWee offers compelling services that require little to no technical expertise to personalize, collaborate, and secure mobile devices.

Users have the freedom to remotely access, back up, sync, and secure their phone over the 3GSM or Wi-Fi network, no matter what phone, operating system, or computer the user is running (currently running on Windows 6.0 & higher with Android, Symbian, iPhone, Palm Pre, and Blackberry on the way).

MobiWee allows users to remotely locate their lost or stolen phone, forward it to any number, retrieve any data, media, or contact list, then lock, wipe, encrypt, or delete certificates (for prosumers), even if the SIM card has been replaced.

MobiWee also reduces the hassle of phone upgrades by facilitating Exchange and POP3/IMAP email configuration. With one click on the email icon, MobiWee sends your email settings to your device over the 3G or Wi-Fi network.


Location Service:

Whether on the bus, at the airport, or simply left at work, with the mobile device location service, you’re never left guessing. If your mobile device is out of range, the MobiWee location service will keep trying until it finds it.

Multifactor Authentication:

MobiWee can provide automated, customized multiform authentication using a variety of credentials that require little to no user contribution.

Remote Encryption/Decryption:

Ensure your sensitive information is protected against data breaches. MobiWee Encryption/Decryption services ensure that your data is safeguarded, on and off your corporate network. Encrypt your Smartphone from the MobiWee website before or after you lose it.


Remote Lock/Wipe:

Defend yourself against identity theft with the remote lock/wipe service, no matter where you left your phone. Just log in to MobiWee.com and click to lock or reset your device and external memory to factory settings from any computer.

Remote Certificate/Digital Badge:

Take the work out of security while securing your work by exporting and installing certificates remotely from any PC. With MobiWee, your identity is verified every time, from any mobile device, PC, or Mac.


About the Company:

TechStone Soft was established with a vision to serve global business and technology needs. We provide a sophisticated suite of solutions for achieving superior business results and enable our clients to rapidly lead technology markets and enhance customer services and experience.

Our applications portfolio includes automation solutions which have the ability to extend enterprise capabilities beyond boundaries through state-of-the-art technology collaboration. TechStone also has a workflow collaboration framework that can enable customers to have full control of their personal devices and the data stored and accessed within these devices.

TechStone Soft, 915 Highland Pointe Dr., Suite 250, Roseville, CA 95678. Phone: (916) 724-5301. Fax: (916) 724-5303.