Keeping Your Boat Afloat with a Cloud Access Security Broker

By Prasidh Srikanth, Senior Product Manager, Bitglass

If you were on a sinking ship that was full of holes of various sizes, which ones would you patch first? Probably the big ones. Now consider this: as an enterprise, you have been successfully sailing and securing your corporate data on premises for some time. Now you are migrating to the cloud, looking for increased productivity, collaboration, and cost savings. In this new ocean, organizations must decide how to prioritize security concerns so that they can prevent data leakage.

There are two schools of thought on how organizations should accomplish this. The first entails beginning by securing your most-used SaaS apps (Office 365, Box, G Suite, Slack, et cetera). This is ideally done through a multimode cloud access security broker (CASB) that secures data access in real time via proxy and secures data at rest in the cloud through API integrations. As these major apps are the primary locations to which your data is flowing, they are your first responsibility to address.

From there, a shadow IT discovery tool can be used to identify the other, less frequently used SaaS apps that employees are accessing. When these uncommon, less widely known apps are discovered, you may then choose to perform policy-based remediations; for example, coaching users to sanctioned alternatives, making shadow IT apps read only, or blocking access altogether. In this way, the larger security gaps are addressed before the smaller ones, meaning that your boat is successfully patched and gets to sail onward.
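The prioritization described above can be driven from data you already have. The following is an added example, not Bitglass code: it aggregates constructed forward-proxy log lines by application, ranks applications by bytes uploaded (the "big holes" first), and assigns one of the remediation actions the article names. The log format, the app catalog and the volume thresholds are assumptions made for the illustration.

```python
"""Rank SaaS apps seen in proxy logs by outbound volume and assign a policy action.
Added example, not a CASB product's code. The log lines, the catalog and the
thresholds below are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy log sample: timestamp, user, URL, bytes sent by the client.
SAMPLE_LOG = """\
2018-03-01T09:00:01Z alice https://outlook.office365.com/owa/ 1048576
2018-03-01T09:02:11Z bob https://app.box.com/folder/123 52428800
2018-03-01T09:05:40Z carol https://drive.google.com/drive/u/0/ 20971520
2018-03-01T09:07:02Z alice https://files.example-shares.net/upload 15728640
2018-03-01T09:09:13Z dave https://slack.com/api/files.upload 2097152
2018-03-01T09:11:55Z erin https://pastebin.com/post 4096
2018-03-01T09:14:30Z bob https://files.example-shares.net/upload 31457280
"""

# Constructed catalog: hostname suffix -> (app name, sanctioned?). Unknown hosts are shadow IT.
CATALOG = {
    "office365.com": ("Office 365", True),
    "box.com": ("Box", True),
    "google.com": ("G Suite", True),
    "slack.com": ("Slack", True),
    "example-shares.net": ("ExampleShares", False),
    "pastebin.com": ("Pastebin", False),
}

# Constructed thresholds for shadow-IT remediation tiers.
COACH_THRESHOLD = 10 * 1024 * 1024      # >= 10 MiB uploaded: coach users to a sanctioned app
READ_ONLY_THRESHOLD = 1024 * 1024       # >= 1 MiB: allow read-only access while migrating


def classify_host(host):
    """Map a hostname to (app, sanctioned); the longest matching catalog suffix wins."""
    for suffix in sorted(CATALOG, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return CATALOG[suffix]
    return (host, False)   # unknown host: treat as an unsanctioned app named after itself


def parse_line(line):
    ts, user, url, nbytes = line.split()
    return ts, user, urlsplit(url).hostname or "", int(nbytes)


def rank_apps(log_text):
    """Aggregate the log per app and return records sorted by bytes uploaded, largest first."""
    agg = defaultdict(lambda: {"bytes_out": 0, "users": set(), "sanctioned": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, host, nbytes = parse_line(line)
        app, sanctioned = classify_host(host)
        agg[app]["bytes_out"] += nbytes
        agg[app]["users"].add(user)
        agg[app]["sanctioned"] = sanctioned
    ranked = [{"app": app, "bytes_out": r["bytes_out"], "users": len(r["users"]),
               "sanctioned": r["sanctioned"]} for app, r in agg.items()]
    ranked.sort(key=lambda r: r["bytes_out"], reverse=True)
    return ranked


def policy_for(record):
    """Sanctioned apps get proxy + API protection; shadow IT is coached, made read-only
    or blocked depending on how much data is already flowing to it."""
    if record["sanctioned"]:
        return "protect"
    if record["bytes_out"] >= COACH_THRESHOLD:
        return "coach"
    if record["bytes_out"] >= READ_ONLY_THRESHOLD:
        return "read_only"
    return "block"


def remediation_plan(log_text):
    """Ordered list of (app, bytes_out, action): the biggest holes come first."""
    return [(r["app"], r["bytes_out"], policy_for(r)) for r in rank_apps(log_text)]


if __name__ == "__main__":
    for app, nbytes, action in remediation_plan(SAMPLE_LOG):
        print(f"{app:<15} {nbytes:>12} {action}")
```

In the sample, Box and the unsanctioned ExampleShares carry almost all of the upload volume and land at the top of the plan, while Pastebin, with a few kilobytes, is simply blocked.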

The other approach to cloud security says that organizations should perform shadow IT discovery before they begin to secure major SaaS applications and enforce data protection policies. In other words, you have to identify everything before you can begin securing anything. With this approach, you start by hunting down every minuscule security gap before beginning to address the apps that represent the largest data leakage threats, meaning that your boat is allowed to take on water.

Gaining insight into SaaS app usage is helpful for the enterprise; however, there’s a handful of apps that act as the gateway to your cloud journey. Addressing these commonly used applications first is the right way to secure your cloud migration. Once you have your bases covered in this way, you can further strengthen your security posture by performing shadow IT discovery and securing the other apps that represent the metaphorical small holes in your boat. With this measured and methodical security approach, you can confidently continue to transform your business and sail into the cloud.

How to Do the Impossible and Secure BYOD

By Will Houcheime, Product Marketing Manager, Bitglass

The use of cloud tools in the enterprise is becoming increasingly common, enabling employees to collaborate and work efficiently. On top of this, when employees are allowed to work from their personal devices (known as bring your own device, or BYOD), it becomes even easier for them to share information and complete tasks. However, BYOD also makes it more difficult for businesses to oversee and protect the flow of corporate data. In light of this, Bitglass surveyed IT experts to learn what organizations are doing to secure BYOD.

According to the report, 85 percent of organizations enable BYOD, making those that do not grant personal device access the minority. Additionally, BYOD is no longer limited to employees’ personal devices – data is also being accessed by contractors, partners, customers, and suppliers on their own private endpoints. As such, adopting a security solution built for BYOD (like an agentless cloud access security broker) is imperative for any organization seeking comprehensive data and threat protection. While companies are quick to enable BYOD because of its numerous benefits, failing to do so securely will inevitably leave the enterprise exposed to a variety of threats.

Despite the many reasons to adopt BYOD, a handful of companies still refuse to do so. Our survey shows that the primary reason is uncertainty over the ability to protect data flowing to personal devices. Employees typically reject the agent-based security tools (MDM, MAM, etc.) that organizations try to install on their personal devices, because agents can invade their privacy and harm their user experience. Our advice: look for an agentless CASB that gives organizations comprehensive visibility and control over their data, even when it is being accessed from personal devices.

In Mission Impossible: Securing BYOD, learn why companies are adopting BYOD, how they are securing it, and much more.

Australia’s First OAIC Breach Forecasts Grim GDPR Outcome

By Rich Campagna, Chief Marketing Officer, Bitglass

The first breach notified under the Office of the Australian Information Commissioner's (OAIC) Privacy Amendment (Notifiable Data Breaches) Act was made public on March 16. While this breach means bad press for the offending party, shipping company Svitzer Australia, more frightening is the grim outcome it forecasts for organizations subject to the GDPR, which comes into force on May 25, 2018.

In the Svitzer case, 60,000 emails containing sensitive personal information on more than 400 employees were "auto-forwarded" to external accounts, a not uncommon way for employees to "get access" to their work email from outside the office. The details of why these auto-forwarding rules were set up, and whether the intent was malicious or benign, have not been made public; in many cases, though, the objective is to avoid IT management of the user's device while still gaining access to sensitive data.

Another common scheme for bypassing unwanted IT controls is to share one's cloud file-sharing drive with a personal email account. Both of these challenges are readily addressed with Cloud Access Security Brokers (CASBs), which can secure employee devices without taking management control (removing the incentive for auto-forwarding) and control the flow of data into and out of cloud apps (including external sharing control).
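Both patterns, mailbox rules that forward to outside addresses and drive shares granted to personal mailboxes, can be audited from the tenant's own configuration exports. The following is an added example, not a CASB product's code: it flags enabled forwarding rules whose targets are outside the corporate domain and share grants to external grantees, rating shares to consumer mail domains higher. The corporate domain, the personal-mail domain list, the record shapes and the sample rules and shares are all constructed for the illustration.

```python
"""Audit mailbox forwarding rules and cloud-drive share grants for leakage to external
accounts. Added example, not a vendor's code; domains, record formats and samples are
constructed."""
import re
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com"}                                    # constructed
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}  # constructed


def domain_of(address):
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip().lower())
    if not m:
        raise ValueError(f"not an e-mail address: {address!r}")
    return m.group(1)


def is_external(address):
    """True unless the address is in a corporate domain or one of its subdomains."""
    d = domain_of(address)
    return not any(d == c or d.endswith("." + c) for c in CORPORATE_DOMAINS)


@dataclass
class MailRule:
    owner: str
    name: str
    forward_to: list      # addresses the rule forwards or redirects to
    enabled: bool = True


@dataclass
class ShareGrant:
    owner: str
    path: str
    grantee: str          # address the file or folder is shared with
    role: str             # "viewer" or "editor"


def audit_mail_rules(rules):
    """Flag enabled rules with at least one external target. A rule that forwards
    only externally (no internal copy) is the Svitzer-style pattern and rates high."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        ext = [a for a in r.forward_to if is_external(a)]
        if ext:
            only_external = len(ext) == len(r.forward_to)
            findings.append({"owner": r.owner, "rule": r.name, "external": ext,
                             "severity": "high" if only_external else "medium"})
    return findings


def audit_shares(grants):
    """Flag shares to external grantees; a personal mailbox as grantee rates high,
    another organisation's domain is left at low severity for review."""
    findings = []
    for g in grants:
        if not is_external(g.grantee):
            continue
        personal = domain_of(g.grantee) in PERSONAL_MAIL_DOMAINS
        findings.append({"owner": g.owner, "path": g.path, "grantee": g.grantee,
                         "role": g.role, "severity": "high" if personal else "low"})
    return findings


# Constructed samples.
SAMPLE_RULES = [
    MailRule("alice@example.com", "Forward all", ["alice.home@gmail.com"]),
    MailRule("bob@example.com", "CC legal", ["legal@example.com"]),
    MailRule("carol@example.com", "Old rule", ["carol@yahoo.com"], enabled=False),
    MailRule("dave@example.com", "Vendor copy", ["dave@example.com", "ops@partner.example.net"]),
]
SAMPLE_SHARES = [
    ShareGrant("alice@example.com", "/Finance/Q1-forecast.xlsx", "alice.home@gmail.com", "editor"),
    ShareGrant("bob@example.com", "/Eng/design.docx", "erin@example.com", "viewer"),
    ShareGrant("bob@example.com", "/Eng/sow.pdf", "pm@partner.example.net", "viewer"),
]

if __name__ == "__main__":
    for f in audit_mail_rules(SAMPLE_RULES) + audit_shares(SAMPLE_SHARES):
        print(f)
```

Note that the check is on the domain, not on a blocklist: a share to a partner's domain is still external and still surfaces, just at a lower severity, which is the right default when the policy question is "who outside the company can read this" rather than "is this a known bad address".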

The outcome in this case is bad press for Svitzer, causing loss of goodwill and perhaps some customers. It could have been worse, however. Under the Australian scheme, when the OAIC is notified of the breach, which Svitzer has apparently done, the breach is made public but there are no direct financial penalties. Had Svitzer not notified, it would have been subject to fines of "up to $1.8 million": penalties start with public apologies and compensation payments to the victims, with continued non-notification ratcheting up fines to that maximum.

What does all of this have to do with the GDPR? Simple. With the enforcement deadline approaching, some organizations are scrambling to reach compliance while others are taking a wait-and-see approach. Once we pass the deadline, there will be companies with similarly simple issues that suffer a breach. The difference is in the penalties. Rather than starting with apologies and victim compensation, the GDPR carries penalties of up to €20 million or 4% of annual global turnover, whichever is greater. Depending on the size and health of the organization, penalties like this could be terminal.

My prediction? We’ll quickly see the first examples, like Svitzer, and before the end of 2018, we’ll see the first bankruptcy as a result of GDPR fines and loss of business.

Too Many Employees Ignore BYOD Security

By Nina Seth, Accellion

Considering the risks that BYOD mobile activity can pose to enterprises, CIOs have a right to be dismayed by two recent surveys showing just how little some employees care about protecting data on mobile devices.

A recent survey by Centrify found that:

  • 43% have accessed sensitive corporate data on an unsecured public network.
  • 15% have had their personal account or password compromised.
  • 15% believe they have little or no responsibility to protect the data stored on their personal devices.

Imagine 150 employees of a 1,000-person company casually using public Wi-Fi hotspots and installing consumer file-sharing services and other risky apps. While they may not be concerned about protecting the corporate data on their devices, a single breach could cost the organization millions of dollars.

A separate survey conducted by Absolute Software found that:

  • 25% of employees in industries such as banking, energy, healthcare, and retail feel that it’s not their problem if they accidentally leak confidential data.
  • About 33% of employees who had lost their phones did not change their habits afterwards.
  • 59% of employees estimated the value of the corporate data on their phones to be less than $500.

Employees are far too sanguine about the value of corporate data: even 50KB of the right data can be worth a lot more than $500. A study of data breach costs by the Ponemon Institute and Symantec found that the cost of a single breached healthcare record in 2013 was $233, not counting any additional costs from penalties imposed by the HHS and the FTC. Across all industries, the cost of a single breached record in the U.S. was estimated at $188.

Leaking confidential data such as product plans or partner contracts can erode an organization’s competitive advantage, costing potentially millions of dollars. Clearly, employees need to be reminded about the true value and costs associated with corporate data.

Knowing that many employees are lackadaisical about data security, CIOs should invest in mobile security solutions that do not rely on end users following best practices or being security-minded. A mobile security solution that keeps corporate data separate from personal data is a crucial choice for enterprises, especially when employees are casual, if not careless, about data security and compliance.

How secure is Mobile Device Management anyway?

Researchers have successfully breached the Good Technology container. MDM software can only be as secure as the underlying operating system.

As the adoption of smartphones and tablets grows, one of the biggest challenges facing corporate IT organizations is not the threat of losing the device, which is likely owned by the employee, but the threat of a targeted attack stealing sensitive corporate data stored on it. As a first line of defense, an increasing number of companies rely on Mobile Device Management (MDM) software and secure container solutions to secure and manage corporate data accessed from these devices. However, a recent analysis by Lacoon Mobile Security, presented a few weeks ago at the Black Hat conference in Amsterdam, shows that the leading secure container solution, Good Technology, can be breached and corporate email stolen from Apple iOS and Android devices.

Lacoon CEO Michael Shaulov spoke with me about the results of this research and made it clear that no matter what MDM software you deploy, you are in danger: MDM and secure containers depend on the integrity of the host system. "Ask yourself: If the host system is uncompromised, what is the added value? If the host system is in fact compromised, what is the added value? We've been through this movie before", he said, referring to the endpoint management philosophy inherited from the PC era.

In their presentation “Practical Attacks against Mobile Device Management (MDM)”, Michael Shaulov and Daniel Brodie, Security Researcher, explain the details of how they penetrated the Good Technology container to exfiltrate sensitive corporate email – Good Technology did not respond to my request for comment:

Android 4.0.4 device – Samsung Galaxy S3:

1. The attacker creates a "two-stage" application that bypasses the market's malicious-app identification measures, such as Google Bouncer or other mobile application reputation systems, and publishes it on Google Play or another legitimate Android app store. With the two-stage technique the published application looks innocent; once the victim installs it, the app fetches the malicious code, which is only then downloaded.

2. The app exploits a mobile OS vulnerability that allows privilege escalation; for example, the Exynos chipset vulnerability disclosed in December 2012, which affects the drivers used by the camera and multimedia devices.

3. The malware creates a hidden 'suid' binary and uses it for privileged operations, such as reading the device logs, as discussed in the next step. The file is placed in an execute-only directory (mode --x--x--x), which can be traversed but not listed, so the binary remains hidden from most MDM root detectors.

4. The malware watches the 'adb' logs for events. These logs, and the permissions needed to read them, differ between Android versions; note that for Android 4.0 and higher root permissions are required to read them.

5. The malware waits for a log event that signifies that the user is reading an email.

6. The malware dumps the container process's heap through /proc/[pid]/maps and /proc/[pid]/mem. From the dump it can locate the email structure, extract it and send it home, perhaps by uploading it to an innocuous Dropbox account.

Apple iOS 5.1 device – iPhone:

Malware targeting iOS devices needs first to jailbreak the device and then install the container-bypassing software.

1. The attacker installs an application signed with an Enterprise or Developer certificate on the targeted device. This may require physical access, but there are known instances of it being done remotely.

2. The attacker uses a jailbreak exploit in order to inject code into the secure container. The Lacoon researchers used the standard DYLD_INSERT_LIBRARIES technique to load a modified library into the container's process, so that their (signed) dylib is mapped into memory whenever the secure container executes.

3. The attacker removes any trace of the jailbreak.

4. The malware places hooks into the secure container using standard Objective-C hooking mechanisms.

5. The malware is alerted when an email is read and pulls the email from the UI elements of the app.

6. Finally, the malware sends every email displayed on the device to the remote command and control server.

The analysis performed by the Lacoon researchers exposes the security limitation of the secure container approach. Shaulov believes that MDM provides management, not absolute security. It is beneficial to separate business and personal data in a BYOD scenario; its main use cases are selective remote wipe of enterprise content and copy-and-paste prevention.

Secure containers rely on several defense mechanisms to protect corporate data. Generally these include iOS jailbreak and Android root detection, prevention of app installation from third-party markets to protect against malware and, most importantly, data encryption. However, these measures can be bypassed. On one hand there is a very active community involved in jailbreaking and rooting efforts. On the other hand the jailbreak and root detection mechanisms are quite limited; see for example xCon, a free iOS tweak that defeats jailbreak detection. Usually the checks look only for artifacts that signify an already jailbroken or rooted device, for example the presence of Cydia, the package manager used to install third-party iOS software not approved by Apple, or the su binary used on Android to allow privileged operations. More importantly, there is no detection of exploitation itself. So even if the secure container recognizes a jailbroken or rooted device, there is no technique to detect the actual privilege escalation as it happens.

MDM software and secure containers are supposed to detect jailbroken iOS and rooted Android devices, but "they are dependent on the underlying operating system sandbox, which can be bypassed", Shaulov says.

MDM not so secure after all

Sebastien Andrivet, co-founder and director of ADVTOOLS, took a different approach to auditing the security of MDM products and performed a thorough analysis of the server components, such as the administrative console, and their communications with the mobile devices. I met Andrivet in London at the Mobile and Smart Device Security Conference 2012, where he presented the alarming results of his research. Among other things, Andrivet found persistent cross-site scripting and cross-site request forgery vulnerabilities in two leading MDM solutions; he would not publicly disclose the names of these products, but I saw the screenshots of the trace logs and spotted some of the leading brands mentioned in the Lacoon report.

Andrivet openly stated that, despite being marketed as security tools, MDM products are not "security products" and in fact not so secure after all. However, he is also a bit skeptical about the significance of the findings of the Lacoon research. "Frankly, it is not so easy to penetrate these products, especially on iOS", says Andrivet. For example, to break into the Good container in the way described above, you need physical access to the device and the password. With an iPhone 4, it is still possible to break a 4-digit passcode, but it is not currently feasible to do the same with the iPhone 4S and iPhone 5. Andrivet also observes that it is true that it is possible to repackage an existing iOS application and sign it with your own enterprise certificate, but to install it on the device the victim will have to explicitly accept the installation of the certificate and then of the application itself. With social engineering this might be possible, but it is definitely not easy. Andrivet points out that the Lacoon researchers have not broken the secure container encryption; they found the information in the clear somewhere else, i.e. in memory. What is important is that they found a way to get the data. How they did it (breaking the secure container or not) is not so important: they "breached" the container, even if they didn't "break" it.

The truth is that MDM products, like any other piece of software, suffer from real security vulnerabilities. But the Lacoon research is making headlines based on old versions of these products. "The risk is to provide misleading information", warns Andrivet. In fact, even military-grade spyphone products like FinFisher cannot infiltrate the most recent devices such as the iPhone 4S or 5; it is far easier to attack an Android device than an iOS one.

MDM is no silver bullet

Mobile security is a complex topic, and there is no silver bullet. This is true of security in general and mobile is no different, says Ojas Rege, Vice President Strategy at MobileIron, one of the leading MDM products mentioned in the research above. The challenge many organizations face is that they compromise user experience in the name of security. For mobile, that is the kiss of death, because users will not accept a compromised experience.

The key is to divide the problem in two: reducing the risk of data loss from well-intentioned users and reducing the risk of malicious attack, continues Rege. The former means, for example, giving users a compelling but secure way to share files instead of consumer-grade services such as Dropbox. The latter is what this research is really about. MDM is important as a baseline, but a full security program is going to require a great deal of education as well. "Jailbreak/rooting is a cat and mouse game", according to Rege. The reality is that these devices will always have personal use, no matter who owns them, so the chances of malicious software making its way onto the device are high. The level of sandbox security built into the core OS is a key determiner of what other protections might be needed and what the resulting risk might actually be.

The point about MDM not offering absolute security is a bit cavalier, according to David Lingenfelter, Information Security Officer at Fiberlink, another leading MDM product mentioned in the Lacoon research. Anybody in the security community who is touting or expecting absolute security has missed the point; cybercriminals only have to be right once. While targeted attacks are definitely a reality, containers are designed for more than just stopping a targeted attack. They help with data leak prevention, blocking users from "accidentally" distributing corporate information through their personal apps.

For better or worse, corporate IT still has to work within the confines of a world dominated by compliance. Adding controls around corporate information by using containers helps risk and compliance teams show their auditors that they are taking what is in essence a consumer-grade device and adding corporate-level processes to it, continues Lingenfelter.

Infection is inevitable

The lesson learned from trying to secure traditional endpoints may be applied here. The general consensus among the security community is that controls on endpoints are not sufficient anymore to protect from targeted attacks. We can expect the same in the mobile world.

"Infection is inevitable", continues Shaulov. As demonstrated by the Lacoon research, MDM and secure containers do not and cannot provide absolute security. They are certainly useful tools for separating business and personal data, and as such they should be part of the baseline of a multi-layered approach. Quoting an RSA report, Shaulov argues that "mitigating the effects of malware on corporate data, rather than trying to keep malware off a device entirely, may be a better strategy".

This new approach requires thinking outside the box, and the industry is now starting to wake up to the challenge and look at the network level for threat mitigation. For example, solutions like FireEye, Damballa, Fidelis and Check Point, just to name a few, can look at different network parameters and aberrant behavior to detect a compromised device in the process of exfiltrating data. Parameters may include traffic to well-known C&C servers, heuristic behavioral analysis that flags abnormal behavior, sequences of events, and data intrusion detection.
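What "network parameters and aberrant behavior" means in practice is shown by the following added example, which is not code from any of the vendors named above. It runs three of the signals mentioned over constructed NetFlow-style records from three mobile devices: a match against a C&C watchlist, a beaconing check (near-constant interval between connections to one destination, the signature of a timer-driven implant such as the one that "sends home" every email), and a bulk-upload check for the Dropbox-style exfiltration described in the Android walkthrough. The watchlist, thresholds, addresses (from the TEST-NET documentation ranges) and flow records are all assumptions made for the illustration.

```python
"""Flag devices that look like they are beaconing to C&C or exfiltrating data, from
constructed NetFlow-style records. Added example, not a vendor's code; the watchlist,
thresholds, addresses and flows are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_C2 = {"203.0.113.7"}                   # constructed watchlist (TEST-NET-3 address)
BEACON_MIN_FLOWS = 6                          # need enough samples to judge regularity
BEACON_MAX_CV = 0.15                          # pstdev/mean of gaps; a timer has tiny jitter
UPLOAD_LIMIT_BYTES = 50 * 1024 * 1024         # per (device, destination) over the window

# Constructed flow sample, one flow per line: epoch_seconds src_ip dst_ip dst_port bytes_out
#  10.0.0.5 -> 203.0.113.7     : small, ~300 s apart (implant check-ins)
#  10.0.0.6 -> 198.51.100.20   : three 20 MiB uploads (bulk exfiltration to a file-sharing host)
#  10.0.0.7 -> 192.0.2.10      : ordinary irregular browsing
SAMPLE_FLOWS = """\
1520000000 10.0.0.5 203.0.113.7 443 512
1520000301 10.0.0.5 203.0.113.7 443 498
1520000598 10.0.0.5 203.0.113.7 443 517
1520000902 10.0.0.5 203.0.113.7 443 505
1520001199 10.0.0.5 203.0.113.7 443 511
1520001501 10.0.0.5 203.0.113.7 443 502
1520001800 10.0.0.5 203.0.113.7 443 509
1520002101 10.0.0.5 203.0.113.7 443 503
1520000900 10.0.0.6 198.51.100.20 443 20971520
1520000960 10.0.0.6 198.51.100.20 443 20971520
1520001030 10.0.0.6 198.51.100.20 443 20971520
1520001000 10.0.0.7 192.0.2.10 443 8192
1520001005 10.0.0.7 192.0.2.10 443 4096
1520001125 10.0.0.7 192.0.2.10 443 12288
1520001132 10.0.0.7 192.0.2.10 443 2048
1520002032 10.0.0.7 192.0.2.10 443 65536
1520002062 10.0.0.7 192.0.2.10 443 1024
1520002122 10.0.0.7 192.0.2.10 443 3072
"""


def parse_flows(text):
    """Parse the one-line-per-flow format above into sorted (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return sorted(flows)


def beacon_cv(times):
    """Coefficient of variation of the inter-flow gaps; small means metronomic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else float("inf")


def detect(flows):
    """Return (src, dst, reason) alerts for each (device, destination) pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), recs in by_pair.items():
        times = [t for t, _ in recs]
        if dst in KNOWN_C2:
            alerts.append((src, dst, "known_c2"))
        if len(times) >= BEACON_MIN_FLOWS and beacon_cv(times) <= BEACON_MAX_CV:
            alerts.append((src, dst, "beaconing"))
        if sum(n for _, n in recs) >= UPLOAD_LIMIT_BYTES:
            alerts.append((src, dst, "bulk_upload"))
    return alerts


if __name__ == "__main__":
    for src, dst, reason in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{src:<10} -> {dst:<15} {reason}")
```

The beaconing check is the one that survives a change of C&C address: a watchlist catches only what is already known, whereas a check-in every 300 seconds with two or three seconds of jitter looks the same whatever host it goes to. Real deployments tune the window and thresholds per device population and whitelist legitimate pollers (mail sync, MDM check-ins themselves) before this fires cleanly.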

Lingenfelter agrees that the approach to security has been, and needs to remain, one of layers. However, he warns that while technologies based on heuristic monitoring and detection of malicious activity have come a long way, they too are far from absolute security. Companies have to realize that most mobile technology has been designed for consumers. It has the security focus of consumer devices and applications, which is to make things as easy for the end user as possible. To say that there is going to be one single technology or approach that changes this and gives these devices the security level of corporate devices is reckless. The true objective of mobile device security and management is to add as much security as possible, in layers, without a significant impact on the end-user experience.

Have you deployed MDM to your mobile users? Do you trust mobile secure containers with your corporate data? How confident are you that your CEO’s iPhone is not jailbroken – or that it never was? Can you detect a compromised tablet spying on your company’s next board meeting?

About the Author

Cesare Garlati is one of the most quoted and sought‐after thought leaders in the enterprise mobility space. Former Vice President of Mobile Security at Trend Micro, Cesare currently serves as Co‐Chair of the CSA Mobile Working Group – Cloud Security Alliance. Prior to Trend Micro, Mr. Garlati held director positions within leading mobility companies such as iPass, Smith Micro Software and WaveMarket. Prior to this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E‐Business Suite.

Cesare has been frequently quoted in the press, including such media outlets as The Economist, Financial Times, The Register, The Guardian, ZDNet, SC Magazine, Computing and CBS News. An accomplished public speaker, Cesare has also delivered presentations and featured talks at many events, including the Mobile World Congress, Gartner Security Summits, IDC CIO Forums, CTIA Applications, CSA Congress and RSA Conferences.

Cesare holds a Berkeley MBA, a BS in Computer Science and numerous professional certifications from Microsoft, Cisco and Sun.

He lives in the Bay Area with his wife and son. Cesare’s interests include consumer electronics in general and mobile technology in particular.