Yesterday it was impossible, but today it is necessary: how to start working remotely and not cause a leak?

Overnight, remote work has become a popular and necessary format. All because of COVID-19. New measures to prevent infection appear every day. Temperatures are being taken in offices, and some companies, including large ones, are moving workers to work remotely to cut losses from downtime and sick days. And in this sense, the IT sector with its experience of distributed teams wins.

We at the Research Institute of SOKB have been organizing remote access to corporate data from mobile devices for several years, and we know that remote work is not a simple matter. Under the cut, we will tell you how our solutions help to securely manage employees' mobile devices and why this matters for remote work.

What does an employee need to work remotely?

A typical set of services that must be reachable remotely for full-fledged work consists of communication services (e-mail, instant messenger), web resources (various portals, for example a service desk or a project management system) and files (electronic document management systems, version control, and so on).

We cannot hope that security threats will wait until we finish fighting the coronavirus. When working remotely, there are safety rules that must be observed even during a pandemic.

Business-critical information cannot simply be sent to an employee's personal e-mail so that he can conveniently read and process it on his personal smartphone. A smartphone can be lost, applications that steal information can be installed on it, and, in the end, the children who are sitting at home because of the same virus can play with it. So the more important the data an employee works with, the better it needs to be protected. And the protection of mobile devices should be no weaker than that of stationary ones.

Why is antivirus and VPN not enough?

For stationary workstations and laptops running Windows, installing an antivirus is a justified and necessary measure. But for mobile devices - not always.

The architecture of Apple devices prevents communication between applications. This limits the possible scale of the consequences of infected software: if a vulnerability in an email client is exploited, then actions cannot go beyond the scope of this email client. At the same time, such a policy reduces the effectiveness of antiviruses. It will no longer be possible to automatically check a file received by mail.

On the Android platform, both viruses and antiviruses have more prospects. However, the question of expediency still arises. To install malware from the app store, the user has to grant it a lot of permissions manually. Attackers get access rights only from those users who allow applications everything indiscriminately. In practice, it is enough to prohibit users from installing applications from unknown sources so that "pills" (cracks) for pirated paid applications do not start "curing" corporate secrets of their confidentiality. But this measure goes beyond the functions of an antivirus and a VPN.

In addition, a VPN and an antivirus cannot control how the user behaves. Logic dictates that at least a password should be set on the user's device (as protection against loss). But the presence of a password and its strength depend only on the user's conscientiousness, which the company cannot influence in any way.

Of course, there are administrative methods. For example, internal regulations under which employees are personally responsible for the absence of passwords on devices, installation of applications from untrusted sources, etc. You can even make all employees sign an amended job description containing these items before they go to work remotely. But let's face it: the company will not be able to check how this instruction is followed in practice. It will be busy with an emergency overhaul of core processes, while employees, despite the adopted policies, will copy confidential documents to their personal Google Drive and share them via a link, because that is the more convenient way to collaborate on a document.

Therefore, the sudden remote work of the office is a test of the stability of the company.

Enterprise Mobility Management

In terms of information security, mobile devices are a threat and a potential security breach. Solutions of the EMM (enterprise mobility management) class are meant to close this gap.

Enterprise mobility management (EMM) includes the functions of managing devices (MDM, mobile device management), their applications (MAM, mobile application management) and content (MCM, mobile content management).

MDM is the necessary "whip". With the help of MDM functions, the administrator can wipe or lock the device if it is lost and set up security policies: the presence and complexity of the password, the prohibition of debugging functions, of installing applications from APK files, etc. These basic features are supported on mobile devices of all manufacturers and platforms. Finer-grained settings, such as preventing the installation of a custom recovery, are only available on devices from certain manufacturers.
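What the "whip" looks like on the device side, as an added illustration that is not SafePhone's code or any vendor's: an Android device policy controller (the on-device MDM agent) enforcing exactly the basic policies listed above through the public DevicePolicyManager API. It assumes the app has already been made device owner during enrollment and that PolicyReceiver is its DeviceAdminReceiver; both are hypothetical names for this example.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/** Added example of an MDM agent's policy enforcement; assumes device-owner privileges. */
public final class BasicMdmPolicies {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public BasicMdmPolicies(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, PolicyReceiver.class); // hypothetical DeviceAdminReceiver
    }

    /** Password presence and complexity are checked by the platform, not left to the user's goodwill. */
    public void requirePassword() {
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);  // lock the screen after 5 idle minutes
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);  // brute force on a lost phone ends in a wipe
    }

    /** The two paths the article singles out: sideloading from APK files and debugging features. */
    public void blockSideloadingAndDebugging() {
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES); // no APK sideloading
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);      // no USB/ADB debugging
    }

    /** True only once the password the user actually set satisfies the policy above. */
    public boolean passwordCompliant() {
        return dpm.isActivePasswordSufficient();
    }

    /** Lost device: lock it immediately; if it is not coming back, factory-reset it. */
    public void handleLostDevice(boolean wipe) {
        dpm.lockNow();
        if (wipe) {
            dpm.wipeData(0);
        }
    }
}
```

The EMM server only sends the command ("lock", "wipe", "apply policy"); the agent translates it into these calls, which is why the same basic set works across manufacturers while manufacturer-specific settings need vendor extensions. On Android 12 and later, setPasswordQuality is deprecated in favour of setRequiredPasswordComplexity, which expresses the same requirement as a complexity level.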

MAM and MCM are the "carrot": the applications and services to which they give access. With sufficient MDM security in place, you can provide secure remote access to corporate resources through applications installed on mobile devices.

At first glance, application management seems to be a purely IT task that boils down to elementary operations like "install an application, configure an application, update an application to a new version or roll it back to a previous one". In fact, security is involved here too. It is necessary not only to install and configure the required applications on devices, but also to protect corporate data from being uploaded to a personal Dropbox or Yandex.Disk.

To separate corporate from personal, modern EMM systems offer to create a container for corporate applications and their data on the device. The user cannot take data out of the container without authorization, so the security service does not need to prohibit "personal" use of the mobile device. On the contrary, this is beneficial for the business: the better a user knows his device, the more effectively he will use the working tools on it.

Let's get back to IT tasks. There are two tasks that cannot be solved without EMM: application rollback and remote configuration. A rollback is needed when the new version of the application does not suit users - it has serious errors or is simply inconvenient. In the case of apps in Google Play and the App Store, rollback is not possible - only the latest version of the app is always available in the store. With active internal development, versions can be released almost every day, and not all of them are stable.

Remote application configuration can also be implemented without EMM. For example, by making different builds of the application for different server addresses, or by saving a settings file in the phone's shared storage so that it can be edited by hand later. All of this happens in practice, but it can hardly be called best practice. Apple and Google, in turn, offer standardized approaches to this problem. It is enough for a developer to embed the required mechanism once, and any EMM will be able to configure the application.
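The standardized mechanism on Android is "managed configurations": the app declares its settings once, and whichever EMM manages the device pushes values for them. Below is an added example (not code from the article or from any EMM) of the app side. The setting names server_url and allow_copy, the default values and the class name are assumptions for this example; the iOS counterpart, not shown, is the managed app configuration dictionary that an MDM places in UserDefaults under the key com.apple.configuration.managed.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;

/** Added example: settings an app exposes for any EMM to configure. Key names are assumed. */
public final class ManagedConfig {
    // The app declares these once in res/xml/app_restrictions.xml, referenced from the manifest by
    // <meta-data android:name="android.content.APP_RESTRICTIONS" android:resource="@xml/app_restrictions"/>
    //   <restriction android:key="server_url" android:restrictionType="string" ... />
    //   <restriction android:key="allow_copy" android:restrictionType="bool" android:defaultValue="false" ... />
    static final String KEY_SERVER_URL = "server_url";
    static final String KEY_ALLOW_COPY = "allow_copy";

    // Safe defaults used when no EMM policy is present (placeholder URL, copying out disabled).
    static final String DEFAULT_SERVER_URL = "https://example.invalid";
    static final boolean DEFAULT_ALLOW_COPY = false;

    public final String serverUrl;
    public final boolean allowCopy;

    private ManagedConfig(String serverUrl, boolean allowCopy) {
        this.serverUrl = serverUrl;
        this.allowCopy = allowCopy;
    }

    /** Read whatever the managing EMM pushed; the bundle is empty when the device is unmanaged. */
    public static ManagedConfig load(Context ctx) {
        RestrictionsManager rm = (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        return fromBundle(rm.getApplicationRestrictions());
    }

    /** Kept separate from the system call so the parsing can be unit-tested with a hand-built Bundle. */
    static ManagedConfig fromBundle(Bundle b) {
        if (b == null || b.isEmpty()) {
            return new ManagedConfig(DEFAULT_SERVER_URL, DEFAULT_ALLOW_COPY);
        }
        String url = b.getString(KEY_SERVER_URL, DEFAULT_SERVER_URL);
        boolean copy = b.getBoolean(KEY_ALLOW_COPY, DEFAULT_ALLOW_COPY);
        return new ManagedConfig(url, copy);
    }

    /** Re-read the policy when the administrator changes it: no rebuild, no manual file edit. */
    public static void watch(Context ctx, Runnable onChange) {
        ctx.registerReceiver(new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent i) {
                onChange.run();
            }
        }, new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }
}
```

The important property is the separation of roles: the developer never learns which EMM is in use, and the EMM never needs a custom build or a writable settings file on shared storage, which is exactly the weakness of the ad hoc approaches described above. The defaults are chosen conservatively (copying out disabled) so that an unmanaged install does not silently become the permissive configuration.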

We bought a zoo!

Not all mobile use cases are created equal. Different categories of users have different tasks, and those tasks need to be solved in their own way. A developer and a financier need different sets of applications and possibly different sets of security policies, because the data they work with differs in sensitivity.

It is not always possible to limit the number of models and manufacturers of mobile devices. On the one hand, it turns out to be cheaper to adopt a corporate standard for mobile devices than to sort out the differences between Android builds from different manufacturers and the quirks of rendering a mobile UI on screens of various sizes. On the other hand, procuring corporate devices during the pandemic is becoming harder, and companies have to allow the use of personal devices. The situation in Russia is further complicated by the presence of national mobile platforms that are not supported by Western EMM solutions.

All this often leads to the fact that instead of one centralized solution for managing corporate mobility, a motley zoo of EMM, MDM, and MAM systems is operated, each of which is served by its own staff according to unique rules.

What are the features in Russia?

In Russia, as in any other country, there is national legislation on information protection, which does not change depending on the epidemiological situation. So, in the state information systems (GIS) the means of protection certified according to security requirements should be used. To meet this requirement, devices accessing GIS data must be managed by certified EMM solutions, such as our SafePhone product.

Long and incomprehensible? Not really

Enterprise-level tools such as EMM are often associated with slow implementation and lengthy pre-project preparation. Right now there is simply no time for this: restrictions due to the virus are introduced quickly, so the switch to remote work has to be just as quick.

In our experience, and we have carried out many SafePhone deployment projects in companies of various sizes, even with on-premises deployment the solution can be launched within a week (not counting the time for negotiating and signing contracts). Ordinary employees can start using the system within 1-2 days after deployment. Yes, administrators need training to configure the product flexibly, but that training can run in parallel with the start of operation of the system.

To avoid spending time on installation in the customer's infrastructure, we offer our customers a SaaS cloud service for remote management of mobile devices with SafePhone. Moreover, we provide this service from our own data center, certified for compliance with the highest requirements for GIS and personal data information systems.

As a contribution to the fight against coronavirus, the Research Institute of SOKB connects small and medium-sized businesses to the SafePhone server free of charge to ensure the security of employees working remotely.

Source: habr.com