Zimbra Collaboration Suite and mobile device control with ABQ

The rapid development of portable electronics, and smartphones and tablets in particular, has created a host of new challenges for corporate information security. Where cybersecurity used to be built around creating a protected perimeter and then defending it, now that almost every employee uses their own mobile devices for work tasks, it has become very difficult to control that perimeter. This is especially true for large enterprises, where each employee has a login and password for e-mail and other corporate resources. When buying a new smartphone or tablet, an employee often enters their credentials on it and forgets to log out on the old device. Even if only 5% of employees are this careless, without proper control by the administrator the question of which mobile devices have access to the mail server very quickly turns into a real mess.


In addition, mobile devices are quite often lost or stolen and subsequently used to dig up compromising material and to reach corporate resources and data that constitute a trade secret. As a rule, the greatest harm to corporate cybersecurity is done when attackers gain access to an employee's email. From there they can reach the global address list and contacts, the unlucky employee's meeting schedule, and their correspondence. Attackers who gain access to corporate mail can also send phishing or malware-infected emails from a trusted address. Taken together, this gives attackers almost unlimited opportunities to carry out cyberattacks and to use social engineering to achieve their goals.

In order to control mobile devices included in the security perimeter, there is ABQ technology, or Allow/Block/Quarantine. It allows the administrator to control the list of mobile devices that are allowed to synchronize data with the mail server, and, if necessary, block compromised devices and quarantine suspicious mobile devices.

However, as any administrator of the free Zimbra Collaboration Suite Open-Source Edition knows, its ability to interact with mobile devices is severely limited. Strictly speaking, users of the free version of Zimbra can only receive and send emails over POP3 or IMAP, with no built-in way to synchronize the calendar, address books, and notes with the server. ABQ is also not implemented in the free version of the Zimbra Collaboration Suite, which automatically puts an end to any attempt to create a closed information perimeter in the enterprise. When the administrator does not know which devices are connected to the server, information leaks become possible, and the likelihood of a cyberattack along the scenario described above rises sharply.

The Zextras Mobile modular extension will help solve this issue in the Zimbra Collaboration Suite Open-Source Edition. This extension allows you to add full support for the ActiveSync protocol to the free version of Zimbra and, thanks to this, opens up a lot of opportunities for interaction between mobile devices and your mail server. In addition to various other features, the Zextras Mobile extension has full support for ABQ.

We should warn you right away that, because an incorrectly configured ABQ may leave some users unable to synchronize data on their mobile devices with the server, you need to approach its setup with the utmost care and caution. ABQ is configured from the Zextras command line: that is where the ABQ mode of operation in Zimbra is set and where the device lists are managed.

It works as follows. After the user logs into corporate mail on a mobile device, the device sends the authorization data and its own identification data to the server. On the way they run into ABQ, which inspects the identification data and compares it with the lists of allowed, quarantined, and blocked devices. If the device is on none of the lists, ABQ treats it according to the mode in which it is operating.

ABQ in Zimbra provides three modes of operation:

Permissive: In this mode of operation, after user authentication, synchronization is performed automatically upon the first request from the mobile device. In this mode of operation, it is possible to block individual devices, but all others will be able to freely synchronize data with the server.

Interactive: In this mode of operation, immediately after user authentication, the security system requests device identification data and compares it with the list of allowed devices. If the device is on the allowed list, sync automatically continues. If this device is not on the white list, it will be automatically quarantined so that the administrator can later decide whether to allow this device to synchronize with the server or block it. The corresponding notification will be sent to the user. Informing the administrator occurs regularly, once in a customizable period of time. At the same time, each new notification will contain only new devices that have been quarantined.

Strict: In this mode of operation, immediately after user authentication, the system checks whether the device's identification data is on the allowed list. If it is listed there, synchronization automatically continues. If the device is not on the allowed list, it immediately goes onto the blocked list, and the user receives a corresponding notification by mail.

Also, if desired, the Zimbra administrator can completely disable ABQ on his mail server.

Setting the ABQ operating mode is carried out using the commands:

zxsuite config global set attribute abqMode value Permissive
zxsuite config global set attribute abqMode value Interactive
zxsuite config global set attribute abqMode value Strict
zxsuite config global set attribute abqMode value Disabled

You can find out the current mode of operation of ABQ using the command zxsuite config global get attribute abqMode.

If you're using ABQ's Interactive or Strict modes of operation, you'll often need to work with the lists of allowed, blocked, and quarantined devices. Let's assume that two devices have connected to our server: one iPhone and one Android, each with its corresponding identification data. Later it turns out that the iPhone was recently bought by the CEO of the enterprise, who has decided to work with mail on it, while the Android belongs to an ordinary manager who, for security reasons, is not entitled to use work mail on a smartphone.

In the case of Interactive mode, both of them will be quarantined, from where the administrator will need to move the iPhone to the list of allowed devices and the Android to the list of blocked ones. To do this, he uses the commands zxsuite mobile abq allow iPhone and zxsuite mobile abq block Android. After that, the CEO will be able to work with mail from his device in full, while the manager will still have to read it exclusively from his work laptop.

It is worth noting that when using the Interactive mode, even if the manager on his Android device correctly enters his login and password, he will still not get access to his account, but will enter a virtual mailbox, in which he will receive a notification that his device has been quarantined and he will not be able to use mail from it.


In the case of Strict mode, all new devices will be blocked, and once it is known to whom they belong, the administrator only has to add the CEO's iPhone to the list of allowed devices using the command zxsuite mobile abq set iPhone Allowed, leaving the manager's phone on the blocked list.

The Permissive mode of operation is poorly compatible with any security rules in the enterprise; however, if there is still a need to block one of the allowed mobile devices, for example because the manager suddenly quit with a scandal, this can be done using the command zxsuite mobile abq set Android Blocked.

If the company provides employees with company-owned gadgets for working with mail, then when the device changes hands it can be removed from the ABQ lists entirely, so that the decision whether to allow it to synchronize with the server can be made afresh. This is done using the command zxsuite mobile abq delete Android.
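To make the decision logic of the three modes and the allow/block/delete workflow above concrete, here is a small Python model written for this article (it is not Zextras code and does not talk to zxsuite): it tracks the three device lists, decides what happens to a device on its first sync request, and returns the zxsuite mobile abq command an administrator would run to record a decision. The device IDs "iPhone" and "Android" are the constructed ones from the scenario above.

```python
from dataclasses import dataclass, field

MODES = ("Permissive", "Interactive", "Strict", "Disabled")


@dataclass
class AbqState:
    """ABQ configuration: abqMode plus the three device lists (constructed model)."""
    mode: str
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)


def first_sync(state: AbqState, device_id: str) -> str:
    """Outcome when device_id presents valid credentials and asks to sync.

    A device already on a list is handled by that list; an unknown device is
    handled by abqMode (Interactive quarantines it, Strict blocks it).
    """
    if state.mode not in MODES:
        raise ValueError(f"unknown abqMode {state.mode!r}")
    if state.mode == "Disabled":
        return "sync"          # ABQ switched off entirely
    if device_id in state.blocked:
        return "blocked"
    if device_id in state.allowed:
        return "sync"
    if device_id in state.quarantined:
        return "quarantined"   # user lands in the virtual mailbox
    if state.mode == "Permissive":
        return "sync"          # anything not explicitly blocked may sync
    if state.mode == "Interactive":
        state.quarantined.add(device_id)  # admin sees it in the next digest
        return "quarantined"
    state.blocked.add(device_id)          # Strict: user is notified by mail
    return "blocked"


def apply_decision(state: AbqState, decision: str, device_id: str) -> str:
    """Record an admin decision and return the zxsuite command that makes it."""
    if decision not in ("allow", "block", "delete"):
        raise ValueError(f"unknown decision {decision!r}")
    for lst in (state.allowed, state.blocked, state.quarantined):
        lst.discard(device_id)  # a device sits on exactly one list at a time
    if decision == "allow":
        state.allowed.add(device_id)
    elif decision == "block":
        state.blocked.add(device_id)
    return f"zxsuite mobile abq {decision} {device_id}"
```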

Thus, as you can see, with the help of the Zextras Mobile extension in Zimbra you can implement a very flexible system for controlling the use of mobile devices, suitable both for enterprises with a fairly strict policy on the use of corporate resources outside the office and for companies that are quite liberal in this respect.

Source: habr.com
