2/13/2018 02:30 PM
Satish Shetty
Commentary
Can Android for Work Redefine Enterprise Mobile Security?

Google's new mobility management framework makes great strides in addressing security and device management concerns while offering diverse deployment options. Here are the pros and cons.

Google's new enterprise mobility management framework Android for Work (AfW) allows employers to effectively manage and mobilize all devices used in the workplace, even when employees use their own devices. Business-owned or single-use devices for specific employees and customers can incorporate IT controls to improve security and end-user functionality.

A dedicated Android enterprise mobility management (EMM) solution with an integrated AfW offering is especially critical for the modern enterprise, considering the rising adoption rates of Android devices, as verified by recent IDC research:

While AfW is still evolving into a stable, widely supported ecosystem, it makes great strides in addressing security and device management concerns while offering diverse deployment options and global availability. The program, developed by Google, allows businesses and employees to use Android-based devices for customized work-specific purposes. Through integration with an EMM provider such as Codeproof, AirWatch, and others, the Android for Work solution lets IT managers and employees enable tailored capabilities and restrictions on the way data, apps, and devices can be used for work purposes. AfW also brings a range of privacy and productivity features to the device, which may belong to an employee or be provisioned by the employer.

Prior to the AfW service offering, there was no standardized set of mobile device management (MDM) APIs in the core Android operating system. Several OEMs developed their own sets of APIs to enable remote management of the device. Popular examples include the Samsung Knox enterprise mobility management APIs layered on top of the Google Android operating system and LG Gate, developed as its own set of EMM APIs. As a result, each EMM provider needed to work individually with each OEM and manage the devices through the OEM's EMM stack. For IT and security managers, this meant an ever-increasing number of management portals to handle, at increasing licensing costs and low effectiveness.

Google's Android for Work fills this gap by eliminating the OEM-related API dependency, and offers the same set of APIs in the core operating system. These APIs are available for EMM providers to control and manage Android devices across all the OEMs.

Provisioning Methods
IT managers can use AfW with EMM services to provision and enroll devices for employees in several ways, including:

  • NFC: Enables quick and easy configurations onto new devices by simply tapping them together.
  • EMM Tokens: Using codes provided by IT, end users can install specific apps or EMM agents onto their devices from a remote location.
  • QR codes: Enables devices to scan an image and enroll a device from a setup wizard without any hands-on support from IT for EMM enrollment.
  • Zero-Touch Enrollment (for corporate-owned devices): Enables simplified, large-scale deployments with support for multiple device manufacturers without any manual setup, allowing end users to use their preconfigured device out of the box. This includes limited support for enforced management apps on certain devices and OS versions.

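The QR-code and token methods above both hand the device a small provisioning payload that names the EMM's device policy controller (DPC) app, where to download it, and a checksum that the device verifies before installing it. As an added example (not code from the article or from any EMM vendor), here is a small Python builder and checker for the JSON an enrollment QR code carries, using the standard Android provisioning extras; the DPC component name, download URL and signing-certificate bytes are constructed placeholders, and the HTTPS requirement is this example's own policy rather than an Android rule.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Hypothetical DPC component, APK URL and signing certificate, constructed for
# this example; an EMM's real values would replace them.
DPC_COMPONENT = "com.example.emm.dpc/.AdminReceiver"
DPC_APK_URL = "https://emm.example.com/dpc/release.apk"
SIGNING_CERT_DER = b"constructed-stand-in-for-the-DER-signing-certificate"

KEY_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
KEY_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
KEY_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"


def cert_checksum(cert_der: bytes) -> str:
    """SHA-256 of the DPC signing certificate as URL-safe base64 without
    padding, the form Android expects in the signature-checksum extra."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_qr_payload(component: str, apk_url: str, cert_der: bytes) -> str:
    """JSON text that would be encoded into the enrollment QR code."""
    return json.dumps({KEY_COMPONENT: component,
                       KEY_DOWNLOAD: apk_url,
                       KEY_SIG_CHECKSUM: cert_checksum(cert_der)})


def validate_qr_payload(text: str) -> list:
    """Return the problems found; an empty list means the payload passed."""
    try:
        data = json.loads(text)
    except ValueError:
        return ["payload is not valid JSON"]
    required = (KEY_COMPONENT, KEY_DOWNLOAD, KEY_SIG_CHECKSUM)
    problems = [f"missing {k}" for k in required if k not in data]
    if problems:
        return problems
    if "/" not in data[KEY_COMPONENT]:
        problems.append("component name must be package/receiver")
    url = urlparse(data[KEY_DOWNLOAD])
    # Android itself does not insist on HTTPS here; this example does, as
    # defense in depth for the DPC download on top of the checksum.
    if url.scheme != "https" or not url.netloc:
        problems.append("download location must be an https URL")
    checksum = data[KEY_SIG_CHECKSUM]
    try:  # accept with or without padding, but it must decode to 32 bytes
        raw = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
    except (ValueError, TypeError):
        raw = b""
    if len(raw) != hashlib.sha256().digest_size:
        problems.append("signature checksum is not a URL-safe base64 SHA-256")
    return problems
```

Run `validate_qr_payload` over a payload before it is printed onto enrollment cards; a payload that fails here would make the device abort provisioning, or worse, fetch the DPC over plain HTTP.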
Device Modes and User Profiles

  • Business Only: This device mode is available for corporate devices and offers MDM functionality for individual users, who may be employees, contractors, or other partners. This allows organizations to maintain and configure the same device with unique configurations for every different device owner.
  • Personally Enabled: This capability is enabled on employee-owned BYOD devices that are connected to the corporate network and enrolled via the EMM. With Profile Owner mode enabled, the employer or IT manager can access only the work-related data, apps, and features on the employee's BYOD device, not the personal side.
  • Single Use: This mode of operation focuses on the purpose of device functionality as opposed to the end user. As such, IT managers can establish an operating mode with certain features turned on and the rest blocked. These options are useful when the device is used to perform a specific purpose, no matter who gets to use it.

BYOD Challenges & Downside Risks
Striking a happy medium between user satisfaction and enterprise security is key to success in the modern mobility landscape. Single-phone corporate environments benefited from standardized security policies and unified interfaces, but BYOD support increases security risks because it fundamentally changes the nature of the architecture. App- or device-specific vulnerabilities may circumvent an existing security policy, and the more devices (and variety of devices) that are networked together, the greater the risk.

Limiting device interaction reduces risk but hamstrings employees who are accustomed to the flexibility provided by BYOD solutions. This may lead to worsening habits and policies as employees opt to use unsafe workarounds that further expose enterprise networks to malicious or vulnerable apps. All of the above increases the difficulty of managing the mobile environment since your IT department loses a layer of control on user-owned devices. There are also hidden costs to BYOD programs, including spikes in data usage (especially for employees who travel) and increased support costs for a wider variety of devices and apps.


Satish Shetty is CEO and founder of Codeproof Technologies, an enterprise mobile security software company. Shetty has more than 20 years of security and enterprise software development experience. A recognized leader in the mobile device management space, Shetty also has ...

Comments
42Gears
User Rank: Apprentice
4/15/2018 | 11:20:13 AM
AFW and MDM Collaboration
For MDM solution providers, AFW is a boon that allows their solutions to manage enterprise Android devices. From business only or single-use devices to employee-owned devices, AFW limits the risk of enterprise data leak and helps businesses adopt a mobility architecture more confidently. 
DannyS301
User Rank: Apprentice
2/14/2018 | 3:30:18 AM
Can Android for Work Redefine Enterprise Mobile Security?
Thanks for sharing this informative article. One of my friends from the https://qanda.typicalstudent.org/ team referred me to Darkreading.com for reading valuable articles. Keep sharing!