Mobile Security
EXECUTIVE SUMMARY
Security is a common concern for enterprises deploying mobile devices and applications, and rightfully so. With proprietary information being delivered to increasing numbers of mobile workers engaged in activities beyond the physically secure perimeter of a corporate campus, greater potential exists for unauthorized access and use of proprietary information.
As the leading provider of mobile enterprise solutions, AvantGo enables secure access to corporate data from casually connected mobile devices anywhere in the world. Through technology licensing and optimized system architecture, AvantGo provides a solution that ensures communications and transactions—from the mobile device to the corporate datacenter—are kept secure. AvantGo solutions ensure the security of vital enterprise data using the most technologically advanced encryption schemes available. In addition, AvantGo infrastructure software, including the AvantGo M-Business Server and AvantGo Client, safeguards corporate data with end-to-end security for the broad range of devices based on Microsoft Windows-powered Pocket PC, Palm OS and RIM BlackBerry Wireless Handhelds.
Critical to maintaining end-to-end security is managing authentication, authorization and encryption from the mobile device, over the transport medium, into the corporate datacenter. Using proven and widely adopted Virtual Private Network (VPN) technology, AvantGo software enables mobile access to information with the same degree of security as that provided by a local area network (LAN). This blog details the methodologies and technologies used by AvantGo to secure mobile access to corporate data using any of the following device connectivity scenarios:
• Secure synchronization using desktop cradles: AvantGo software supports secure interchange of data and transactions between mobile devices and network-based applications using periodic connections through desktop computers and synchronization cradles (wireline connections and a physically secure environment).
• Secure use of public sync stations: AvantGo solutions can authenticate individuals, enabling the use of shared, public synchronization cradles by multiple people in an otherwise physically secure environment. No trace information resides on the public sync station.
• Secure communication over a VPN: AvantGo software supports widely adopted VPN solutions that can establish secure, end-to-end connections between mobile devices and network-based applications.
• Secure communication over wireless networks: Together with support for VPN solutions, data encryption provided by wireless service operators and Public Key Infrastructure (PKI) authentication, individuals with mobile devices and AvantGo software can securely communicate over wireless networks.
AvantGo M-Business Server is designed so that organizations can apply to mobile and wireless devices the same security solutions they already employ for desktop and laptop computers on local area, wide area and wireless networks (see Fig. 1).
DEFINING SECURITY
All mobile security concerns can be grouped by three basic questions:
1. How do we know who is accessing corporate data remotely?
Authentication mechanisms are used to properly identify users accessing corporate data. These range from simple usernames and passwords, to single-use passwords generated by electronic tokens, to cryptographic keys and certificates issued by a public key infrastructure (PKI).
2. How do we know individuals are only accessing the data they are allowed to access?
After the user is properly identified, authorization mechanisms are used to determine what data and applications the user can access. These are often called policies or directories and are handled through databases that can jointly authenticate users and determine their permissions to access specific corporate information.
3. How do we know that others are not accessing the corporate data?
Once the identified user is granted access to the appropriate corporate data, it is important to make sure that the data cannot be intercepted. Encryption is used to protect information not only in transit across a network, but also as it resides on a device or server.
AVANTGO SUPPORTS EXISTING AUTHENTICATION AND AUTHORIZATION MODELS
In a mobile environment, data is exchanged through three primary components (Fig. 2):
The AvantGo M-Business Server bridges data from a variety of corporate applications to a variety of mobile devices. Data for the devices and servers can be exchanged through periodic synchronizations or real-time wired or wireless access. AvantGo applies security measures to safeguard data from the handheld device to the datacenter.
Since many enterprises contain multiple applications and it would be cumbersome to manage separate user profiles across multiple applications, technology is available to provide corporate-wide authentication and authorization services. Administrators can manage a single username and password for each user that will provide access to multiple applications on the corporate network. This greatly speeds the process of adding and deleting users in addition to providing better security. With a single login, users no longer need to remember different login credentials for each application, and when a user is deleted from the central database, their access is immediately removed for all applications within the enterprise. Popular implementations of this technology are NT domains, RADIUS and LDAP. These are all extensions of the username and password login process, and AvantGo fully supports this technology for mobile transactions.
For extremely sensitive applications, it may not be wise to trust users with even a single password to remember. Passwords are often stolen or otherwise compromised because they are too short, too easy to guess or simply written on a sticky note on the back of a mobile device. Companies such as RSA Security have developed one-time passwords that are generated through small electronic tokens carried on a key chain or in a wallet and are supplemented with an additional personal identification number (PIN) code. This provides what is known as two-factor authentication with "something you have"—the password generator, and "something you know"—the PIN code.
One-time passwords are also used as an extension to the username/password mechanism, where the password field is derived from what is visible on the token's screen during a particular 60-second interval plus the user's PIN code. Without both of these elements, access is simply not possible. The AvantGo M-Business Server provides support for these one-time password facilities on mobile devices.
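As an illustration of the two-factor check just described, the following Python models a server that verifies a passcode made of the user's PIN plus the code shown on a time-based token. This is an added example, not AvantGo's or RSA Security's code. The token algorithm is a stand-in: it uses the HMAC-based TOTP construction of RFC 6238 with a 60-second step, since the page does not state which algorithm the tokens implement; the PIN-then-code layout, the one-step clock-skew allowance, the replay rule and the demo seed are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's tokens show a new code every 60 seconds
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time: HMAC-SHA1 over the time-step
    counter, dynamically truncated to CODE_DIGITS (RFC 6238 TOTP, used here as a
    stand-in for the token vendor's own algorithm)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class TwoFactorVerifier:
    """Server-side check of PIN + token code. Assumed layout: the PIN first,
    then the six-digit token code (the page leaves the order unspecified)."""

    def __init__(self, users, skew_steps: int = 1):
        # users: {username: (token_seed_bytes, pin)} from enrollment; neither value
        # ever travels with the login request.
        self._users = users
        self._skew = skew_steps
        self._last_counter = {}   # username -> highest time step already accepted

    def verify(self, username: str, passcode: str, unix_time: int) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        seed, pin = record
        if len(passcode) != len(pin) + CODE_DIGITS:
            return False
        pin_part, code_part = passcode[:len(pin)], passcode[len(pin):]
        # Both factors are compared in constant time, and both must match.
        pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())
        matched_counter = None
        base = unix_time // STEP_SECONDS
        for counter in range(base - self._skew, base + self._skew + 1):
            expected = token_code(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code_part.encode()) and matched_counter is None:
                matched_counter = counter
        if not pin_ok or matched_counter is None:
            return False
        # "One-time": a code for this or any earlier time step is never accepted twice,
        # so a captured passcode cannot be replayed inside the skew window.
        if matched_counter <= self._last_counter.get(username, -1):
            return False
        self._last_counter[username] = matched_counter
        return True


if __name__ == "__main__":
    DEMO_SEED = b"constructed demo seed, not a real token secret"
    verifier = TwoFactorVerifier({"alice": (DEMO_SEED, "4821")})
    now = 1_700_000_000
    passcode = "4821" + token_code(DEMO_SEED, now)
    print(verifier.verify("alice", passcode, now))   # True
    print(verifier.verify("alice", passcode, now))   # False: same passcode replayed
```

The early length check and the per-user "last accepted step" are the two details worth copying: the first keeps the comparison shape constant for every well-formed attempt, the second is what makes the password one-time rather than merely short-lived.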
AVANTGO SEAMLESSLY INTEGRATES WITH EXISTING AUTHENTICATION SYSTEMS
AvantGo M-Business Server provides a secure gateway between mobile devices and network-based applications, content and services by isolating network-based resources from mobile devices that have not been authenticated or authorized to access those resources. The credentials that were used to establish a network connection are never assumed to be valid. Any individual who wishes to access network-based applications and content served by an AvantGo M-Business Server must first be authenticated by the AvantGo M-Business Server. Specific applications or services may further challenge the individual to present an application-specific username and password or negotiate an alternate security protocol. Once the mobile user has been properly authenticated and given authorization for access to corporate data and applications, the AvantGo M-Business Server exchanges corporate data through standard HTTP or SSL communication.
AUTHENTICATING INDIVIDUALS
To properly authenticate and authorize a user for remote access to corporate data, usernames and passwords are commonly used by enterprise applications as a login mechanism. Each application may have its own user management system (e.g. Intranet Web Server, Microsoft Exchange, Lotus Notes, Siebel CRM, etc.), which is used to properly authenticate and authorize corporate transactions. The AvantGo M-Business Server allows mobile devices to use any of these native username and password mechanisms.
AVANTGO M-BUSINESS SERVER AUTHENTICATION AND AUTHORIZATION
The AvantGo M-Business Server integrates with Active Directory, NT Domains, LDAP servers, a standalone embedded directory or custom directories containing user account and password information. For each synchronization or online session that is established, an individual user will be challenged and authorized to access applications through an AvantGo M-Business Server using a valid username and password. The M-Business Server administrator can create individual user accounts, define groups, control group membership and enable access to specific content and applications for individuals and groups. More fine-grained control over information access at the application level is left to each individual application. Once authenticated, the M-Business Server limits access to only those applications, services and content that an administrator has authorized for that individual. To provide extra protection against eavesdropping on user names and passwords, SSL can be employed to securely transfer the information between an AvantGo Client and AvantGo M-Business Server. Not passing this information as plain text may be particularly important for installations deploying Windows NT Domain Integration, which uses single sign-on authentication: when Windows NT Domain Integration is turned on, the password is not sent as a digest.
AVANTGO SUPPORTS APPLICATION-SPECIFIC AUTHENTICATION AND AUTHORIZATION
Authorization is performed optionally by each and every application that is accessible through the AvantGo M-Business Server, through the use of cookies and/or more elaborate, application-specific protocols. The AvantGo M-Business Server supports all forms of application-level authentication including, for example:
• HTTP Authentication: commonly used to protect content, the login screen that appears on a desktop also will appear on a user’s device.
• Windows NT LAN Manager: applications that employ this form of authentication present on a mobile device the same password login screen that appears on a desktop computer.
• Custom application authentication: often presented as a login dialogue requiring a username and password for enterprise applications such as Siebel e-Business and Oracle.
• Lotus Notes/Domino: each individual is authenticated against the native Lotus Notes/Domino directory.
INFORMATION ACCESS CONTROL
To provide both centralized administration and management of remote devices, AvantGo M-Business Server allows an administrator to establish Access Control Lists that govern access to any resources made available through the M-Business Server. After an individual is authenticated, the M-Business Server can limit access to only those resources that have been made available to that individual. The key design components include:
• Users: individual accounts identified by username. For large organizations that choose to deploy M-Business Server with NT Domains or other directory servers, users represent the individual entries in the directory.
• Groups: named by the central administrator to aggregate users. By assigning individual users to specific groups and authorizing groups to access applications, administrators can greatly reduce administrative overhead. Administrators can choose to allow creation of a "Public" group, in which every user will be automatically assigned membership.
• Channels: generically refers to network based resources such as content, applications and web-based services.
• Administrators: each M-Business Server enables administrators to create accounts, groups and channels. In addition, administrators control the level of access that each individual may have, e.g. limiting the total amount of content that can be stored by an individual, cache update frequency, etc.
• User-level control: administrators can optionally allow individual end-users to create personal channels.
• MIME-type (data type) control: administrators can restrict the types of data that can be delivered to mobile devices to automatically filter out document attachments or potentially harmful types of executable files.
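The access-control objects listed above can be modelled as a small default-deny resolver. The Python below is an added example, not the M-Business Server's implementation: the `AccessPolicy` class, its method names and the sample users, groups and channels in `demo_policy()` are constructed for illustration. It generalizes the MIME-type control slightly by also honouring a blocked top-level family such as `application/*`.

```python
from typing import Dict, Optional, Set, Tuple


class AccessPolicy:
    """Default-deny resolver over users, groups, channels, an optional implicit
    "Public" group and an administrator's MIME-type block list."""

    def __init__(self, users: Set[str], groups: Dict[str, Set[str]],
                 channel_grants: Dict[str, Dict[str, Set[str]]],
                 blocked_mime: Set[str], public_group: Optional[str] = "Public"):
        self.users = users
        self.groups = groups                    # group name -> member usernames
        self.channel_grants = channel_grants    # channel -> {"users": {...}, "groups": {...}}
        self.blocked_mime = {m.lower() for m in blocked_mime}
        self.public_group = public_group

    def groups_of(self, user: str) -> Set[str]:
        names = {g for g, members in self.groups.items() if user in members}
        if self.public_group is not None:
            names.add(self.public_group)        # every user is automatically a member
        return names

    def can_access(self, user: str, channel: str) -> bool:
        if user not in self.users:
            return False                        # unknown account: deny before any lookup
        grant = self.channel_grants.get(channel)
        if grant is None:
            return False                        # channel never published: deny
        if user in grant.get("users", set()):
            return True                         # direct per-user grant
        return not self.groups_of(user).isdisjoint(grant.get("groups", set()))

    def deliverable(self, content_type: str) -> bool:
        """MIME-type control: drop blocked types and blocked top-level families
        (e.g. "application/*"); parameters such as charset are ignored."""
        mime = content_type.split(";", 1)[0].strip().lower()
        if "/" not in mime:
            return False                        # malformed header: do not guess
        family = mime.split("/", 1)[0] + "/*"
        return mime not in self.blocked_mime and family not in self.blocked_mime

    def authorize(self, user: str, channel: str, content_type: str) -> Tuple[bool, str]:
        """Decision the server would make before forwarding a channel response."""
        if not self.can_access(user, channel):
            return False, "channel not authorized for user"
        if not self.deliverable(content_type):
            return False, "content type blocked by administrator"
        return True, "ok"


def demo_policy() -> AccessPolicy:
    """Constructed sample directory and grants (not a real deployment)."""
    return AccessPolicy(
        users={"alice", "bob", "carol"},
        groups={"Sales": {"alice"}, "Field-Service": {"bob"}},
        channel_grants={
            "crm":      {"users": set(),     "groups": {"Sales"}},
            "dispatch": {"users": {"carol"}, "groups": {"Field-Service"}},
            "news":     {"users": set(),     "groups": {"Public"}},
        },
        blocked_mime={"application/x-msdownload", "application/octet-stream"},
    )
```

Note that the resolver answers "deny" for an unknown user, an unpublished channel and a malformed Content-Type alike; authorization after authentication is only as strong as its handling of the cases nobody configured.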
AVANTGO EMPLOYS LEADING INDUSTRY STANDARDS FOR SECURITY
AvantGo software is compatible with the encryption employed by VPN software and wireless carriers, which maintains the integrity and security of data communication on public telecommunications networks. To provide an added measure of security, AvantGo Client software communicates with AvantGo M-Business Servers through secure sessions that are established using industry-standard security protocols.
SECURE SESSIONS
The user’s client-to-server session can be secured by the time-tested industry-standard 128-bit SSL (Secure Sockets Layer) protocol (version 3.0), or by the TLS (Transport Layer Security) protocol (version 1.0), the next-generation version of SSL. SSL first uses public key cryptography to establish a handshake. For efficiency, AvantGo M-Business Server supports the standard SSL session resumption protocol: the identifier is cached in the database for up to a week so full handshakes are not required with every connection to the server. Yet the link remains secure for desktop syncs, wireless syncs, or real-time wireless browsing. By providing a secure client-to-server link, SSL protects the integrity of channel requests, so that information is only accessible to AvantGo Client and AvantGo M-Business Server. Furthermore, a nonce protects the AvantGo M-Business Server from replay attacks (duplication of client messages) of both secure and insecure client messages.
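Two mechanisms in this paragraph, a resumption identifier cached for up to a week and a nonce that defeats duplicated client messages, are shown below as an added Python example (not AvantGo's code). `SessionCache` hands out identifiers after a full handshake and refuses to resume any older than the stated one-week limit; `NonceGuard` issues single-use nonces that a server would send to the client and accept at most once. The server-issued nonce design, the five-minute nonce lifetime and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL_SECONDS = 7 * 24 * 3600   # page: resumption identifier cached for up to a week
NONCE_TTL_SECONDS = 300               # assumption: how long an unused nonce stays valid


class SessionCache:
    """Server-side store of resumable session identifiers with a one-week lifetime."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock               # injectable so expiry can be tested without waiting
        self._sessions: Dict[str, Tuple[float, bytes]] = {}   # id -> (created_at, master_secret)

    def create(self, master_secret: bytes) -> str:
        """Called after a full handshake; returns the identifier the client may present later."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = (self._clock(), master_secret)
        return session_id

    def resume(self, session_id: str) -> Optional[bytes]:
        """Abbreviated handshake: return the cached secret, or None to force a full handshake."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None                   # unknown or forged identifier
        created_at, master_secret = entry
        if self._clock() - created_at > self._ttl:
            del self._sessions[session_id]   # expired: evict and fall back to a full handshake
            return None
        return master_secret

    def revoke(self, session_id: str) -> None:
        """Drop a session early, e.g. when the account is disabled in the directory."""
        self._sessions.pop(session_id, None)


class NonceGuard:
    """Server-issued, single-use nonces: a duplicated client message carries a nonce
    that has already been redeemed (or was never issued) and is rejected."""

    def __init__(self, ttl: int = NONCE_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock
        self._issued: Dict[str, float] = {}   # nonce -> time issued

    def issue(self) -> str:
        self._purge()
        nonce = secrets.token_urlsafe(24)
        self._issued[nonce] = self._clock()
        return nonce

    def redeem(self, nonce: str) -> bool:
        """True exactly once per issued, unexpired nonce; every later attempt is a replay."""
        self._purge()
        return self._issued.pop(nonce, None) is not None

    def _purge(self) -> None:
        now = self._clock()
        for stale in [n for n, t in self._issued.items() if now - t > self._ttl]:
            del self._issued[stale]
```

The eviction on read in `resume()` is deliberate: a week-old identifier is removed the moment it is presented, so a stale cache entry can never be turned into a resumed session by simply trying it.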
ECC (Elliptic Curve Cryptography) uses an efficient algorithm for negotiating the client-to-server connection and minimizes the resource burden on both sync servers and devices. For that reason, the TLS protocol that AvantGo M-Business Server uses for wireless syncing and surfing (with devices such as Kyocera’s smartphone) supports only ECC. The 163-bit ECC provided by Certicom also meets HIPAA standards for health care applications. AvantGo M-Business Server makes use of RSA encryption for communication between the M-Business Server and other computers and applications on the network. Customers obtain RSA certificates from a web-based Certification Authority, such as Thawte® or Verisign®. Again, the result is a handshake between client and server that leads to a full SSL-encrypted exchange of data.
Organizations that have deployed networks running Microsoft® Windows NT® LAN Manager can take advantage of WinInet to securely handle network and proxy setup for connected mobile devices. (Fig 3)
ADDITIONAL SECURITY PROVIDED WITH VPN AND WIRELESS ENCRYPTION
Although AvantGo software can provide end-to-end security of information between mobile devices and the network-based resources they access, additional security may be provided through the use of third-party VPN products and encryption employed by wireless service operators. AvantGo software essentially provides an encrypted pipe to secure data communications; VPN products (e.g. Certicom MovianVPN) and wireless encryption provide additional security for that encrypted pipe. For example, customers using RIM BlackBerry Wireless Handhelds benefit from encryption of data transmitted by the wireless carrier. Every packet that the wireless network transmits is encrypted using a unique RC4 key—a symmetric key encrypted under a 3DES (Triple Data Encryption Standard) master key that changes with each response from the server. This key itself is encrypted under a 3DES master key that appears on the device, changing after each desktop synchronization (secure synchronization).
END-TO-END SECURITY FROM THE DEVICE TO THE DATACENTER
PHYSICAL SECURITY OF THE AVANTGO M-BUSINESS SERVER
AvantGo software automatically compresses all information before it is transmitted and supports secure, encrypted transmission of data between the device and the data center. In addition, the AvantGo M-Business Server is designed to also ensure the complete security of the AvantGo M-Business Server itself. AvantGo M-Business Server is physically deployed behind a company’s protective firewall, rather than outside. By design, the key components of AvantGo M-Business Server have been limited to network servers needed for the server’s public services, its database, and a secure shell. Customers can protect AvantGo M-Business Server further by using time-tested industry standard procedures: physically isolating the server in a locked location, restricting access, and installing monitoring software (such as Tripwire® for Servers) to detect intrusion. To further enhance the physical security of the AvantGo M-Business Server, administrators are advised to:
• Avoid deploying other applications on the same server as AvantGo M-Business Server,
• Restrict physical access to the server, and
• Install all recommended operating system patches.
PHYSICAL SECURITY OF DATA ON THE MOBILE DEVICE
As mobile devices proliferate, some will inevitably be lost or misplaced. Fortunately, there are a number of mechanisms and approaches that can provide a high level of physical security without creating a high degree of inconvenience for end users. For example, solutions include:
• Encrypted data storage: AvantGo software automatically stores content that is accessed through the AvantGo Client in a tightly compressed, binary format. Data stored in on-device databases may be stored in an encrypted format by third party database products. In addition, third party products such as Certicom MovianCrypt™ can be used to encrypt data for other applications on mobile devices.
• Device access: most mobile devices can be configured to automatically lock the device after a period of inactivity, requiring correct password entry before any feature of the device can be used. Commercially available third-party products such as PDA Restrictor™ from IS/Complete can be used to lock data and applications.
• Application-specific access: applications that are viewed using the AvantGo Client may automatically time out after a period of inactivity and require the correct entry of a username and password prior to enabling access to the application. Organizations can require that individuals provide a valid username and password to be able to gain access to any content or application that is accessed through the AvantGo Client software.
• Administrative lockout: once an AvantGo administrator is notified that a device has been lost, the M-Business Server can erase all of the AvantGo data on the device the next time it attempts to connect and lock out further access. Third party products such as Xcellenet Afaria can be used to erase both data and applications from a lost or stolen device during the next connection.
SECURE COMMUNICATION BETWEEN M-BUSINESS SERVER AND AVANTGO CLIENT
Transmission checks
To be sure that data entering AvantGo M-Business Server from the client is secure, the server monitors all transmissions that are received. By checking the incoming data stream, AvantGo M-Business Server confirms that the designated security protocol is in place. Customers can choose to have the server monitor the default port 443 (the SSL standard port) or can change the configuration to instead or additionally monitor port 80 (the HTTP standard port).
Cookie encryption
AvantGo M-Business Server also protects information stored within its database. Because the server actually provides the completing piece of the web browser functionality that is rendered by AvantGo Client, it is the server that is responsible for managing the web cookies that channels use to recognize users. To restrict access to cookie data, AvantGo M-Business Server uses a 128-bit key for encryption, so this sensitive information is not stored in the clear.
AvantGo does not transmit or store cookies on the device, so anyone wishing to hack cookies would need to break into the AvantGo M-Business Server rather than the physical device.
SECURE COMMUNICATION BETWEEN M-BUSINESS SERVER AND NETWORK-BASED SERVICES
AvantGo M-Business Server also ensures the security of its own communication requests to network-based applications and the security of responses it receives.
Secure connections
Again, the proven industry-standard SSL protocol provides the means for communicating the client's secure channel request from where it has been uploaded on the server to the web host identified in that request. AvantGo M-Business Server creates a secure SSL client connection to the proper web server. This protects client information by not broadcasting it, but, instead, targeting it. The AvantGo M-Business Server thus provides an encrypted pipe between itself and other servers, through which mobile devices can conduct secure HTTPS transactions.
Trusted hosts
Before connecting AvantGo Client to a website, AvantGo M-Business Server first authenticates the identity of the web server, to be sure that it is the one requested by the user. The means of identification is a certificate sent to AvantGo M-Business Server by the web server. AvantGo M-Business Server checks the web host server's certificate against AvantGo M-Business Server’s trusted host file, which lists all of the Certificate Authorities that have been approved by the customer. Customers can edit the trusted host file in AvantGo M-Business Server, as needed, to add or remove Certificate Authorities. The customer's own ECC or RSA certificate, obtained to establish secure syncs from client to server, is stored in a separate file.
SUMMARY
As the leading provider of mobile enterprise solutions, AvantGo provides the highest level of security for accessing corporate data from casually connected mobile devices anywhere in the world. Through technology licensing and optimized system architecture, AvantGo provides a solution that ensures communications and transactions—from the mobile device to the corporate datacenter—are kept secure. AvantGo solutions ensure the security of vital enterprise data using the most technologically advanced encryption schemes available. In addition, AvantGo infrastructure software, including the AvantGo M-Business Server and AvantGo Client, safeguards corporate data with end-to-end security for the broad range of devices based on Microsoft Windows Powered Pocket PC, Palm OS and RIM BlackBerry Wireless Handheld devices.