I have previously shared some personal views on two emerging technologies in the intranet security field: sandboxing, which is not yet widely used, and network access control, which has become fairly mature. Today I want to discuss a topic that may be even more forward-looking for domestic enterprises: the threat that mobile device applications pose to intranet security.
Over the past two or three years the iPad, BlackBerry, Android phones and other mobile devices have steadily entered everyday life. They make storing and sharing information more convenient and faster, and with them online life is possible anytime and anywhere.
Mobile devices are changing more than personal life. GigaOm's latest report shows that 38% of surveyed enterprises already use mobile devices in IT to some degree, 43% plan to introduce mobile device applications within a year, and 65% of Fortune 500 companies have deployed the iPad to varying extents. Users are accustomed to sending and receiving email on a BlackBerry, presenting from a tablet, and using mobile devices to remotely access the enterprise network to retrieve information, communicate, or share calendars.
As new carriers for storing, using and transmitting information, mobile devices face the same information security risks as traditional devices such as laptops and desktops. Because they also have characteristics that traditional IT applications lack, they pose new security challenges to organizations, and intranet security vendors must adapt to this trend.
Refined device-use authorization based on device recognition technology
From the first USB flash drives and portable hard disks, through digital cameras and media players, to today's smartphones and tablets (to say nothing of the applications on them), most of these devices carry large amounts of storage. Capacity has grown from a few hundred MB to tens of GB; a 32 GB iPad may be enough to hold all of a smaller enterprise's data and carry it out the door. With the spread of Bluetooth, Wi-Fi and USB, moving information between devices has never been easier. An organization with a strict IT security policy may disable mobile devices entirely, including USB ports and Bluetooth. For organizations with a less strict policy, a blanket ban on mobile devices sacrifices too much usability, so differentiated authorization for different kinds of mobile device becomes unavoidable.
We have always advocated refined management. The IP-guard developed by our team already implements fine-grained control over USB devices, such as distinguishing a USB mouse or keyboard from USB storage, and identifying and controlling devices connected through the host's various ports. As smartphones and tablets spread, intranet security vendors will have to identify devices more accurately and in more depth, including recognition based on hardware and operating system information.
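To show what distinguishing a USB mouse or keyboard from USB storage involves at the protocol level, here is an added example (my own illustration, not IP-guard's code): it parses the configuration descriptor a USB device presents during enumeration, lists the class of every interface, and applies a simple policy. The descriptor bytes, the device names and the `authorize` policy are constructed for the example; the class codes and descriptor layout are those of the USB specification.

```python
"""Refined USB device authorization by parsing configuration descriptors.

Added example, not IP-guard's own code: it walks the raw configuration
descriptor a USB device returns during enumeration, collects the class of
every interface, and decides whether the device is a plain input device,
a storage device, or a composite device offering both. All descriptor bytes
below are constructed for the example.
"""
import struct

# USB-IF interface class codes
CLASS_HID = 0x03           # keyboards, mice
CLASS_STILL_IMAGE = 0x06   # PTP: cameras and phones in "camera" mode
CLASS_MASS_STORAGE = 0x08  # flash drives, external disks
CLASS_VENDOR = 0xFF        # vendor-specific (e.g. MTP on many phones)

DESC_CONFIGURATION = 0x02
DESC_INTERFACE = 0x04
DESC_ENDPOINT = 0x05
DESC_HID = 0x21

STORAGE_CLASSES = {CLASS_MASS_STORAGE, CLASS_STILL_IMAGE}


def parse_interface_classes(config_desc):
    """Return (class, subclass, protocol) for each interface descriptor found
    inside a configuration descriptor, stepping over class-specific descriptors."""
    if len(config_desc) < 9 or config_desc[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", config_desc, 2)[0]
    if total_len > len(config_desc):
        raise ValueError("truncated descriptor block")
    interfaces = []
    offset = 0
    while offset + 2 <= total_len:
        length, dtype = config_desc[offset], config_desc[offset + 1]
        if length < 2 or offset + length > total_len:
            raise ValueError("malformed descriptor at offset %d" % offset)
        if dtype == DESC_INTERFACE and length >= 9:
            cls, sub, proto = config_desc[offset + 5:offset + 8]
            interfaces.append((cls, sub, proto))
        offset += length
    return interfaces


def authorize(config_desc, allow_storage=False):
    """Policy decision for one device (constructed policy). A composite
    HID+storage device is refused outright: a "keyboard" that also carries
    storage is the classic disguise for a malicious device."""
    classes = {cls for cls, _, _ in parse_interface_classes(config_desc)}
    has_hid = CLASS_HID in classes
    has_storage = bool(classes & STORAGE_CLASSES)
    if has_hid and has_storage:
        return "deny:composite"
    if has_storage:
        return "allow:storage" if allow_storage else "deny:storage"
    if has_hid:
        return "allow:hid"
    return "deny:unknown"   # vendor-specific or unrecognized class


# --- constructed sample descriptors -----------------------------------------
def _iface(num, cls, sub, proto, n_endpoints):
    return bytes([9, DESC_INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0])

def _endpoint(addr, attrs=0x02, max_packet=64, interval=0):
    return bytes([7, DESC_ENDPOINT, addr, attrs]) + struct.pack("<H", max_packet) + bytes([interval])

def _hid_desc(report_len):
    # class-specific HID descriptor: the parser must step over it by bLength
    return bytes([9, DESC_HID, 0x11, 0x01, 0x00, 0x01, 0x22]) + struct.pack("<H", report_len)

def _config(*descriptors):
    body = b"".join(descriptors)
    n_ifaces = sum(1 for d in descriptors if d[1] == DESC_INTERFACE)
    head = bytes([9, DESC_CONFIGURATION]) + struct.pack("<H", 9 + len(body))
    return head + bytes([n_ifaces, 1, 0, 0x80, 50]) + body

KEYBOARD = _config(_iface(0, CLASS_HID, 1, 1, 1), _hid_desc(65), _endpoint(0x81, 0x03, 8, 10))
FLASH_DRIVE = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2), _endpoint(0x81), _endpoint(0x02))
PHONE_PTP = _config(_iface(0, CLASS_STILL_IMAGE, 1, 1, 3), _endpoint(0x81), _endpoint(0x02),
                    _endpoint(0x83, 0x03, 8, 10))
BAD_KEYBOARD = _config(_iface(0, CLASS_HID, 1, 1, 1), _hid_desc(65), _endpoint(0x81, 0x03, 8, 10),
                       _iface(1, CLASS_MASS_STORAGE, 0x06, 0x50, 2), _endpoint(0x82), _endpoint(0x03))

if __name__ == "__main__":
    for name, desc in [("keyboard", KEYBOARD), ("flash drive", FLASH_DRIVE),
                       ("phone (PTP)", PHONE_PTP), ("keyboard+storage", BAD_KEYBOARD)]:
        print(name, parse_interface_classes(desc), authorize(desc))
```

The point of walking every interface rather than reading only the first is the last sample: a device that enumerates as a keyboard and a disk at the same time is exactly what a per-device whitelist keyed on "it's a keyboard" would let through.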
Improved mobile device access control built on 802.1X
A defining feature of mobile devices is convenient wireless access. Over wireless networks, smartphones, tablets and other devices can reach the enterprise's internal network through the LAN or even the Internet and use information resources in key network locations; the most common application is email.
In addition, with the general trend toward cloud computing, more and more applications are processed and run in the cloud rather than locally. Whether on a public cloud, a private cloud or SaaS, all that is needed is a terminal that can connect to the cloud. Imagine CRM, ERP or any other business system: once it is in the cloud, a simple device such as an iPad or smartphone is enough to access it and carry out the business process. This will undoubtedly accelerate enterprise informatization and the speed of information processing.
But, as noted above, revolutionary progress brings corresponding risk. In the cloud computing context, network access becomes an even more important aspect of mobile device use.
Compared with the now mature 802.1X access control mechanism, mobile devices connected to the intranet are harder to manage. Most 802.1X deployments are integrated with Windows-based Active Directory domain management, while iOS, Android and other popular mobile systems are fundamentally different from Windows. As a result, most IT administrators place connecting mobile devices under guest accounts in 802.1X management, which restricts them from reaching the internal network and fails to meet actual needs.
In view of these problems, a feasible direction is to identify the MAC address, hardware and operating system fingerprint of mobile devices and map them onto the existing access system built on 802.1X and group policy configuration. Some companies have already implemented this in an initial form, for example the Amigopod Visitor Management Appliance (VMA) from Aruba Networks. This product fingerprints different devices by monitoring DHCP and HTTP information, and maps the result to the correct access control policy.
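To make the DHCP/HTTP fingerprinting approach concrete, here is an added example (my own illustration, not Aruba's or IP-guard's code). It reads the Parameter Request List (option 55) and Vendor Class (option 60) from a client's DHCP request, corroborates the guess with the HTTP User-Agent seen from the same address, and maps the operating system plus the device's registration status to a VLAN. The signature table is a small illustrative subset of the kind a fingerprint database holds, the VLAN names and policy are assumptions, and all DHCP option bytes and User-Agent strings are constructed.

```python
"""Map a connecting device to an access policy from DHCP and HTTP fingerprints.

Added example, not Aruba's or IP-guard's code. The signature table is a
small illustrative subset; all option bytes and User-Agent strings are
constructed for the example.
"""
import re

DHCP_PARAM_REQUEST_LIST = 55
DHCP_VENDOR_CLASS = 60
DHCP_PAD, DHCP_END = 0, 255


def parse_dhcp_options(options):
    """Parse the TLV option area of a DHCP message (the bytes after the
    magic cookie) into {code: value}."""
    parsed, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == DHCP_END:
            break
        if code == DHCP_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        parsed[code] = value
        i += 2 + length
    return parsed


# Illustrative option-55 signatures: the order of the requested options is
# fixed by each client's DHCP stack, which is what makes it a fingerprint.
# Real databases hold thousands of variants per OS and version.
DHCP_SIGNATURES = {
    "1,3,6,15,119,252": "ios",
    "1,3,6,15,26,28,51,58,59,43": "android",
    "1,15,3,6,44,46,47,31,33,121,249,43": "windows",
}

UA_PATTERNS = [
    (re.compile(r"\b(?:iPad|iPhone); CPU"), "ios"),
    (re.compile(r"\bAndroid \d"), "android"),
    (re.compile(r"\bWindows NT \d"), "windows"),
]

# Assumed policy: domain-joined Windows hosts go to the staff VLAN, registered
# mobile devices get a restricted mobile VLAN, everything else is a guest.
OS_VLAN = {"windows": "vlan-staff", "ios": "vlan-mobile", "android": "vlan-mobile"}


def fingerprint(dhcp_options, user_agent=None):
    """Return an OS name, 'unknown', or 'conflict' when DHCP and HTTP disagree
    (a spoofed User-Agent, or several devices behind one address)."""
    opts = parse_dhcp_options(dhcp_options)
    prl = opts.get(DHCP_PARAM_REQUEST_LIST)
    os_dhcp = DHCP_SIGNATURES.get(",".join(str(b) for b in prl)) if prl else None
    vendor = opts.get(DHCP_VENDOR_CLASS, b"").decode("ascii", "replace")
    if os_dhcp is None and vendor.startswith("MSFT"):
        os_dhcp = "windows"
    elif os_dhcp is None and vendor.startswith("android-dhcp"):
        os_dhcp = "android"
    os_ua = next((name for pat, name in UA_PATTERNS
                  if user_agent and pat.search(user_agent)), None)
    if os_dhcp and os_ua and os_dhcp != os_ua:
        return "conflict"
    return os_dhcp or os_ua or "unknown"


def assign_policy(mac, dhcp_options, user_agent, registered_macs):
    """Combine the fingerprint with the device inventory to choose a VLAN."""
    os_name = fingerprint(dhcp_options, user_agent)
    if os_name in ("unknown", "conflict") or mac.lower() not in registered_macs:
        vlan = "vlan-guest"
    else:
        vlan = OS_VLAN[os_name]
    return {"mac": mac, "os": os_name, "vlan": vlan}


# --- constructed sample traffic ---------------------------------------------
def _opt(code, data):
    return bytes([code, len(data)]) + data

IPAD_OPTS = (_opt(53, b"\x03") + _opt(55, bytes([1, 3, 6, 15, 119, 252]))
             + _opt(12, b"iPad") + bytes([DHCP_END]))
ANDROID_OPTS = (_opt(53, b"\x03") + _opt(60, b"android-dhcp-10")
                + _opt(55, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43])) + bytes([DHCP_END]))
WINDOWS_OPTS = (_opt(53, b"\x03") + _opt(60, b"MSFT 5.0")
                + _opt(55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]))
                + bytes([DHCP_PAD, DHCP_PAD, DHCP_END]))
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 4_3 like Mac OS X) AppleWebKit/533.17.9 Mobile/8F190"
REGISTERED = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

if __name__ == "__main__":
    print(assign_policy("AA:BB:CC:DD:EE:01", IPAD_OPTS, IPAD_UA, REGISTERED))
    print(assign_policy("AA:BB:CC:DD:EE:02", WINDOWS_OPTS, None, REGISTERED))
    print(assign_policy("AA:BB:CC:DD:EE:99", ANDROID_OPTS, None, REGISTERED))
    print(assign_policy("AA:BB:CC:DD:EE:01", IPAD_OPTS, "Mozilla/5.0 (Windows NT 6.1)", REGISTERED))
```

Two design choices matter in practice. The fingerprint alone never grants access: a MAC address and a User-Agent are both trivially forged, so they only select a policy for a device that the inventory already knows, and anything unknown or self-contradictory falls back to the guest VLAN. And a disagreement between the DHCP and HTTP views is treated as a signal in its own right rather than silently resolved in favour of one source.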
Precise access control for mobile devices therefore presupposes a working 802.1X access control mechanism, and the lack of a network access control mechanism is a common weakness of intranet security products that are based on host-side control. Gradually improving 802.1X-based access control and the linkage between gateway and client is urgently needed. This is also a focus of IP-guard's efforts, and I believe new results in mobile device access control will follow in the near future.
Combining content-analysis-based DLP with boundary blocking and encryption
Data transmitted between the internal network and a mobile device is often confidential to some degree, so leakage protection is required during transmission and use. The mainstream information leakage prevention technologies in China are currently based on blocking and encryption. On PCs this works well, but the emergence of mobile devices challenges it.
Mobile applications exist to make information transfer faster and easier, and blocking weakens that convenience. Cloud computing moves more and more applications off the local host, so host-based blocking and encryption mechanisms have clear limitations.
How can the leakage prevention problem raised above be solved? Going beyond the host level to analyze, filter and intercept data further along its path is a possible direction. Here, foreign DLP products, whose strength is content analysis and filtering, offer inspiration.
Unlike the domestic blocking and encryption mechanisms, DLP products from outside China, represented by Symantec and McAfee, prevent information leakage through content analysis and filtering. By deploying devices at the boundary, a DLP product analyzes the content passing through the network and its ports, identifies confidential information that matches preset confidentiality characteristics, and filters or blocks it. In the past, the Chinese information leakage prevention market was primarily concerned with preventing deliberate leaks, so the DLP technology of Symantec and similar products found little use. With the development of mobile devices and cloud computing, this technology, which balances convenience and security, will gain wider recognition.
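What "identifying confidential information that matches preset confidentiality characteristics" looks like in code, as an added example (my own illustration, not Symantec's, McAfee's or IP-guard's): three detector types that content-analysis DLP products combine, namely a validated pattern (card numbers that also pass the Luhn check, so that arbitrary digit runs are not flagged), a keyword rule with a hit threshold, and exact-match document fingerprints built from hashed sentences of a registered confidential document. The registered document, the outbound messages, the keyword list and the block/quarantine/allow policy are all constructed for the example.

```python
"""Content-analysis DLP: classify text before it crosses the boundary.

Added example, not Symantec's, McAfee's or IP-guard's code. The registered
document and the outbound messages are constructed for the example.
"""
import hashlib
import re

# 13-16 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
KEYWORDS = ("confidential", "internal only", "do not distribute", "机密")
MIN_SENTENCE_CHARS = 20


def luhn_ok(digits):
    """Luhn checksum: weeds out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def normalize_sentences(text):
    """Split into sentences, lowercase, collapse whitespace, and drop short
    fragments so boilerplate phrases do not produce fingerprint matches."""
    out = []
    for raw in re.split(r"[.!?\n]+", text):
        s = " ".join(raw.lower().split())
        if len(s) >= MIN_SENTENCE_CHARS:
            out.append(s)
    return out


def register_document(text):
    """Fingerprint a confidential document as a set of sentence hashes; the
    DLP engine keeps only the hashes, never the text."""
    return {hashlib.sha256(s.encode("utf-8")).hexdigest() for s in normalize_sentences(text)}


def fingerprint_matches(text, registered):
    return sum(1 for s in normalize_sentences(text)
               if hashlib.sha256(s.encode("utf-8")).hexdigest() in registered)


def classify(text, registered, keyword_threshold=2):
    """Return (action, reasons). Validated identifiers and registered document
    fragments block outright; keyword hits alone only quarantine for review,
    which is where the balance between convenience and security is set."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append("card-numbers:%d" % len(cards))
    kw = [k for k in KEYWORDS if k in text.lower()]
    if len(kw) >= keyword_threshold:
        reasons.append("keywords:" + ",".join(kw))
    fp = fingerprint_matches(text, registered)
    if fp:
        reasons.append("document-fragments:%d" % fp)
    if cards or fp:
        return "block", reasons
    if reasons:
        return "quarantine", reasons
    return "allow", reasons


# --- constructed sample data -------------------------------------------------
SECRET_DOC = ("Project Falcon pricing: the unit cost for the Q3 tender is 412 per seat. "
              "Discounts above fifteen percent require CFO approval. Internal only.")
REGISTERED = register_document(SECRET_DOC)

MESSAGES = [
    "Hi, my card is 4111 1111 1111 1111, please charge the invoice.",
    "Reminder: this deck is confidential and internal only, do not distribute.",
    "Discounts above fifteen percent require CFO approval. See you Monday.",
    "Lunch at 12? The meeting ID is 4111 1111 1111 1112.",
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(classify(msg, REGISTERED), "<-", msg)
```

The fourth message is the case that separates content analysis from naive pattern matching: it contains a sixteen-digit number that fails the Luhn check, so it is allowed through rather than generating a false positive that would push users back toward the "blocking is too inconvenient" complaint the post describes. Exact sentence hashes are the simplest form of document fingerprinting; commercial products use rolling or partial-match fingerprints so that a paraphrased or partially copied document is still caught.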
Whether the mechanism is blocking, encryption, or content analysis and filtering, the purpose is the same: to prevent information leakage while balancing security and convenience. As a product positioned for intranet security, IP-guard has matured in blocking and encryption. To better adapt to user needs and technical development, we have also begun studying content-analysis-based filtering and hope to combine it with the existing blocking and encryption mechanisms in the future to give users a complete information leakage prevention system.
Put the mobile devices' own security measures into practice
Mobile device manufacturers are aware of the importance of device security. The iPad, for example, provides a range of security mechanisms, including passcodes, device encryption, encrypted network connections and remote data wipe, which greatly improve the security of the device.
However, users prefer convenience and may not strictly use the security measures the device provides. When deploying and managing mobile devices, IT managers should make the devices' built-in security measures count: register devices under unified access management, develop secure apps specifically for mobile devices, and strictly audit mobile device security policies. We have always stressed combining technology with management, and management methods adapted to the mobile era are essential for keeping mobile devices on the intranet secure.
As the birthplace of advanced information technology, the United States and other developed countries already use mobile devices widely, while such use in China is still in its infancy. That does not mean the security threats posed by mobile devices can be ignored. The rapid growth of the smartphone and tablet markets over the past two years shows that mobile device security will sooner or later become a leading concern of intranet security; planning ahead is always the right choice.
This article is from the "Huang kai" blog