
Protecting corporate information on mobile devices with Oracle Mobile Security Suite

Over the past few years, mobile devices have become so thoroughly embedded in our lives that we can no longer imagine doing without them. Everyone knows the uneasy feeling of leaving the phone at home or finding it dead. Smartphones and tablets help us in every sphere of life, and more and more business processes now depend on these devices. At the same time, companies face a rather serious problem: protecting corporate information. Imagine forgetting your smartphone on a cafe table or leaving a tablet in an airport waiting room: your mail, your contact list and remote access to the company's internal network could all end up in someone else's hands. The prospect is even bleaker when you consider that a phone can be picked from your pocket deliberately, precisely to obtain that information.



When addressing the protection of a mobile device, the question of how convenient the protected device remains to use also arises. For example, how many times a day will you have to enter a password to access the phone, and what will happen to your personal information if, after losing the device, confidential work documents have to be deleted from it?

In this article, we look at how Oracle's mobile strategy helps protect corporate applications and sensitive data in a mobile environment. There are several approaches to giving employees mobile access, and two main options stand out: Mobile Device Management (MDM) and Mobile Application Management (MAM).

MDM and MAM


It is not always necessary to protect the entire smartphone, but the core data and applications do need protecting. Employees need convenient mobile applications, not just secure access to e-mail.

Mobile Device Management means managing the mobile device itself: this approach relies on full remote control of the device, including control of hardware functions. MDM is needed when you want to prevent the user from using the device's camera or taking screenshots. By installing MDM on a mobile device, the owner agrees to hand control of the device over to the MDM system administrator. This does not mean that the administrator gains access to personal information; it means that if the device is lost, a signal can be sent to reset it to factory settings, in which case all information, corporate and personal alike, is erased. The loss of personal information is less of a problem if the user has configured cloud synchronization: contacts, photos, notes and even progress in some games can be restored from the cloud.

Mobile Application Management means managing mobile applications: with this approach no rights over the entire device are granted, and management is limited to the applications and the data belonging to them. If the device is lost, the administrator sends a signal that erases only corporate information from the device, or blocks the user's access only to the corporate workspace and corporate applications. If the owner later finds the lost phone or tablet, nothing personal has been lost. MAM lets a corporate device be used conveniently as a personal one: corporate information and corporate applications live in a so-called "container", while personal information and personal applications stay outside it.

Many companies want to use both approaches at the same time, either letting employees choose the connection method themselves or dividing employees into groups according to their job responsibilities, because not all employees have access to confidential information and not all of them require increased control.

Oracle Mobile Security Suite


Oracle's mobile strategy supports both approaches, MAM and MDM. In both cases the employee installs the container application on the mobile device: this is the workspace that holds a set of corporate applications, provides single sign-on to them and protects their content. Only with the MDM option does the user also have to install an additional profile/certificate, thereby confirming consent to remote control of the device.

Oracle Mobile Security Suite sets aside a container in which corporate data is isolated. Inside the container there is discipline and order: the container supports remote wipe and policy updates. All corporate data is stored inside the container, and moving it to other areas is prohibited.

After you install the container, several ready-made applications appear in it:

• a corporate browser, designed for use with internal resources; the administrator determines what may be viewed through this browser. Access to the company's internal web resources and web applications is configured so that they can be reached only from the corporate network or from the browser inside the mobile container;

• a mail client for corporate mail;

• a document editor and file manager for working with corporate documents;

• enterprise business applications, meaning any applications that have been placed in the container;

• a corporate application catalog: containerized applications are delivered to the smartphone from a separate catalog, distinct from the App Store or Play Market.

At the same time, the user keeps the regular browser for ordinary Internet resources, the regular mail client for personal mail, familiar applications and access to the App Store or Play Market.

All corporate documents are stored on the device in encrypted form. An attacker or a random person who gets hold of a smartphone running Oracle Mobile Security Suite will not be able to access the applications and documents in the container. Even if the smartphone is offline and cannot be remotely wiped, someone who breaks into it and extracts the documents still cannot read them: they will open in unreadable form.

Policies


Policies define many parameters: the authorization method for a given group of users, which devices and operating systems the container may be used on, which applications will be available in the user's catalog, whether access is allowed from a specific geo-location and at specific times, the session timeout, and so on. Policies also control every way data can move between the container and the unprotected area of the phone: data storage, copy-paste, e-mail, instant messaging, video conferencing, social networks, printing, launching programs, dragging data from one application to another (AirDrop), the media gallery and contacts. Each authorized user is a member of a group, and one or several policies are applied to the group.

If data needs to be erased remotely because the smartphone has been lost, the employee contacts the administrator, who sends a push notification to the smartphone; with the MAM option, the data belonging to the container and its applications is deleted from the device, and with MDM the entire device is reset to factory settings.

Oracle Mobile Security Suite uses various mechanisms to detect jailbroken and rooted devices. Through policies, the administrator decides whether users with such devices are allowed to install the container. In addition, certain applications can be made visible only from certain devices or only on certain versions of iOS and Android, which is useful when an application may not work on every version of the operating system.

Tunnel application


One way to provide access to internal resources is to set up a VPN connection from the mobile device. Oracle Mobile Security Suite does not use a VPN connection; instead, a mutually authenticated SSL tunnel is opened from the application or from the container to the server side. Access to the internal network is opened only for applications on the whitelist, whereas with a VPN connection any application the user has downloaded to the smartphone would gain access to the corporate network.

The application tunnel is optimized for mobile traffic, and the solution supports transparent switching between Wi-Fi and 3G: if you leave the Wi-Fi zone while working on the move and your smartphone switches to 3G, you can keep working; the connection is not interrupted and the session is not lost.

Application containerization


Oracle Mobile Security Suite gives you everything needed to work safely with web applications out of the box, namely a secure browser. If stand-alone applications from your enterprise information system are to be used as well, they must go through the containerization process.

To containerize an application, you need to sign it with a special certificate; for iOS this is the official Apple developer certificate. For this purpose Oracle Mobile Security Suite includes a containerization tool with just two functions: signing the application and injecting its own code into it, creating a so-called wrapper around the application. Before the application makes a call to the operating system, the wrapper intercepts the call and checks the policy: may this user perform this action? To containerize a third-party developer's application, you need to contact the developer and obtain an unsigned version of the application, without a certificate. The administrator uploads the signed application to the corporate catalog, after which any employee with the appropriate access right can install the application on their device, and not merely on the device but inside the protected container.

The code of Oracle Mobile Security Suite's underlying security mechanisms is obfuscated to make decompilation harder. The keys that encrypt protected content and applications are managed and held only in the device's RAM and are securely erased when they are no longer needed.
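As an added illustration (not code from Oracle or from the article), the following toy policy evaluator ties together the per-group policies from the Policies section and the wrapper check described above: an enrollment check against OS version and jailbreak/root state, and a boundary check the wrapper could apply before an app's call reaches the OS. The group names, policy fields, action names and sample values are all assumptions.

```python
# Added illustration, not Oracle's code: a toy model of the per-group container
# policy the article describes (permitted OS and minimum version, jailbreak/root
# handling, transfer controls at the container boundary, allowed hours). Every name,
# field and sample value here is an assumption for this example.
from dataclasses import dataclass, field

@dataclass
class Policy:
    min_os: dict = field(default_factory=dict)    # os name -> minimum version allowed
    allow_rooted: bool = False                     # may jailbroken/rooted devices install the container?
    blocked_out: set = field(default_factory=set)  # actions denied when data leaves the container
    hours: tuple = ("00:00", "23:59")              # zero-padded "HH:MM" window for container access

# Each user belongs to a group; one or more policies apply per group (one here).
GROUP_POLICIES = {
    "finance": Policy({"ios": "9.0"}, False,
                      {"copy_paste", "print", "airdrop", "screenshot"}, ("07:00", "20:00")),
    "field_sales": Policy({"ios": "8.0", "android": "5.0"}, True, {"airdrop"}),
}

def _ver(v):
    """'9.3' -> (9, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def may_install_container(group, device):
    """Enrollment check: OS, minimum version and jailbreak/root state against the group's policy."""
    pol = GROUP_POLICIES[group]
    if device["rooted"] and not pol.allow_rooted:
        return False, "jailbroken or rooted device not permitted for this group"
    need = pol.min_os.get(device["os"])
    if need is None:
        return False, f"{device['os']} is not permitted for this group"
    if _ver(device["version"]) < _ver(need):
        return False, f"{device['os']} {device['version']} is below the minimum {need}"
    return True, "ok"

def wrapper_allows(group, action, src, dst, now_hm):
    """The wrapper's decision before a containerized app's call reaches the OS.
    Only data leaving the container (src inside, dst outside) hits the transfer controls."""
    pol = GROUP_POLICIES[group]
    if not (pol.hours[0] <= now_hm <= pol.hours[1]):
        return False, "outside the hours allowed by policy"
    leaving = src == "container" and dst != "container"
    if leaving and action in pol.blocked_out:
        return False, f"{action} from the container to {dst} is blocked by policy"
    return True, "ok"
```

Data moving into the container or staying inside it passes, while the same action out of the container is refused for a group whose policy blocks it.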

Integration with Oracle Access Manager and Oracle Identity Governance


The new OMSS release is tightly integrated with other Oracle products: the management interfaces of Oracle Mobile Security Suite and Oracle Access Manager are combined into a single policy management console.

This integration allows the products to be administered centrally and brings OAM features to mobile devices. For example, OMSS can use Oracle Access Manager to perform context-based, step-up, risk-based authentication during user registration or when a user logs in to a protected application. Step-up authentication supplements the main password; it can take the form of answers to challenge questions or entry of an additional one-time password. This feature is available if the protected application is configured to use OAuth2.

Oracle Mobile Security Suite can be installed together with the Oracle Identity Governance self-service console. With this integration, a single interface shows who has access to which company systems, which mobile devices each employee uses and which applications are installed on them.

Certification


Oracle information security solutions are certified by the Federal Service for Technical and Export Control (FSTEC of Russia); the list of certified products is available via the linked Oracle Information Security Blog.

Source: https://habr.com/ru/post/262557/
