Security administrators use many different technologies to protect their mobile devices. In this video, you’ll learn about MicroSD HSMs, Unified Endpoint Management, Mobile Application Management, and SEAndroid.
A hardware security module is a physical device that provides cryptographic features for your computer. This can also be applied to mobile devices through a much smaller form factor of the HSM called a microSD HSM. This means that we can associate a piece of hardware with the cryptographic functions for encryption, key generation, digital signatures or authentication.
This additional hardware is truly tying these cryptographic features to these physical tablets or smartphones. We can also store information securely in these microSD HSM. We can keep different encryption and decryption keys in the HSM or we might want to store our cryptocurrency as part of the hardware of our mobile device.
We rarely use any single type of system during our normal day to day work. We might have a laptop on our desk, we might use a tablet when we’re in a meeting. And we might have our smartphone as we’re traveling back and forth to the office.
To be able to have exactly the same data available across all of these devices. And to maintain security across all of these devices, we can take advantage of a unified endpoint management solution or a UEM. This allows us to easily manage the security posture across all of these different devices. And it allows us to use applications in different places. But still ensure that all of the proper security features are in place.
So we might work on our laptop when we’re in the office or our smartphone when we’re at home. But we’re providing exactly the same security posture in both of those environments. This is almost required for the way that we work these days. We certainly don’t think about using a laptop or a tablet, or smartphone we’re more interested in knowing that we can use a particular application.
So our security policies and the management of these devices need to have the same philosophy as well. And there may be quite a few corporate applications on our mobile devices that we are constantly using. But there has to be some way to maintain these applications make sure that they’re patched and they stay up to date. And the way that you do that is by taking advantage of mobile application management or MAM.
You would still use your mobile device manager to manage the device itself. But you would use the mobile application management to be able to manage the applications that are running on those mobile devices. For example, your organization might maintain an app catalog that’s specific to your enterprise.
So you can connect to your corporate app catalog, download the applications that you need to use as part of your job. And those will then be available on your mobile device. Thanks to the use of your mobile application management.
The administrator of the MAM can also monitor how the applications are being used and if there are any problems with the applications. If the applications are crashing or users are not properly authenticating to the application all of those events can be seen on your mobile application management.
Your MAM can also provide you with very fine grained control of the data that’s on these mobile devices. So it may be able to delete data associated with one particular application. But leave all of the other data on that mobile device intact.
If you’re using Android on your mobile device you’re probably using the security enhancements for Android or SEAndroid. This is effectively taking the SELinux functionality and including it as part of the Android operating system. This provides some additional access controls security policies and includes different policies for configuring the security of these mobile devices.
Well, if there’s an organization that needs to provide a secure mobile device it would be the NSA or the National Security Agency here in the United States. This was the organization that really pushed the SEAndroid functionality. And it is an addition to their already popular SELinux distribution.
The goal of this project was to provide security across the entire Android operating system. So you’ll see enhancements to the kernel to the userspace and to the configuration settings in the security policy. SEAndroid is now the default version of Android that runs on our systems since version of 4.3 that was released in July of 2013.
SEAndroid prevents any direct access to the kernel of the Android operating system by protecting these privileged demons that are running inside of SEAndroid. It also changes the way the data is accessed on these mobile devices by default Discretionary Access Control or DAC was used. And that has been changed to Mandatory Access Control or MAC. This removes the user from being able to control what type of access someone might have to the system. And instead puts that in the control of the administrator.
The administrator can assign object labels and then assign users with minimum access to those specific labels. This also creates sandboxes between the applications running in the operating system. So that it can isolate data from one application from data that is created and stored by a different application. And SEAndroid provides a centralized area for policy configurations. So that all of the security features can be administered from one central point.