Does Android Dream of Enterprise Adoption?


Copyright © 2012 Fiberlink Communications Corporation. All rights reserved.

This document contains proprietary and confidential information of Fiberlink. No part of this document may be used, disclosed, distributed, transmitted, stored in any retrieval system, copied or reproduced in any way or form, including but not limited to photocopy, photographic, magnetic, electronic or other record, without the prior written permission of Fiberlink.

This document is provided for informational purposes only and the information herein is subject to change without notice. Please report any errors to Fiberlink. Fiberlink will not provide any warranties covering this information and specifically disclaims any liability in connection with this document.

This document is subject to the terms of the MaaSters Partner Program Agreement. Fiberlink reserves the right to administer this Program at its discretion. Fiberlink may make any of the benefits in this document available to any MaaSters Partner Program Participant, and/or withhold any benefits from any Program Participant without obligation to offer or withhold such benefits to or from any other Program Participant, pursuant to the MaaSters Partner Agreement terms and conditions.

Fiberlink, MaaS360, associated logos, and the names of the products and services of Fiberlink are trademarks or service marks of Fiberlink and may be registered in certain jurisdictions. All other names, marks, brands, logos, and symbols may be trademarks or registered trademarks or service marks of their respective owners. Use of any or all of the above is subject to the specific terms and conditions of the Agreement.

Copyright © 2012 Fiberlink, 1787 Sentry Parkway West, Building Eighteen, Suite 200, Blue Bell, PA 19422. All rights reserved.

Table of Contents

Introduction: Android - Fragmented Friend or Foe?

Managing Unruly Androids

How to Control Unruly Androids

Android - The Security Sieve

Stemming the Android Security Holes

Android 4.0: Better — Not Best

MaaS360 and Android

Android Can Live in the Enterprise – With Help

Android - Fragmented Friend or Foe?

It’s an Android world. Sixty percent of the mobile device market is dominated by this leading mobile open-source operating system. As Bring Your Own Device (BYOD) gains rapid momentum, IT is left with the Catch-22 of satiating employees’ thirst for using the Google-based juggernaut while addressing the very real concerns of protecting corporate data and providing standardized management.

There are now more than 550 Android device types, 48 manufacturers, and a multitude of carriers worldwide. To complicate things further, many of these manufacturers and carriers installed custom variants of the OS and added software to differentiate their offerings from the rest of the continuously growing Android herd. This is great news for consumers, but sends chills up the spines of IT professionals who have relied for years on efficient management through standardization.

Each version of Android has improved management and security capabilities, but the vast array of devices on the market means it’s unlikely your enterprise will ever deal with only one version or device type.

This doesn’t negate the validity and power of Android in the enterprise; it simply means IT departments must arm themselves with the right protective measures.

Managing Unruly Androids

The heterogeneity of the Android platform means that enterprise admins have a multitude of management uncertainties across manufacturers when it comes to device controls, data usage, and the dreaded upgrade patch for the OS and apps.

User Management: There is no inherent capability in the Android platform for extending and revoking privileges to individuals, tracking their usage, or notifying IT when devices violate policies and action must be taken. This is a stark contrast to the standardization offered by Apple iOS.

Exchange ActiveSync (EAS) Support: Android natively does not support many of the EAS policies, leaving the responsibility to the manufacturer and the IT administrator to figure out what does and doesn’t work. This fragmentation also adds to the confusion as to what EAS policies can be configured.

Upgrades and Patches: Google routinely issues upgrades and patches for Android, but it places responsibility for implementing those patches on the manufacturer, which may elect to delay their introduction. Application developers also push out upgrades and patches, which often require user consent and action. As a result, updates may languish for months. Also, “the latest and greatest” version of an application or OS is not always great for enterprises, as it can cause conflicts with a slew of corporate systems.

Data Consumption: The more recent versions of the Android platform support 4G Long Term Evolution (LTE) IP networks, which consume data with a voracious appetite. As many carriers charge by gigabytes consumed as well as minutes of talk time, the enterprise can be liable for significant overage charges if a device goes over the limits. Users are often unaware of how much data they’re using. Additionally, many devices can be used as mobile hotspots or “tethers,” effectively acting as a Wi-Fi modem for other devices, giving away data to all who come in range. There are no inherent controls in EAS or other mobile email platforms to help prevent overages.

Roaming: The same is true of roaming off a carrier’s networks, which can carry charges in the thousands of dollars. The user, or his employer, can unwittingly become liable for these charges when out of network.

How to Control Unruly Androids

The only way to truly control an unruly Android is to implement a Mobile Device Management (MDM) platform that offers features like the following:

• Managing Users: MDM platforms allow enterprises to offer different functionality to different users through policy controls. Some executives may be allowed to roam internationally, or run certain applications, while other employees might not, for instance.

• EAS Support: Choose an MDM program that can provide access controls (e.g. quarantine) for Android devices trying to connect to the Exchange environment until approved. Also, your MDM solution should allow for enforcing minimum versions of the Android OS to connect. In addition, your MDM provider should integrate with best-of-breed secure email apps that ensure EAS policies can be configured and can secure email data.

• Upgrades and Patches: MDM platforms can manage updates across multiple manufacturers and app developers from a centralized control panel, and enforce version control and upgrade compliance by blocking devices that do not meet minimum requirements (such as accepting the latest security patch).

• Data Consumption and Roaming Management: By setting policy controls in the MDM platform, such as maximum data use or “no roaming,” users can be notified when they are nearing the allowable cap of data consumption or are about to incur charges for roaming.

Android - The Security Sieve

There are numerous security gaps in the Android platform that vary with each platform version. The most common chinks in the armor include:

Lack of Encryption: Encryption of digitally transmitted data is a requirement for many enterprises, from the standpoints of corporate policy as well as industry compliance. Before the release of Android version 3.0 (codenamed “Honeycomb”) in February 2011, Android devices did not have any kind of hardware encryption. Sadly, Honeycomb was solely for Android tablets. A year later, close to 80 percent of the existing Android phones on the market are running Android versions that do not support encryption, with the most prevalent being versions 2.2 and 2.3 (“Froyo” and “Gingerbread”).

This presents a substantial risk for email, calendar, and contact information being compromised by prying eyes. The latest version of Android, 4.0 (codenamed “Ice Cream Sandwich”), does support device encryption and runs on both tablets and smartphones, but as it was released late in 2011, it’s not running on most devices. As a result, enterprises must take extra measures to encrypt Android devices.

Rooting: Users can overcome protections on the Android OS and “root” the device by accessing its Unix core, which allows them to install virtually any application, including malware, and subvert application-level controls. A device that is “rooted” can expose the corporate network to the same malware that is loaded on the device and override data-loss protections.

Data in transit: Any time data moves from one device to another, it’s vulnerable. Devices with removable SD cards and USB connections can easily lose data, even if the data is encrypted. Wandering into an unsecured Wi-Fi zone is also hazardous, and there are no built-in protections against this.

Stemming the Android Security Holes

There are several approaches enterprises can take to resolve Android’s inherent security issues.

Encryption: Commercial software is available to encrypt email, contact, and calendar apps. However, this software does not cover other aspects of device management. The good news is that this software is sometimes bundled with MDM platforms.

Rooting: In February 2012, Google released a malware-scanning application called Bouncer, which scans all applications posted to the Google application store, Google Play. This makes it less likely that a downloaded application will be malicious, but it does not protect an organization from rooted device vulnerabilities. Some MDM platforms can detect and block rooted devices once the MDM client is on the device.

Data in transit: Devices should be protected with passcodes to prevent data from passing to an unauthorized third party. Luckily, MDM software can enforce passcode best practices. Additionally, devices with cameras can be remotely locked down using contextual management and geofencing if they enter areas where sensitive information can be photographed.

Minimum OS: Because of security vulnerabilities in Android versions lower than 3.0, enterprises may wish to specify a minimum acceptable OS version in order to allow a device to access the corporate network. This can be enforced through an MDM platform.

Blacklisting and whitelisting: Certain commercial applications open up communication channels on devices that can cause data leakage, particularly file sharing apps such as Dropbox. Enterprises should develop a “blacklist” of forbidden applications. IT admins can then use this list to configure policies to block devices that download blacklisted apps from accessing corporate networks, or notify users to remove the malicious app. Similarly, “whitelisted” (acceptable) and “required” application lists can also be specified through the policy controls of some MDM platforms.
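The checks listed in this section (rooted-device blocking, minimum OS version, enforced encryption and passcode, blacklisted and required apps) can be expressed as one policy evaluator. The sketch below is an added example, not MaaS360 code; the device record fields, the package names, and the choice to notify on app violations while blocking on the rest are assumptions made for illustration.

```python
from itertools import takewhile

def parse_version(text, width=3):
    """'2.3.6' -> (2, 3, 6). Compared as integers and zero-padded, so '4.0' == '4.0.0'."""
    nums = []
    for piece in text.strip().split(".")[:width]:
        digits = "".join(takewhile(str.isdigit, piece))  # '4-beta' -> '4'
        if not digits:
            break
        nums.append(int(digits))
    if not nums:
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(nums + [0] * (width - len(nums)))

# Hypothetical policy; package names are placeholders, 3.0 is the floor the text suggests.
POLICY = {"min_os": "3.0",
          "blacklist": {"com.example.fileshare"},
          "required": {"com.example.securemail"}}

def evaluate(device, policy=POLICY):
    """Return (action, reasons); action is 'allow', 'notify' or 'block'."""
    block, notify = [], []
    try:
        if parse_version(device["os_version"]) < parse_version(policy["min_os"]):
            block.append(f"OS {device['os_version']} below minimum {policy['min_os']}")
    except (KeyError, ValueError, AttributeError):
        block.append("OS version missing or unparseable")  # fail closed
    if device.get("rooted", True):  # unknown root state is treated as rooted
        block.append("rooted, or root state not reported")
    if not device.get("encrypted", False):
        block.append("storage encryption not enabled")
    if not device.get("passcode_set", False):
        block.append("no passcode set")
    apps = set(device.get("apps", ()))
    # Design choice for this example: app violations notify the user instead of blocking.
    notify += [f"blacklisted app installed: {p}" for p in sorted(apps & policy["blacklist"])]
    notify += [f"required app missing: {p}" for p in sorted(policy["required"] - apps)]
    action = "block" if block else "notify" if notify else "allow"
    return action, block + notify

OK = {"rooted": False, "encrypted": True, "passcode_set": True}
INVENTORY = [  # constructed sample records
    {"id": "phone-a", "os_version": "2.3.6", "rooted": False, "passcode_set": True, "apps": []},
    {"id": "tablet-b", "os_version": "4.0.4", **OK, "apps": ["com.example.securemail"]},
    {"id": "phone-c", "os_version": "4.0", **OK, "rooted": True, "apps": ["com.example.securemail"]},
    {"id": "phone-d", "os_version": "4.0.3", **OK,
     "apps": ["com.example.securemail", "com.example.fileshare"]},
]

def report(inventory=INVENTORY):
    return {d["id"]: evaluate(d)[0] for d in inventory}

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["id"], *evaluate(dev), sep=" | ")
```

Versions are compared as integer tuples because string comparison misorders multi-digit components, and a record that omits a field is treated as non-compliant so that a missing agent report cannot pass the check.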

Android 4.0: Better — Not Best

With the introduction of Ice Cream Sandwich (Android 4.0), some of the largest security gaps have been resolved. Still, it will be some time before most users have Android 4.0 devices. In fact, recent studies show that only 11% of the Android market has adopted 4.0, with over 80% still on 2.2 and 2.3.

On the operating system side, Android 4.0 supports encryption, a new public keychain framework for authentication management, and protection from sophisticated attacks, such as memory exploits.

The top three manufacturers, Samsung, HTC, and Motorola, are moving forward with more enterprise-grade protections on their upcoming devices, such as SD card remote wipe and file encryption, enterprise-class WLAN security, and the ability to support open and encrypted information simultaneously on a single device. These platforms are also opening up more control layers, which will allow more granular policy enforcement.

However, enterprises will still need an MDM platform to coordinate these capabilities. An MDM platform can set policies for individual users, groups, and device types; perform mass enrollments and upgrades; and manage and monitor user plans from one common interface. These capabilities will inevitably be necessary in an organization of any size, whether the corporation owns the devices or employees bring their own.

MaaS360 and Android

MaaS360 mobile device management (MDM) for Android provides the visibility and control enterprises need to safely deploy Android smartphones and tablets. MaaS360 supports Android OS versions 2.2 and higher, offering:

• Flexible enterprise application management, which lets enterprises distribute and update in-house apps as well as whitelisted or required Google Play apps.

• Automated security rules, continuous device monitoring, and problem detection.

• Cost controls, including real-time monitoring and tracking of data usage.

• Dashboards highlighting real-time compliance metrics, as well as granular details on device and network use.

• IT management capabilities, including the ability to manage upgrades and patches, remotely block and wipe devices, report on all devices connected to the infrastructure, enforce passwords and encryption, and implement third-party security software, such as anti-malware and email/calendar/contact encryption.

• A compliance engine with contextual management rules that can automatically take action as soon as a policy violation occurs.

• The ability to perform mass enrollments and reliable scaling through a cloud-based infrastructure.

Android Can Live in the Enterprise – With Help

Android is here to stay, especially as BYOD programs gain popularity. To remain secure and compliant with industry standards, enterprises need a way to protect and manage the wide range of available devices, versions, and idiosyncrasies of the world’s most popular mobile operating system. The open-source nature of Android means the platform has more inconsistencies and vulnerabilities than more tightly controlled competitors; however, its sheer size and scale demand that it be accommodated and managed. Through MDM platforms such as MaaS360, which take advantage of native device and OS controls, over-the-air policy enforcement, and cloud-based scalability, a stable universe of Android devices can be securely deployed to your workforce.

To learn more visit:

http://www.maas360.com/products/mobile-device-management/android/

All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such.

For More Information

To learn more about our technology and services visit www.maaS360.com.

1787 Sentry Parkway West, Building 18, Suite 200 | Blue Bell, PA 19422

Phone 215.664.1600 | Fax 215.664.1601

WP_201206_0037