How to control corporate mail on iOS and Android mobile devices
Controlling corporate mail on mobile devices running the two most widespread platforms, Android and iOS, is one of the most frequently raised topics at data-leak-protection conferences. Practically all participants are concerned about the risk of restricted-access information leaking through corporate and personal mail on BYOD mobile devices.
The active use of personal mobile devices for work, first of all for day-to-day e-mail communication, considerably simplifies the use of corporate data in business processes and increases employee productivity, mobility and availability. Stopping the spread of BYOD devices in corporate information systems is not only impossible but also counterproductive for the business.
From the information security standpoint, however, there is a dilemma between giving access to office mail and corporate information on mobile devices and ensuring that this information is protected there.
The solution most often proposed on the market is an application-wrapper product: isolating-container technology for mobile applications protects the data if the device is lost, and all mail traffic of the corporate applications is redirected through a VPN tunnel to the organization's office network, where a DLP gateway inspects the content of the "container" mail. Another option, applicable only in a limited segment of critical information systems, is expensive "secure phones", which are in essence specialized hardware-plus-software MDM solutions based on a stripped-down version of Android. There have also been attempts to build a DLP-like agent for Android devices, where traffic monitoring in practice comes down to redirecting the traffic into a VPN tunnel. What all these options for protecting corporate mail have in common is the use of a DLP gateway or monitoring server that inspects the mail traffic received from mobile devices over VPN tunnels.
An important factor shaping the architecture of solutions for preventing data leaks from personal mobile devices is that, for various reasons, modern mobile operating systems do not allow DLP agents to function reliably. The iOS platform gives applications no access to the OS kernel, whereas Android, on the contrary, is an open platform: any user can obtain full administrative access to an Android device by a simple procedure and remove an application, in this case the hypothetical DLP agent, thereby switching off control of transmitted data and the prevention of leaks of valuable information. Finally, one must not forget that personal devices always remain personal, even when issued by the organization, and there are many restrictions of both an organizational and a technical nature: the difficulty of gaining access to the device, the impossibility of automated centralized deployment, the lack of administrative control over the personal device by the IT department, and so on.
Network-centric DLP solutions sitting behind corporate gateways and VPN tunnels are, in many domestic products, limited to monitoring mail communications, and for the MAPI and Lotus protocols they are not applicable at all: the proprietary encryption in these protocols fundamentally rules out analyzing the content of e-mails once they have been sent. For MAPI and Lotus, content analysis is possible only before sending, which requires an agent-based DLP architecture and interception of messages by injecting native code into the address space of the e-mail client's processes.
Another rapidly developing cybersecurity direction is providing access to the company's data assets through a remote connection to a sterile working environment built with desktop and application virtualization solutions. For preventing leaks in mail communications on Android and iOS devices, this is implemented by giving remote access to corporate servers in general, and to office mail in particular, through terminal sessions. Control of the mail communications of each terminal session is performed by a DLP agent running on the terminal server. In this model the e-mail client for corporate mail is published as a virtualized application: for example, in a Citrix XenApp environment the user can work with the e-mail client from any device, including Android and iOS mobile devices, while DLP control is implemented directly in the corporate virtualization environment on the terminal server. For this purpose a terminal client (for example, Citrix Receiver) is installed on the personal device by the user or by the organization's IT department, or any web browser supporting HTML5 can be used instead.
On the user side, organizationally, the model of accessing an e-mail client through a terminal session is quite simple to put in place: Citrix Receiver is available in both the App Store and Google Play, installs without difficulty on any version of iOS or Android, and the instructions for connecting to the corporate e-mail client as a virtualized application are quite short.
The last and most important part of the described model is the DLP system that controls mail communications in the virtualization environment. The DeviceLock DLP agent, installed on the terminal server, provides context control and content filtering of the network communications of every session in the corporate virtual environment. DeviceLock Virtual DLP technology intercepts e-mails directly from the e-mail client application published in Citrix XenApp, which the user reaches through a terminal session, and in real time checks the context of the message (presence of attachments, verification of the mail addresses) and the content of the message and its attachments against the DLP policies set for that user. If a violation is detected, the transfer of the restricted-access data is blocked to prevent the leak; at the same time a log entry and a shadow copy of the transferred message with its attachments are created, and an alert is generated for processing under the cybersecurity incident management procedure.
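To make the sequence of context and content checks in the preceding paragraph concrete, here is an added example in Python. It is not DeviceLock code and does not use its policy format: it models a hypothetical per-user policy over a message parsed with the standard library's email package, evaluated at the point where an agent would see the message before sending. The internal domain, the confidentiality marker, the payment-card pattern and both sample messages are constructed for illustration, and the shadow copy is represented by a SHA-256 of the raw message rather than a stored file.

```python
"""Toy mail DLP check modelling the context + content stages described above.
Added example, not DeviceLock code; all policy values and messages are constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from email import message_from_string, policy as email_policy
from typing import List, Optional

# Hypothetical per-user policy: mail to external recipients must carry no
# attachments, no confidentiality markers and no payment-card numbers.
INTERNAL_DOMAINS = {"corp.example"}                       # assumed internal domain
CONFIDENTIAL_MARKER = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")    # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to drop random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs of 13-19 with a valid Luhn checksum, separators stripped."""
    runs = (re.sub(r"\D", "", m.group(0)) for m in CARD_CANDIDATE.finditer(text))
    return [d for d in runs if 13 <= len(d) <= 19 and luhn_ok(d)]


@dataclass
class Verdict:
    blocked: bool
    reasons: List[str] = field(default_factory=list)
    shadow_copy_sha256: Optional[str] = None   # stands in for the stored shadow copy


def external_recipients(msg) -> List[str]:
    """Context check: To/Cc/Bcc addresses outside the internal domains."""
    addrs = [a for h in ("To", "Cc", "Bcc") if msg.get(h) for a in msg[h].addresses]
    return [a.addr_spec for a in addrs if a.domain.lower() not in INTERNAL_DOMAINS]


def text_parts(msg):
    """Yield (label, decoded text) for the body and every text attachment."""
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_maintype() == "text":
            yield part.get_filename() or "body", part.get_content()


def evaluate(raw: str) -> Verdict:
    """Decide block/allow for one outgoing message, as an agent would before sending."""
    msg = message_from_string(raw, policy=email_policy.default)
    reasons: List[str] = []
    ext = external_recipients(msg)
    if ext:                                     # the policy only constrains external mail
        names = [p.get_filename() for p in msg.iter_attachments()]
        if names:
            reasons.append(f"attachment(s) {names} to external recipient(s) {ext}")
        for label, text in text_parts(msg):     # content check over body and attachments
            if CONFIDENTIAL_MARKER.search(text):
                reasons.append(f"confidentiality marker in {label}")
            cards = find_card_numbers(text)
            if cards:
                reasons.append(f"{len(cards)} payment card number(s) in {label}")
    if not reasons:
        return Verdict(blocked=False)
    # Violation: block, and keep a shadow copy (here: its hash) for the incident record.
    return Verdict(True, reasons, hashlib.sha256(raw.encode("utf-8")).hexdigest())


# Constructed sample messages (not real traffic).
SAMPLE_LEAK = """\
From: alice@corp.example
To: partner@outside.example
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, see attached. Demo card 4111 1111 1111 1111 for the test account.

--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="q3.txt"

CONFIDENTIAL internal forecast.
--b1--
"""

SAMPLE_INTERNAL = """\
From: alice@corp.example
To: bob@corp.example
Subject: same numbers, internal
Content-Type: text/plain; charset="utf-8"

Demo card 4111 1111 1111 1111, CONFIDENTIAL, internal only.
"""

if __name__ == "__main__":
    for label, raw in (("leak", SAMPLE_LEAK), ("internal", SAMPLE_INTERNAL)):
        v = evaluate(raw)
        print(label, "BLOCKED" if v.blocked else "allowed", v.reasons)
```

The same message body is blocked when addressed outside the organization and allowed when addressed internally, which is the point of combining the context stage (recipients, attachments) with the content stage: the content rules are only as useful as the context that decides where they apply, and a real policy would add recipient allow-lists, file-type checks and a larger set of content detectors.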
What distinguishes Virtual DLP from the approaches described above, where traffic is redirected into a VPN tunnel and mail communications are analyzed at the DLP server, is first of all that the user gets access not to the data in the e-mail client as such but only to its graphical representation in a terminal session. Furthermore, Virtual DLP uses the agent-based option of network communication control, in which the control functions are performed directly at the point where the traffic originates. Only in such an architecture is it possible to intercept data before it is encrypted by proprietary protocols, such as MAPI in mail or, among messengers, Private Conversations in Skype. In addition, the content of data transferred through the clipboard and through removable drives redirected from the personal device into a terminal session of a desktop or application is checked in real time, which is no less important for protecting corporate data against leaks from BYOD devices than controlling mail.
It should be noted that DeviceLock DLP can control all widespread mail protocols (SMTP, SMTP over SSL, MAPI and IBM/Lotus Notes), while on the user's mobile device only the terminal access application needs to be installed and configured. Moreover, thanks to DeviceLock Virtual DLP technology, full control is provided over the various ways personal mobile devices are used in the different virtualization usage models (BYOD, home office, thin clients) built on virtualization and terminal access platforms from Microsoft, Citrix, VMware and other vendors: companies can fully control not only mail communications but the corporate virtualization environments as a whole when they are delivered to any personal devices of employees, mobile ones included, as well as to any other remote devices running any operating system.