This tip is a part of the SearchSecurityChannel.com resource guide, Securing mobile devices: A resource guide for solution providers.
For security solution providers,
Understanding native Android management and security
To identify and capitalize on new opportunities, security solution providers must appreciate the management and security capabilities that Android-powered devices bring to the table.
Unlike IT-favorite BlackBerry or upstart iOS 4 for Apple iPhones, Android lacks native device management. Instead, Android device users must establish personal Google accounts with which to synchronize contacts and calendars and purchase applications from the Android Market, which are then installed over-the-air. Android updates are also delivered over-the-air by cellular network operators that sell Android-powered devices, adding OS levels and capabilities that vary depending on each device’s manufacturer and model specifications.
However, enterprises can exert remote IT control over Android devices. Android 2.2 added an Android Device Administration API that lets third-party developers write code for reading and writing security attributes. The native Android email client uses this API to enable Exchange ActiveSync policy enforcement (e.g., requiring a PIN or password, initiating remote wipe). Corporate email messages, contacts and calendars can also be synchronized with Exchange, using either native Android or third-party apps.
In Android 2.2 (code named "Froyo"), limited capabilities are available to software developers with this API: enable password, set password minimum length, require alphanumeric password, set max failed password attempts, specify inactivity timeout lock, prompt for new password, lock device now and wipe device (i.e., reset device, but not SD card, to factory default).
Android 3.0 (code named "Honeycomb") is available in the XOOM tablet and will be on other tablets later this year, but is not available on smartphones yet. This version adds control over encrypted storage, password expiration, password history and password complexity. In addition, device manufacturers like Samsung and Motorola are adding proprietary APIs to enable value-added management and security features, such as certificate installation and application blacklisting.
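The controls listed above map onto Android's `DevicePolicyManager` class roughly as follows. This is an added example, not code from the original article or from any vendor it names; the class names `PolicyEnforcer` and `PolicyReceiver` and every numeric policy value are assumptions chosen for illustration.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

// Added illustration: class names and numeric values are assumptions, not from the article.
public final class PolicyEnforcer {
    // Hypothetical receiver. It must be declared in the manifest with the
    // BIND_DEVICE_ADMIN permission and a <uses-policies> metadata file listing
    // limit-password, watch-login, force-lock and wipe-data (plus expire-password
    // and encrypted-storage on Android 3.0).
    public static class PolicyReceiver extends DeviceAdminReceiver { }

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public PolicyEnforcer(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, PolicyReceiver.class);
    }

    // Returns true only when the policy is set AND the current password already meets it.
    public boolean applyBaseline() {
        // The user must activate the admin first; otherwise the setters throw SecurityException.
        if (!dpm.isAdminActive(admin)) return false;

        // Android 2.2 (API level 8) controls.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);      // inactivity lock, in ms

        // Android 3.0 (API level 11) additions; skipped on older devices.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            dpm.setPasswordExpirationTimeout(admin, 90L * 24 * 60 * 60 * 1000);
            dpm.setPasswordHistoryLength(admin, 5);
            dpm.setStorageEncryption(admin, true);  // result code reports if unsupported
        }
        // Setting a policy does not change the existing password, so check compliance.
        return dpm.isActivePasswordSufficient();
    }

    public void lockNow() { dpm.lockNow(); }

    // Factory reset; flag 0 leaves the SD card untouched, as the article notes for 2.2.
    public void wipe() { dpm.wipeData(0); }
}
```

When `applyBaseline()` returns false on a device where the admin is already active, the app would normally launch the `DevicePolicyManager.ACTION_SET_NEW_PASSWORD` intent so the user chooses a compliant password.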
Tapping into the Android security ecosystem
Solution providers can take advantage of native Android security capabilities in many ways, such as:
- Outside consultants can help enterprise and SMB customers map business needs to Android capabilities. For example, this may include creating acceptable use policies for business use of employee-liable Androids and specifying minimum OS level and proprietary feature requirements for authorized Android devices. In particular, customers may seek guidance on policies surrounding IT invocation of remote wipe (e.g., when this can be done, who is responsible for backing up business and personal data, etc.).
- Consultants can also help enterprises determine how to integrate Android devices into existing corporate infrastructure. For example, this might include designing processes to enroll employee-purchased Android smartphones and Android tablets in Active Directory and using group membership to enforce password policy through Exchange ActiveSync. To help SMB customers, solution providers can resell hosted Exchange services (such as those offered by GoDaddy, 123Together and SherWeb, to name a few) that support synchronization with Android devices.
- For many businesses, the native Android email client is not sufficiently rich. Solution providers can offer a one-two punch by reselling third-party email clients, such as Good Technology Inc.’s Good for Enterprise or NitroDesk Inc.’s NitroDesk TouchDown, which deliver richer messaging and offer stronger messaging security. For example, the TouchDown client can be configured to encrypt all corporate messages, contacts, calendar entries and tasks stored on an Android device – no matter who owns it. If an employee should quit, a remote text or email message can be sent to the Android, removing the client and all of its corporate data, without completely wiping the device or removing personal data.
Android for enterprise: Building on Android to deliver value-added security
As Android devices (especially tablets) are more fully embraced by businesses, security will be required to protect more than messaging. By jumping onto the Android bandwagon today, solution providers can get ready to reap future benefits. Let’s review why in the following scenarios:
- IT may need to track devices and prove a lost or stolen device was remotely wiped. When a user forgets his or her Android password, IT will need tools for secure password reset. Solution providers can fill these gaps by reselling third-party security suites and services. SMBs can often be satisfied with stand-alone security suites such as McAfee Inc.’s WaveSecure or Lookout Inc.’s Lookout Mobile Security. Enterprises are more likely to seek third-party mobile device management (MDM) products, available from vendors like AirWatch LLC, Boxtone, MobileIron and Sybase Inc.
- Reselling Android-capable MDM products or offering managed MDM services can create many additional revenue opportunities. Today, these MDMs are moving quickly to support multiple mobile device types, meaning a solution provider can deliver service offerings that handle not only Android, but Apple iOS as well. In addition to managing security, MDMs can often facilitate automated device enrollment, provisioning, over-the-air enterprise application management and wireless expense management. In particular, application management can ease security concerns over user-initiated app downloads from the Android Market.
- Solution providers can help address security needs that Android itself does not satisfy and perhaps never will. Even though Android 3.0 provides a storage encryption API, existing Android devices do not offer hardware encryption. As such, self-encrypting applications and file/folder encryption are now the only options for protecting Android data. Furthermore, Android does not come with personal firewall or antimalware capabilities – but third-party security suites can be installed to add them. Other security capabilities that can be added to Android devices include SMS phishing filters, browser URL checkers, and application integrity checkers. Market demand for these add-ons will only grow as more Android malware appears.
These are just a few of the ways solution providers can profit from consumer excitement over Android smartphones and tablets. Enterprise and SMB customers need to identify and mitigate Android risks to enable safe, productive use of these devices, no matter who owns them. Well-informed solution providers can play a key role in making that happen.
About the author:
Lisa Phifer is President of Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year network industry veteran, Lisa has been involved in mobile wireless security since 1996. She is a technical editor for Information Security Magazine, site expert for SearchNetworking, and frequent contributor to many other TechTarget websites.
This was first published in May 2011