Contain Mobile Security Threats
Moka5's Ian McWilton on How to Improve Security, User Satisfaction
Mobile security is no longer about managing devices, says Ian McWilton of Moka5. The real trick is to secure corporate assets through containerization solutions that reduce costs and improve user experience.
When many security professionals discuss mobility, it's all about device management. But that's the wrong approach, says McWilton, Moka5's chief architect.
"What we're saying is 'We're not going to manage that device,'" McWilton says. "What we do is we say: Never let that endpoint on your corporate network. If you need people to bring [the device] in, bring it in and put it on the guest wi-fi. ... The endpoint is untrusted, so even if it does have a nasty virus on it, well, who cares? You're just on the Internet. When you need to do your work, you're doing it within a trusted container ... and within that container you have all the a/v, protections and all the things you'd have within a standard laptop. So, as the user works there, they're working within a secure environment."
In an interview about mobile and PC security, McWilton discusses:
- The evolving enterprise landscape;
- Successful approaches to containerization;
- Security strategies that reduce costs and raise end user satisfaction.
McWilton works with Moka5's largest customers to architect their deployments, but also serves as the company's evangelist. In this role, he shares the company's business value and technical specifics with audiences of all levels. In his previous role as engineering leader, he was instrumental in the creation of Moka5's core product set. As the company's focus shifted outward toward customers, McWilton moved into the position of vice president of customer experience.
Prior to joining Moka5, he was with the VMware engineering team on Workstation, ESX and Virtual Center. He also served as director of engineering with Tablus, which was acquired by EMC.
Mobile and the Changing Enterprise Landscape
TOM FIELD: To give us context, talk a little bit please about how the mobile revolution has permanently changed the enterprise landscape?
IAN MCWILTON: Five years ago when you joined a company, you were given the standard company brick and you also were given maybe a BlackBerry if you were lucky. That was all you got. There was no deviating from that and IT was locked down. The idea was IT was managing the device and that can be a very well-defined perimeter.
But something happened that really broke that open. It's really transformed the IT landscape, possibly more than anything else in the last 30 years. It started with the iPhone. Everybody went out and bought the new iPhone. They had to have it and they had to be able to do their corporate e-mail on it. They wanted to bring that into the organization and that was really to fit into the age. Then the MacBook Air came out and now we've got to worry about OSX. Then the iPad came out, along with all of the Android variations of tablets and phones. We've seen the device proliferation, plus we've seen the desire for people to bring their own consumerization of IT. If you think about it, the enterprise landscape has gone through one of its massive fundamental shifts in the last five years compared to the previous 30.
FIELD: It occurs to me that, even in the past two years, we've seen enormous change. In this new environment, what does BYOD really mean now?
MCWILTON: That's an interesting point. For most people, BYOD really means enabling the customer on new platforms. If you think about it, phones or tablets are usually where people sit when they think about BYOD. But there's also another aspect to BYOD which is a massive cost-saving, which is bringing your own computer. As you travel around the country and you jump on planes, if you look around, the majority of the laptops that are being used on those planes are Macs, and Macs generally aren't supported by corporate IT. It's people's own devices. If you think about it, it's perfectly feasible that the company laptop can go the way of the corporate car. Ten or 20 years ago you used to join a job and, if you were at a certain level, the company gave you a car. Now you wouldn't think twice about the company giving you a car; you've got your own car. Why would you need another one from the company? That seems like such an odd concept. What we're going to see increasingly is the trend is going to go towards the idea that the employee provides the device and maybe there's some kind of stipend, much like paying for miles with your car today when using it for company business.
Securing Mobile Devices While Saving Money
FIELD: I've got a big question for you. How do you secure both mobile devices and PCs in a way that can save money for the organization but also improve the end-user experience?
MCWILTON: That's an interesting one and you include a couple of key things in there. You talk about the end-user experience and you talk about securing those devices. Let's tackle each one. With end-user experience, there were certain solutions out there that say, "We're going to put the desktop or maybe some apps in the data center." That's fine, but it doesn't really save money. It shifts costs from the endpoint, but it really creates a very big infrastructure and puts those costs straight back in the data center. You're not really saving anything and, frankly, the user experience isn't that good. You can't go offline and you can't get access to your data when you're offline either. That's not the best, but if you have a container which deploys on the endpoint, you don't actually have to worry about securing the endpoint.
That was the other piece of the question, which is how to secure the endpoint. Frankly, you don't really want to be in a position where you're going to have to deal with the multitude of devices that are out there. How am I going to put my AV stack? How am I going to deal with files and deal with all of the different things that I need to worry about for the endpoint out there. I don't want to be in a position where I have to deal with that. We say don't worry about that. Work with a container which is secured and can be trusted; it's going to execute locally but it's managed centrally. That's the best way to go forward. That can save you money.
FIELD: Talk to me about this concept of containerization. How can you deploy it as a flexible security strategy?
MCWILTON: The idea is that we don't really care about managing the device. You've got device proliferation. It's very much an old-world concept. What we're going to do is manage the container. Those containers are going to look different on different devices. For example, if you've got x86, iOS devices or Android, it's going to look radically different between them. For the Moka5 solution on x86, we use virtualization on the endpoint so it's a full-blown OS and app stack. On data consumption devices, we use data access and we never really let the endpoint on the network. What a lot of security guys are worried about is the idea of you bringing a BYOD device and plugging into my corporate network. What we're saying is we're not going to manage that device.
So how can that possibly be secure? You're going to bring it in; you're going to plug it in. Who knows what nasty websites you've been to and what kind of material or viruses you might have on your machine? We completely agree with that. What we say is, "Never let that endpoint on your corporate network. If you need people to bring it into the office, bring it in and put it on the guest Wi-Fi. The guest Wi-Fi is happily churning away but the endpoint is untrusted. Even if it does have a nasty virus on it, who really cares? You're just on the Internet. When you need to do your work, you're doing it from within a trusted container and that trusted container has a mechanism of pulling back in so that it's coming straight back in via a secured channel. Within the container, you have all of the AV, protections and things that you would in a standard laptop vision. As the user works there, they're working in a secure environment."
FIELD: I wonder if you might be able to discuss for a few minutes how some of your customers have deployed your solution. Give us some input on their best practices.
MCWILTON: Let's talk about a pretty typical customer setup. We've been working with a lot of the Fortune 50. This particular customer is one of the top Fortune 3 and they've got 60,000 contractors. What they have to do today is they have to give each one a company laptop. If you assume $1,000 per laptop just to make the math easy, they're spending $60 million on laptops. They're just about to go through a refresh from XP to Win7 as many people are, or it could just be an ongoing refresh. They're looking at this big Capex thing. But now they're thinking, "If we go down a central solution, it's going to be a big spend in the data center. But if we use this Moka5 stuff, we're going to be in a situation where we're not going to spend on the laptops anymore and our infrastructure is fairly minimum. Once we account for some licensing, we're going to be saving tens of millions of dollars by not doing this spend."
The company saves the money, but also the employee is happier. Let's say the contractor works for Accenture or some other company. They've got an Accenture laptop to do their Accenture work, plus they've also got another company laptop from this other company. Now I'm carrying two. I'm going to go through airport security and it takes me about four hours because I've got to unload what essentially looks like a mobile data center from my laptop bag. But not anymore. Now they can just go out, use one laptop and they're able to use that one laptop. Maybe they choose the Accenture laptop, or, if they don't need access to that, maybe what they're doing is going and buying their own MacBook Air which is nice, lightweight and easy, and putting it on there. We don't really care. As long as it's x86, we're in. That's really how most customers are using our product today.
We also have another mechanism where you can put a secure container onto a corporate asset, our own operating system that ... runs on a container for very locked down and secure scenarios. But ultimately, most of our customers fall into one of those two buckets.
Complementing Existing Security Controls
FIELD: How does your approach complement an organization's existing security and management infrastructures?
MCWILTON: The nice thing is we're actually piggy-backing off of it. For example, with our x86 container, what we say is you've probably got a VPN today. If you've got a laptop, you've got a mechanism by which that laptop can securely get back into the organization when it's out and about, when it's out on the road. It's a mobile device. What we do is piggy-back off of that and, with the secure container, put a VPN agent within the secure container on the x86 platform and it would tunnel straight back in using the mechanisms you've been using for the last 20 years, 10 years or five years, depending upon when you last upgraded your VPN infrastructure.
That's a tried and tested flow. We don't want to reinvent the wheel, but basically we want to make sure that the security guys are happy with what's in place. We're enabling BYOD but we're also utilizing the flow that security is already happy with. If you've made an investment today in a more centralized virtual desktop infrastructure, Moka5 can also work with that as well. Some people decide that they have certain use cases and they want to be able to have those use cases accessed centrally, for which they justify the spending for the big infrastructure. Maybe you have remote workers and you want to tackle those remote workers. Maybe they're traveling executives; maybe they're sales people on the road a lot. Connectivity is a challenge. We will happily sit alongside existing implementations and coexist.
Mobile Security Best Practices
FIELD: Let's take a step back. You get the opportunity to see lots of organizations and lots of deployments. What are some of the basic mobile security best practices that you would recommend now?
MCWILTON: I think the cat is out of the bag in terms of trying to have all of your endpoints be trusted. If you're trying to follow that, you're going down the wrong avenue. Our point is assume that you have untrusted endpoints. Put them out on the corporate network. When you execute a container, you need to make sure that they're secure. In Moka5's case, we actually have antivirus built into the player, and we also have a host check script mechanism so if there is anything that you want to check for on that endpoint before you execute the container, you can code that to anything you want. Any data that you have out you obviously want to make encrypted, but you don't want to be encrypting your own devices. That's why our containers are encrypted with AES-256.
Use what's known to work. Don't try and reinvent the wheel and create this entire new infrastructure. We just talked about the existing VPN tunnel; that's a classic example. You need to have policy control that you can have a strong presence of deployment, but you can also change post-deployment if you need to. For example, with the containers you want to be able to drag and drop or copy and paste. You want to be able to access devices like USB devices on the host. You want to be able to print. Those are all things that you should be able to change.
You need to think about forensics. Forensics is very important today. You have a model in place where - say you know someone is up to no good - you simply make a request, you get your corporate machine back and then forensics can do an analysis. You need to make sure that you have that forensic capability. Moka5 containerization enables you to do that.
The final thing is you need to have flexibility. On-boarding and off-boarding can often be a painful process at large enterprises. Moka5's on-boarding is a self-provisioning process, as long as the user has a link, password and maybe a second factor, or they can provision themselves. When they leave the organization, you can choose to just press a button on our management infrastructure and wipe the container from that device. Those are all things that I would think about when thinking about best practices.
Mobile Security Pitfalls
FIELD: The flip side of that question: What are some of the pitfalls that organizations really must avoid?
MCWILTON: The biggest pitfall that I see today is sticking your head in the sand. If you don't have a solution that formally enables BYOD, and you say, "We don't allow BYOD," then you're not adjusting to the new reality. Basically, you never want to allow an untrusted device on your network, and that's happening today if you don't have a solution similar to Moka5. People are bringing their own devices whether you like it or not.
Getting Started with Mobile Security
FIELD: As you know, organizations are at differing levels of maturity when it comes to mobility. What's the starting point? In other words, where should an organization begin, no matter where they're now, if they want to head down this path toward improved mobile security?
MCWILTON: Starting with a solution that works and coexists with a lot of the business process flows that you have in place today is the right place to start. That's why Moka5 is so successful out there because we do that. You don't have to completely change the way that everything works. We leverage a lot of your existing security infrastructure and enable you to take that first step without a massive spend. That's the right way to go. Frankly, if you want customer enablement of phones and tablets that's all IT spend, you need to also look for the offset to that, which is the IT save. With Moka5 being able to get you out of the hardware business, we can save you a lot of money which you can then repurpose for enablement projects.