Does Android Dream of Enterprise Adoption?

Does Android Dream of Enterprise Adoption?

2
Does Android Dream of Enterprise Adoption?
Copyright 2012 Fiberlink Communications Corporation. All rights reserved.
This document contains proprietary and confdential information of Fiberlink. No part of this document
may be used, disclosed, distributed, transmitted, stored in any retrieval system, copied or reproduced
in any way or form, including but not limited to photocopy, photographic, magnetic, electronic or other
record, without the prior written permission of Fiberlink.
This document is provided for informational purposes only and the information herein is subject to change
without notice. Please report any errors to Fiberlink. Fiberlink will not provide any warranties covering
this information and specifcally disclaims any liability in connection with this document.
This document is subject to the terms of the MaaSters Partner Program Agreement. Fiberlink reserves the
right to administer this Program at its discretion. Fiberlink may make any of the benefts in this document
available to any MaaSters Partner Program Participant, and/or withhold any benefts from any Program
Participant without obligation to offer or withhold such benefts to or from any other Program Participant,
pursuant to the MaaSters Partner Agreement terms and conditions.
Fiberlink, MaaS360, associated logos, and the names of the products and services of Fiberlink are
trademarks or service marks of Fiberlink and may be registered in certain jurisdictions. All other names,
marks, brands, logos, and symbols may be trademarks or registered trademarks or service marks of their
respective owners. Use of any or all of the above is subject to the specifc terms and conditions of the
Agreement.
Copyright 2012 Fiberlink, 1787 Sentry Parkway West, Building Eighteen, Suite 200, Blue Bell, PA 19422.
All rights reserved.
3
Does Android Dream of Enterprise Adoption?
Table of Contents
Introduction: Android - Fragmented Friend or Foe? ................................................... 4
Managing Unruly Androids ................................................................................. 5
How to Control Unruly Androids .......................................................................... 6
Android - The Security Sieve .............................................................................. 6
Stemming the Android Security Holes ................................................................... 7
Android 4.0: Better Not Best ........................................................................... 8
MaaS360 and Android ....................................................................................... 8
Android Can Live in the Enterprise With Help ........................................................ 9
4
Does Android Dream of Enterprise Adoption?
Android - Fragmented Friend or Foe?
Its an Android world. Sixty percent of the mobile device market is dominated by this leading mobile open-source
operating system. As Bring Your Own Device (BYOD) gains rapid momentum, IT is left with the Catch-22 of satiating
employees thirst for using the Google based juggernaut while addressing the very real concerns of protecting
corporate data and providing standardized management.
There are now more than 550 Android device types, 48 manufacturers, and a multitude of carriers worldwide. To
complicate things further, many of these manufacturers and carriers installed custom variants of the OS and added
software to differentiate their offerings from the rest of the continuously growing Android herd. This is great news
for consumers, but sends chills up the spines of IT professionals who have relied for years on effcient management
through standardization.
Each version of Android has improved management and security capabilities, but the vast array of devices on the
market means its unlikely your enterprise will ever deal with only one version or device type.
This doesnt negate the validity and power of Android in the enterprise; it simply means IT departments must arm
themselves with the right protective measures.
5
Does Android Dream of Enterprise Adoption?
Managing Unruly Androids
The heterogeneity of the Android platform means that enterprise admins have a multitude of management
uncertainties across manufacturers when it comes to device controls, data usage, and the dreaded upgrade
patch for the OS and apps.
User Management: There is no inherent capability in the Android platform for extending and revoking
privileges to individuals, tracking their usage, or notifying IT when devices violate policies and action must
be taken. This is a stark contrast to the standardization offered by Apple iOS.
Exchange ActiveSync (EAS) Support: Android natively does not support many of the EAS policies, leaving
the responsibility to the manufacturer and the IT administrator to fgure out what does and doesnt work.
This fragmentation also adds to the confusion as to what EAS policies can be confgured.
Upgrades and Patches: Google routinely issues upgrades and patches for Android, but it places responsibility
for implementing those patches on the manufacturer, which may elect to delay their introduction.
Application developers also push out upgrades and patches, which often require user consent and action. As a
result, updates may languish for months. Also, the latest and greatest version of an application or OS is not
always great for enterprises, as it can cause conficts with a slew of corporate systems.
Data Consumption: The more recent versions of the Android platform support 4G Long Term Evolution (LTE)
IP networks, which consume data with a voracious appetite. As many carriers charge by gigabytes consumed
as well as minutes of talk time, the enterprise can be liable for signifcant overage charges if a device goes
over the limits. Users are often unaware of how much data theyre using. Additionally, many devices can
be used as mobile hotspots or tethers, effectively acting as a Wi-Fi modem for other devices, giving away
data to all who come in range. There are no inherent controls in EAS or other mobile email platforms to help
prevent overages.
Roaming: The same is true of roaming off a carriers networks, which can carry charges in the thousands of
dollars. The user, or his employer, can unwittingly become liable for these charges when out of network.
6
Does Android Dream of Enterprise Adoption?
How to Control Unruly Androids
The only way to truly control an unruly Android is to implement a Mobile Device Management (MDM)
platform that offers features like the following:
Managing Users: MDM platforms allow enterprises to offer different functionality to different users
through policy controls. Some executives may be allowed to roam internationally, or run certain
applications, while other employees might not, for instance.
EAS Support: Choose an MDM program that can provide access controls (e.g. quarantine) for Android
devices trying to connect to the Exchange environment until approved. Also, your MDM solution
should allow for enforcing minimum versions of the Android OS to connect. In addition, your MDM
provider should integrate with best-of-breed secure email apps that ensure EAS policies can be
confgured and can secure email data.
Upgrades and Patches: MDM platforms can manage updates across multiple manufacturers
and app developers from a centralized control panel, and enforce version control and upgrade
compliance by blocking devices that do not meet minimum requirements (such as accepting the
latest security patch).
Data Consumption and Roaming Management: By setting policy controls in the MDM platform, such
as maximum data use or no roaming, users can be notifed when they are nearing the allowable
cap of data consumption or are about to incur charges for roaming.
Android - The Security Sieve
There are numerous security gaps in the Android platform that vary with each platform version. The most
common chinks in the armor include:
Lack of Encryption: Encryption of digitally transmitted data is a requirement for many enterprises, from
the standpoints of corporate policy as well as industry compliance. Before the release of Android version
3.0 (codenamed Honeycomb) in February 2011, Android devices did not have any kind of hardware
encryption. Sadly, Honeycomb was solely for Android tablets. A year later, close to 80 percent of the
existing Android phones on the market are running Android versions that do not support encryption, with
the most prevalent being versions 2.2 and 2.3 (Froyo and Gingerbread).
This presents a substantial risk for email, calendar, and contact information being compromised by prying
eyes. The latest version of Android 4.0 (codenamed Ice Cream Sandwich) does support device encryption
and runs on both tablets and smartphones, but as it was released late in 2011, so its not running on most
devices. As a result, enterprises must take extra measures to encrypt Android devices.
7
Does Android Dream of Enterprise Adoption?
Rooting: Users can overcome protections on the Android OS and root the device by accessing its Unix
core, which allows them to install virtually any application, including malware, and subvert application-
level controls. A device that is rooted can expose the corporate network to the same malware that is
loaded on the device and override data-loss protections.
Data in transit: Any time data moves from one device to another, its vulnerable. Devices with removable
SD cards and USB connections can easily lose data, even if the data is encrypted. Wandering into an
unsecure WiFi zone is also hazardous, and there are no built-in protections against this.
Stemming the Android Security Holes
There are several approaches enterprises can take to resolve Androids inherent security issues.
Encryption: Commercial software is available to encrypt email, contact, and calendar apps. However,
this software does not cover other aspects of device management. The good news is that this software is
sometimes bundled with MDM platforms.
Rooting: In February 2012, Google released a malware-scanning application called Bouncer, which
scans all applications posted to the Google application store, Google Play. This makes it less likely
that a downloaded application will be malicious, but it does not protect an organization from rooted
device vulnerabilities. Some MDM platforms can detect and block rooted devices once the MDM client
is on the device.
Data in transit: Devices should be protected with passcodes to prevent data from passing to an
unauthorized third party. Luckily, MDM software can enforce passcode best practices. Additionally,
devices with cameras can be remotely locked down using contextual management and geofencing if
they enter areas where sensitive information can be photographed.
Minimum OS: Because of security vulnerabilities in Android versions lower than 3.0, enterprises may wish
to specify a minimum acceptable OS version in order to allow a device to access the corporate network.
This can be enforced through an MDM platform.
Blacklisting and whitelisting: Certain commercial applications open up communication channels on
devices that can cause data leakage, particularly fle sharing apps such as Dropbox. Enterprises should
develop a blacklist of forbidden applications. IT admins can then use this list to confgure policies
to block devices that download blacklisted apps from accessing corporate networks, or notify users to
remove the malicious app. Similarly, whitelisted (acceptable) and required application lists can
also be specifed through the policy controls of some MDM platforms.
8
Does Android Dream of Enterprise Adoption?
Android 4.0: Better Not Best
With the introduction of Ice Cream Sandwich (Android 4.0), some of the largest security gaps have been
resolved. Still, it will be some time before most users have Android 4.0 devices. In fact, recent studies
show that only 11% of the Android market has adopted 4.0, with over 80% still on 2.2 and 2.3.
On the operating system side, Android 4.0 supports encryption, a new public keychain framework for
authentication management, and protection from sophisticated attacks, such as memory exploits.
The top three manufacturers, Samsung, HTC, and Motorola, are moving forward with more enterprise-grade
protections on their upcoming devices, such as SD card remote wipe and fle encryption, enterprise-class
WLAN security, and the ability to support open and encrypted information simultaneously on a single device.
These platforms are also opening up more control layers, which will allow more granular policy enforcement.
However, enterprises will still need an MDM platform to coordinate these capabilities. An MDM platform can
set policies for individual users, groups, and device types; perform mass enrollments and upgrades; and
manage and monitor user plans from one common interface. These capabilities will inevitably be necessary
in an organization of any size, whether the corporation owns the devices or employees bring their own.
MaaS360 and Android
MaaS360 mobile device management (MDM) for Android provides the visibility and control enterprises
needed to safely deploy Android smartphones and tablets. MaaS360 supports Android OS versions 2.2 and
higher, offering:
Flexible enterprise application management, which lets enterprises distribute and update in-
house apps as well as whitelisted or required Google Play apps.
Automated security rules, continuous device monitoring, and problem detection.
Cost controls, including real-time monitoring and tracking of data usage.
Dashboards highlighting real-time compliance metrics, as well as granular details on device and
network use.
IT management capabilities, including the ability to manage upgrades and patches, remotely
block and wipe devices, report on all devices connected to the infrastructure, enforce passwords
and encryption, and implement third-party security software, such as anti-malware and email/
calendar/contact encryption.
A compliance engine with contextual management rules that can automatically take action as
soon as a policy violation occurs.
The ability to perform mass enrollments and reliable scaling through a cloud-based infrastructure.
9
Does Android Dream of Enterprise Adoption?
Android Can Live in the Enterprise With Help
Android is here to stay, especially as BYOD programs gain popularity. To remain secure and compliant with
industry standards, enterprises need a way to protect and manage the wide range of available devices,
versions, and idiosyncrasies of the worlds most popular mobile operating system. The open-source nature
of Android means the platform has more inconsistencies and vulnerabilities than more tightly controlled
competitors; however, its sheer size and scale demand that it be accommodated and managed. Through
MDM platforms such as MaaS360, which take advantage of native device and OS controls, over-the-air
policy enforcement, and cloud-based scalability, a stable universe of Android devices can be securely
deployed to your workforce.
To learn more visit:
http://www.maas360.com/products/mobile-device-management/android/
All brands and their products, featured
or referred to within this document, are
trademarks or registered trademarks of
their respective holders and should be
noted as such.
For More Information
To learn more about our technology and services visit www.maaS360.com.
1787 Sentry Parkway West, Building 18, Suite 200 | Blue Bell, PA 19422
Phone 215.664.1600 | Fax 215.664.1601 | sales@fberlink.com
WP_201206_0037