Mobile Device Management (MDM) solutions have served as the point of the spear in the mobile arms race. The question is, “Are they sufficient to ensure the security of your mobile environment?” MDM solutions definitely provide important capabilities such as deploying applications, securing content, wiping devices, and so on. The challenge comes in the area of mobile certificates and keys. Although MDM solutions can automatically provision certificates for mobile devices, the security and protection of mobile certificates and keys extend beyond the scope of MDM solutions.
Certificates and keys can potentially be copied from mobile devices once they’re provisioned. In addition, MDM solutions are not the only way to issue certificates to users and mobile devices. Because of the diversity of use cases, device types, and applications, many organizations have erected enrollment portals so that users can register to receive certificates. And an increasing number of mobile applications and systems are capable of requesting certificates directly from Certificate Authorities (CAs).
Certificates are a critical component of mobile security and the security of your corporate systems and data. Attackers are targeting certificates and keys because they realize that once they obtain access to a certificate and key that an organization trusts, they can rapidly circumvent other security mechanisms, increasing the success rate and potential breadth of their attacks. If attackers obtain access to a certificate that your Wi-Fi or Virtual Private Network (VPN) systems trust, they gain access to your corporate network and can directly target specific systems.
MDM solutions represent an important element of any mobile security program, but to effectively secure and protect the certificates and keys that ensure strong authentication you need a solution that spans across your environment—a solution that enables you to prevent, detect, and respond to attacks that target those certificates and keys. The sections that follow outline the capabilities this solution should provide.
Prevention
- Enforce Policies: As mentioned earlier, users do not always receive mobile certificates through an MDM solution. Because users may request certificates using other tools (such as enrollment portals) or even multiple CAs, you must implement a solution that is capable of enforcing certificate and key policies consistently across your entire environment. MDM solutions may provide policy enforcement, but only for the certificates they issue, and often these policies are defined and managed by individuals who are not part of the Public Key Infrastructure (PKI) group responsible for setting up and enforcing corporate-wide policies for certificates and private keys.
- Limit Trust: Attackers are targeting the systems that users access through their mobile devices. An important prevention measure is to ensure that those systems trust only the CAs they need. If an extraneous CA is later compromised, these systems are not exposed.
- Manage all of your company’s certificates: Application servers, appliances, other servers, and infrastructure systems are outside the scope of MDM solutions. Your solution must provide visibility into all the CAs trusted in your environment so you can detect attacks and take preventive action.
- Limit Key Usage: When an attacker compromises a certificate, its usefulness is limited by the defined “key usage” of that certificate. You need a solution that ensures that certificate templates and key usages are appropriately enforced so that certificates have limited application and value to attackers if they’re compromised. Again, MDM solutions provide the ability to select key usages for the certificates they issue, but not for certificates that are obtained through some other means.
- Establish Consistent Enrollment Processes: Certificate enrollment is a prime target for attackers, especially if inconsistent or diverse processes allow attackers to request and receive approval for a fraudulent certificate. Based on the needs of various business applications and organizational constraints, mobile certificates may be requested and provisioned outside of MDM solutions. It is critical to enforce enrollment policies and oversight across all enrollment methods.
- Limit Certificate Issuers: The diversity of mobile environments increases the likelihood that unapproved CAs will be used—thereby increasing the risk that a CA will be compromised. Interestingly, although many organizations have spent millions of dollars securing their internal CAs, their mobile groups have begun issuing certificates from the CAs embedded in their MDM solution. It is important to have oversight and control that extend beyond an MDM solution to ensure that only approved CAs are used.
Detection
- Map User Certificates: When an employee is terminated, you must be able to identify the certificates issued to that employee, whether they were provisioned through an MDM solution, Windows auto-enrollment, an enrollment portal, or another method. In addition, if that employee was responsible for managing certificates on devices, you must be able to quickly identify those certificates so they can be replaced and revoked.
- Detect Anomalies and Vulnerabilities: A key element in preventing potential attacks is detecting anomalies and vulnerabilities so you can take preventive action. To do this, you need visibility across your entire certificate environment and the ability to report on and analyze your certificate inventory across all enrollment and provisioning methods.
Response
- Immediately Revoke Certificates: When an employee is terminated or resigns from the company, you must be able to rapidly revoke all certificates that were issued to that employee. It’s critical to realize that wiping a device or container using your MDM solution is not sufficient because the employee could have made a copy of the certificate and key before leaving the company. Rapid revocation of all certificates, whether provisioned through an MDM solution or some other means, is paramount in these situations.
- Replace Managed Certificates: If a system administrator is terminated or resigns from the company, the security risk is greater. The former employee may have had access to and made copies of certificates and private keys on mission-critical systems. Consequently, you must notify employees who are responsible for these systems so the certificates and keys can be reassigned, replaced, and revoked. Although infrastructure certificates that employees manage are outside the scope of an MDM solution, they are a critical element that must be addressed when a system administrator leaves the company.
As mentioned earlier, MDM solutions are a critical element to mobile security. To ensure the security and protection of your environment, however, you must augment them with a solution that provides broader oversight and control of certificates and keys.