The following excerpts were taken from an interview with SpydrSafe co-founder and CTO, Kevin Sapp, discussing mobile security and app control. He was asked to answer a few questions about how SpydrSafe is addressing some of the big security issues surrounding the use of BYOD/Corporate-Owned smartphones and tablets in the enterprise.
Interviewer: A lot MDM companies are talking about how MDM solutions can securely enable BYOD/the use of corporate-owned smartphone and tablets in the enterprise. Would you care to comment?
Mr. Sapp: I view MDM solutions as mobile-oriented versions of traditional end-point management systems – that’s what MDM was intended to do and that’s what it does well. Remember, I built an MDM solution that was sold to McAfee/Intel in 2010, so I understand the problem space and the technology. The issue with MDM is that it does little to address application and data security. It doesn’t separate personal and corporate apps and data. Enterprise mobility isn’t really about devices per se. It’s about mobilizing applications and data to make employees more productive.
Interviewer: So, given the risk to the enterprise, how have these devices been “allowed” (for lack of a better term) to gain access to sensitive corporate information with no (apparent) security controls?
Mr. Sapp: That’s an interesting question – I think it’s related to a phenomenon I call “app creep”. In the early days of enterprise mobility there were only a handful of smartphones available and a handful of people using them. To the enterprise IT department, the issue was one of managing devices and enabling them connect to basically only one enterprise app – email. For a while, people were only lighting up email. But, a couple of things happened pretty quickly and at about the same time which changed the playing field – there was a rapid proliferation of enterprise-oriented apps and many of the data services to which these apps connected were no longer in the enterprise datacenter – they were in the cloud. Probably the two best known of these cloud-based enterprise apps are Salesforce for CRM and Box (or DropBox) for content management. Add into the mix the substantial penalties associated with violations of Sarbanes-Oxley rules and the increased enforcement by the U.S. Health and Human Services of the Health Information Privacy rules under the HIPAA regulations, and what resulted was a “perfect storm” vis-à-vis the problems being created for enterprise IT, whose responsibility was to safeguard the corporate and other information. It is these security issues that SpydrSafe’s mobile app security solution addresses – issues that are not and cannot be addressed through simple MDM solutions.
Interviewer: Can you give me an example of how you address these security issues – a practical one?
Mr. Sapp: Sure. Here’s a simple example of a data breach that SpydrSafe deals with – breaches that occur across corporate America all the time. I have a smartphone that has a native email client on it which is connected to my corporate exchange server. I receive an email with a sensitive document attached, like a patent drawing, or an HR related file, or a patient chart – a document that shouldn’t leak outside of corporate control. When I open this document on the device, it’s very easy to “share it” to another application. I can even share it via Bluetooth in some cases, or save it to an SD card. In this example, however, I share it to a consumer app like Evernote. Once I do this, Evernote automatically backs it up to the cloud! The enterprise data has left the building, so to speak, and that, under Sarbanes-Oxley or HIPAA or most any well-structured enterprise security policy, is a data breach – a reportable breach as well. I’m not picking on Evernote, this problem holds true for many apps – Sugar Sync, Dropbox, Twitter, you name it.
Interviewer: So, how does SpydrSafe solve this problem and why aren’t MDM players doing enough to solve this problem in your opinion?
Mr. Sapp: Let me answer the easy question first – MDM companies don’t solve this problem because their function is essentially to configure mobile devices. They do little to secure the data or the apps on these devices. What SpydrSafe does to solve the problem is to control the behavior of the apps that operate on the devices – what apps can and cannot do, whether apps can or cannot share information, and so on. Since we control the behavior of the apps, we control the data to which the apps have access. That’s the fundamental differentiating factor that makes SpydrSafe a unique capability.
Interviewer: Can you be specific? For example, in the “breach example” you just explained, what does SpydrSafe do?
Mr. Sapp: Of course – in the case of a sensitive document attached to an email, we would specify in the policy that manages the email apps on the device that email is a “protected app”. Therefore, a user would not be able to share data out of email to an unprotect app, like the consumer app. If they attempt to do so, we block that action locally (on the device) and present a training message to the user that this action is prohibited by IT policy.
Interviewer: Okay, so what’s to stop a user from just forwarding the email to an “unauthorized user” or location? How does SpydrSafe prevent that?
Mr. Sapp: That’s a simple answer – we don’t prevent that because that’s not our job. There are a number of well-known companies who sell Network DLP solutions and that is what Network DLP does. It monitors documents moving around in the enterprise, and Network DLP controls that. Where the problem lies is at the mobile end-point. If you have applications on devices and they are sharing among each other locally or via personal networks, like Bluetooth, NFC, etc., that doesn’t traverse the enterprise network, then the network DLP does not see that action. That’s where SpydrSafe comes in – we are complimentary to Network DLP solutions.
Interviewer: There are several well-known companies offering so-called “secure container” solutions who say that they handle “mobile DLP”. Would you agree with their self-assessments?
Mr. Sapp: There are a number of companies that describe themselves as mobile DLP companies trying to solve this problem with containers or “sandboxes”. These products provide varying levels of data security. However, this approach is not a good general-purpose solution to securing the wide, and rapidly expanding, variety of apps being used in the enterprise. They have a fundamental scaling challenge in that it is not feasible for them to provide secure versions of all possible enterprise apps
Interviewer: Okay, so how about so-called, “app wrappers”? They seem to have solved this problem in a different way. But, something tells me you will have some thoughts on ‘app-wrappers’ as well.
Mr. Sapp: Now, why would you think that? (smiling) To provide context, ‘app-wrappers’ take a custom app that has been developed by IT for internal use, and “wrap” them with security controls to provide similar types of data leakage and app control features one might find in container solutions. The problem with app-wrappers is that they are limited to applications that are developed “in-house”. But, they don’t work with native apps (apps on the device when you buy it) or apps downloaded from the commercial app stores. A huge limiting factor unless you want to build every app you ever use on a mobile device.
Interviewer: Thanks Kevin. It has been interesting and informative. Any final thoughts?
Mr. Sapp: Thanks – I appreciate your time. I hope I was able to clarify what can be a confusing market given all of the claims that are being made by the various vendors. So, let me close with this:
Our core value and fundamental differentiating factor versus other solutions in the market is that Spydrsafe manages the behavior of apps on smartphones and tablets – any app on those devices regardless if it’s baked into the phone, downloaded from an app store, of developed in house. The solution has applicability to both BYOD and corporate owned devices in the workplace. The technology provides data leakage prevention, app white listing, black listing, malware prevention/avoidance, etc. SpydrSafe’s mobile app control platform is powerful and far surpasses the capabilities of containers, virtual desktop infrastructure solutions, mobile device management, mobile application management and app wrapping solutions. Thank you.