NetworkWorld: Averail Access aces mobility management test

NetworkWorld published a review of the Averail Access solution.

http://www.networkworld.com/reviews/2014/012014-mobility-management-test-277796.html?page=1

An excerpt from this article:

“Ease-of-use, central control, policies enforced by the client, reports and audit trails, (very) rapid deployment, and, oh yes, low cost: just $10 per month per user. I literally could not find anything to dislike, and, while the service itself continues to evolve rapidly, Averail Access should absolutely be on your list of mobility management solutions to consider.”

Securing business content in light of increasing information security threats

By Rahul Sharma @rashrtwit and Babu Srinivasan

There has been recent news and discussion around companies ramping up encryption and security controls to protect corporate and personal data from prying eyes, spying, hacking and interception (see the links at the end of the article). Enterprises, users and service providers (Google, Microsoft, Facebook, Yahoo, Twitter) are rightly enraged that both consumer and corporate data is at risk and being compromised. Microsoft has even equated these recent security incidents to an “earthquake in the tech sector”. Tech companies and enterprises are now looking at ways to ramp up information security.

For enterprises, corporate digital information is business critical, and with the increased threat perception they are looking for ways to secure and protect it. Adding to their concerns, mobility and the increasing adoption of cloud for compute and storage have widened the threat vectors for that information even further. Enterprises are also trying to work out whether storing corporate documents on cloud services (Box, Office365, Google Drive) is secure, and whether they should allow BYOD devices to access corporate information and data. The intersection of these trends (increased security incidents, cloud, mobility) has created business challenges for enterprises.

We, at Averail, are in the business of securing information for our enterprise customers and users. To keep information protected from security threats, we recommend that enterprises put the following security controls and mechanisms in place:

Retain control of your data and documents: As employees, customers and partners of a business access, share and collaborate on information, enterprises must put in place security policies and mechanisms to control, audit and track information items and documents. Such policies and controls must specify who, in what context and where (role, location, business process, workflow), using which device and application, is authorized to access and share a sensitive document. These controls must protect and track a document throughout its lifecycle and restrict or disallow duplication. At any time, an information owner should be able to audit the actions and activities on a document, determine who holds copies of it, and wipe those copies or revoke access.
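The following Python is an added example, not Averail code, of the "who, in what context and where, using which device and application" check and the audit trail this paragraph calls for: a deny-by-default policy decision point for one document that records every request (allowed or denied, with the reason), tracks which users currently hold a copy, and lets the information owner revoke a user. The roles, app names, location categories and requests are constructed for illustration.

```python
"""Context-aware document access policy with an audit trail (added example, not Averail code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    location: str          # constructed categories: "office" or "offsite"
    device_managed: bool   # True if the device is enrolled in the enterprise MDM
    app: str               # application asking for the document
    action: str            # "view" or "share"


@dataclass(frozen=True)
class DocumentPolicy:
    allowed_roles: frozenset
    allowed_apps: frozenset
    require_managed_device: bool = True
    allow_offsite: bool = False
    allow_share: bool = False


@dataclass(frozen=True)
class AuditEvent:
    doc_id: str
    user: str
    action: str
    allowed: bool
    reason: str
    context: str


class DocumentGuard:
    """Deny-by-default policy decision point for a single document."""

    def __init__(self, doc_id: str, policy: DocumentPolicy) -> None:
        self.doc_id = doc_id
        self.policy = policy
        self.audit: List[AuditEvent] = []
        self.revoked: Set[str] = set()
        self.holders: Set[str] = set()   # users currently granted a local copy

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Evaluate one request; the first failing check is the recorded reason."""
        p = self.policy
        reason = "allowed"
        if req.user in self.revoked:
            reason = "user access revoked"
        elif req.role not in p.allowed_roles:
            reason = f"role {req.role!r} not permitted"
        elif req.app not in p.allowed_apps:
            reason = f"app {req.app!r} not an approved app"
        elif p.require_managed_device and not req.device_managed:
            reason = "unmanaged device"
        elif req.location == "offsite" and not p.allow_offsite:
            reason = "offsite access not permitted"
        elif req.action == "share" and not p.allow_share:
            reason = "sharing not permitted"
        elif req.action not in ("view", "share"):
            reason = f"unknown action {req.action!r}"
        allowed = reason == "allowed"
        if allowed:
            self.holders.add(req.user)   # a successful view or share means a copy now exists on that device
        ctx = f"role={req.role},location={req.location},managed={req.device_managed},app={req.app}"
        self.audit.append(AuditEvent(self.doc_id, req.user, req.action, allowed, reason, ctx))
        return allowed, reason

    def revoke(self, user: str) -> None:
        """Owner pulls the document back from one user: future requests are denied
        and the user is no longer counted as holding a copy (the client-side wipe is out of scope here)."""
        self.revoked.add(user)
        self.holders.discard(user)
        self.audit.append(AuditEvent(self.doc_id, user, "revoke", True, "owner revoked access", ""))

    def events_for(self, user: str) -> List[AuditEvent]:
        return [e for e in self.audit if e.user == user]


def demo() -> DocumentGuard:
    """Constructed scenario: a finance-only document readable only in an approved app on managed devices."""
    policy = DocumentPolicy(allowed_roles=frozenset({"finance"}), allowed_apps=frozenset({"secure-viewer"}))
    guard = DocumentGuard("constructed-doc-q3-forecast", policy)
    guard.evaluate(AccessRequest("alice", "finance", "office", True, "secure-viewer", "view"))   # allowed
    guard.evaluate(AccessRequest("alice", "finance", "offsite", True, "secure-viewer", "view"))  # denied: offsite
    guard.evaluate(AccessRequest("bob", "sales", "office", True, "secure-viewer", "view"))       # denied: role
    guard.evaluate(AccessRequest("carol", "finance", "office", False, "secure-viewer", "view"))  # denied: unmanaged device
    guard.evaluate(AccessRequest("alice", "finance", "office", True, "mail-client", "share"))    # denied: app not approved
    guard.revoke("alice")
    guard.evaluate(AccessRequest("alice", "finance", "office", True, "secure-viewer", "view"))   # denied: revoked
    return guard


if __name__ == "__main__":
    g = demo()
    for e in g.audit:
        print(f"{e.user:6} {e.action:6} {'ALLOW' if e.allowed else 'DENY '} {e.reason}")
    print("current holders:", sorted(g.holders))
```

The ordering of the checks matters for the audit trail: the reason recorded is the first control that failed, so an owner reviewing the log sees why a request was refused rather than a bare deny.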

Decide where content is stored based on the security classification of the information: This includes the decision whether business documents may be stored on consumer or enterprise-grade cloud storage. Consumer cloud storage solutions have become ubiquitous across users and devices; almost every mobile user can reach these services and use them to store and sync both personal and business content. Some of these consumer cloud storage repositories continue to have security issues, and many are not enterprise-grade in terms of security given their focus on consumer usability and productivity. Because these services hold content in their own cloud storage, the threats to data-in-transit, data-at-rest, residency, privacy and unauthorized access all apply to the business content stored there. So as an enterprise, you must understand the classification of your information assets. If documents are meant to be shared publicly with customers and partners, cloud repositories are a good medium. For confidential and sensitive documents tied into existing business processes and workflows, however, keeping the documents secure and associated with their original enterprise-grade source repository (whether on-premise or cloud) is recommended.

Keep documents associated with their source: Documents must not be dissociated from their system of record and original source. This also applies to enterprise sync-and-share solutions that copy documents to a sync server or hub for further synchronization with sync endpoints on devices. Any time a document is duplicated to another local or cloud repository, it creates a vector for information leakage, and the enterprise can lose control of that document.

Encrypt data-at-rest and data-in-transit: Corporate documents need to be encrypted both at rest and in transit as they are shared and collaborated on. Such encryption must be end-to-end: a document must never be in the clear on any untrusted storage or on any communication protocol or traffic path. It must use cryptographically strong keys (RSA 2048 for all certificates, AES 256-bit encryption) and ideally meet FIPS 140-2 requirements for both at-rest and in-transit protection. Perfect Forward Secrecy (PFS) must also be required. PFS provides additional security by separating authentication from the key exchange: the RSA certificate is used to authenticate the server, and ephemeral Diffie-Hellman is used for the key exchange. PFS does not prevent an active man-in-the-middle attack by someone who holds the RSA private key, but the “Forward” in PFS means that previously archived encrypted SSL traffic cannot be decrypted even by someone who later obtains the RSA private key: the session keys are ephemeral, used only for the duration of the session and then deleted.

Manage and control your encryption keys: Most cloud-based repositories and cloud-hosted enterprise content management systems either keep content unencrypted or encrypt it with keys owned by the service provider rather than keys owned and managed by the content owner. The rationale is the requirements and mechanisms needed for document indexing for search, performance and de-duplication. Whenever content is encrypted, the big question is who controls the lifecycle of the encryption keys and, in the case of split-key encryption, the master keys. Enterprises must retain ownership of their content and encryption keys across these repositories, require business-sensitive content to be encrypted, and have fine-grained control over key revocation and rotation. The same control over encryption keys should apply to mobile applications (targeted at access to business content) that cache, store and encrypt business documents as users access, view or edit them.
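As an added example (not Averail's code, and not a description of how Averail implements encryption), the following Python shows the key hierarchy that this paragraph and the preceding one call for: each document is encrypted under its own data key, the data key is wrapped under a master key that stays in an enterprise-controlled key store, and only the wrapped data key plus the encrypted body are handed to the cloud repository. Rotating the master key re-wraps the data key without re-encrypting the body; destroying a master key makes every document still wrapped under it unrecoverable, which is the "revocation" lever the text describes. The text specifies AES-256; because this example assumes only the Python standard library, an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) stands in for an AES-256 AEAD, and the key identifiers and document text are constructed.

```python
"""Envelope encryption with enterprise-controlled master keys (added example, not Averail code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode built on HMAC-SHA256; stands in for AES-256 here because only the stdlib is assumed.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; separate enc/mac subkeys are derived from `key`."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises ValueError."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed: tampered ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TenantKeyStore:
    """Master (key-encrypting) keys that live with the enterprise, never with the cloud service."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.current_id = ""
        self.rotate()

    def rotate(self) -> str:
        key_id = f"kek-{len(self._keys) + 1:03d}"   # constructed identifier scheme
        self._keys[key_id] = secrets.token_bytes(32)
        self.current_id = key_id
        return key_id

    def revoke(self, key_id: str) -> None:
        # Destroying the KEK makes every data key still wrapped under it unrecoverable.
        self._keys.pop(key_id, None)

    def get(self, key_id: str) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"master key {key_id} is revoked or unknown")
        return self._keys[key_id]


@dataclass(frozen=True)
class EncryptedDocument:
    kek_id: str         # which tenant master key wraps the data key
    wrapped_dek: bytes  # per-document data key, sealed under the KEK
    body: bytes         # document content, sealed under the DEK; this is all the cloud repository stores


def encrypt_document(store: TenantKeyStore, plaintext: bytes) -> EncryptedDocument:
    dek = secrets.token_bytes(32)
    return EncryptedDocument(store.current_id, seal(store.get(store.current_id), dek), seal(dek, plaintext))


def decrypt_document(store: TenantKeyStore, doc: EncryptedDocument) -> bytes:
    dek = open_sealed(store.get(doc.kek_id), doc.wrapped_dek)
    return open_sealed(dek, doc.body)


def rewrap_document(store: TenantKeyStore, doc: EncryptedDocument) -> EncryptedDocument:
    """Key rotation: re-wrap the DEK under the current KEK; the (possibly large) body is untouched."""
    dek = open_sealed(store.get(doc.kek_id), doc.wrapped_dek)
    return EncryptedDocument(store.current_id, seal(store.get(store.current_id), dek), doc.body)


def demo() -> dict:
    """Constructed walk-through: encrypt, rotate the master key, retire the old one."""
    store = TenantKeyStore()
    doc = encrypt_document(store, b"constructed Q3 forecast: revenue up 12%")
    old_id = doc.kek_id
    store.rotate()
    rotated = rewrap_document(store, doc)
    store.revoke(old_id)
    try:
        decrypt_document(store, doc)   # stale copy still wrapped under the retired KEK
        old_copy_readable = True
    except KeyError:
        old_copy_readable = False
    return {"plaintext": decrypt_document(store, rotated), "body_unchanged": rotated.body == doc.body,
            "old_copy_readable": old_copy_readable, "old_id": old_id, "new_id": rotated.kek_id}


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a compromise of the repository yields only `body` and `wrapped_dek`, both useless without a key the repository never held, and that revocation is a single delete in the enterprise's key store rather than a rewrite of every stored object.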

Averail’s solution

Averail provides a solution that applies the above security controls and mechanisms to secure business information and documents for enterprise customers.

Rather than creating yet another cloud-based content management system, we started with a fundamentally disruptive tenet: Averail must secure, enforce policies on, control and track content throughout the lifecycle of access, sharing and collaboration, from any device and any source or repository (on-premise or cloud), without duplicating the document or dissociating it from its origin and system of record. This lets enterprises retain control of their content and choose where content is stored based on its security classification.

In line with the goal of securing documents across any repository, Averail enables secure access to documents on on-premise SharePoint, Box, Office365, Dropbox, SalesForce, network/shared drives and any WebDAV storage. Averail Quick Connect provides an end-to-end secure tunnel for documents in transit as they are accessed from smartphones and tablets from on-premise information sources. While the Averail Cloud service manages and enforces policies and controls on content (and hence acts as a content control and policy management plane), content and documents are never duplicated or copied to the Averail cloud service from their original source repository. This is unlike cloud repositories or hybrid/on-premise sync-and-share solutions that duplicate or migrate the document to the cloud and thereby break its association with its origin and its policies, permissions and business processes. The Averail Access application acts as a secure content container that enforces policies and document controls, manages document encryption and key management, and supports remote content management queries and commands (selective content wipe, application deactivation or block, etc.). An admin or information owner can use the Averail admin console to define and manage user-, device- and document-level policies for access and sharing of content; provision and manage users and content sites; publish content to users and dynamically keep it updated with notifications; control access to a subset of repositories; and audit, trace and remotely manage content on mobile devices.

Averail also enables enterprises to encrypt documents stored on Dropbox and other cloud repositories while retaining control over the storage and management (generation, revocation) of the encryption keys. If such a cloud repository is compromised, the security risk is mitigated: first, the content is encrypted, and second, the encryption keys are controlled by the enterprise rather than the cloud service, so a compromise of the repository does not expose them.

In conclusion, as these information security threats increase, Averail can help business customers secure and protect their information. More about Averail is on our website http://www.averail.com.

Pointers:

Microsoft, suspecting NSA spying, to ramp up efforts to encrypt its Internet traffic http://www.washingtonpost.com/business/technology/microsoft-suspecting-nsa-spying-to-ramp-up-efforts-to-encrypt-its-internet-traffic/2013/11/26/44236b48-56a9-11e3-8304-caf30787c0a9_story_1.html

Forward secrecy at Twitter: https://blog.twitter.com/2013/forward-secrecy-at-twitter-0

Yahoo vows to encrypt all its users’ personal data: http://news.yahoo.com/yahoo-vows-encrypt-users-personal-data-193109865.html

How does the NSA break SSL? http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html

USA tech companies call for more control on surveillance: http://www.chicagotribune.com/business/sns-rt-us-usa-security-surveillance-20131209,0,7050486.story

Great team and people build amazing products


Blog by Rahul Sharma

In my previous blogs, I have discussed various aspects of Averail’s technology, architecture and product. It indeed takes a great team to create and build amazing products that WOW users and customers in every way. A great team, people and culture are what we have at Averail. We have a team that works hard, does great things and has fun too; see for yourself in these photos that I have been collecting along the way. We innovate, create, build and execute hard. Having come from Sun/Java Software, it reminds me of the Sun way of “kick b*** and have fun”, and that is what we are doing every day at Averail. Fun is a big part of that too.

My Thanks to Aman, Babu, Ivan, Josh, John, Jennifer, Melissa, Nandini, Pronob, Sangeetha, Sanjeev, Shereen, Sonu, Stanislav, Sundeep, VenkatA, VenkatM and Vikram for making us a great team.

Designing Averail Admin Console

By Rahul Sharma @rashrtwit and Vikram Bhatla @vikrambhatla

As we discussed in an earlier blog http://blog.averail.com/2013/08/28/how-averail-enables-mobile-productivity-and-control-of-business-content , the Averail Access solution enables enterprise IT administrators and information owners to use the web-based admin console to manage and control business content. IT administrators can use the Averail admin console to define and manage user-, device- and document-level policies for access and sharing of business content; provision and manage users and content sources; publish content to users and dynamically keep it updated with push notifications; control access to repositories; audit, trace and remotely manage content on mobile devices; manage Averail services and much more. You can see a demo of the Averail admin console here http://www.averail.com/How-it-Works.

When we started on the design of the Averail Admin console, we talked (and have kept doing so since) to many prospective customers and target users (specific information owners and IT admins) to clearly understand their requirements and get their feedback on such a console. Combining that with our prior experience of web-based admin consoles, we also looked at many widely used consoles to understand best-in-class UX and designs, specifically to learn what works and what does not, and what the best practices and designs are. This feedback and analysis led to the following design principles and requirements behind the Averail Access admin console and its underlying cloud service. These principles apply to any admin console for a SaaS service:

Ease of use: Averail Access is a cloud-powered SaaS solution for enterprises to manage and secure their business content. In line with the design principles of any cloud-powered SaaS solution, the Averail admin console is easy to use and easy to administer and manage for IT administrators and information owners. The idea is that an enterprise user or admin can sign up with the Averail service at http://www.averail.com/?q=node/143, request an admin account, and then get started quickly and be productive. With enterprise IT and users expecting the same ease of use as consumer apps, there are no 500-1000-page admin guides and manuals to read before getting started, and no high-touch walkthroughs and sessions. An admin can get started quickly after the initial sign-up and progress from starter to expert on the console, the goal being a self-service, self-provisioning admin console.

Simple yet powerful: Unlike admin consoles that make administration and management functions complex and cluttered (as if administration and management were hard tasks requiring major dedicated cycles), the Averail admin console is designed with a simple and elegant user experience. At the same time, we ensure that simplicity does not constrain the power available to its users. First, there is no clutter of distracting UI elements: the focus is clearly on the representation of managed objects, services and actions in each console view, without unneeded UX elements or distractions. One simple way to assess the UX of the Averail admin console is to see how much whitespace is in each screen, as against screens and forms cluttered with a multitude of managed objects and actions. In the following snapshot, it is clear that the admin only sees the objects and actions applicable to a specific screen and flow.

[Screenshots: Averail admin console screens showing only the objects and actions applicable to each flow]

Streamlined object- and task-oriented user experience: The screens and flows in the Averail admin console are structured around managed objects and services (devices, content sites, users and groups, managed services, policies and configuration, settings) and the management actions and tasks an admin can perform on them. An admin can start from the top level and, in an intuitive way, get to a specific managed object or service and then to the corresponding tasks and functions. Tasks that span multiple managed objects (for example, applying policies to a specific group of users, devices or sites) are tied together across screens in a linked workflow. We focused on making sure that users do not have to move across unrelated screens (and hence read manuals or remember the steps) when completing a single task-oriented flow; the screens and flows should be simple and intuitive for the user.

UX scales and adapts: The real power and usability of any admin console is tested by whether it can scale to a massive number of managed objects and associated actions; a single enterprise account can have tens to hundreds of content sites, thousands of users and devices, and millions of documents. Also, the UX should be as useful to an enterprise admin who has just signed up for a trial account with a few users as it is when thousands of enterprise users are operational in the system. Not all users are the same either: an IT administrator performs different actions and tasks from an information owner. The admin console UX should scale and adapt to users and their roles. Depending on the user's role, the user should only see the objects, services and actions useful to that role, as against the one-size-fits-all approach seen in many admin consoles.

Rich content-centric insights and auditing: With our focus on security and manageability, the Averail admin console enables an admin to get an auditable trail of the activities performed by users within their enterprise account. An admin can also get actionable insights on devices, users and documents, for example which user edited a specific document, on which device, and when. The admin uses these insights and activity records to perform content management and security actions; for example, the admin can selectively delete an expired document from a specific user on the corresponding devices, or wipe the business content from a lost device.

Standards-based: The Averail Admin console is developed using HTML5, CSS and JavaScript, with all underlying services mapped to REST interfaces. We chose to stay away from Silverlight or Adobe Flex/Flash based UX given their cross-browser compatibility and versioning issues. We use jQuery and the Twitter Bootstrap framework http://getbootstrap.com/2.3.2/ rather than web frameworks (for example extJS) that lock down and constrain implementation and design. Use of standards and open web frameworks lets us leverage the best of open source and the community while focusing our efforts on what we do best: creating a compelling and customer-focused admin console for secure mobile content management.

Fluid and elegant: With the explosion of smartphones and tablets, admins no longer want to be constrained to PC browsers to perform actions on an admin console. They want and expect admin consoles to be usable on tablets and even smartphones. A fluid user experience that retains its elegance across different form factors and screen sizes is a must. The Averail admin console is usable across all common browsers (IE8, IE9, IE10, Chrome, Firefox, Safari) and also on tablet form factors and browsers.

In conclusion, we have followed the above design principles throughout the design and implementation of the Averail admin console, and we continually seek more feedback from users on it. We invite you to try the Averail Access solution for secure mobile content management by signing up here http://www.averail.com/?q=node/143.

iOS7: Just an incremental release or an accelerator for Enterprise Mobility?


By Rahul Sharma @rashrtwit

With the excitement around the upcoming release of iOS7 on Sept 18 and new devices iPhone 5s and 5c, let’s take a look at what iOS7 brings to enterprise mobility and management of mobile devices, applications and content. The big question is—is iOS7 just an incremental release with added features and enhancements or a major accelerator for enterprise mobility?

The biggest change in iOS7 is the reimagining of the user experience. In iOS7, apps and the core UX look flatter, with more focus on content than on chrome and UX elements, clearer text and fonts, lucid icons, and visual layering to add depth and translucency, among many other enhancements. An updated UX and look-and-feel will definitely add to the appeal of iOS7 among enterprise users.

iOS7 enhances the multi-tasking APIs by adding support for apps to a) update content in the background by being launched periodically, and b) use push notifications to make users aware that new content is available and then fetch that content in the background. These multi-tasking API enhancements make the experience of content-driven applications fluid, as content download can happen in the background before the user launches the application.

iOS7 adds support for a shared keychain (shared across apps from the same vendor) and single sign-on (SSO) across apps, including support for Kerberos. SSO is controlled via configuration profiles (which contain information about the account, apps and URL prefixes) distributed via a mobile device management (MDM) solution. iOS7 also includes enhancements to data-at-rest security, with support for automatic protection of data for installed apps, and signals plans for FIPS 140-2 certification for data-at-rest, though more details are not available yet.

For enterprise mobility management, iOS7 enhances support for MDM solutions by adding mechanisms and building blocks for the following (these are highlights, not the complete set):

  1. Silent installation of managed apps distributed by an MDM.
  2. Support for managed Open In for managed apps. Enterprises can now control which other apps can open documents and attachments, restricting business content to managed corporate apps rather than personal apps.
  3. Managed applications also get support for simplified configuration and feedback via dictionary entries. These can be used to update app settings, enterprise-specific URLs or any other app-specific configuration. For example, an enterprise IT administrator can configure URLs for intranet portal and SharePoint sites using such managed configuration. Applications can also send feedback with error and usage statistics via the feedback mechanism.
  4. An application in iOS7 can establish a per-app VPN to remote services, as compared to using a device-wide VPN in iOS6. Per-app VPN gives finer-grained control over data: secure business data (via the corresponding business app) can always be routed through the enterprise network via VPN, while personal apps route their data directly without going through enterprise networks. Per-app VPN is configured and managed through MDM solutions; for example, it can be restricted to specific apps.
  5. iOS7 also introduces new restrictions that can be managed and distributed via MDM configuration profiles; these include use of cellular data by apps, host pairing, iCloud keychain sync, and over-the-air PKI updates. The MDM protocol also supports enabling of mobile hotspot, Do Not Disturb, Find My Phone, setting of a custom lock screen, etc.
  6. For enterprises provisioning applications to their employees through the Volume Purchase Program (VPP), iOS7 introduces enhancements and changes to the App Store volume purchase program. Instead of hard-to-manage codes, licenses are now used. Apps can be installed via MDM commands and are considered managed apps, and can also be revoked. MDM solutions can use VPP APIs to provision licenses, associate licenses with users, register VPP users, get the licenses assigned to a user, get a list of all users, and get a list of purchased licenses, among other calls. The goal is to streamline application licensing, distribution and provisioning via MDM solutions and VPP.
  7. iOS7 also introduces a streamlined device enrollment process that lets enterprises simplify and customize device enrollment with the organization’s MDM server.

Looking at all these new iOS7 services, capabilities and APIs, a question comes up: is Apple encroaching on MDM and mobile application management (MAM) solutions by adding more to iOS7, and hence reducing the need for such enterprise mobility management solutions? My answer is no. These enhanced platform capabilities and services will further accelerate adoption of iOS7 devices in enterprises and will let MDM solutions add more services and differentiation. However, Apple is clearly emphasizing managed apps and more streamlined distribution, licensing and provisioning of apps for enterprises. This creates some overlap with MAM solutions that focus on application containers or on separating corporate and personal applications via personas or containers. This will be an interesting space to watch.

Averail and iOS7

We (at Averail) are working hard to update our application UX for iOS7. More on it in a later blog when we release our updated iOS7 app.

Presently the Averail Access iOS application supports a) updates of documents and sites published to users by information owner, b) updates of offline documents, and c) push notifications for updates to published documents. The background update mechanism provides an option (as we extend support for iOS7 incrementally) for Averail Access application to update documents, policies and content in the background.

iOS7 further enhances our Averail Access secure content management solution. Support for managed apps, managed Open In, per-app VPN and streamlined VPP are specific iOS7 services and APIs that will add to the security and manageability of our solution for our enterprise customers. As a few of these capabilities require integration with MDM vendors, we have started work with our MDM partners to integrate these enhanced management capabilities and services into our MDM-integrated Averail Access solution.

Mobility and new class of security threats for business content

By Rahul Sharma

As mobile employees demand continuous mobile productivity and smartphones and tablets become pervasive in enterprises, a new class of threats has emerged for the security of business content. While the security threats around privacy, unauthorized access, data-at-rest and data-in-transit, confidentiality, leakage, auditing and regulatory compliance for business content still apply, mobility adds an additional dimension to each of them. It is important to understand the security threats (specifically, in terms of threat modeling) and risks before considering protection and mitigation solutions. In this blog article, I describe this new class of security threats that arises as enterprises adopt mobility and cloud storage:

The ubiquitous consumer cloud problem: Consumer cloud storage solutions have become ubiquitous across users and devices; almost every mobile user can reach these services and use them to store and sync both personal and business content. Some of these consumer cloud storage repositories continue to have security issues, and many are not enterprise-grade in terms of security given their focus on consumer usability and productivity. Because these services hold content in their own cloud storage, the threats to data-in-transit, data-at-rest, residency, privacy and unauthorized access all apply to the business content stored there.

Content leakage from mobile applications: An employee can use applications on a mobile device to intentionally or even inadvertently copy or move content to consumer cloud storage or to repositories that are unauthorized from the enterprise policy perspective. Once moved, the content proliferates and becomes dissociated from the source enterprise repository, creating issues for the enterprise around traceability, auditing and regulatory requirements. The enterprise also loses control of the content as it moves to repositories the enterprise cannot access or manage, since the account belongs to the user. The security issues become even more acute and business-impacting if the content is confidential and business-sensitive.

Pervasive email workaround: An employee sends a document to him- or herself as an email attachment (to either a corporate or a consumer email account) from a device that has authorized access to the enterprise content repository. Next, the user opens the same attachment on a device outside the trusted environment and now has access to the document. Email thus becomes the mechanism for working around the security controls on business content. In fact, as consumer-grade email services increasingly provide multiple gigabytes of storage and value-added functions for search and meta-tagging, these services are becoming the new content storage systems: users send emails with document attachments and leave those documents in their mailboxes for access across devices.

Data-at-rest in the clear: Most cloud-based repositories and cloud-hosted enterprise content management systems (focusing on those integrated with mobile devices) either keep content unencrypted at rest or encrypt it with keys owned by the service provider rather than keys owned and managed by the owner of the content. The rationale is the requirements and mechanisms needed for document indexing for search, performance and de-duplication. First, this adds to the threats to data-at-rest: what if the cloud repository's key management system is compromised? Second, enterprises definitely want to retain ownership of their content across these repositories and want business-sensitive content encrypted with an option for them to control the cryptographic keys and to revoke or rotate those keys at a fine-grained level.

Many mobile applications (targeted at access to business content) also keep content and user credentials in the clear on the device, exposing them to the threats of data-at-rest compromise and unauthorized access to business content.

Mobile applications problem: Smartphone and tablet operating systems (specifically iOS, Android and Windows Phone) have a sandboxed application model. For example, iOS places each app (including its preferences and data) in a sandbox, and each app's sandbox directory contains its own set of directories and structure for storing app-specific data: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/TheiOSEnvironment/TheiOSEnvironment.html. The goal of the application sandbox is to limit attacks on an application from other malicious or compromised applications. An application can export and import data to and from another app using the “Open In” facility provided in iOS, and thereby create copies of a document in each app’s own sandbox. As users export and import documents from one application to another, another vector for content leakage opens up: for example, a user can copy a business-sensitive document from a secure, trusted, enterprise-authorized application to another, non-secure application.

Mobility across trusted and untrusted environments: Employees use their mobile devices both in trusted, enterprise-connected environments and in untrusted off-premise locations on public WiFi and cellular networks. Any business content accessed in a trusted environment still remains on the device and can be accessed or shared as the user and device move to an untrusted environment. For example, a confidential document may still remain on the device in unencrypted form and be accessible offline, without requiring the user to authenticate and obtain authorization for access to that document.

Lost mobile device: Even though we as mobile users are so attached to our smartphones and tablets, these devices do sometimes get stolen or left behind in a cab or a restaurant. This leads to the threat of unauthorized access to applications and to business-sensitive content at rest on the device. For example, a malicious user can jailbreak the device or use a still-valid application session to access business applications or content. There are easily available tools for inspecting the directory structure and content on a device simply by tethering it to a laptop. While MDM solutions do provide device-level protection for lost or stolen devices, they do not provide much content-level protection.

Content synchronization issue: Cloud storage services increasingly support automatic synchronization of content from mobile applications to the cloud. The rationale is to provide auto-backup and cross-device synchronization of content, making it easy for users to access content everywhere. As an example, iCloud is integrated with iOS and supports synchronization of content to iCloud storage at the operating system level: https://developer.apple.com/library/mac/documentation/General/Conceptual/iCloudDesignGuide/Chapters/iCloudFundametals.html#//apple_ref/doc/uid/TP40012094-CH6-SW3. iOS7 extends this to synchronization of the keychain and passwords across devices via iCloud. While such iCloud integration makes sense from a usability perspective, and these facilities can be managed via configurable settings and MDM solutions, it raises security issues for business content from the enterprise perspective. Such synchronization of content and credentials across devices and to iCloud creates another threat vector for content leakage and unauthorized access to business content.

Unauthorized and uncontrolled document sharing and collaboration: A mobile user can use applications on a smartphone or tablet to intentionally or inadvertently access and share a confidential document with other users. For example, a user puts a confidential document into Dropbox and creates a public share URL to share it with a customer or business partner. Once the document is on a public share reachable by URL, there is not much control or traceability left over it, and the receiver can further share it with other users.

These new mobility-driven security threats do raise concerns among enterprises about a) whether they should let mobile employees access and share business content at all, and b) whether they should completely block and restrict it or balance user productivity against content security and control. We (at Averail) fundamentally believe that blocking mobile content access and sharing is not the answer. It is about having a solution that balances employee productivity with security and control of business content for enterprises. We dedicate significant research and product development effort to understanding and analyzing these security threats as part of threat modeling and security architecture, and to applying security mechanisms and capabilities, security processes and best practices to protect our enterprise customers and users against both existing and new mobility-related threats to business content. Our security whitepaper [link here] describes the security architecture and implementation of the Averail Access solution.