Last week Gabe and I spoke to Mobilisafe, a Seattle-based startup that does mobile risk management. What is mobile risk management? For Mobilisafe it means inspecting traffic that flows from mobile devices to corporate applications and using it as a means to control unmanaged BYO mobile devices. does traffic inspection, as a way of controlling unmanaged devices. Their eponymous product is in beta, and today they released an updated report of findings from their trial.
After four months of private beta trials, the report that Mobilisafe released today indicates that about half of the mobile devices discovered in the trial had out of date OSes, causing security concerns. (Big surprise, we know!) Seriously though, the numbers they reported were that 71% of the devices had “high severity operating system and application vulnerabilities” and that 70% of those could be fixed by updating device firmware.
If only all the users would just keep up on their firmware upgrades, there would be no need to worry, right? But since that’s never going to happen, Mobilisafe has technology to make sure that personal devices with out-of-date OSes cannot access sensitive corporate applications.
How Mobilisafe works
The application that Mobilisafe works with is Exchange ActiveSync (EAS). I’ll get to how Mobilisafe does its magic in a little bit, but first, some background on EAS. While EAS has some basic MDM capabilities, it’s a rough tool at best. EAS can specify baseline security requirements for mobile devices, it can be turned on or off, it can wipe devices, and password and encryption requirements can be set. However, there’s not much of a view into the actual device.
This is where Mobilisafe comes in—it sits on an IIS server and watches the EAS traffic in order to learn more about the devices that are accessing each mailbox. Mobilisafe can identify the device, and using information pulled from Active Directory, figure out what user it belongs to.
How does the Mobilisafe agent learn the characteristics of the device? It looks at the characteristics of the actual traffic to and from the device. Some devices actually report lots of information, like their name, and OS version, while other devices have to be watched and compared to known device.
This is where the security part comes in—as we all know, a huge number of security holes could be closed by just keeping devices up to date. The intelligence that Mobilisafe brings is being able to determine which of the devices accessing EAS are out of date. Jailbroken devices often have their own characteristics that Mobilisafe can recognise, as well.
The crunching of the traffic-watching data happens on Mobilisafe’s servers in the cloud. They have to keep their finger on the pulse of all the latest patches for pretty much any mobile device that has an EAS client. Only the generic info of what the traffic looks like is transmitted off-premise, not the actual content of the EAS messages. The admin console also is in the cloud, and it pulls a just enough information from Active Directory to be able to cross reference devices with users events and create the management interface.
With better and more complete information about devices that are accessing mailboxes through EAS, administrators can then make decisions about access to EAS for certain users and devices. Mobilisafe is set up to be able to turn off access for particular devices, or instead of just blocking devices entirely, it’s possible to send users an email requesting that they update their device’s OS, or face having it be blocked after a certain period of time. For devices that Mobilisafe can’t identify (they said that there are a few), administrators can request that users self-report their devices.
Mobilisafe for BYOD
The end result is that administrators can achieve a granular level of control over EAS connections to unmanaged devices that is otherwise not possible. For environments that want to go completely unmanaged, Mobilisafe can be a way to ensure compliance to a degree beyond regular EAS capabilities. For environments with managed devices (whether corporate or personal), Mobilisafe would make a good partner, providing a glimpse into non-managed devices, including ones that are accessing EAS from outside of the corporate network.
Mobilisafe is an especially interesting option for controlling personal devices, considering how many of them get plugged into Exchange environments without any management at all.