White Paper on Enterprise Mobility

Enterprise mobility promises to make employees more productive, empowering them to address business issues in a timely, untethered manner. But for security-minded organizations—those using strong security methods to authenticate users trying to access confidential information and data (smart cards or Kerberos with PKI certificates)—numerous security concerns emerge when enterprise access is extended to and from smartphones and tablets.

The primary issue is this: how to replicate the “trust” that exists inside a corporate network and extend it to a “foreign device” (i.e., a device that is employee-owned and runs one of the many available mobile operating systems).

Existing Solutions Fall Short

Historically, companies would have used a device-level mobile VPN to extend remote access to mobile devices. While some mobile VPNs support X.509 certificates, traditional mobile VPN solutions are problematic:

• Open Tunnel: A device-level VPN exposes the corporate network to nefarious apps, malware, and viruses that may have been downloaded by the user;

• Man-in-the-Middle: Use of constrained delegation in the demilitarized zone (DMZ) creates a proverbial “Man-in-the-Middle” between the mobile device and the trusted Active Directory in the enterprise;

• No PIN Protection: PKI certificates stored in the device keychain are accessible to any device user; without a proper PIN there is no “two-factor” authentication.

Moreover, mobile devices do not natively support Kerberos, and each mobile OS has its own peculiarities about security and authentication, making the consistent deployment of security standards nearly impossible. It’s no surprise, then, that these issues give CIOs cause for concern about allowing Bring Your Own Device (BYOD) solutions inside a security-minded enterprise.

There has to be a better way...

CONTENTS:

• Existing Solutions Fall Short

• Why Should Enterprises Care About Strong Authentication & Secure Remote Access

• Security in a BYOD World Has New Rules

• Authentication Challenges in a Mobile World

A new option for securing intranet access from mobile devices using Kerberos/PKI

© 2012 Bitzer Mobile

Bringing personal devices to work is an unstoppable trend. As workers embrace the benefits of BYOD and consumerization of the enterprise becomes a generally acceptable practice, enterprises must address security issues such as remote control of corporate data and enterprise data-leakage prevention (DLP). Security vigilance is all the more important given the fact that users can offload or transfer data from a mobile device to removable media like Micro SD cards placed in the device, a USB-connected PC or hard drive, or a remote storage solution such as iCloud, Dropbox, Box.net, or Skydrive.

Many enterprises combat data leakage by prohibiting attachments in email as a best practice and instead providing links to documents hosted internally on SharePoint or Documentum. This document-access scheme requires that the mobile client (e.g., a smartphone or tablet) be properly authenticated before the link in the secure email can actually access and serve the secure document to the specific validated mobile device.

Bitzer Mobile’s BMAX-SA Addresses the Problem

Bitzer’s Mobile Access Xcelerator with Strong Authentication (BMAX-SA) solution provides a secure container on your employee’s mobile device. The Bitzer Mobile secure container acts as a virtual smart card for authentication purposes. BMAX-SA enables three major differentiators that set its functionality and flexibility far beyond current mobile VPN solutions:

1. Device trust vs. gateway trust; device trust is more secure and easier to maintain;

2. PIN-protected certificates vs. device password; PIN protection preserves the consumer user experience;

3. AppTunnel™ vs. device-level VPN, preventing rogue apps on devices from gaining direct access to your enterprise.

Figure 1: Complicated and insecure solution with mobile VPN and MDM. 1. Gateway trust, 2. Device password, 3. Device-level VPN

Figure 2: BMAX security through simplicity. 1. Device trust, 2. PIN protection, 3. AppTunnel™

Why Should Enterprises Care About Strong Authentication & Secure Remote Access


1. Device Trust vs. Gateway Trust

BMAX extends your network’s Kerberos authentication trust directly to the user’s device instead of stopping at a gateway server sitting in the DMZ.* Bitzer’s patent-pending technology is significantly more efficient and secure than implementing the constrained delegation offered by VPN providers. This differentiation is critical: a constrained delegation solution is not only less secure but also more cumbersome to set up and maintain.

If the insecurity of a constrained delegation solution doesn’t offer reason enough to pause and consider alternatives, keep in mind that, to enable gateway trust, your enterprise must configure and maintain long lists of all the internal servers that accept this trust. In a large organization, the list could contain hundreds of continually and dynamically changing servers. Configuration and maintenance can represent an administrative nightmare of significant proportions. Bitzer’s device-trust approach eliminates the need to maintain additional lists of internal servers; administrators continue to authorize users and servers only in Active Directory, as they do today.

2. PIN-Protected Certificate vs. Device Password

The continual battle between IT and end users regarding the tradeoff between usability and security is magnified when dealing with consumer devices and BYOD** programs. Corporate IT requires strong PINs to protect the certificate and corporate data on BYOD devices; conversely, users want simple PINs—or preferably no PIN at all—so they can easily access Facebook® and other consumer apps.

Requiring a device password is frustrating for users, as they are constantly using the device for non-enterprise purposes that don’t require enterprise authentication. As a matter of compromise for executive BYOD users (the people who access the organization’s most confidential IP and data), IT loosens password requirements for mobile devices, resulting in a lowest-common-denominator security solution.

Unfortunately, mobile devices are the most vulnerable devices; they are more subject to loss and theft and are susceptible to CDMA/GSM/LTE/WiMAX scanning technology. These devices should, therefore, utilize your strongest authentication solution, not your weakest. Bitzer’s solution provides the necessary balance between security and usability when dealing with BYOD programs.

Bitzer’s Solution Solves the Certificate-Security Problem

By holding the certificate inside a secure container app, Bitzer enforces PIN protection only when the user is trying to access corporate resources. The Bitzer secure container eliminates the battle between usability and security. Users can still access their consumer apps without any device password, and enterprises can enforce password policies to PIN-protect only when enterprise authentication is required.

* Demilitarized Zone — DMZ

** Bring Your Own Device — BYOD
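The mechanism the preceding section relies on is that the certificate’s private key is unusable without the container PIN, even though the key material lives on a device the user fully controls. The following Python is an added illustration written for this page; it is not Bitzer’s code and says nothing about how BMAX-SA is implemented internally. It assumes a stdlib-only environment: the PIN is stretched with PBKDF2 into an encryption key and a separate MAC key, the private key is encrypt-then-MAC wrapped (HMAC-SHA256 in counter mode stands in for a real cipher, since the standard library has no AES), and the container counts failed PIN attempts and locks itself so that short PINs cannot be guessed online. The sample key bytes, the PIN, the iteration count and the attempt limit are all constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # constructed value; slows offline PIN guessing
MAX_FAILED_ATTEMPTS = 5       # constructed value; online guessing stops here


def _prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Stdlib has no AES;
    production code should use AES-GCM or the platform keystore."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the short PIN into an encryption key and a separate MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def wrap_private_key(private_key: bytes, pin: str) -> Dict[str, bytes]:
    """Encrypt-then-MAC the certificate's private key under the PIN-derived keys.
    Only this blob is stored; the raw key never sits in the shared keychain."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    stream = _prf_stream(enc_key, nonce, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


class SecureContainer:
    """Holds only the wrapped key and releases the plaintext solely after a
    correct PIN, i.e. only when an enterprise authentication is about to run."""

    def __init__(self, wrapped: Dict[str, bytes]):
        self._wrapped = wrapped
        self.failed_attempts = 0
        self.locked = False

    def unlock(self, pin: str) -> Optional[bytes]:
        if self.locked:
            raise PermissionError("container locked; an administrative reset is required")
        w = self._wrapped
        enc_key, mac_key = _derive_keys(pin, w["salt"])
        expected = hmac.new(mac_key, w["salt"] + w["nonce"] + w["ciphertext"], hashlib.sha256).digest()
        # A wrong PIN yields a different MAC key, so the tag check fails before
        # any decryption happens; compare in constant time.
        if not hmac.compare_digest(expected, w["tag"]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
            return None
        self.failed_attempts = 0
        stream = _prf_stream(enc_key, w["nonce"], len(w["ciphertext"]))
        return bytes(c ^ k for c, k in zip(w["ciphertext"], stream))


def demo() -> Dict[str, bool]:
    """Constructed walk-through: one wrong PIN, then the right one."""
    key = b"constructed-sample-private-key-bytes"   # not a real key
    container = SecureContainer(wrap_private_key(key, "4821"))
    wrong = container.unlock("0000")
    right = container.unlock("4821")
    return {"wrong_pin_released_key": wrong is not None, "right_pin": right == key}


if __name__ == "__main__":
    print(demo())
```

The two controls reinforce each other: PBKDF2 makes each offline guess against a stolen blob expensive, and the attempt counter bounds online guessing on the device itself, which is what makes a four-digit PIN acceptable as the second factor the page describes.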


Bitzer’s solution also includes a remote Mobile Container Management (MCM) component that can enforce policy and remotely lock or wipe the secure container on the employee’s mobile device instantaneously. Policies can include authentication and access to certain resources. Access can be restricted to certain locations or time windows, affording the enterprise control over intranet access by whom, with what, from when, and from where.
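To make the “by whom, with what, from when, and from where” policy concrete, here is an added Python example written for this page; it is not Bitzer’s MCM code and does not claim to match its policy format. It assumes a container-side evaluator that receives a pushed policy, applies remote lock/wipe commands to its own state, and denies by default: a request passes only if the container is neither wiped nor locked, the user has PIN-authenticated, the resource is on that user’s list, the location is permitted, and the local time falls inside the window (windows that cross midnight are handled). The user names, resource URL, countries and timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class ContainerPolicy:
    """Policy as an MCM server might push it: who may reach what, from where, when."""
    resources_by_user: Dict[str, FrozenSet[str]]
    allowed_countries: FrozenSet[str]
    window_start: time          # local time, inclusive
    window_end: time
    require_pin_auth: bool = True


@dataclass
class ContainerState:
    """Remote commands change only these flags; a wipe is irreversible."""
    locked: bool = False
    wiped: bool = False


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    country: str
    when: datetime
    pin_authenticated: bool


def apply_mcm_command(state: ContainerState, command: str) -> ContainerState:
    """Hypothetical command set: lock, unlock, wipe."""
    if command == "wipe":
        state.wiped = True
        state.locked = True
    elif command == "lock":
        state.locked = True
    elif command == "unlock":
        if not state.wiped:          # a wiped container has no key material to unlock
            state.locked = False
    else:
        raise ValueError(f"unknown MCM command: {command}")
    return state


def in_window(start: time, end: time, t: time) -> bool:
    """Inclusive window; a window such as 22:00 to 06:00 wraps past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(policy: ContainerPolicy, state: ContainerState, req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; the first failing check names the reason for the audit log."""
    if state.wiped:
        return False, "container wiped"
    if state.locked:
        return False, "container locked by MCM"
    if policy.require_pin_auth and not req.pin_authenticated:
        return False, "PIN authentication required"
    if req.resource not in policy.resources_by_user.get(req.user, frozenset()):
        return False, f"{req.user} not authorized for {req.resource}"
    if req.country not in policy.allowed_countries:
        return False, f"location {req.country} not permitted"
    if not in_window(policy.window_start, policy.window_end, req.when.time()):
        return False, "outside permitted time window"
    return True, "allowed"


def night_window_examples() -> Tuple[bool, bool]:
    """01:00 is inside a 22:00 to 06:00 window; 12:00 is not."""
    return in_window(time(22, 0), time(6, 0), time(1, 0)), in_window(time(22, 0), time(6, 0), time(12, 0))


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios run against one policy and one container."""
    docs = "https://sharepoint.corp.example/"       # placeholder resource
    policy = ContainerPolicy(
        resources_by_user={"alice": frozenset({docs})},
        allowed_countries=frozenset({"US", "CA"}),
        window_start=time(7, 0),
        window_end=time(19, 0),
    )
    state = ContainerState()
    base = dict(user="alice", resource=docs, country="US",
                when=datetime(2012, 6, 1, 9, 30), pin_authenticated=True)
    results = {
        "ok": evaluate(policy, state, AccessRequest(**base)),
        "no_pin": evaluate(policy, state, AccessRequest(**{**base, "pin_authenticated": False})),
        "wrong_user": evaluate(policy, state, AccessRequest(**{**base, "user": "bob"})),
        "bad_location": evaluate(policy, state, AccessRequest(**{**base, "country": "XX"})),
        "after_hours": evaluate(policy, state, AccessRequest(**{**base, "when": datetime(2012, 6, 1, 23, 0)})),
    }
    apply_mcm_command(state, "lock")
    results["locked"] = evaluate(policy, state, AccessRequest(**base))
    apply_mcm_command(state, "unlock")
    results["unlocked"] = evaluate(policy, state, AccessRequest(**base))
    apply_mcm_command(state, "wipe")
    apply_mcm_command(state, "unlock")   # no effect: wipe is final
    results["wiped"] = evaluate(policy, state, AccessRequest(**base))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} {decision}")
```

Ordering the checks so that container state is tested before anything else means a remote lock or wipe takes effect on the very next request, regardless of whether the user still knows the PIN, which is the property the paragraph above promises.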

3. AppTunnel™ vs. Device VPN

Device-level VPNs provide a trusted, secure tunnel between a user’s device and a corporation’s network. Yet device-level VPN solutions are problematic: they are more appropriate for corporate-owned and secured endpoint devices such as laptops than for consumer mobile devices. The stark reality is that once a mobile-device VPN tunnel is open to your network, any app on that device has access to this secure tunnel. This is a huge security hole and a pathway to danger.

With the near-exponential rise in mobile application malware, spyware, viruses, and general nefarious code, can any enterprise ensure that consumer-focused BYOD users have not unintentionally or intentionally downloaded a rogue app onto their devices? Does your organization really need the additional overwhelming, if not impossible, task of monitoring and managing all the content on all your employees’ mobile devices?

Secure AppTunnel™ Talks Only to the Secure Container

With Bitzer’s secure AppTunnel™, the connection from the mobile device to the enterprise intranet exists only between the secure container and enterprise servers. The solution redefines enterprise mobility.

Security in a BYOD World Has New Rules

Your organization has invested significantly in implementing secure Kerberos/X.509 authentication, both inside your enterprise and for laptop remote access; however, the complexity of authentication challenges is exacerbated with mobility, consumer devices, and especially BYOD programs. Security-conscious IT professionals must look beyond current solutions to ones designed for the new challenges that accompany changing realities.

Create a far more secure solution while simplifying deployment and preserving the user experience. Bitzer can make the difference for your organization.

BITZER MOBILE

440 N. Wolfe Road

Sunnyvale, CA 94085, USA

www.bitzermobile.com

[email protected]

1-(866) 603-8392

Follow us on @bitzermobile
