Sensitive Data on Mobile Devices Stays Secure with New Platform
June 2013
The Army and many other MITRE customers are increasingly interested in using mobile devices to run mission-critical applications. But with new data security threats emerging all the time, how can government agencies deploy mobile tools while safeguarding critical information?
"Agencies are grappling with the best way to integrate these devices into their larger IT infrastructures," says Dave Keppler, a MITRE cybersecurity researcher. Security is one of their most important issues, since mobile applications for soldiers' tactical use could include mapping and exchanging sensitive data such as medical records.
Currently, mobile device security efforts apply the same techniques that secure data on laptop and desktop computers—an approach that can leave mobile devices vulnerable to compromise.
"The similarities between smartphones and desktops are superficial," Keppler says. "They're structured differently, so they will be attacked differently. Taking the desktop approach and porting it over to a smartphone leaves gaps that a motivated adversary will exploit."
These security concerns have so far kept some government users from deploying mobile tools such as smartphones. MITRE is researching various ways to capitalize on mobile devices' continual network connections, along with thin client technology and cloud services, to improve mobile security. (Thin client technology enables any computer to access common office applications from any Web browser over the Internet or a corporate intranet. This reduces the number of applications on the mobile device itself.)
One of these research teams developed the Secure Virtual Mobile Platform (SVMP), which protects mobile access to enterprise data by bringing the advantages of thin client technology to mobile devices, such as smartphones.
Data Remains Secure in the Cloud
SVMP improves on current approaches, which secure mobile data with legacy techniques inherited from desktop operating systems. Security tools such as antivirus software are limited by the design of mobile operating systems and by the constraints of devices with small batteries and small screens, such as smartphones.
"The nature of the mobile platform limits options for security. The main benefit of our approach is that instead of trying to defend data on the device, we make sure that sensitive apps and data are not on the device," Keppler explains. By contrast, other methods of securing data leave certain information and credentials housed on the device itself. This leaves the data open to compromise by malware and, of course, creates a problem if the device is lost or stolen. SVMP keeps critical data securely housed within cloud services. Personnel can also easily operate SVMP via a touch screen, keeping the user experience and productivity advantages of mobile applications intact.
"Phones have 'always-on' network connections—they're always chatting back to a cloud service, which provides an opportunity to improve security," Keppler says. "We realized that one main problem with securing mobile devices has been significant resource constraints, such as short battery life."
Since the cloud has virtually infinite computing resources, the researchers determined they could take advantage of this off-board computing capacity to improve security on the device itself.
Keppler and his team also surveyed existing commercial mobile security solutions and found none that solved this underlying security problem without sacrificing ease of use.
"What we found were mobile apps that let the user connect to desktop-oriented solutions designed for a big monitor and a keyboard," he says.
An Open Source Solution
Taking advantage of available open source technology, the MITRE team designed SVMP to use an Android-based mobile operating system run on a cloud platform or virtualization system, similar to the widely available VMware platform. "We pulled in work done in the open source community for wired connectivity," Keppler says. "The main issue was figuring out how to get the inputs from the phone back to the cloud-based virtual machine."
The research team built protocols to capture multi-touch gestures on the phone, send them across the network, and replay them in the virtual machine. From there, the inputs pass to the actual application on the device. To improve SVMP's performance, the team examined its resource use on the device. There were two main issues. First was minimizing the time it takes to get data from the handset, over the cell network, to the enterprise network, and back. The second hurdle was keeping the data transmit rate low to avoid running up the cost of device contracts and draining the battery.
To address these issues, the team developed a video-streaming solution. With real-time video encoding, the data is streamed over the network to the device and played back there. Mobile handsets can decode and play back compressed video using special-purpose hardware, which improves battery life.
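The input relay described above, as an added example that is not MITRE's SVMP code: a constructed, hypothetical frame format for one multi-touch event, packed small to keep the cell-link data rate down, normalized so the handset and the virtual machine display need not share a resolution, and checked on the VM side for integrity and ordering before it is replayed. The screen sizes, the CRC-32 trailer and the sequence-number check are assumptions, not details from the article.

```python
import struct
import zlib

# Constructed wire format (not SVMP's actual protocol): each multi-touch
# event is one small binary frame so the handset-to-cloud stream stays
# cheap on the cell link. Coordinates travel as 16-bit fixed point in
# [0, 65535] so the handset and the VM display can have different sizes.
ACTIONS = {"down": 0, "move": 1, "up": 2}
NAMES = {v: k for k, v in ACTIONS.items()}
HEADER = struct.Struct("!IHB")    # sequence number, pointer count, action
POINTER = struct.Struct("!BHH")   # pointer id, normalized x, normalized y
TRAILER = struct.Struct("!I")     # CRC-32 over header + pointers

def encode_touch(seq, action, pointers, device_screen):
    """Handset side: normalize device pixels and pack one event frame."""
    w, h = device_screen
    body = HEADER.pack(seq, len(pointers), ACTIONS[action])
    for pid, x, y in pointers:
        if not (0 <= x < w and 0 <= y < h):
            raise ValueError("pointer outside the device screen")
        body += POINTER.pack(pid, x * 65535 // (w - 1), y * 65535 // (h - 1))
    return body + TRAILER.pack(zlib.crc32(body))

def decode_touch(frame, vm_screen, expected_seq):
    """VM side: check integrity, length and ordering, then map to VM pixels."""
    if len(frame) < HEADER.size + TRAILER.size:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) != crc:
        raise ValueError("corrupt frame")
    seq, count, action = HEADER.unpack_from(body)
    if seq != expected_seq:
        raise ValueError(f"out-of-order frame {seq}, expected {expected_seq}")
    if len(body) != HEADER.size + count * POINTER.size or action not in NAMES:
        raise ValueError("malformed frame")
    w, h = vm_screen
    pointers = [
        (pid, nx * (w - 1) // 65535, ny * (h - 1) // 65535)
        for pid, nx, ny in (POINTER.unpack_from(body, HEADER.size + i * POINTER.size)
                            for i in range(count))
    ]
    return seq, NAMES[action], pointers

def relay_pinch(device_screen=(1080, 1920), vm_screen=(800, 1280)):
    """Round-trip one two-finger 'down' event; returns (frame length, replayed event)."""
    frame = encode_touch(7, "down", [(0, 0, 0), (1, 1079, 1919)], device_screen)
    return len(frame), decode_touch(frame, vm_screen, expected_seq=7)
```

A two-finger event costs 21 bytes on the wire here, which is the kind of per-event budget the team's data-rate concern is about.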
The goal is to make SVMP function for all mobile users, which would support the "bring your own device" scenario.
"It's a difficult process because you have to customize Android to handle many different devices," says Dave Bryson, an information systems engineer who works on the project. "This is what we're working toward. Ideally, people can use their own device for work in a secure fashion using our technology." Government personnel are particularly interested in Android-based mobile security solutions because open source developers are doing a large amount of work on Android applications.
Going forward, the MITRE team is exploring ways to transition the existing SVMP work to sponsors or into the open source community.
"The real benefit is that we gain all the security of the thin client remote desktop solution, but keep the productivity benefits of the mobile solution," Keppler says. "We get the best of both worlds."
—by Maria S. Lee