This post is from the Apperian blog and has not been updated since the original publish date.
Mobile security issues: DAR, DIU, DIM
Protecting data - whether it’s the cell phone number to reach your kids’ teacher or nuclear reactor control codes - is much the same today as it was fifty years ago. Although the working environment is different, the same fundamental principles apply. For any secure system, three factors need to be addressed:
- Data at rest (DAR)
- Data in use (DIU)
- Data in motion (DIM)
If all of these aspects are properly protected, you can rest assured your system is reasonably secure. However, all three do have to be provided to avoid security leaks.
As always, the only truly secure system is one locked away from any contact with the outside world. However, such a system is useless for nearly all practical purposes. A reasonably secure system needs to have the data it contains accessible to authorized users yet protected from unauthorized access or manipulation. Traditional computer systems have often used physical security in place of true data security with a fair degree of success. The proliferation of portable and hand-held terminals including laptops, tablets, and cell phones, has effectively removed physical security from protected system design. Not only are mobile devices used outside of the protected physical spaces of the past, they are also much more liable to loss or theft. While today’s mobile systems place new and often more challenging constraints on data and mobile app security, the underlying principles remain the same: protect your data in each of its three phases to achieve a reasonably secure system design.
Data at rest (DAR)
When your data is stored for later retrieval, on slips of paper or on a hard disk system, it’s considered to be “at rest” with its own set of security requirements. Hand written notes are not likely to be compromised if they are kept in a drawer with an adequate lock, but data on a laptop’s hard disk or in a mobile device’s non-volatile memory can be easily read if it’s not protected.
The easiest way to protect DAR is to encrypt the data before it is written to the storage system. Even if an unauthorized user gains access to the encrypted data, unless they have the encryption key and algorithm, all they will see is noise. Furthermore, illicit manipulation of the stored data becomes effectively impossible since an attacker won’t know where to write what substitute information to have it decrypted into the resulting values they want to insert or replace.
Encrypting DAR may be the most straight-forward way of protecting it, but the encryption system must be properly designed, implemented, and tested to assure the data will be secure. An effective system should be based on well-tested algorithms that have been subjected to extensive testing by independent agents.
Data in use (DIU)
While you are working with your data, manipulating it in a spreadsheet, or pasting between documents, it’s said to be “in use” and is much more vulnerable to interception or manipulation than DAR. Unless you can do the complex mathematical manipulations required for decryption in the optic nerves between your eyes and brain, what you have to read from the screen is “plain text” data in its unprotected form.
Most of the protection of DIU has to come from the operating system of the device where it’s being used: the OS has to block access from one program’s memory space into another to prevent data leaks or corruption. Fortunately, modern hardware provides physical layer support, and modern operating systems use those hardware features to keep each application in its own “sandbox” that only has access to the resources it is authorized to access.
There are times when, by design, the walls of an application’s sandbox break down, such as when data is copied from one application and pasted into another. If the first application is part of a secure system and the second is not, then the transfer has to be considered a “leak” of the secure data, something the secure system’s design should prevent.
For a mobile device protected using a traditional mobile device management (MDM) system, there is no restriction on data sharing between secure and insecure applications: while the device itself might be secured, none of the applications include any security features and “leakage” is an unrecognized concept. However, in a bring your own device (BYOD) working environment, employees are unlikely to consent to giving their employer total control over their smartphone, and using an MDM system to provide security will not work. In that case, an application-level security system must be used, such as a mobile application management (MAM®) platform, resulting in a mix of secure and insecure applications on the device.
With a MAM environment on a device, a secure system must provide a mechanism for preventing data leaks from secure applications to insecure ones. Once again, encryption comes into play. Before sending data to another application, the secure one must encrypt the data and send the encrypted version to the other application. If the receiver is also a secured application, it will be able to decrypt and use the data as expected. However, if the data is pasted into an insecure application, all that will be received is what appears to be noise - if the transfer is allowed in the first place.
DIU protection is more than just preventing unauthorized copy-and-paste operations: it also covers opening email attachments with insecure applications, sending secure documents using unprotected programs, and a host of other possible loss vectors. Building a system with an exhaustive DIU policy is a task requiring attention to many details. It also needs to be tested by a wide range of naive users to be sure the protection covers a reasonably complete set of use cases.
Data in motion (DIM)
Any time you send your data to an external system, it becomes “in motion” and has its own set of security constraints. Providing protection for DIM may be easier than for DIU since it’s expected to be attacked, intercepted, and/or compromised.
Whether it’s easier to protect or not, security for DIM is once again best built with encryption. The algorithms and constraints of the encryption system are different than those used for DAR - a streaming cypher is employed instead of a block one, and a DIM system must provide for recovery from interruptions and errors introduced by the transmission system.
When implementing a system where both end points are secure (e.g., a data provider and a mobile application accessing the data), an encrypted channel can be constructed between them with the data “natively” encrypted in the channel. However, when a mobile device is remotely accessing a corporate network whose traffic is unencrypted, a system such as a virtual private Network (VPN) must be used to encrypt the traffic sent over the public network. In addition to ensuring protected data is only sent through the VPN, a DIM system must also prevent data from being sent to the public network until the VPN has been established, or if it is interrupted or terminated.
Protect what matters most
With ubiquitous access to data through mobile devices, physical security can no longer be considered part of a protected system’s design. Instead, the data itself must be protected. Through defense of DAR, DIU, and DIM, secure data systems can and are being built today using encryption, encryption, and encryption. These new ones are actually more secure than past systems whose design relied heavily on protection of the computer hardware itself to achieve data integrity and limit unauthorized access.