When Android Is Secure Enough for the Enterprise
Enterprises are increasingly looking at Android as an alternative to Apple iOS mobile devices, but concerns about security and support often act as roadblocks. We illustrate how security and risk management leaders should counter security concerns linked to fragmentation, with diligence.
Overview
Key Challenges
· Enterprise security values consistent mobile platforms. Confidence that a mobile device will consistently respond in the same manner to the same commands is harder to obtain for enterprises than reaching a basic threshold of security functionality, which modern mobile platforms already widely provide. The Android platform fragmentation has been a barrier for enterprises trying to reach that consistency.
· Enterprises still struggle to find Android devices that are easy to support, are patched quickly and stay up to date for a long time. This is still the case, even though several initiatives have launched over the years to strengthen the security and reduce the fragmentation of the platform.
· While Android provides many possibilities for deep customization that can allow organizations to reach very high levels of security assurance and compliance, setting them up may require expertise, investment and time. In many cases, the out-of-the-box security obtained from iOS might be a more practical option, putting enterprises that would like to select the Android platform in front of a difficult choice.
Recommendations
Security and risk management leaders responsible for endpoint and mobile security should:
· Minimize fragmentation, support and inconsistency issues by establishing strict, frequently updated minimum standards for device makes and models, OS versions, and security patch levels for both bring your own device (BYOD) and enterprise devices. Prefer Android Enterprise Recommended and Samsung Knox devices among the various options for Android.
· Decide between Android and iOS as a preferred mobile platform not simply by comparing price tags for devices, but by evaluating the total cost of ownership (TCO) and customization needs to reach the desired level of security assurance.
· Optimize the security posture by establishing proper configuration management, including a minimum security baseline, choosing between work profile mode and managed device mode, and planning for mobile threat defense (MTD).
Introduction
Android is the dominant mobile operating system today. Driven by BYOD demand, as well as to find a viable alternative to iOS, security leaders are increasingly considering allowing Android devices to access and process enterprise data. Security concerns, linked to the fragmentation of the platform, are often the primary reason driving enterprises to choose iOS over Android as their primary mobile OS. This research provides the elements to evaluate when Android adoption is a viable enterprise choice from a security standpoint, and outlines how to go about it securely.
Analysis
Evaluate the Total Cost of Ownership Before Deciding That Android Is the Most Cost-Efficient Option
The first point often made in this discussion is that mobile malware is targeting the Android platform, while iOS is virtually free from malware. Other arguments compare the strength of encryption of iPhones and Android devices. To date, there are no credible reports of significant enterprise breaches due to mobile malware on either platform.
While it is tempting to focus on the purely technical comparison of iOS versus Android security, above a certain threshold of basic security functionality that most modern mobile platforms already provide, enterprise security is about consistency. It is about confidence that the mobile device will always respond in the same manner to the same commands. For instance, when sending a remote wipe command, it is about knowing that the command will be effective on any device of the fleet without exceptions.
By design, Android is an open platform. One of the consequences of this openness is Android's fragmentation: there are various flavors of the same Android version, each adapted to a specific device manufacturer, device model and network carrier. Inevitably, each flavor will have a slightly different behavior. Some devices may not support specific apps, for example; or they may not respond in the same manner to a mobile device management (MDM) command. This makes it more challenging to achieve the level of consistency described above, and an enterprise can only identify unexpected behavior through extensive testing. Troubleshooting and support issues will also multiply.
Additionally, because of the complexity of the process, manufacturers will stop issuing updates for older devices, especially for cheaper ones, but sometimes for higher-end ones as well. This leads to a device fleet with a variety of Android versions running at the same time, and older ones could bear severe vulnerabilities.
Ensure Your Android Devices Are Security-Patched and Up-to-Date
If you decide to allow Android in the enterprise, it is fundamental to only enroll devices that are up-to-date and free from vulnerabilities before defining any additional enterprise security mechanism on top. Because of Android's fragmentation, this task will be more challenging than for iOS devices.
Some improvements will make the task easier compared to the recent past, making it possible for more enterprises to open up to Android today. For example, Google decoupled Android security patches from more general-functionality OS updates, in an attempt to speed up updates. Its Google Play Services also provide remediation, as they allow patches to be applied quickly to apps such as the Chrome browser, to protect from vulnerabilities between OS updates. More recently, Google introduced the Android Enterprise Recommended program, which aims to reduce fragmentation and to streamline selection of Android devices for enterprises. The program is not Google's first attempt to alleviate the fragmentation of Android device versions. However, the enterprise focus of the latest initiatives could have a greater positive impact for enterprises. Even though Google's moves in this space are in the right direction, it will take time for enterprises to be able to reap the benefits.
To keep a fleet of Android devices patched, enterprises need to set minimum acceptable standards. Enterprises seeing Android as a BYOD option should define a restricted set of models. However, enterprises considering Android as their possible mobile OS of choice should ideally settle on a single Android model (or, at maximum, a set of two or three models, sometimes assigned based on tasks and seniority) to minimize self-induced fragmentation.
Devices purchased directly from Google (such as the Google Pixel), rather than a carrier, will provide quicker updates. However, these devices are not globally available, and many enterprises will continue to procure their devices from a carrier, as part of a larger service. Even though not part of Google's Android Enterprise Recommended program, we still see Samsung devices as a good choice, based on their track record in terms of security updates. Either way, it is essential to ensure that the enterprise's risk posture can accept a window of 30 to 90 days where mobile devices are left without the latest security patches.
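The minimum standards described above (approved makes and models, a minimum OS version, a maximum age for the security patch level, and a maximum acceptable patching window of 90 days) can be enforced as an enrollment gate. The following is an added example, not code from the original research note or from any MDM vendor: it evaluates a constructed device inventory against a hypothetical baseline. The model names, version floor, the `management_mode` check (which assumes the Android Enterprise modes are the only accepted ones) and the sample records are all assumptions chosen for illustration, not values from the page.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical baseline (constructed for this example, not from the page).
ALLOWED_MODELS = {"Pixel 7", "Galaxy S23"}
MIN_OS_VERSION = (13, 0)
MAX_PATCH_AGE_DAYS = 90  # upper bound of the 30-90 day window the note cites
# Assumed: only Android Enterprise modes are accepted; "device_admin" is rejected.
ALLOWED_MODES = {"profile_owner", "device_owner"}


@dataclass
class Device:
    device_id: str
    model: str
    os_version: str       # e.g. "13.0" or "13"
    security_patch: str   # Android's YYYY-MM-DD security patch level string
    management_mode: str  # "device_admin", "profile_owner" or "device_owner"


def parse_version(version: str) -> tuple:
    """Turn "13" or "13.0" into a comparable tuple, padding to two components."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (2 - len(parts))


def evaluate(device: Device, today: date) -> list:
    """Return the list of baseline violations for one device (empty = compliant)."""
    findings = []
    if device.model not in ALLOWED_MODELS:
        findings.append(f"model {device.model!r} not on the approved list")
    if parse_version(device.os_version) < MIN_OS_VERSION:
        findings.append(f"OS {device.os_version} below minimum "
                        f"{'.'.join(map(str, MIN_OS_VERSION))}")
    try:
        patch_date = date.fromisoformat(device.security_patch)
    except ValueError:
        # A patch level that cannot be parsed is treated as non-compliant,
        # not silently accepted.
        findings.append(f"unparseable security patch level {device.security_patch!r}")
    else:
        age = (today - patch_date).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"security patch is {age} days old "
                            f"(limit {MAX_PATCH_AGE_DAYS})")
    if device.management_mode not in ALLOWED_MODES:
        findings.append(f"management mode {device.management_mode!r} not accepted")
    return findings


def enrollment_report(devices, today: date) -> dict:
    """Map each device id to its findings."""
    return {d.device_id: evaluate(d, today) for d in devices}


def compliant_device_ids(report: dict) -> list:
    """Ids of devices with no findings, sorted for stable output."""
    return sorted(dev_id for dev_id, findings in report.items() if not findings)


# Constructed sample inventory and a fixed reference date so results are repeatable.
REFERENCE_DATE = date(2023, 9, 1)
SAMPLE_DEVICES = [
    Device("dev-01", "Pixel 7", "13.0", "2023-08-05", "device_owner"),
    Device("dev-02", "Galaxy S23", "13", "2023-05-01", "profile_owner"),
    Device("dev-03", "Budget X1", "11", "2022-11-05", "device_admin"),
    Device("dev-04", "Pixel 7", "14", "not-a-date", "device_owner"),
]

if __name__ == "__main__":
    report = enrollment_report(SAMPLE_DEVICES, REFERENCE_DATE)
    for dev_id, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{dev_id}: {status}")
    print("eligible for enrollment:", compliant_device_ids(report))
```

Running the script lists each device with its violations; in the sample set only dev-01 passes, dev-02 fails solely on patch age (123 days), dev-03 fails every check, and dev-04 is rejected because its patch level cannot be parsed. The same structure works as a periodic re-check of already-enrolled devices, which is where fleets drift out of compliance once manufacturers stop shipping updates.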
Configure Android Devices to Satisfy Security and Usability Requirements
There are three possible modes when configuring Android devices for management: Device Administration (Admin), Profile Owner and Device Owner (the last two are more commonly referred to as "work profile mode" and "managed device mode"). Google is deprecating Device Admin mode. Enterprises should prefer the latter two, which, as part of Android Enterprise, contain a set of management policies that should reduce support and fragmentation issues. These policies are part of the Android platform and should be available and standardized on all devices starting from Android 6.0, including Android Go devices.
The Android platform provides a series of active security mechanisms to identify unwanted or malicious behavior by apps and other resources. These mechanisms include Google Play Protect (which is part of Google Mobile Services), SafetyNet and Verify Apps, and they run transparently to the user and the enterprise.
Similar to iOS's Secure Enclave, Android provides a hardware root of trust called Trusted Execution Environment (TEE). The TEE mechanism can be leveraged by apps or device management tools to ensure the integrity of the device and perform a limited set of delicate operations.