Password protection and application security are high on the list of security concerns as more organizations move to mobile first and Bring Your Own Device (BYOD) strategies.
I recently spoke with Jonathan Dale, director of marketing for Fiberlink (recently acquired by IBM), and James Brown, chief digital technologist at Compuware Professional Services, and they answered some questions concerning the blacklisting and whitelisting of apps and password security.
Creating app blacklists and whitelists
According to Jonathan Dale, "File sharing apps are the most common blacklisted apps in the enterprise. The top five blacklisted apps include Dropbox, SugarSync, Box, Facebook, and Google Drive." Fiberlink's app data comes from over 4,500 of their customers using a mix of corporate- and employee-owned devices.
Figure A shows the top 10 list of blacklisted iOS and Android apps amongst Fiberlink customers:
The top 10 list of blacklisted iOS and Android apps.Dale says, "The top concern for most corporations is knowing that their data is safe and always in the right hands. Blacklisting can play a role, but we find that there are both right and wrong times to restrict apps. For instance, restricting an app for no reason is a quick way to get your BYOD deployment to backfire. Even corporate-owned devices with blacklisting apps can make employees unhappy."
Right now, blacklisting occurs on 10% of the devices that Fiberlink manages, prohibiting a specific app or apps from running. This means that IT is trying to ensure the intended use of the device and prevent the loss of corporate data, which is considered a major security risk. Dale recommends blacklisting and even whitelisting where appropriate.
Figure B shows the top 10 list of whitelisted iOS and Android apps amongst Fiberlink customers:
The top 10 list of whitelisted iOS and Android apps.
James Brown offers the following advice about blacklisting and whitelisting:
"First, define the purpose for creating the blacklist. Many assume that blacklisting is a practice predominantly utilized for security purposes, but businesses also blacklist time-wasting applications — such as Angry Birds — to manage employee productivity. Blacklisting can also help with those apps that dramatically increase data-transfer demands on the network, such as Netflix.
"Second, create a rubric for scoring apps or criteria for deciding which apps should be blacklisted. Once it has been decided whether the focus is to compliment security or to decrease distraction among employees, define success criteria and establish the rubric. For example, if the concern is employee productivity, one may want to allow (not blacklist) file-transfer apps similar to Dropbox. But if security is the key driver, Dropbox would typically be blacklisted.
"Third, consider whitelisting instead of blacklisting. If security is the main concern, whitelisting is the better option, as it allows businesses to have absolute control over which apps employees are approved to use. With blacklisting, all apps are allowed, except a few that are specifically forbidden — thus, there is more room for employees to work around restrictions and simply utilize apps that aren't on the blacklist. In that sense, blacklisting is the Maginot line of app security. With whitelisting, on the other hand, only approved apps are allowed to be used and all others are forbidden, which makes for a more secure position, but can be politically difficult to manage in the enterprise."
Brown also recommends that the policies must be communicated to the enterprise. In particular, employees need to know why the restrictions have been put in place and how they will benefit the company. Clearly communicating these policies is key to making employees feel comfortable with the restrictions.
Improving password protection over mobile devices
Brown offers the following best practices for employee passwords:
- Require employees to create passwords that are at least 10 characters in length and to use the widest character set possible, including alphabetic (upper and lower case), numeric, and special characters (punctuation)
- Mandate that employee passwords not include words or names, because anything that can be found in a dictionary can be cracked in minutes (even when the word is part of the password — like "James123" — it's easily discovered with modern computing power)
Brown also advocates salted password hashing:
"Manage and protect passwords by employing salted password hashing. Hash algorithms are one-way functions that turn passwords into irreversible, randomized letter combinations. The passwords are stored in a form, which is impossible to reverse. When employees create an account and a password, the password is hashed, the hashed result is stored, and the original plain text version of the password is never stored in the system.
"When the employee tries to login, the hash of the password they entered is compared to the hash of their password in the database. To further protect the password, the hash is salted. Salt is additional complexity added to the hashing process, so that if two people have created the same password, the two hashed versions stored in the database will be different. With salting, if a hacker figures out one employees' password, they can't determine other passwords by looking for matches in the database. Salting also makes the process of reversing a hash much more complicated and time consuming for hackers."
Here are some of Brown's best practices for passwords on employee mobile devices:
- Limit the amount of time an employees' password can exist
- Require users to have different passwords on different devices, accounts, or systems
- Create and enforce a corporate policy that sanctions employees for sharing their passwords with others
As for Fiberlink's research on mobile password security, Dale says:
"We found it surprising that IT has the technology means and power to enforce more complex passcodes on mobile devices but often times allows a basic passcode of only four numbers. Of course, there are some industries that are setting more complex policies, such as public sector organizations. When we looked at a large sampling of the devices we manage for the enterprise, we found that 15% of all devices do not have a passcode being required, and 85% do have a passcode requirement. However, when a passcode is enforced, a basic PIN is the most popular passcode type."
Dale mentions these best practices for governing passwords:
- Encourage employees to have device-level passcodes. Even if this is for personal benefit and not mandated by IT, employees should have some protection for the personal information on their devices. On some operating systems, creating a passcode also enables encryption.
- Require a passcode to access corporate information, such as corporate e-mail and documents. These passcodes can be more complex than the basic four-digit pin at the device level.
- Enforce advanced passwords when accessing very important information. If an employee is accessing a network resource, like SharePoint or their network folder to access a Word document, you should prompt them for their Active Directory credentials. This goes beyond the security level of a four-digit pin.
- The combined approach of these passcodes and passwords will help ensure the device, data, and apps are protected without being overbearing to the employees.
Both Dale and Brown offer some good, actionable advice for enterprises of all sizes about implementing application blacklists and whitelists, plus improving password protection over corporate and BYOD mobile devices.
Does your organization have a passcode requirement, or has it implemented mobile app blacklists and whitelists? Describe your experience in the discussion thread below.
Will Kelly is a freelance technical writer and analyst currently focusing on enterprise mobility, Bring Your Own Device (BYOD), and the consumerization of IT. He has also written about cloud computing, Big Data, virtualization, project management applications, Google Apps, Microsoft technologies, and online collaboration for TechRepublic and other sites. Will also works as a contract technical writer for clients in the Washington, DC area and nationwide. Follow Will on Twitter: @willkelly.