Password protection and application security are high on the
list of security concerns as more organizations move to mobile first and
Bring Your Own Device (BYOD) strategies.
I recently spoke with Jonathan Dale, director of marketing for Fiberlink (recently acquired by IBM), and James Brown, chief digital technologist at Compuware Professional Services, and they answered some questions concerning the blacklisting and whitelisting of apps and password security.
Creating app blacklists and whitelists
According to Jonathan Dale, “File sharing apps are the most common blacklisted apps in
the enterprise. The top five blacklisted apps include
Dropbox, SugarSync, Box, Facebook, and Google Drive.” Fiberlink’s app data
comes from over 4,500 of their customers using a mix of corporate- and employee-owned devices.
Figure A shows the top 10 list of blacklisted iOS and Android apps amongst Fiberlink customers:
Figure A: The top 10 list of blacklisted iOS and Android apps.
Dale says, “The top concern for most corporations is knowing
that their data is safe and always in the right hands. Blacklisting can play a
role, but we find that there are both right and wrong times to restrict apps.
For instance, restricting an app for no reason is a quick way to get your BYOD
deployment to backfire. Even corporate-owned devices with blacklisting apps can
make employees unhappy.”
Right now, blacklisting occurs on 10% of the devices that
Fiberlink manages, prohibiting a specific app or apps from running. This means that IT is trying to ensure the intended use of
the device and prevent the loss of corporate data, which is considered a major
security risk. Dale recommends blacklisting and even whitelisting where appropriate.
Figure B shows the top 10 list of whitelisted iOS and Android apps amongst Fiberlink customers:
Figure B: The top 10 list of whitelisted iOS and Android apps.
James Brown offers the following advice about blacklisting and whitelisting:
“First, define the purpose for creating the blacklist. Many assume that blacklisting is
a practice predominantly utilized for security purposes, but businesses also
blacklist time-wasting applications — such as Angry Birds — to manage employee
productivity. Blacklisting can also help with those apps that dramatically
increase data-transfer demands on the network, such as Netflix.
“Second, create a rubric for
scoring apps or criteria for deciding which apps should be blacklisted. Once it has been decided whether the focus is to complement
security or to decrease distraction among employees, define success criteria
and establish the rubric. For example, if the concern is employee productivity,
one may want to allow (not blacklist) file-transfer apps similar to Dropbox.
But if security is the key driver, Dropbox would typically be blacklisted.
“Third, consider whitelisting
instead of blacklisting. If security is the main concern,
whitelisting is the better option, as it allows businesses to have absolute
control over which apps employees are approved to use. With
blacklisting, all apps are allowed, except a few that are specifically forbidden — thus, there is more room for employees to work around restrictions and simply utilize
apps that aren’t on the blacklist. In that sense, blacklisting is the Maginot
line of app security. With whitelisting, on the other hand, only
approved apps are allowed to be used and all others are forbidden, which makes for a more secure position, but can be politically difficult
to manage in the enterprise.”
Brown also recommends that
the policies must be communicated to the enterprise. In particular,
employees need to know why the restrictions have been put in place and how they
will benefit the company. Clearly communicating these policies is key to making
employees feel comfortable with the restrictions.
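To make the default-allow versus default-deny distinction concrete, here is an added example (not code from Fiberlink, Compuware or the interviewees) of a small policy evaluator run over a constructed device inventory. Plain app names stand in for the bundle identifiers an MDM product would actually match on, and the unlisted file-sync app is a constructed stand-in for the "work around the blacklist" case Brown describes.

```python
# Added example: contrast blacklist (default-allow) and whitelist (default-deny)
# enforcement over one device's installed-app inventory. App names and the
# inventory are constructed sample data, not Fiberlink customer data.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppPolicy:
    mode: str                                             # "blacklist" or "whitelist"
    apps: frozenset[str] = field(default_factory=frozenset)  # listed app identifiers

    def allows(self, app: str) -> bool:
        if self.mode == "blacklist":
            # default-allow: only the listed apps are blocked
            return app not in self.apps
        if self.mode == "whitelist":
            # default-deny: only the listed apps may run
            return app in self.apps
        raise ValueError(f"unknown policy mode: {self.mode}")


def evaluate_device(policy: AppPolicy, installed: list[str]) -> dict[str, list[str]]:
    """Split one device's inventory into allowed apps and policy violations."""
    allowed = [app for app in installed if policy.allows(app)]
    violations = [app for app in installed if not policy.allows(app)]
    return {"allowed": allowed, "violations": violations}


def blacklist_gap(blacklist: AppPolicy, whitelist: AppPolicy, installed: list[str]) -> list[str]:
    """Apps the blacklist lets through but the whitelist would block: the
    'not on the blacklist' workaround space Brown warns about."""
    return [app for app in installed if blacklist.allows(app) and not whitelist.allows(app)]


if __name__ == "__main__":
    # The five apps Dale names as most commonly blacklisted, as a sample blacklist.
    bl = AppPolicy("blacklist", frozenset({"Dropbox", "SugarSync", "Box", "Facebook", "Google Drive"}))
    wl = AppPolicy("whitelist", frozenset({"Mail", "Word", "SharePoint"}))
    inventory = ["Mail", "Dropbox", "UnlistedFileSync", "Word"]  # constructed
    print("blacklist:", evaluate_device(bl, inventory))
    print("whitelist:", evaluate_device(wl, inventory))
    print("gap:", blacklist_gap(bl, wl, inventory))
```

Running the script shows the blacklist flagging only Dropbox while the unlisted file-sync app passes, whereas the whitelist flags both; `blacklist_gap` lists exactly that unlisted app.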
Improving password protection over mobile devices
Brown offers the following best practices for employee
- Require employees to create passwords that are at least 10 characters in length and to use the widest character
set possible, including alphabetic (upper and lower case), numeric, and special
- Mandate that employee passwords not include
words or names, because anything that can be found in a dictionary can be cracked in
minutes (even when the word is part of the password — like “James123” — it’s easily discovered with modern computing power)
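The two rules above can be checked automatically at enrollment or password-change time. The following is an added example (not code from the interviewees or their companies) that implements them: a minimum of 10 characters drawn from all four character classes, and rejection of any password that contains a dictionary word or name, so that “James123” fails the way the text describes. The word list is a constructed sample; a real deployment would load a large cracking dictionary.

```python
# Added example: password-policy check for the length, character-set and
# dictionary-word rules. SAMPLE_WORDLIST is a constructed stand-in for a real
# dictionary/name list.
from __future__ import annotations

import string

SAMPLE_WORDLIST = {"james", "password", "summer", "welcome", "admin"}  # constructed


def contains_dictionary_word(password: str, wordlist=SAMPLE_WORDLIST, min_len: int = 4) -> str | None:
    """Return the first dictionary word found inside the password (case-insensitive),
    or None. Words shorter than min_len are ignored to avoid false positives."""
    lowered = password.lower()
    for word in sorted(wordlist):  # sorted for deterministic results
        if len(word) >= min_len and word in lowered:
            return word
    return None


def check_password(password: str, wordlist=SAMPLE_WORDLIST) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    word = contains_dictionary_word(password, wordlist)
    if word is not None:
        problems.append(f"contains dictionary word or name '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ["James123", "xT7#qL2!mZ9v", "Welcome2014!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the dictionary check is a substring match, which is what catches “James123”; a pure whole-word comparison would miss it.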
Brown also advocates salted password hashing:
“Manage and protect passwords by
employing salted password hashing. Hash algorithms are one-way functions that turn passwords into irreversible, randomized letter combinations. The passwords
are stored in a form, which is impossible to reverse. When employees create an
account and a password, the password is hashed, the hashed result is stored, and
the original plain text version of the password is never stored in the system.
“When the employee tries to log in, the hash of the password
they entered is compared to the hash of their password in the database. To
further protect the password, the hash is salted. Salt is additional complexity added to the hashing process, so that if two people have created the same password, the two hashed versions
stored in the database will be different. With salting, if a
hacker figures out one employee’s password, they can’t determine other
passwords by looking for matches in the database. Salting also makes the
process of reversing a hash much more complicated and time consuming for
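The scheme Brown describes, as an added example that is not the interviewee's code: a per-user random salt is generated when the account is created, salt and digest are stored together, and a login attempt is verified by recomputing the digest and comparing in constant time. The choice of PBKDF2-HMAC-SHA256 with a high iteration count is this example's assumption (the text only says “salted password hashing”); an unsalted SHA-256 helper is included purely to show the identical-hash problem salting solves. The sample passwords are constructed.

```python
# Added example: salted password hashing with PBKDF2-HMAC-SHA256 from the
# standard library. Stored form: pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>.
# Sample passwords below are constructed.
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Hash a new password with a fresh random salt and return the storable string."""
    if salt is None:
        salt = os.urandom(16)  # unique salt per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)  # avoids timing leaks


def unsalted_sha256(password: str) -> str:
    """The weak approach, for contrast: identical passwords give identical hashes,
    so one cracked hash reveals every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two employees who happened to choose the same (constructed) password.
    alice = hash_password("Summer2014!")
    bob = hash_password("Summer2014!")
    print("salted records differ:", alice != bob)
    print("unsalted digests equal:", unsalted_sha256("Summer2014!") == unsalted_sha256("Summer2014!"))
    print("correct login:", verify_password("Summer2014!", alice))
    print("wrong login:", verify_password("summer2014!", alice))
```

Because the iteration count is stored with each record, it can be raised for new passwords without invalidating existing ones.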
Here are some of Brown’s best practices for passwords
on employee mobile devices:
- Limit the amount of time an employee’s password
- Require users to have different passwords on
different devices, accounts, or systems
- Create and enforce a corporate policy that sanctions employees for sharing their passwords with others
As for Fiberlink’s research on mobile password security, Dale says:
“We found it surprising that IT has
the technology means and power to enforce more complex passcodes on mobile
devices but oftentimes allows a basic passcode of only four numbers. Of
course, there are some industries that are setting more complex policies, such
as public sector organizations. When we looked at a large sampling of the devices we manage
for the enterprise, we found that 15% of all devices do not have a passcode
being required, and 85% do have a passcode requirement. However, when a
passcode is enforced, a basic PIN is the most popular passcode type.”
Dale mentions these best practices for governing passwords:
- employees to have device-level passcodes. Even if this is for personal
benefit and not mandated by IT, employees should have some protection for the
personal information on their devices. On some operating systems, creating
a passcode also enables encryption.
- Require a
passcode to access corporate information, such as corporate e-mail and
documents. These passcodes can be more complex than the basic four-digit
PIN at the device level.
- Enforce advanced
passwords when accessing very important information. If an employee
is accessing a network resource, like SharePoint or their network folder to
access a Word document, you should prompt them for their Active Directory
credentials. This goes beyond the security level of a four-digit PIN.
- The combined
approach of these passcodes and passwords will help ensure the device, data,
and apps are protected without being overbearing to the employees.
Both Dale and Brown offer some good, actionable advice for enterprises of all sizes about implementing application blacklists and whitelists, plus improving password protection over corporate and BYOD mobile
Does your organization have a passcode requirement, or has it implemented mobile app blacklists and
whitelists? Describe your experience in the discussion thread below.