Nukona Policy Management An approach to managing applications and securing corporate data on smart mobile devices Chris Perret CEO Nukona,Inc. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 1
Table of Contents Purpose of Document... 3 Overview... 3 Policy Management Basic Concepts... 5 Policies That Can Be Enforced... 7 How the Policy Engine Works... 8 Summary... 11 Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 2
Purpose of Document In this paper we will describe the basic theory of operations of the Nukona Policy Engine, a critical component of Nukona App Center TM, Enterprise Edition. The paper will outline both the concepts and the process required to deploy secured and managed native and web applications to smart mobile devices, in particular ios and Android devices, and detail the types of policies and security that can be applied to the apps. Overview Nukona s App Center product has been designed from the ground up to allow large enterprises to reliably and at scale deploy apps to their employees that are using either ios or Android devices for work purposes. Unlike competitive products, Nukona s products allow Enterprise IT to set the policies and information assurance they care about without requiring any modifications to the source code of apps. This approach was taken by Nukona to ensure that apps deployed by Enterprise IT are not reliant on internal or third-party app developers to be compliant with the policies and compliance needs of the organization. This approach also allows organizations to apply policy across hundreds, if not thousands of apps, being deployed across multiple geographic regions to thousands of employees. A change in policy, or an update to app logic can be deployed to the entire employee community with a simple push of a button from the management console. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 3
In the above diagram, an app is developed, sourced or modified (1). If the app is coming from a developer, the new app is delivered to the appropriate IT administrator with a simple notification. If the app is sourced, the IT administrator can simply upload the app directly. The IT administrator creates sets of policies and selects the appropriate policy set to be applied to the app, based on the target audience and the information that the app accesses (2). A Nukona Policy Container is invoked around the app logic and the app is provisioned in the Enterprise App Store to be accessed by employees and other approved users. When installed on the user s device (3), the wrapped or containerized app is subject to the policy controls set by Enterprise IT, both at launch-time and while it is running. Using this model, all manner of policies can be set, from simple access and authentication policies, to keys management strategies, off-line access policies, re-authentication and refresh policy, and even policies related to single-sign on for related productivity apps. Since the container controlling the policy is delivered with the app and any data written locally on the device is being policy-managed, an enterprise can immediately support BYOD (Bring Your Own Device) using this approach. The corporate policy-managed apps and data can be co-resident on a device with personal apps and data. The remainder of the paper will provide detail on the concepts behind policy management, exactly what policies can be applied and more detail on how the wrapping of apps actually works in order to deliver the full policy management functionality outlined above. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 4
Policy Management Basic Concepts There are a few fundamental concepts that are key to understanding the operation, power and benefits of the Nukona Policy Engine: Apps may come from any source Nukona s policy management capability is not limited to internal apps. Any application where the IT department has access to the object code (.IPA file for ios,.apk file for Android) can have policy applied. Additionally, Nukona s Policy Engine can support applying policy to both internal and external web apps. Separation of app logic from policy Fundamental to corporate application governance is the requirement to be able to separate corporate policy from the application logic. The policy sets are created independently and applied on an app-by-app or app group basis. When policies change, the IT Administrator simply updates the apps with the new policy and re-deploys. No SDK or API s required Fundamental to the Nukona approach is the premise that an enterprise s ability to manage apps at scale is impossible if an SDK is required. Therefore the Nukona Policy Engine was designed to sit outside the app and not require any code changes whatsoever. This approach has the added benefit of not requiring application developers to have to learn about the complicated and often arcane world of mobile security, keys management and identity. The Policy Engine takes care of all those critical aspects prior to app deployment. Per-app container When Nukona Policy Engine applies a set of policies to an app, it is wrapped in a container prior to deployment. The container keeps the app completely independent from any other corporate or personal app that may be resident or running on the user s device. Therefore it is entirely feasible to concurrently be running multiple corporate apps that have different security profiles. The same app can also have different policies applied for different roles or groups of users. Policy control through distribution Apps are deployed via Nukona s enterprise app store that may be privatebranded to suit the enterprise or service provider. The enterprise app store provides the capability for full tiered access controls, role/group management and can be easily integrated with an organization s identity infrastructure such as Active Directory. Since the policies are applied statically to the apps before distribution, it is guaranteed that the policies will be in force when the users run the apps. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 5
App revocation The app container includes logic that will check on launch if the app is still current and also self-destruct code. Therefore the IT Administrator can revoke an app and the next time a user tries to launch the app it will delete all its data and itself. None of the other corporate or personal apps, or their data, is impacted. Policy updates When a policy is updated (e.g. a requirement to enforce encryption on all corporate data), the apps can be updated by the IT Administrator with no requirement to go back to the app developer or third party. If an app has already been distributed with policy management enabled, then the updated app is effectively pushed to the user since one of the features of the container is its ability to version check at launch. The actual mechanism employed is simply that the app is revoked and then redeployed. Future-proofing The design of the Policy Engine is such that the policies enforced can be extended based on changing requirements. Any functions that make system calls to the mobile operating system and any API s used by the apps can be controlled. So it is anticipated that the initial set of policies outlined below will be extended to meet future enterprise requirements. External app store / marketplace apps Nukona s App Center includes a store pointer capability to allow IT Administrators to include external apps from sources such as the itunes store or Android Market in the set of apps that a user can access. Note however that policies cannot be applied to apps downloaded from external stores. In order to apply policy to third party apps, an organization needs to acquire the rights to distribute the app through its own enterprise app store. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 6
Policies That Can Be Enforced In Nukona App Center, Enterprise Edition v2.0, the following policies can be enforced on an app-by-app basis: User authentication and re-authentication Before the app launches, the user is required to enter their credentials based on the identity infrastructure (e.g. Active Directory) Re-authentication on a periodic basis (e.g. every 30 minutes) can also be enforced Local storage rules Whether the app is allowed to write data to the local device If so, whether the data is required to be encrypted. If encryption is selected, the device s operating system encryption libraries are used but the keys for decryption are stored by default off the device in the App Center, thus delivering a dramatically improved level of security. Offline access rules Whether the app can be accessed offline If so, whether PIN access is required for authentication before launching the app Document sharing Whether document sharing from within the app is allowed. This is increasingly used by many apps to support file-sharing and collaboration apps such as Dropbox, Box.net, Evernote, etc. All major document sharing API s can be blocked or enabled: inter-app, itunes, icloud API access Whether specific API s are allowed. The initial set is: - copy / cut / paste: prevent user from being able to use editing functions - openurl: prevent app from being able to open any web page Jailbroken devices Whether to allow the app to launch on jailbroken devices or not Restrict Network Connections o Limit the application s ability to connect to only certain IP addresses / servers / ports Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 7
How the Policy Engine Works The key to the delivering on the promise of per app policy control is Nukona Policy Engine s ability to wrap or containerize an app. Let s take a closer look at how this works: 1 2 The application is uploaded into the App Center. This may be done by the developer or the IT Administrator. The IT Administrator creates appropriate sets of policies that can be applied to different groups of apps depending on the level of security required. For example: A policy for apps accessing no sensitive data with limited security requirements (e.g. an expense reporting app) o User authentication required? NO o Allow local storage? YES Enforce encryption? NO o Offline access allowed? YES Require PIN? NO o Restrict document sharing? NO o Restrict copy/cut/paste? NO o Restrict openurl? YES o Restrict network connections? YES Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 8
A policy for apps accessing sensitive data with high security requirements (e.g. a client billing app) o User authentication required? YES Re-authentication? Every 15 minutes o Allow local storage? YES Enforce encryption? YES o Offline access allowed? NO o Restrict document sharing? YES o Restrict copy/cut/paste? YES o Restrict openurl? YES o Restrict network connections? YES 3 4 The IT Administrator selects which policy set is appropriate for the app and applies it. Nukona Policy Engine then automatically opens up the app, replaces any of the relevant standard library calls (e.g. file open, file write) with policy-managed versions, creates the container for the app and re-certifies the app with the enterprise certificate. The app is now ready for distribution. The IT Administrator drags and drops the app into the enterprise app store and selects which users or groups of users should get access to the app. The icon for the app is badged to indicate that this a policy managed version. First time users are notified via email to download the App Center Client, after which they can download the apps to which they are entitled. After that, a notification that new or updated apps are available will come on their mobile device: Updates to apps which have been policy managed can be pushed automatically (assuming offline access is not enabled or being used). Apps which are not policy managed require the user to choose to update. Web Applications Web apps can be policy managed in the same way that native apps are. When the web app is selected, the container that Nukona Policy Engine wraps around the app is a secure browser that has been specifically enabled to manage policies. The user will download the app in the same way that they do with native apps. Unlike normal web clip apps that launch in the local browser (e.g. Chrome, Safari), the policy-managed web apps launch in the secure browser and so policy integrity is maintained. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 9
Mix of Corporate and Personal Apps When the policy-managed apps are running on a user s device, each corporate app is running with its own set of policies and all of the data written locally is under the control of the policy libraries. Thus the co-mingling of business and personal apps and data on any corporate-owned or employee-liable device is fully supported without risk of corporate data loss or compliance issues. Additionally, specific apps may be revoked by the IT Administrator on an app-by-app basis. The data associated with the app is also deleted without having to have the entire device wiped. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 10
Summary Enterprises are already increasingly dependent on smart mobile devices to run their business. The combination of new apps being specifically designed to run on devices such as the ipad together with the current wave (which is going to become a tidal wave) of BYOD means that IT needs to be in a position to take control of corporate apps and data as they are deployed on these devices. For that control to scale to support dozens, hundreds and eventually thousands of apps it is essential that corporate policies can be applied to all the apps that are required for the business native and web, in-house, third-party or COTS (commercial-off-the-shelf) apps and that these policies can be updated without recourse to an SDK or the requirement to have access to the source code in any way. This is what the Nukona Policy Engine is set up to deliver. In this model, all manner of policies can be set, from simple access and authentication policies, to keys management strategies, off-line access policies, reauthentication and refresh policy, and even policies related to single-sign on for related productivity apps. And the sound architectural approach of separating policy from application logic means that the ability to scale to thousands of apps and tens of thousands of users is built into the model. Symantec, Inc., 2012 Nukona Policy Management Whitepaper Page 11