By Will Chow, Mobolize | CTO
If you’re reading this, you’re probably looking for a secure remote access solution for mobile and finding that it is more cryptozoology than cryptography: fast, yet secure, remote access for mobile is practically mythical. Basically, most mobile solutions either use a traditional VPN that exposes your entire intranet to lateral movement, or use a Cloud Access Security Broker (CASB) or similar web proxy that doesn’t support all web apps/sites and doesn’t support mobile apps at all.
So, it’s no surprise that IT is in the midst of a massive shift towards Zero Trust Network Access (ZTNA), with Gartner projecting 60% of enterprises will have switched over to ZTNA by 2023. However, it turns out ZTNA for mobile is just as elusive as Bigfoot, where most vendors only support desktops, some are simply relabeled CASB products, and many claiming to have ZTNA for mobile are really faking it.
At Mobolize, we have over a decade of expertise in delivering secure, high performance connectivity for mobile devices, including ZTNA, so in this post, we’ll tell you how to tell a real ZTNA mobile solution from a cryptid.
Why is secure remote access so hard for mobile?
The list of challenges for existing mobile remote access solutions is very long, but let’s distill it down to the big ones, starting with those for traditional VPNs. As a reminder, a “traditional” VPN is any that tunnels all of the traffic on the endpoint device into your intranet, such as via IPsec, L2TP and SSL tunnels.
Why traditional VPNs are becoming extinct:
Figure 1 – Traditional VPNs send everything through your corporate intranet
It’s no wonder enterprise IT is now moving away from traditional VPNs, a technology that’s been largely unchanged since the mid 90s!
By Will Chow, Mobolize | CTO, Co-Founder
Modern mobile operating systems have done an excellent job of protecting users from harm. But like many things, this is a case of good news and bad news. The good news is that app stores prevent most bad apps from getting onto the device and app sandboxing limits the damage from bad apps that happen to sneak into the app stores.
The bad news: app sandboxing. The same security mechanism that prevents a bad app from accessing the data of other apps has also literally boxed out traditional security apps from being able to detect these bad apps. This means that if an app sneaks past the Google or Apple review process, we can be pwned. Unfortunately, this has occurred far too many times, not just on Android (e.g. Stagefright exposed >1 billion devices to takeover via a single MMS), but also on iOS (e.g. the XcodeGhost trojan horse found in >4000 apps). These attacks will continue because the rewards are simply too great and, frankly, Google and Apple need help.
The solution? Guard the “front door” of a device with DNS security. After all, when an iPhone or Android is first turned on, it is new and clean (of any malware), and the only way it can be infected is through the Wi-Fi or cellular network. For decades, malware and phishing attacks have been effectively blocked on PCs by using a “filtering” DNS provider that detects malware, phishing sites and other undesirable content before they can be downloaded to a computer. The problem is that one can’t just point a mobile device at the filtering DNS provider of choice, since DNS settings are also locked down, ostensibly to prevent malware from changing a device’s DNS. But this also prevents enabling the DNS protection service of choice on one’s own device.
Well, we at Mobolize have an app for that, and this little app (e.g., just 6 MB on Android) contains our patented Data Management Engine that enables our partners to seamlessly connect their cloud-based services, such as a filtering DNS protection service or Secure Web Gateway (SWG), to any mobile device. By hooking into the network stack using our SmartVPN® technology, our engine has the unique advantage of handling all IP packets on Wi-Fi and cellular traffic without needing a VPN server, and can thus support any internet protocol, including TCP, UDP and DNS.
That means the Mobolize Data Management Engine enables our partners to provide a wide range of services, such as encrypting traffic on public Wi-Fi networks, reducing data consumption on cellular networks, and (back to the topic of this blog) protecting users from malware and phishing sites.
Because of this ability, the Data Management Engine becomes a smart data traffic manager that ensures the best connectivity and security on mobile devices, including the ability to leverage third-party DNS protection services or SWG threat and DLP scanning. By routing all IP traffic through our engine, intelligent packet-level decisions can be made regarding malware, phishing and inappropriate content filtering at a fine-grained level that provides real protection against threats on mobile devices.
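As an added illustration (example code, not Mobolize’s engine or any provider’s product), here is the core of the DNS-level check described above: an on-device packet handler parses the question out of a raw DNS query, matches the name and its parent domains against a blocklist, and synthesizes an NXDOMAIN reply so the lookup never leaves the device. The blocklist entries are constructed placeholder names, not real indicators.

```python
import struct

# Constructed stand-in for a filtering DNS provider's threat feed (hypothetical names).
BLOCKLIST = {"malware-example.test", "phish-example.test"}

def parse_qname(pkt, offset=12):
    """Read the uncompressed QNAME of the first question; return (name, next_offset)."""
    labels = []
    while True:
        length = pkt[offset]
        if length & 0xC0:  # compression pointers do not occur in a client query's QNAME
            raise ValueError("unexpected compression pointer in question")
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset

def is_blocked(name):
    """Match the exact name or any parent domain against the blocklist, label by label."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def filter_query(pkt):
    """Return None to pass the query through, or a synthesized NXDOMAIN reply to block it."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        return None  # not a plain query with exactly one question; leave it alone
    name, end = parse_qname(pkt)
    if not is_blocked(name):
        return None
    # Reply header: QR=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN), no answers.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0)
    return header + pkt[12:end + 4]  # echo the question (QNAME + QTYPE + QCLASS)

def build_query(name, txid=0x1234):
    """Constructed A-record query (RD set) used to exercise the filter offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

In a real engine the same function sits on the UDP/53 path of the intercepted tunnel; anything returning None is forwarded to the upstream resolver unchanged.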