Enable ZTNA at the Mobile Edge

We love to discuss what matters with mobile, especially what happens technically with our Data Management Engine – or as we call it, “a peek under the [data] hood.” Zero Trust Network Access (ZTNA) is a key topic and here are blogs by Will Chow, Mobolize | CTO, about how our Data Management Engine powers ZTNA and Domain Name System (DNS) security for mobile the right way.

A Peek Under the [Data] Hood: Finally, ZTNA for Mobile Done Right – And a Checklist to Make Sure

By Will Chow, Mobolize | CTO

If you’re reading this, you’re probably looking for a secure remote access solution for mobile and finding that it is more cryptozoology than cryptography: fast, yet secure, remote access for mobile is practically mythical. Basically, most mobile solutions either use a traditional VPN that exposes your entire intranet to lateral movement, OR use a Cloud Access Security Broker (CASB) or similar web proxy that doesn’t support all web apps/sites and doesn’t support mobile apps at all.

So, it’s no surprise that IT is in the midst of a massive shift towards Zero Trust Network Access (ZTNA), with Gartner projecting 60% of enterprises will have switched over to ZTNA by 2023. However, it turns out ZTNA for mobile is just as elusive as Bigfoot, where most vendors only support desktops, some are simply relabeled CASB products, and many claiming to have ZTNA for mobile are really faking it.

At Mobolize, we have over a decade of expertise in delivering secure, high performance connectivity for mobile devices, including ZTNA, so in this post, we’ll tell you how to tell a real ZTNA mobile solution from a cryptid.

Why is secure remote access so hard for mobile?

The list of challenges for existing mobile remote access solutions is very long, but let’s distill it down to the big ones, starting with those for traditional VPNs. As a reminder, a “traditional” VPN is any that tunnels all of the traffic on the endpoint device into your intranet, such as via IPsec, L2TP and SSL tunnels.

Why traditional VPNs are becoming extinct:

  • Sooooo slow: Everything is rerouted through the corporate network, even non-work activity, so this means many more hops that go thru a congested intranet pipe, with the end result being slow internet access, unusable voice/calling apps and escalating IT bandwidth costs.
  • No real “splitting”: A traditional VPN can only “split” routes based on IP ranges, so you can’t split by domain or hostname patterns. Since internet IPs are vast and constantly changing, this type of splitting isn’t useful and rarely used.
  • No SSO or even MFA: Legacy VPN servers use old-school passwords/keys/certs, which is so insecure that no one should be using them. Very few traditional VPN solutions support 2FA and virtually none have true single sign-on, which all means lower security because of password hell.

Figure 1 – Traditional VPNs send everything thru your corporate intranet

It’s no wonder enterprise IT is now moving away from traditional VPNs, a technology that’s been largely unchanged since the mid 90s!

Continue reading the blog here.

A Peek Under the [Data] Hood: DNS Security is Now Available for Mobile Devices

By Will Chow, Mobolize | CTO, Co-Founder

Modern mobile operating systems have done an excellent job of protecting users from harm. But like many things, this is a case of good news and bad news. The good news is that app stores prevent most bad apps from getting onto the device and app sandboxing limits the damage from bad apps that happen to sneak into the app stores.

The bad news: app sandboxing. The same security mechanism that prevents a bad app from accessing data of other apps has also literally boxed out traditional security apps from being able to detect these bad apps. This means that if an app sneaks past the Google or Apple review process, we can be pwned. Unfortunately, this has occurred far too many times, not just with Android (e.g. Stagefright exposed >1 billion devices to takeover via a single MMS), but also iOS (e.g. XcodeGhost trojan horse found in >4000 apps). These attacks will continue because the rewards are simply too great and, frankly, Google and Apple need help.

The solution? Guard the “front door” of a device with DNS security. After all, when an iPhone or Android is first turned on, it is new and clean (of any malware) and the only way it can be infected is through the Wi-Fi or cellular network. For decades, malware and phishing attacks have been effectively blocked on PCs by using a “filtering” DNS provider that detects malware, phishing sites and other undesirable content before they can be downloaded to a computer. The problem is that one can’t just point a mobile device at the filtering DNS provider of choice since DNS settings are also locked down, ostensibly to prevent malware from changing a device’s DNS. But this also prevents enabling the DNS protection service of choice on one’s own device.

Well, we at Mobolize have an app for that and this little app (e.g., just 6 MBs on Android) contains our patented Data Management Engine that enables our partners to seamlessly connect their cloud-based services, such as a filtering DNS protection service or Secure Web Gateway (SWG), to any mobile device. By hooking into the network stack using our SmartVPN® technology, our engine has the unique advantage of handling all IP packets on Wi-Fi and cellular traffic without needing a VPN server and can thus support any internet protocol, including TCP, UDP and DNS.

That means the Mobolize Data Management Engine enables our partners to provide a wide range of services, such as encrypting traffic on public Wi-Fi, reducing data consumption on cellular networks, and (back to the topic of this blog) protecting users from malware and phishing sites.

Because of this ability, the Data Management Engine becomes a smart data traffic manager that ensures the best connectivity and security on mobile devices, including the ability to leverage third-party DNS protection services or SWG threat and DLP scanning. By routing all IP traffic through our engine, intelligent packet-level decisions can be made regarding malware, phishing and inappropriate content filtering at a fine-grain level that provides real protection against threats on mobile devices.
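The two points made across both posts, splitting traffic by hostname pattern rather than IP range and filtering DNS queries for malicious domains, both come down to inspecting the name inside a DNS query packet before it leaves the device. The example below is added here and is not Mobolize code: it parses the question name from a DNS query in RFC 1035 wire format and applies a suffix-based policy (the domain lists are constructed placeholders) that blocks known-bad names, tunnels corporate names and lets everything else go direct.

```python
import struct

# Constructed policy lists (hypothetical placeholder names, not real indicators).
BLOCKED_SUFFIXES = ("phishing-example.test", "malware-example.test")
CORPORATE_SUFFIXES = ("intranet.example.com",)


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS query (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not expected in a query QNAME
            raise ValueError("unexpected label pointer in query")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def matches_suffix(name: str, suffixes) -> bool:
    # Exact match or a label boundary, so "notintranet.example.com" does not match.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def decide(packet: bytes) -> str:
    """Policy verdict for one DNS query: 'block', 'tunnel' or 'direct'."""
    name = parse_qname(packet)
    if matches_suffix(name, BLOCKED_SUFFIXES):
        return "block"      # DNS filtering: never resolve, never connect
    if matches_suffix(name, CORPORATE_SUFFIXES):
        return "tunnel"     # hostname-based split: only this goes to the intranet
    return "direct"


def build_query(name: str) -> bytes:
    """Constructed A-record query (ID 0x1234, RD set) used as sample input."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
```

Because the decision is made on the name at query time, a corporate host whose IP changes is still tunnelled, which an IP-range split rule cannot guarantee.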

Continue reading the blog here.