Nowadays, more and more of our endpoints are always on and connected, which poses a unique security challenge. For highly secured environments, the best, time-proven solution has been to use air-gapped networks; but the need to access these restricted environments from mobile endpoints is growing exponentially.
So how can we provide access to critical data from those mobile endpoints, while ensuring the separation from the Internet and all the cybersecurity risks it potentially represents?
What is an Air-Gapped Network?
An air-gapped network is a highly secure and isolated computer network that is completely disconnected from external networks, such as the Internet or other local networks. This extreme isolation is implemented to prevent any data transfer, whether intentional or accidental, between the air-gapped network and the outside world. Such networks are used in scenarios where the absolute protection of sensitive or classified information is of paramount importance.
When/Where are They Typically Used?
In the realm of military and defense, for instance, air-gapped networks are the go-to solution for safeguarding classified military plans, confidential communications, and sensitive intelligence from potential cyberattacks and espionage. Similarly, critical infrastructure facilities like power plants, water treatment plants, and nuclear reactors utilize air-gapped networks to thwart cyber intrusions that could lead to disastrous consequences for public safety and the smooth functioning of these essential systems. Financial institutions, including stock exchanges and central banks, employ air-gapped networks to secure financial data and transactions, preserving the stability and integrity of financial markets. Government agencies and intelligence organizations rely on air-gapped networks to shield classified information, espionage activities, and diplomatic communications, thereby mitigating the risk of leaks or cyber breaches. Moreover, in the realm of research and development, companies use air-gapped networks to protect proprietary data, innovative research, and trade secrets from potential industrial espionage.
What are the Challenges?
Air-gapped networks provide the highest level of digital security, ensuring that sensitive information remains impervious to external threats and unauthorized access. But deploying mobile devices in an air-gapped environment, where they are intentionally isolated from external networks and the internet, presents several notable challenges.
Firstly, limited connectivity is a fundamental issue as mobile devices heavily rely on internet connectivity for updates, app installations, and synchronization with different cloud services. In an air-gapped environment, these essential functions become severely constrained or entirely unavailable, impacting the usability of the devices. This can affect day-to-day operations, as users rely on connectivity for various tasks.
Managing software updates is another significant challenge. Mobile devices regularly require updates to their operating systems, security patches, and applications, and these updates are typically delivered directly over the Internet. In an air-gapped environment, that is no longer feasible, which potentially exposes the devices to known vulnerabilities that might have been addressed in newer versions. It is critical to find alternatives to keep the whole mobile fleet up to date and secure, even when no Internet connectivity is available.
App management also becomes a complex task in air-gapped environments, as installing and updating applications typically relies on online app stores or repositories. In such environments, distributing and managing applications can be cumbersome.
User experience is a crucial consideration, as users are accustomed to seamless connectivity at all times and from any location; frustration with the restricted functionality of an air-gapped environment can lead to reduced productivity and user dissatisfaction.
Mobile device compatibility in such scenarios is usually limited to a few mobile manufacturers and device models, usually the more expensive, premium high-end devices, which directly translates into a higher cost compared to a standard deployment.
Mobile Device Management (MDM) solutions usually rely on Internet connectivity to communicate with managed mobile devices as well as cloud-based services, like push notification services (e.g., Apple APNs, Google FCM) or public application stores (e.g., Apple App Store, Google Play). So, in air-gapped deployments, it is critical to pick a solution that is either specially designed for such conditions or can at least work in them. Alternative methods and procedures, as well as specific, additional tools, might also be required for day-to-day tasks like device enrollment without Internet access.
Finally, while air-gapped deployments offer enhanced security by isolating devices from online threats, they also introduce security challenges; security measures that rely on real-time threat intelligence and cloud-based analysis are typically not available here, so maintaining the security posture of devices becomes a more complex endeavor, requiring alternative strategies for threat detection and mitigation.
How Can You Deploy and Manage Mobile Devices?
MDM Solutions
Most vendors do support the deployment and management of mobile devices in air-gapped environments with no Internet connectivity; some provide a version of their UEM solution specifically designed to work in such environments, while others simply provide support but with a very limited set of features. Common to all of them is app deployment which, instead of relying on vendors’ public app stores as in a standard deployment, is done using a local app store, with the UEM solution hosting the binary files that are later downloaded onto the managed mobile devices.
Mobile Devices
Mobile devices heavily rely on Internet connectivity for pretty much everything, so not all of them can be used in air-gapped deployments; some might be able to work, even if with limited functionality, while others will not work at all.
Apple
Enrolling and managing Apple devices, from iOS and iPadOS mobile devices to macOS computers, requires the UEM solution to use the cloud-based Apple Push Notification service (APNs) to securely communicate with them and manage them remotely; this is mandatory. In air-gapped environments with no Internet connectivity, APNs simply cannot be used; there are currently no alternatives from Apple, which rules out Apple devices as a convenient option for such deployments.
Android
While the cloud-based Google Firebase Cloud Messaging (FCM) service is used for many mobile device management tasks, Android devices can still be used in air-gapped networks with no Internet connectivity, as they can instead connect and report back directly to the UEM server, for example over a local Wi-Fi connection.
Samsung Knox
Samsung provides several on-premises enterprise tools to help deploy and manage mobile devices in air-gapped environments, from offline license management to local device enrollment and offline Operating System (OS) updates, making Samsung Knox mobile devices a great option for such deployments.
How to Protect Data in Transit?
In air-gapped environments, access to both the UEM server and internal resources is usually done over a local, secure and trusted Wi-Fi network; the use of a VPN connection is also supported in some cases, although it is usually neither used nor recommended as it would defeat the whole purpose of using a closed network. However, Wi-Fi is no longer the only wireless network available, as Private Long-Term Evolution (LTE) technology provides organizations with an alternative, dedicated, secure, and high-performance cellular network for these specific needs. It is built upon the same LTE technology that powers public cellular networks but is deployed for private, enterprise-specific applications.
Using private LTE in an air-gapped environment, compared to relying only on Wi-Fi, presents benefits but also drawbacks. Private LTE provides dedicated and robust connectivity, ensuring devices remain connected even in challenging conditions, while Wi-Fi can be prone to interference and congestion. Private LTE networks also cover vast areas, including remote locations, making them suitable for the military. They can be highly secure, with features like encryption that are crucial for protecting sensitive data, and they allow customization of Quality of Service (QoS), ensuring critical applications receive priority.
But private LTE also has drawbacks compared to Wi-Fi connectivity. First, the cost of implementing and maintaining a private LTE network can be high due to infrastructure and licensing expenses, whereas Wi-Fi often leverages existing infrastructure. It also requires specialized expertise, potentially leading to longer setup times and increased operational complexity. Finally, private LTE may not be universally compatible with all mobile devices, not to mention desktop computers, while Wi-Fi is supported on pretty much any device nowadays, including smartphones, laptops, and IoT devices.
How to Protect Data at Rest?
Protecting data-at-rest on mobile devices is critical for safeguarding and preventing unauthorized access to sensitive information in case the device is lost, stolen, or compromised.
A default, mandatory security measure is to enable device-level data encryption. On Android devices, this is achieved using either Full-Disk Encryption (FDE), which encrypts the entire storage of the device and ensures that all data, including the operating system and user files, is protected with biometric authentication, or File-Based Encryption (FBE), which provides a more granular approach, for example for personally enabled devices with both work and personal workspaces.
Samsung Knox DualDAR
Samsung goes beyond that with Knox DualDAR, a mobile security solution designed to protect sensitive data on Samsung mobile devices. It uses dual-layered encryption, combining hardware and software encryption, and creates a secure workspace for work-related apps and data, isolating them from personal content. Access control features like biometric authentication ensure only authorized users can access protected data, and IT administrators can remotely manage and enforce security policies, enhancing device security. It complies with security standards and certifications, making it suitable for industries with stringent data protection requirements, ensuring data remains secure on mobile devices while maintaining usability.
One step further is using a Virtual Mobile Infrastructure (VMI), so that no data at all is stored on the mobile device, which de facto removes any threat to data at rest, as there is no longer any on the device.
Hypori
Hypori Halo is a highly secure, virtual smartphone solution that lets users perform business tasks on their mobile devices with a container-like user experience, with the difference that no corporate data ever leaves the company network at any point, nor is any data physically stored (zero footprint) on user devices. Instead, only graphics are sent to the device in an encrypted pixel stream. This solution is often used in industries and environments where data security and compliance are critical, such as healthcare, government, finance, and other sectors with stringent data protection requirements.
Provisioning in an air-gapped environment can be cumbersome, as many imposed limitations have to be worked around to achieve what are usually simple administrative tasks. Thankfully, we at ISEC7 have a proprietary, MDM-vendor-agnostic tool that greatly simplifies the provisioning of mobile devices in restricted environments, air-gapped included. The experts at ISEC7 have successfully deployed mobile devices in air-gapped environments for dozens of customers and completed a multitude of such deployments for government agencies. Please contact the team at ISEC7 and we would be more than happy to assist you with consulting, design, architecture, and deployment of mobile devices in your air-gapped environment.