Amazon Kindle Fire Meets Enterprise: Security Advice

How do you secure these devices, and prevent them from accessing the network, without help from your mobile device management system?

Michael A. Davis, CTO of CounterTack

September 28, 2011

4 Min Read
InformationWeek logo in a gray background | InformationWeek

Amazon announced its new 7-inch tablet this week to much fanfare. Great price ($199), great specs, and even more important, it runs Google's Android operating system, giving the user access to apps, movies, and a whole slew of other content. Our take: The price point makes this thing a credible iPad killer, but it's also a shot across Google's bow because the Kindle Fire is highly customized by Amazon and does not provide access to Google's Android market. Now it's an Amazon vs. Apple discussion instead of Google vs. Apple.

Smart tactic for Amazon and great for the consumer, but what does it mean for your network? If sales of Hewlett-Packard's doomed TouchPad are any indication, my bet is that it will increase the rate of tablet adoption dramatically. When HP announced a steep TouchPad price drop, weekend hackers started snapping them up and hacking them to run Android, dynamic IT dashboards, and remote-controlled robots. With such a low price for the Kindle Fire, consumers -- read: your end users -- will soon employ them for all kinds of functions Amazon never intended -- and you never imagined, for that matter. Which leads us to the security issues that accompany any fast-paced consumer adoption and how you can address them.

First, the Kindle Fire runs Android, and like all Android devices, you would expect support from the major mobile device management providers. But you'd be disappointed. Amazon has decided that the Kindle Fire will not have access to the Google Android Market, where major MDM vendors put their apps. Only the Amazon Android Store is accessible, and MDM providers do not have their apps available in that store at the moment.

[ Want a closer look at Amazon's Kindle Fire tablet? See Amazon Kindle Fire: Visual Tour. ]

Second, if you do get your hands on an MDM client, it may not function properly on the Kindle Fire, at least at first. The hardware is different from other Android devices, and the OS, while Android-based, is a completely different user interface. Basic security functions your organization may require, such as pass code screens and encryption, may not function either.

On Nov. 16 (the day after the first preorders land on doorsteps nationwide) you will have people walking into the office with their new Kindle Fires and hopping on the company Wi-Fi to show off the sleek-looking tablet to envious peers. And to be fair to the Fire, this problem is applicable to any new consumer device, be it a smartphone, tablet, or netbook.

So how do you secure these zero-day devices, and/or prevent them from accessing the network, without help from your MDM system?

First, find out when your MDM vendor will support the device, and mark that day on your calendar so you can push out updates ASAP.

Second, if you want to prevent access from the Kindle Fire -- or any device -- set your Wi-Fi APs to deny access for the specific Organizationally Unique Identifier. Now, this isn't a perfect solution, because, for example, an OUI linked to Apple may block all iPhones, even though you only want to block iPads. Watch the help desk phones light up.

Third, leverage your vulnerability scanner, such as Nessus or Qualys, and use its operating system fingerprinting function to find devices that match the unsupported profile, and have it blocked via firewall or the access point. This is a manual process but shouldn't be too burdensome.

Fourth, if you're really concerned, get yourself a Wi-Fi intrusion-detection system -- technology that's custom built for the identification and authorization of wireless devices.

Finally, and in my opinion, most important, get your priorities straight. Just let them on and realize that your network is public, but your systems are private. In other words, don't try to prevent the connection to the network, prevent access to the resource, such as the file server or email. MDM vendors provide the capability to default-deny any device that isn't registered with their software. In our Kindle Fire case, if we have this policy enabled, the employee can get access to Wi-Fi and show off but cannot access email, calendars, or the file server until the device is supported.

One other piece of advice from the trenches: If you see a phenomenon like the Kindle Fire coming your way, buy one or three and give them to the security and IT staff to play with, so they know what the device can and cannot do. You might be surprised at your team's ability to develop security controls and provide help desk support once they have had a chance to analyze new hardware. Plus, it helps build morale when the company encourages the "geeking out" of the IT staff via access to a cool new device.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Read more about:

20112011

About the Author

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights