DHS Working on Cloud-based Root-of-Trust to Secure Agency Email on Mobile Devices

Short on Technical Details, DHS Announces Plan to Strengthen Mobile Device Email Security and Privacy for Corporate Devices in Personal Use

The DHS is partnering with BlueRISC Inc to develop Cloud-based Root-of-Trust (CRoT) technology to keep agency email separate and secure on corporate-owned, personally enabled (COPE) devices, even when the user operates personal email from the same device.

COPE devices are common in government agencies and enterprises. The corporate-owned element ensures a degree of control over how the device is used, while the personally enabled element recognizes that users will make personal use of the device. The difficulty is ensuring that personal use does not undermine corporate security. The problem is growing with the incidence of remote working, which the current pandemic-driven shift to working from home has dramatically enlarged.

Solutions that address the users' communication privacy, while enabling organizations to protect business content, are essential to making COPE work for everyone, explains the DHS Science and Technology Directorate (S&T). Its own solution is to partner with BlueRISC in the development of EPRIVO Enterprise 2.0, an app that allows users to securely access both existing personal email accounts and their corporate or government account.

"The EPRIVO Enterprise 2.0 email system ensures the confidentiality of email in transit, in cloud storage at an email service provider, and when stored on the mobile device, providing both physical and cryptographically based protections," said Kris Carver, BlueRISC Technical Director. "Users can specify controls for the emails they send, including recalling messages or preventing the receiver from forwarding a message."

The concept is not new. "Does Good Technology [acquired by Blackberry] ring a bell?" asks Chris Morales, head of security analytics at threat hunting firm Vectra. "There have been many others since, all providing a method of combining personal and work experience on mobile devices. This is the same thing, which is great for security, but not always great for user experience when the user prefers using the native or specific email apps."

The problem with the S&T announcement is that it is short on technical details. "S&T's support for BlueRISC's EPRIVO Enterprise 2.0 is providing enterprise security administrators and mobile device users a valuable tool that protects the security and privacy of both business and personal email on corporate- or government-owned mobile devices," said S&T Mobile Security Research and Development Program Manager Vincent Sritapan.

Enterprise security administrators, says the announcement, can use the enterprise administrator's console to set security policy for each user's enterprise email account, ensuring that business messages are protected. But it doesn't say how the security will be provided.

"Unfortunately, this announcement lacks the required technical detail," comments Fausto Oliveira, principal security architect at continuous behavioral authentication firm Acceptto. "It is understandable that DHS might not want to reveal all the mechanisms that this software is using, however, without further information, we have to address two potential risks."

Oliveira's concerns are, first, the strength of the user authentication and, second, how the approach addresses the insider threat. "It is not possible," he said, "to ascertain how effective the authentication mechanisms are in this application. I am also concerned with the effectiveness of this software when it comes to addressing insider threats."

He accepts that the email data -- text or voice -- is encrypted and some sort of tokenization is used to anonymize email data in transit, and that data is encrypted while stored in the user's device. "However," he asks, "what prevents the legitimate user as an insider threat actor from copying the email outside of the encrypted container and dispatching that information over insecure channels?"

With few details of the technology of the S&T app in development, it is difficult to answer such questions. It does seem clear, however, that the idea is fundamentally similar to the Beyond Identity passwordless authentication system launched on April 14, 2020. Here, the app authenticates the user and delivers secure communications, but also provides device information that would allow the enterprise/agency to choose whether to authorize access based on policy.

"BlueRISC uses the Cloud Root of Trust as a security control to enable the attestation of the devices and the use of encryption to protect email data both in transit and at rest in the users' devices. This is an interesting, but not unique, approach," says Oliveira. "It has the potential to secure confidential information in a way that makes it extremely difficult for an outsider to gain access to that information."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.