CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Cloud Security

DHS Working on Cloud-based Root-of-Trust to Secure Agency Email on Mobile Devices

Email Security for Mobile Devices

Email Security for Mobile Devices

Short on Technical details, DHS Announces Plan to Strengthen Mobile Device Email Security and Privacy for Corporate Devices in Personal Use

The DHS is partnering with BlueRISC Inc to develop Cloud-based Root-of-Trust (CRoT) technology to keep agency email separate and secure on corporate-owned, personally enabled (COPE) devices, even when the user operates personal email from the same device.

COPE devices are common in government agencies and enterprises. The corporate-owned element ensures a degree of control over the device usage, while the personally enabled element recognizes that users will make personal use of the device. The difficulty is ensuring that the personal use doesn’t damage the corporate security. It is a problem that is increasing with the growing incidence of remote working that has been dramatically enlarged with the current pandemic-driven working from home.

Solutions that address the users’ communication privacy, while enabling organizations to protect business content are essential to making COPE work for everyone, explains the DHS Science and Technology Directorate (S&T). Its own solution is to partner with BlueRISC in the development of EPRIVO Enterprise 2.0, an app that allows users to securely access both existing personal email accounts and their corporate or government account. 

“The EPRIVO Enterprise 2.0 email system ensures the confidentiality of email in transit, in cloud storage at an email service provider, and when stored on the mobile device, providing both physical and cryptographically based protections,” said Kris Carver, BlueRISC Technical Director. “Users can specify controls for the emails they send, including recalling messages or preventing the receiver from forwarding a message.”

The concept is not new. “Does Good Technology [acquired by Blackberry] ring a bell?” asks Chris Morales, head of security analytics at threat hunting firm Vectra. “There have been many others since, all providing a method of combining personal and work experience on mobile devices. This is the same thing, which is great for security,  but not always great for user experience when the user prefers using the native or specific email apps.”

The problem with the S&T announcement is that it is short on technical details. “S&T’s support for BlueRISC’s EPRIVO Enterprise 2.0 is providing enterprise security administrators and mobile device users a valuable tool that protects the security and privacy of both business and personal email on corporate- or government- owned mobile devices,” said S&T Mobile Security Research and Development Program Manager Vincent Sritapan.

Enterprise security administrators, says the announcement, can use the enterprise administrator’s console to set security policy for each user’s enterprise email account, ensuring that business messages are protected. But it doesn’t say how the security will be provided.

Advertisement. Scroll to continue reading.

“Unfortunately, this announcement lacks the required technical detail,” comments Fausto Oliveira, principal security architect at continuous behavioral authentication firm Acceptto. “It is understandable that DHS might not want to reveal all the mechanisms that this software is using, however, without further information, we have to address two potential risks.”

Oliveira’s concerns are firstly over the strength of the user authentication, and secondly, how does the approach address the insider threat. “It is not possible,” he said, “to ascertain how effective the authentication mechanisms are in this application. I am also concerned with the effectiveness of this software when it comes to address insider threats.”

He accepts that the email data — text or voice — is encrypted and some sort of tokenization is used to anonymize email data in transit, and that data is encrypted while stored in the user’s device. “However,” he asks, “what prevents the legitimate user as an insider threat actor from copying the email outside of the encrypted container and dispatching that information over insecure channels?”

With few details of the technology of the S&T app in development, it is difficult to answer such questions. It does seem clear, however, that the idea is fundamentally similar to the Beyond Identity passwordless authentication system launched on April 14, 2020. Here, the app authenticates the user and delivers secure communications, but also provides device information that would allow the enterprise/agency to choose whether to authorize access based on policy.

“BlueRISC uses the Cloud Root of Trust as a security control to enable the attestation of the devices and the use of encryption to protect email data both in transit and at rest in the users’ devices. This is an interesting, but not unique, approach,” says Oliveira. “It has the potential to secure confidential information in a way that makes it extremely difficult for an outsider to gain access to that information.”

Related: Enterprise Mobility: COPE vs. BYOD 

Related: Google Announces Open Source Silicon Root-of-Trust Project 

Related: Critical Bluetooth Vulnerability Exposes Android Devices to Attacks 

Related: NCSC Joins Secure Chorus to Promote End-to-End Secure Communications

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...