Cloudflare Launches an eSIM To Secure Mobile Devices (techcrunch.com)
An anonymous reader shares a report: Are smartphones ever entirely secure? It depends on one's definition of "secure," particularly when dealing with corporate environments. Most companies with bring-your-own-device policies install apps or agents on workers' smartphones to help secure them, leveraging the management capabilities built into operating systems like Android and iOS. But those might not be sufficient. That's what Cloudflare argues, anyway, in the pitch for the new services it's launching this week. Today, the company announced Zero Trust SIM and Zero Trust for Mobile Operators, two product offerings targeting smartphone users, the companies securing corporate phones and the carriers selling data services. Let's start with Zero Trust SIM. Designed to secure all data packets leaving a smartphone, Zero Trust SIM -- once launched in the U.S. (to start) -- will be available as an eSIM deployable via existing mobile device management platforms to both iOS and Android devices. It'll be locked to a specific device, mitigating the risk of SIM-swapping attacks, and usable either in a standalone configuration or in tandem with Cloudflare's mobile agent, WARP.
In a recent email interview, Cloudflare CTO John Graham-Cumming made the case that Zero Trust SIM can accomplish what VPNs and other secure layers can't: cell-level protection. A SIM card can act as another security factor, and -- in combination with hardware keys -- make it nearly impossible to impersonate an employee, he argued. "Zero Trust SIM provides defense in depth. A VPN layer is one of those components, but doesn't remove the need to still deploy cellular connectivity across all of your mobile devices today, and traditional 'AnyConnect-style' VPNs do nothing to stop attackers moving laterally once they're inside the VPN," Graham-Cumming said. "We continue to see organizations breached due to challenges securing their applications and networks, and what was once a real-estate budget is quickly becoming a 'secure my remote and distributed workforce' budget from an IT security perspective." Specifically, Graham-Cumming said that Zero Trust SIM will enable Cloudflare to rewrite DNS requests leaving a device to instead use Cloudflare Gateway for DNS filtering.
Rule number one. (Score:5, Informative)
1. Never, ever install any work-related software on your personal device.
2. See rule #1.
If your company ever tells you that your role requires a piece of mobile software to perform - ask for a company device. If they refuse to provide one, leave the company - they are not worth working for.
That's because corporate-grade software can import MDM policies onto your device, making it no longer yours. Through MDM, your company can see every bit of data and activity on your device, or even completely wipe it out remotely, which they very commonly do after you leave the company as a part of a standard "clean-up" protocol, with your own data on the device or not.
OTP generators are fine, though, as long as they are independent 3rd party generators operating on the standard OTP protocol. This means that Google Authenticator and Microsoft Authenticator do not count. Microsoft Authenticator is particularly bad and can read a lot of personal information, including your phone number, contacts and accurate location.
Re: (Score:1)
Worse than that, they "cancel" a website for accusations made on social media, and similar fascist SJW campaigns.
Re: (Score:2)
What about Android "work profile"? I thought the idea there was to allow your personal stuff and work stuff to coexist?
Seriously asking. I have an Android phone provided by employer as well as my personal one, but I really would prefer to carry just a single device, and if there's some way to isolate corporate stuff to its own sandbox that would be very nice.
Re:Rule number one. (Score:4, Informative)
In theory - yes, work profiles were created exactly for this use case.
However:
- At the end of the day it is down to a particular configuration imposed by the IT admin to decide which actions/intents are allowed to cross over between work and non-work profiles.
- Another problem is that some apps are not designed in the right way and are therefore not compatible with devices utilising work profiles.
- It's a logistical nightmare because you can't simultaneously use work and non-work profiles. You can be either in work mode or non-work mode while most users want a seamless experience so that they can handle work stuff while being able to text their friends and take personal calls.
- There's also the fact that work-profile apps would still be able to harvest some of the inherent information from your phone, for example your phone number.
Re: (Score:2)
I first offer Corporate devices, everyone balks at carrying two phones and demands to use their own. Then I tell them that I'll be able to see everything on their phone and wipe it if/when I want and that I will be forced to wipe it if/when they leave. Suddenly they are fine with two phones.
Re: (Score:3)
Android has a feature called "Work Profile" for this. It prevents your company taking control of your phone; all they can do is set policies that affect apps installed in the Work Profile. Those apps can't access any of your personal stuff. No contacts, no files, nothing.
You can actually use it to isolate apps you don't trust but need to use for whatever reason. An app called Shelter is open source and makes it easy to do.
Not sure what you mean about Google Authenticator. It uses the standard OTP protocol a
Re: (Score:2)
At the end of the day it is down to a particular configuration imposed by the IT admin to decide which actions/intents are allowed to cross over between work and non-work profiles.
No it isn't. The isolation is enforced by the OS and cannot be overridden by policies or by apps.
It's a logistical nightmare because you can't simultaneously use work and non-work profiles.
Yes you can. You don't have to switch profile, you just use those apps like any others. Open them along side your personal apps, have their icons on the desktop. That's how I use Shelter.
There's also the fact that work-profile apps would still be able to harvest some of the inherent information from your phone, for example your phone number.
Simply decline to give them the ability to make phone calls, and they cannot access your phone number.
Re: (Score:2)
I think the authenticator comment was just saying it's fine to install and use that app on your personal phone for work. That it's not going to expose your device or data to the company.
Re: Rule number one. (Score:2)
This is nonsense.
A company can NOT see every bit of data on your phone just because they leverage an MDM solution. If, for example, Intune on iOS is the platform of choice, then the employee is shown a summary in the Comp Portal app of exactly what access the employer has, in plain English. If you use any other solution, the MDM capabilities can be viewed in somewhat less plain English in the Settings app. "Read all data on a device" is not shown on any of mine, and to the best of my knowledge n
Re: (Score:2)
... corporate-grade software can import MDM policies onto your device, making it no longer yours. Through MDM, your company can see every bit of data and activity on your device, or even completely wipe it out remotely, which they very commonly do after you leave the company as a part of a standard "clean-up" protocol, with your own data on the device or not.
I've been using Microsoft Exchange Server for some years. Maybe I'm missing something, but from what I can see there are optional policies pushed to a mobile device pertaining to optional password requirement and complexity, optional encryption requirements, etc. There is an option to remotely wipe a lost phone, either at the device or account-only level. I do not see any way to "see every bit of data and activity" on the device.
Re: (Score:2)
We require a TOTP app (of the user's choice) to allow remote access / WFH.
If they don't want to install that, we don't allow remote access which means no WFH.
It has not been a problem. 0 users to-date have opted to not install the app on their personal device.
Or just get a different device. (Score:1)
If your company ever tells you that your role requires a piece of mobile software to perform - ask for a company device. If they refuse to provide one, leave the company
Alternative, just get a cheap device to throw the company stuff on, and keep your real device separate.
I had a company that had to implement a policy where all employees with access to customer support systems had to have a variety of things like AV and company updates support installed.
So, I directed that installer at an older laptop I had.
Re: (Score:2)
Won't work with some corporate software unless you also get a burner SIM card with it and keep it active. Microsoft Authenticator (again) craps out (or at least used to the last time I tried it) if there's no SIM inside.
Re: (Score:1)
Yeah you'd have to get service also, but a small price to pay to keep the corporate malware off your device. For a professional role $15 a month or whatever is not that bad of a fee to keep your job.
APN? (Score:3)
> Specifically, Graham-Cumming said that Zero Trust SIM will enable Cloudflare to rewrite DNS requests leaving a device to instead use Cloudflare Gateway for DNS filtering.
So is this a Cloudflare APN?
Any protection from SS7 hijacking?
Carrier support required? (Score:3)
Is this a pass-through eSIM (is that possible?) Is it a carrier add-on? Is cloudflare becoming an MVNO?
is this USA only? has roaming? CAN / MEX roaming? (Score:2)
is this USA only? has roaming? CAN / MEX roaming only?
eSIM security (Score:2)
in combination with hardware keys
What are these 'hardware keys' and into which slot in my phone do I install them?
Why? Honeypot policy (Score:2)
Cloudflare is returning to centralized control. A single point of failure.
Too bad that some phones are SIM locked and in BYOD (Score:2)
Too bad that some phones are SIM locked, and in a BYOD setting that can be an issue. Also, if it forces people into needing to buy FULL unlimited plans / needing to buy uncapped roaming, costs can add up fast.
Do you really trust CloudFlare? (Score:1)
One hosting provider to rule them all. (Score:2)
Trust us! (Score:2)