InfoSec Institute Interview: Satish Shetty of Codeproof Technologies

March 26, 2013 by Rorot

Satish Shetty is the founder and CEO of Codeproof Technologies Inc., a company that delivers the first ever cloud-based, software-as-a-service (SaaS) security offering for mobile devices. Earlier, he worked with companies such as McAfee and Microsoft. He currently holds 9 patents on software security and software anti-piracy hardening technologies. Before going ahead, I would like to thank him for his precious time and for sharing his valuable thoughts with our community.

Could you explain to our readers what ‘Codeproof’ is all about?

Codeproof is a simple, easy-to-use, low-cost, SaaS-based Mobile Device Management (MDM) and security platform: secure and manage mobile devices anywhere, anytime.

What kind of real-time mobile security risks does Codeproof endpoint security address? In the case of lost or stolen mobiles, what kind of options do the users have?

For Android, apart from mobile device management features, we also have an integrated mobile antivirus built into our Android app. Codeproof Antivirus for Android blocks malicious apps in real time. For iOS security, we focus mainly on mobile device management aspects such as app restriction policy, privacy policy, app deployment and reporting, device asset inventory, remotely locking and wiping the device, sending admin push messages to devices, remote configuration of email, VPN and WiFi, etc.

If the device is lost or stolen, the user can first try to locate it and lock it remotely. If they can locate it, they should try to recover the device. If they can't locate it, they can issue a remote wipe command to wipe the entire contents of the device.

From an enterprise perspective, what are the services that you offer?

Codeproof provides a scalable web console for enterprises to manage thousands of devices. Unlike other enterprise MDM providers, the Codeproof Console gives you the ability to browse each and every device in your organization. Devices are rendered in the console with a device-specific icon in a directory tree structure. The enterprise admin can configure policy for groups or for individual device nodes.

We support policy inheritance, where an admin can configure policies at the root node and all the devices inherit those policies. Later the admin can override specific policy settings at the device node by breaking the inheritance. So the Console is designed in such a way that it can manage a large number of devices with minimal work.

Apart from a scalable device management solution, we support enterprise app deployment and enhanced Exchange Server ActiveSync security, and we provide MDM developer APIs through which you can programmatically control devices via our web APIs. So Codeproof is more of a platform than a standalone product.
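The policy-inheritance model described in the answer above (root policies flow down a device tree; an admin overrides a setting on one node, or breaks inheritance there) can be made concrete with a small resolver. The code below is an added illustration written for this page, not Codeproof's code, and the tree shape, the node and setting names, and the semantics of "breaking inheritance" (the node keeps a private copy of its effective settings and stops receiving changes from above) are assumptions, not anything the interview specifies.

```python
"""Policy inheritance over a device tree (added illustration, not Codeproof code)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Node:
    """A group or a device in the console tree. A device is a leaf with no children."""
    name: str
    parent: Optional["Node"] = field(default=None, repr=False, compare=False)
    policy: Dict[str, Any] = field(default_factory=dict)  # settings set directly on this node
    inherits: bool = True  # False once an admin has broken inheritance here
    children: Dict[str, "Node"] = field(default_factory=dict, repr=False, compare=False)

    def add(self, child: "Node") -> "Node":
        """Attach a child node (group or device) under this node."""
        child.parent = self
        self.children[child.name] = child
        return child


def effective_policy(node: Node) -> Dict[str, Any]:
    """Resolve the policy a node actually receives.

    Walk towards the root collecting nodes, stopping at the first node whose
    inheritance is broken. Then apply the layers root-first, so the most
    specific node wins on any key it sets explicitly (a per-key override).
    """
    chain: List[Node] = []
    n: Optional[Node] = node
    while n is not None:
        chain.append(n)
        if not n.inherits:
            break
        n = n.parent
    merged: Dict[str, Any] = {}
    for layer in reversed(chain):
        merged.update(layer.policy)
    return merged


def break_inheritance(node: Node) -> None:
    """Detach a node from its ancestors (assumed semantics).

    The currently effective settings are copied onto the node so it keeps
    behaving as before; from now on, changes made above it no longer flow
    down, and the admin edits this node's own policy directly.
    """
    node.policy = effective_policy(node)
    node.inherits = False


def restore_inheritance(node: Node) -> None:
    """Re-attach a node: drop its private copy and inherit from above again."""
    node.policy = {}
    node.inherits = True


def build_demo() -> Dict[str, Node]:
    """Constructed sample tree: root -> Sales / Engineering groups -> devices."""
    root = Node("root", policy={"passcode_required": True, "min_passcode_length": 6, "camera": True})
    sales = root.add(Node("Sales"))
    eng = root.add(Node("Engineering", policy={"camera": False}))  # group-level override
    alice = sales.add(Node("alice-iphone"))
    bob = eng.add(Node("bob-android"))
    carol = eng.add(Node("carol-android", policy={"camera": True}))  # device-level override, still inheriting
    return {"root": root, "sales": sales, "eng": eng, "alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    t = build_demo()
    print("bob before:", effective_policy(t["bob"]))
    break_inheritance(t["bob"])
    t["root"].policy["min_passcode_length"] = 8  # root change after bob was detached
    print("alice after:", effective_policy(t["alice"]))
    print("bob after:  ", effective_policy(t["bob"]))
```

The two override mechanisms behave differently over time: carol's per-key override still receives every other root change, whereas bob, once detached, silently stops receiving the stronger passcode rule. A console that offers "break inheritance" should therefore report detached nodes, otherwise a device can drift out of the baseline without anyone noticing.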

Does your solution support data segregation out of the box, as the latest BlackBerry does?

Not in this first version. Some cool stuff will be coming in the future.

In Codeproof Cloud MDM, an admin can log in using the cloud console and manage any device. How secure is the whole implementation? On what basis is the device identified?

Communication from the browser console to our cloud backend is all SSL-encrypted. Similarly, the traffic from the device to the cloud backend is also SSL-encrypted. Each device is identified by a GUID, which we generate during device enrolment in the app.

What are the advantages of a SaaS-based Mobile Device Management solution over an on-premise solution?

Simplicity: In SaaS-based MDM, we host the MDM server in the cloud, install the required MDM certificates, etc., so that the administrator's life is easy: they just have to install our app and enroll devices. A SaaS-based MDM helps SMBs a lot where they don't have a dedicated IT person, or the expertise to manage an MDM server.

In the case of an on-premise solution, the admin sets up an MDM server inside the corporate network, installs certificates and makes mobile devices connect to the internal MDM server. A lot of work for an admin, as you can imagine. Most of the time mobile devices are in the cloud, and we make them check in to the corp-net MDM server to get new policies/settings. Not efficient at all.

Cost: In my opinion, SaaS is the future. Because of the hosted service architecture, SaaS brings costs down. The software sales process gets easier in some ways, as we don't have to set up a demo for the customer, etc. The software is always available online for anyone to try out. If they are happy, they can upgrade to premium using a credit card anytime, anywhere.

Support: In the SaaS model, we just have to support one version of the software. In the case of on-premise, each customer can have a different version of the software. Support and maintenance get a lot harder as the software ages.

I think in the future, more and more complex enterprise on-premise software will be resigned to the SaaS model. We may see more and more startups in this area.

Which mobile platforms do you support currently? Going forward, are there any plans to extend your support to other operating systems?

The major ones: Android and iOS. Going forward, we do plan on supporting other platforms such as Windows 8. We have yet to see who will be the third major platform.

Do you really think the corporate equivalent of privacy can be achieved on a mobile device, especially with the advent of policies like BYOD?

Yes, it is possible to achieve the corporate equivalent of privacy in BYOD. See, mobile devices were originally designed to be consumer-friendly devices. The difference between employee-owned devices and company-owned devices is only "ownership". So there are no technical differences here. I think most employees are not aware of basic mobile security issues. Companies need to bring awareness and educate employees about why they need to have a strong password on the device, etc.

For example, if an employee downloads corporate emails on his personal device, he should take responsibility to secure his device with a strong passcode, wipe all emails and corporate data if he transfers the device to someone else, etc. Having corporate MDM software enforces these policies.

An employee needs to inform the IT admin if he/she loses the device (both in the case of a personal device and a company device) so that the IT admin can try to locate it, lock it or wipe it, as the case may be, with the MDM software. Some of these policies have to be a part of the employment agreement. In iOS MDM, the admin can wipe only corporate software and emails (installed via MDM) and doesn't have to wipe the entire contents of the device.

A few simple mobile security tips can be found in my Quora blog here.

What are the main challenges faced by the MDM (Mobile Device Management) industry as of now?

A lack of standards. Apple did a somewhat okay job in implementing the MDM protocol, but it needs big improvements. I didn't see any new MDM feature in iOS 6.0.

In the case of Android, there is no MDM protocol. Too many vendor-specific implementations of the OS are causing a big mess here.

Is your solution deployable to a private cloud, that is, UEC or some other MaaS solution for limited-connectivity networks?

Yes, Codeproof was designed that way. With minimal config changes, we can deploy our solution either on a separate AWS instance or in a customer-preferred data center.

Rorot (@rorot333) is an information security professional with 5.5 years of experience in penetration testing and vulnerability assessment of web and mobile applications. He is currently a security researcher at Infosec Institute. Twitter: @rorot333 Email: rorot33@gmail.com