
LinkedIn Intro: Lines Blurred Between Enterprise Security and End-user Convenience

By: Absolute Editorial Team | 11/4/2013

LinkedIn is a professional networking platform used by more than 220 million people globally. As we highlighted in ‘Apps to get you fired or hired’, use of the mobile application is also encouraged by over 50% of organizations. This trust came into question when LinkedIn launched its new ‘Intro’ service in October, which it provocatively claimed was ‘doing the impossible on iOS’.

LinkedIn Intro displays the sender’s profile data directly within Apple’s built-in iOS mail application. This includes their profile picture and job title, along with a convenient way to connect with them on LinkedIn. The benefits to LinkedIn are clear: more people are using smartphones and tablets to manage their email (half of all emails are read on a mobile device, up from only 4% four years ago), and this aligns with its vision to ‘work wherever their members work’. While the service does provide some value to end users, it is the way LinkedIn achieves this integration that presents a risk to IT security professionals.

The reason for concern is the perceived risk of corporate email flowing through a proxy server that is off the corporate network and controlled by LinkedIn (versus the organization). IT would be unable to protect the corporate content in these emails if a security incident occurred via the proxy server.

Typically, settings on iOS devices are remotely managed through configuration profiles and application programming interfaces (APIs). Absolute Manage uses these to remotely configure settings such as email and Wi-Fi. Configuration profiles can automatically set up a device to connect to your company’s email servers.

However, the native iOS email app cannot be extended, so for LinkedIn to add profile data to email messages, a proxy server is used. This is the cause of the controversy. The proxy server sits between your device and your standard email server (a technique known as “man in the middle”), so instead of checking for email messages securely on your company’s email server, the device checks for messages on the LinkedIn Intro proxy server, where corporate IT has no control.

While LinkedIn Intro doesn’t yet support Microsoft Exchange Server, many organizations have IMAP accounts to provide Outlook Web Access, and if LinkedIn Intro is configured, all of the user’s corporate emails are passed through the LinkedIn Intro servers. LinkedIn assures users that all communications are secure, and once the users download the email message, the encrypted content is deleted from their systems.

This new service highlights the need for visibility across all devices (BYOD and corporate, PC/Mac and mobile) that are accessing corporate data. With Absolute Manage, administrators can easily view all devices that contain the LinkedIn Intro certificate. Notifications can be sent automatically and appropriate security actions taken (such as removing corporate data from the device) if deemed necessary.
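To illustrate the kind of check this visibility enables, the following added example (not from the original article and not Absolute Manage code) audits an unsigned iOS configuration profile for mail accounts that point at servers outside the organization and for any certificate payloads. The corporate suffix, hostnames and sample profile are constructed for illustration; the payload types and mail host keys are Apple's standard configuration profile names.

```python
import plistlib

# Assumption: DNS suffixes the organization treats as its own mail servers.
CORPORATE_MAIL_SUFFIXES = (".corp.example",)

MAIL_TYPE = "com.apple.mail.managed"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")


def is_corporate(host):
    """True if host is the corporate domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s)
               for s in CORPORATE_MAIL_SUFFIXES)


def audit_profile(profile_bytes):
    """Return (kind, detail) findings for one unsigned profile plist."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        name = payload.get("PayloadDisplayName", "<unnamed>")
        if ptype == MAIL_TYPE:
            # Mail redirected through a third-party proxy shows up here.
            for key in HOST_KEYS:
                host = payload.get(key)
                if host and not is_corporate(host):
                    findings.append(("external-mail-host", f"{name}: {key}={host}"))
        elif ptype in CERT_TYPES:
            # Added certificates deserve review by IT.
            findings.append(("certificate-payload", name))
    return findings


# Constructed sample: a mail account whose incoming server is a proxy host,
# plus a certificate payload. None of these values come from a real device.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": MAIL_TYPE, "PayloadDisplayName": "Work Mail",
         "IncomingMailServerHostName": "imap.proxy.example",
         "OutgoingMailServerHostName": "smtp.corp.example"},
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Constructed CA", "PayloadContent": b"constructed"},
    ],
})

if __name__ == "__main__":
    for kind, detail in audit_profile(SAMPLE_PROFILE):
        print(kind, detail)
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before `plistlib` can parse them.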

The reality in this connected business environment is that corporate data is scattered across a variety of diverse systems. It’s important to have visibility across all devices, understand the risks, and weigh them against the benefits to end-user productivity.