If you can't beat them - secure them
v1.0 – October 2012
Copyright © 2011 Accenture All Rights Reserved. Accenture, its logo, and High Performance delivered are trademarks of Accenture.
Preface: Mobile adoption
Infographic callouts: new apps deployed in the cloud; allow access to their networks; employees use two or more devices.
• Smart phone sales roughly doubled in the last financial year.
• Approximately 80 of the Fortune 100 companies are deploying or evaluating the Apple iPad® for the enterprise.
• By 2014, 90% of organizations will support corporate applications on personal devices.
• Smartphone vendors shipped 153.9 million handsets in Q2 2012, compared to 108.3 units in Q2 2011 (Source: IDC).
Preface: Mobile adoption
Mobile technologies are a standard part of work life…
• Mobile banking users exceeded 150 million globally in 2011.
• The value of mobile payments is forecast to reach $110 billion in 2013, a CAGR of 105%.
• Sales of smartphones were up by 42.7%, with Apple and Samsung together accounting for 83% market share.
(Source: Gartner 2012)
Infographic figures:
• Global hits from mobile devices (Jan 2012): 8.5% (Source: StatCounter)
• 3G mobile network coverage: 45% of world population (Source: ITU)
• Total mobile apps downloaded in 2011: 29 billion apps (Source: ABI Research)
• Expenditure on mobile advertising worldwide in 2011: USD 3.3 billion (Source: Gartner)
• Mobile payments users in 2011: 14.1 million (Source: Gartner)
Preface: Bring Your Own Device context
Bring your own device (BYOD) is the term for a business policy under which employees bring personally owned mobile devices to their workplace and use those devices to access privileged company resources such as email, file servers and databases, as well as their personal applications and data.
Mobile Device Explosion paves the way for BYOD (recent survey; growth from 2010 to 2015):
Device type      2010      2015       Growth
Corporate PCs    177M      246M       39%
Personal PCs     173M      293M       69%
Smartphones      300M      1017M      340%
Tablets          15M       326M       2,170%
Contents
• Your worst BYOD Nightmare
• Waking up from my BYOD nightmare…where am I?
• Controlling BYOD: From woe to go
• Safeguard controls for mobile devices
• Final Notes
Your worst BYOD Nightmare …is to not realise that the cord has already been cut:
From smart phones to tablets to laptops, mobile technologies have become a standard part of work life, offering productivity and efficiency gains as well as enhanced services for customers.
The ways in which these technologies interweave work life and personal life raise a major security challenge for most organizations.
Meanwhile, cybercrime organisations aggregate and mine user data for new attacks.
In this new world, old-fashioned Information Risk Assessment methodologies still apply.
Topics to be discussed over the next few minutes:
• Risk Assessment in a mobile world
• Mobile Reference Architecture covering the commonly used components of mobile in a corporate landscape
• Mobile Profile to understand the scope of your client's mobile environment and related vulnerabilities
• Threat, Vulnerabilities and Controls database to help identify threats that apply to your client's situation and which controls would be suitable to mitigate the risks
BYOD is a reality, requiring executive action
Mobility comes with risks that are different from those of the standard enterprise IT environment.
• Mobile technologies require a different response from the executives charged with defending their enterprise from cyber attacks and enabling the enterprise to improve operations and expand its markets more effectively.
• Few devices know more personal details about people than the smart phones in their pockets: phone numbers, current location, passwords, personal details etc. – and vulnerabilities abound. They are prone to being lost or stolen, yet very few are encrypted.
• Unlike desktop or laptop computers, smart phones have customized hardware architectures, and even open source operating systems like Android come in many versions. Often, it's up to users to accept and install the patches, resulting in an inconsistent mobile device security posture.
• Business needs demand rapid mobility enablement: CIO involvement is key.
• Mobile malware can enter a device at many points: an end-to-end approach is necessary.
Waking up from my BYOD nightmare… where am I?
Waking up: Risk Assessment helps us find the as-is, and the desired to-be
A security risk assessment such as ISO 27005:2011 is mapped to a project delivery lifecycle. After the assessment, a remediation project is typically started to treat the risks identified, reaching a desired, less nightmarish "to-be" state.
Figure: risk assessment process mapped to the project delivery lifecycle.
Risk assessment phases: Establish Context, Identify, Analyse, Evaluate, Treat.
Project phases: Plan, Analyse, Design, Build & Test.
Activities: Establish Risk Assessment Context; Determine Current Landscape; Determine Threats, Vulnerabilities & Existing Controls; Determine Inherent Risks; Determine Residual Risk; Evaluate Residual Risks; Suggest Controls; Document Assessment Results; Determine Remediation Approach; Determine Cost Benefit Analysis; Determine Control Implementation; Implement Controls; Validate & Test Implementation; Measure Performance.
Swimlanes: Information Risk Assessment Project Scope (from Risk Assessment Initiation to Transition to Remediation Project / Risk Management Operations); Follow-on Remediation Project Scope (to Transition to Deploy and Support Phases); Project Management.
Accenture: Added Risk Extensions to the Risk Assessment methodology
The Risk Extension components can be used in specific steps of the risk assessment. Experience with mobility helps accelerate the Assessment and Remediation phases.
Figure: the same risk assessment process (Establish Context, Identify, Analyse, Evaluate, Treat, mapped to Plan, Analyse, Design, Build & Test) with the Risk Assessment Extension for Mobile overlaid as a "collection of inputs": the Reference architecture, the Mobile Profile and the TVC database feed the risk assessment steps.
Mapping risks to architecture landscape
1. Data Storage and Transmission
2. Higher Privileges than required and/or authorized
3. Failure to disable or insecure mobile device platform features
4. Access without strong authentication
5. Malicious/Counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Un-validated or un-authenticated input
8. Data Leakage
9. Client-side injection and overflows
10. Client-side DoS
Controlling BYOD: “From woe to go”
Our experience: Core capabilities are required for managing a Mobile solution
From woe to go: Layered approach
The Network
• Secure and monitor corporate wireless networks
• Demand better security from wireless network service providers
The Device
• Use an end-to-end approach, from manufacturing to disposal
• Assume many mobile devices used by employees will not be secure
The Application
• Provide layers of security
• If someone bypasses one security measure, additional security protects data
The Back-end system
• Consider multi-factor authentication (e.g. biometrics plus password) and host level security and monitoring
From woe to go: Standardised approach
• Out-of-the-box, the August 2012 release of the Threat, Vulnerability and Controls (TVC) database contains the following information:
  • 43 mobile threats, based on various threat reports
  • 37 vulnerabilities, based on vulnerability research for the components in the mobile profile and reference architecture
  • 40 information assets, based on vulnerability research for the components in the mobile profile and reference architecture
  • 70 controls and their attributes, based on analyst reports for functionalities of top-of-class solutions and mobile security controls research
• Elements are cross-referenced in the structure depicted on the right
• Additional elements are added per quarterly release
Accenture developed a solution that takes assets, threats and vulnerabilities related to mobile environments, cross-referenced and mapped to the reference architecture. Likewise, suggested controls are listed to recommend defense-in-depth mitigations.
Figure: TVC database structure: Information assets, Vulnerabilities, Threats and Controls, cross-referenced to each other and mapped to the Reference architecture.
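The cross-referenced structure the slides describe, as an added Python illustration (not Accenture's TVC database or its data): a miniature register whose threats, vulnerabilities and controls are keyed to reference-architecture components, with the mobile profile scoping which threats apply, and the Determine Inherent Risks, Determine Residual Risk and Suggest Controls steps worked through. Every id, entry and score is a constructed assumption.

```python
"""Added illustration, not Accenture's TVC database: a miniature register in the
structure the slides describe (threats, vulnerabilities and controls cross-referenced
to reference-architecture components), plus the inherent and residual risk steps
of the assessment. Every entry, id and score below is constructed sample data."""

# Threats: description, reference-architecture component the threat lands on,
# likelihood 1 (rare) .. 5 (expected), and the vulnerability that enables it.
THREATS = {
    "T1": ("Lost or stolen device exposes stored data", "device", 4, "V1 unencrypted storage, no passcode"),
    "T2": ("Malicious third-party app harvests corporate data", "app", 3, "V2 unvetted app installs"),
    "T3": ("Interception on untrusted wireless network", "network", 3, "V3 cleartext transport"),
    "T4": ("Credential replay against back-end services", "backend", 2, "V4 single-factor authentication"),
}
# Controls: description, threats mitigated, likelihood points removed when deployed.
CONTROLS = {
    "C1": ("MDM: enforce passcode, encryption and remote wipe", {"T1"}, 3),
    "C2": ("MAM: app wrapping and allow-listed enterprise app store", {"T2"}, 2),
    "C3": ("VPN/TLS for all corporate traffic", {"T3"}, 2),
    "C4": ("Multi-factor authentication at the back end", {"T4"}, 1),
}

def assess(profile, impact, deployed):
    """profile: components the mobile profile puts in scope; impact: asset impact
    1..5; deployed: ids of controls already in place. Returns one row per
    applicable threat, highest residual risk first."""
    rows = []
    for tid, (name, component, likelihood, vuln) in THREATS.items():
        if component not in profile:      # the mobile profile scopes the TVC lookup
            continue
        mitigating = {cid for cid, (_, hits, _) in CONTROLS.items() if tid in hits}
        removed = sum(CONTROLS[cid][2] for cid in mitigating & set(deployed))
        rows.append({
            "threat": tid, "name": name, "vulnerability": vuln,
            "inherent": likelihood * impact,                    # Determine Inherent Risks
            "residual": max(1, likelihood - removed) * impact,  # Determine Residual Risk
            "suggested": sorted(mitigating - set(deployed)),    # Suggest Controls
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

if __name__ == "__main__":
    # Profile with device, app and network in scope, a high-value asset, MDM already rolled out.
    for row in assess({"device", "app", "network"}, impact=4, deployed=["C1"]):
        print(row["threat"], row["inherent"], row["residual"], row["suggested"])
```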
Safeguard controls for mobile devices
There are 2 approaches to safeguard mobile devices
Mobile Device Management (MDM)
• Secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
• MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices.
• Key Aspect – MDM only protects and secures the mobile devices. It does not control the applications, data or transactions.
Mobile Application Management (MAM)
• An app-centric strategy for developing, securing, deploying, configuring, updating and removing business applications from mobile devices centrally.
• Application Wrapping: MAM functionality includes wrapping of the enterprise application as per the business policies.
• Key Aspect – MAM provides application level security to maintain both personal and corporate data with different security levels.
Control points: Devices, Apps, Data. BYOD Success = Mastering BYOD Control Points
Mobile Device Management (MDM)
Enable
• Activate enterprise access, apps and data easily and automatically
• iOS, Win Mobile, BB, Symbian
Secure
• Protect enterprise data and infrastructure from attack and theft
• Prevent jailbreaking (JB), ensure passcodes
Manage
• Control inventory and configuration with massive scalability
• Tracking the device
Mobile Device Management (MDM) features
Authentication and Access Control
• Integration with LDAP
• 2-factor authentication
• Single sign-on
• Digital certificates for mobile device/smartphone authentication (e.g. managed PKI solution)
Information Protection
• DLP for mobile devices
• Antivirus/malware protection
• App Center/Cloud for application data management
Device Control and Management
• Managed device inventory
• Remote assistance and remote wipe
• Compliance/policy enforcement (e.g. certificate distribution, password management, camera permission, encryption management)
• Device security: anti-malware/live updates, SMS anti-spam, location update of devices, application control
App Distribution and Collaboration
• Application provisioning as per the business requirements
• No protection of the data
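As an added illustration of the compliance/policy enforcement item above (not the code of any MDM product): constructed device inventory records are evaluated against the posture rules the slides name (passcode, no jailbreak, encryption, camera permission) and non-compliant devices lose enterprise access. The policy values, record field names and the "quarantine" action are assumptions.

```python
"""Added illustration, not any MDM product's code: checking device inventory records
against the posture rules the slides list (passcode, no jailbreak, encryption, camera
permission). Policy values, inventory records and field names are all constructed."""

POLICY = {                     # what the administrator pushes via MDM (constructed)
    "passcode_required": True,
    "min_passcode_length": 6,
    "encryption_required": True,
    "allow_jailbroken": False,
    "camera_allowed": False,   # e.g. camera disabled in restricted areas
}

SAMPLE_INVENTORY = [           # constructed managed-device inventory records
    {"id": "dev-001", "passcode_set": True, "passcode_length": 6,
     "encrypted": True, "jailbroken": False, "camera_enabled": False},
    {"id": "dev-002", "passcode_set": False, "passcode_length": 0,
     "encrypted": False, "jailbroken": True, "camera_enabled": False},
    {"id": "dev-003", "passcode_set": True, "passcode_length": 4,
     "encrypted": True, "jailbroken": False, "camera_enabled": True},
]

def evaluate(device, policy=POLICY):
    """Return (compliant, findings) for one record; every rule is checked so the
    report lists all gaps on the device, not just the first one hit."""
    findings = []
    if device.get("jailbroken") and not policy["allow_jailbroken"]:
        findings.append("jailbroken/rooted device")
    if policy["passcode_required"]:
        if not device.get("passcode_set"):
            findings.append("no passcode")
        elif device.get("passcode_length", 0) < policy["min_passcode_length"]:
            findings.append("passcode shorter than %d" % policy["min_passcode_length"])
    if policy["encryption_required"] and not device.get("encrypted"):
        findings.append("storage not encrypted")
    if device.get("camera_enabled") and not policy["camera_allowed"]:
        findings.append("camera enabled against policy")
    return (not findings, findings)

def enforce(inventory, policy=POLICY):
    """Map device id -> (action, findings); 'quarantine' cuts enterprise access
    while leaving the user's personal data on the device untouched."""
    result = {}
    for device in inventory:
        ok, findings = evaluate(device, policy)
        result[device["id"]] = ("allow" if ok else "quarantine", findings)
    return result

if __name__ == "__main__":
    for dev_id, (action, findings) in enforce(SAMPLE_INVENTORY).items():
        print(dev_id, action, "; ".join(findings) or "compliant")
```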
Mobile Application Management (MAM)
Corporate Computing in Transition
• By 2014, 90% of organizations will support corporate applications on personal devices
• By 2013, 80% of businesses will support a workforce using tablets
(Source: Gartner)
Developer
• Creates apps, either native or web
• Readies them for publishing
• Notifies Admin via App Center
IT Administrator
• Role based permissions and reporting
• Enforcement of corporate policies with respect to apps or content
• Distribution through App store/cloud
Employee
• Receives notification that an app or doc is available
• Downloads and runs the secured app or accesses the secured doc
• Has a familiar app store experience
Mobile Application Management (MAM) features
Policy Management
• User authentication and integration with AD/LDAP
• Encryption
• Access control on jailbroken devices
• Restriction of network connections
• Document sharing
• Offline access
• Additional content policies such as versioning and expiry
Secure Browser
• Web apps are tied to a specific set of authorized sites (e.g. intranet sites)
• Inter-application data transfer protection
• Restricting copy/paste and downloading of content
Multiple deployment options
• Cloud based
• On-premise: private cloud or virtual appliance
Reporting
• Standard reporting on application usage: downloads, data access requests, users, connectivity
• Real-time metrics
Supports diverse content types
• PDFs
• Videos
• Forums
• ePub documents
Final notes: More details on this topic
• Unplugged and Exposed: Rethinking Cyber Security for a Mobile World (Accenture)
• Best Practices in Securing Endpoint Computing Devices (Information Security Forum)
• Best Practices for Mobile Device Banking Security (ATM Industry Association)
• Guidelines on Cell Phone and PDA Security (NIST Special Publication)
• The CIO’s Guide to Mobile Security (Research in Motion Limited)
• Gartner’s market overview of the Mobile Device Management market