Mobile computing has become ubiquitous in the consumer space, and employees now expect to use mobile devices for business. How does this change the risk profile of your company? What new types of threat should your security architecture cover? The session covers these questions and more in a way that allows security professionals to apply the lessons learnt directly in practice.
2. About me
• Security professional at WorldPay, Head of Security Solutions
• Non executive director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
• Apple fan
3. I will cover three topics today
• Consumerisation and appropriate security architecture
• Mobile security challenges
• Practical approach
4. Mobile devices in enterprise
"I want to use one mobile device for both personal and work stuff."
"Hmm, might be tricky but here is what we can do…"
Say yes and give clear policies, instructions and tools!
Control the access to data and systems according to risk.
Agree forensic policy and investigation rules for personal devices.
5. Classifications of systems as the input into the access calculation
Managed + Compliant = Trusted systems
• Domain joined systems
• Managed and compliant mobile devices
Strategy: can access most secret applications and data*
Un-managed + Compliant = Isolated systems
• Compliance checks for non-managed devices passed
Strategy: deliver the application via thin client, or give access to the least sensitive data only
Managed + Non-Compliant = Vulnerable systems
• Domain joined or managed devices
Strategy: help with remediation and limit access to sensitive applications
Un-managed + Non-Compliant = Rogue
• Unknown devices
• Cannot assess compliance
Strategy: give access at your peril!
* The access decision is taken based on other factors as well
7. How to manage access
This applies to any access, not just from mobile devices!
Access decisions are based on the accuracy of the following:
• Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted, feature set
• Location – inside the firewall or outside, US vs. China, changes in location over time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs. consumer apps, location in the network
8. Access path definitions
Sit down with the business, enterprise architects and security and create access path definitions for key enterprise applications.
Source = who, from where, on which device class; Destination = data classification, network zone, delivery channel.
#  Source                        Location      Device           Data             Zone         Channel  Time          Access
1  Employees                     Any           Trusted          Confidential     DMZ          Web      Any           Allow
2  Employees                     Any           Isolated mobile  Internal         DMZ          Web      Any           Allow
3  HR admins                     Office, UK    Trusted          PII and payroll  Internal MZ  Citrix   Office hours  Allow
4  Contractors                   Office        Isolated         Confidential     DMZ          Citrix   Any           Allow
5  Admins                        Home working  Isolated         Management       MZ           Citrix   Any           Allow
6  Customers via Facebook login  Any           Rogue            PII              DMZ          Web      Any           Allow
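The classification matrix of slide 5, the decision factors of slide 7 and the access path table of slide 8 can be made executable as a small policy engine. The following is an added example, not code from the deck or from WorldPay: the class and field names, the device posture checks, the office-hours window (Mon-Fri 09:00-18:00), the two-factor requirement on row 3 and the default-deny fallback for requests that match no row are all assumptions chosen to mirror the slides' tables.

```python
"""Risk-based access decision engine mirroring slides 5, 7 and 8.

Added example, not code from the deck. Names, the compliance checks, the
office-hours window, the MFA requirement on row 3 and the default-deny
fallback are assumptions that make the slides' tables executable."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple, Union

class DeviceClass(Enum):
    TRUSTED = "Trusted"        # managed and compliant
    ISOLATED = "Isolated"      # un-managed, compliance checks passed
    VULNERABLE = "Vulnerable"  # managed but failing compliance
    ROGUE = "Rogue"            # unknown device, compliance cannot be assessed

def compliant(posture: Optional[dict]) -> Optional[bool]:
    """Posture check in the spirit of slide 15; None when nothing was reported.
    Assumed checks: not jailbroken, encrypted, screen lock set; a missing
    'jailbroken' key fails closed."""
    if posture is None:
        return None
    return (not posture.get("jailbroken", True)
            and posture.get("encrypted", False)
            and posture.get("screen_lock", False))

def classify_device(managed: bool, is_compliant: Optional[bool]) -> DeviceClass:
    """Slide 5 matrix. Assumption: a managed device whose compliance cannot
    be assessed is treated as non-compliant (Vulnerable), not Rogue."""
    if managed:
        return DeviceClass.TRUSTED if is_compliant else DeviceClass.VULNERABLE
    return DeviceClass.ISOLATED if is_compliant else DeviceClass.ROGUE

ANY = "Any"

@dataclass(frozen=True)
class Request:
    role: str              # slide 7: role (FTE, contractor, HR admin, ...)
    site: str              # slide 7: location (Office, Home)
    country: str           # slide 7: location (UK, US, ...)
    device: DeviceClass    # slide 7: device
    data: str              # slide 7: data classification
    zone: str              # network zone the application lives in
    channel: str           # Web or Citrix (thin client)
    hour: int              # slide 7: time, local hour 0-23
    weekday: bool
    auth_factors: int      # slide 7: identity, 1 = password only, 2 = MFA

@dataclass(frozen=True)
class AccessPath:
    """One row of the slide 8 table; ANY matches every value in that field."""
    role: str
    site: str
    country: str
    device: Union[DeviceClass, str]
    data: str
    zone: str
    channel: str
    time: str              # ANY or "Office hours"
    action: str            # Allow / Deny
    min_auth_factors: int = 1

def in_office_hours(hour: int, weekday: bool) -> bool:
    return weekday and 9 <= hour < 18   # assumption: Mon-Fri 09:00-18:00

def decide(req: Request, paths: List[AccessPath]) -> Tuple[str, Optional[int]]:
    """First matching row wins. A row that matches but needs stronger
    authentication denies; no matching row denies (default deny)."""
    for number, p in enumerate(paths, start=1):
        pairs = ((p.role, req.role), (p.site, req.site), (p.country, req.country),
                 (p.device, req.device), (p.data, req.data), (p.zone, req.zone),
                 (p.channel, req.channel))
        if not all(rule == ANY or rule == value for rule, value in pairs):
            continue
        if p.time != ANY and not in_office_hours(req.hour, req.weekday):
            continue
        if req.auth_factors < p.min_auth_factors:
            return "Deny", number     # right path, identity assurance too weak
        return p.action, number
    return "Deny", None

T, I, R = DeviceClass.TRUSTED, DeviceClass.ISOLATED, DeviceClass.ROGUE
ACCESS_PATHS = [  # rows 1-6 of slide 8; min_auth_factors=2 on row 3 is assumed
    AccessPath("Employee", ANY, ANY, T, "Confidential", "DMZ", "Web", ANY, "Allow"),
    AccessPath("Employee", ANY, ANY, I, "Internal", "DMZ", "Web", ANY, "Allow"),
    AccessPath("HR admin", "Office", "UK", T, "PII and payroll", "Internal MZ",
               "Citrix", "Office hours", "Allow", min_auth_factors=2),
    AccessPath("Contractor", "Office", ANY, I, "Confidential", "DMZ", "Citrix", ANY, "Allow"),
    AccessPath("Admin", "Home", ANY, I, "Management", "MZ", "Citrix", ANY, "Allow"),
    AccessPath("Customer (Facebook login)", ANY, ANY, R, "PII", "DMZ", "Web", ANY, "Allow"),
]

if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    good = {"jailbroken": False, "encrypted": True, "screen_lock": True}
    laptop, byod = classify_device(True, compliant(good)), classify_device(False, compliant(good))
    for req in (
        Request("HR admin", "Office", "UK", laptop, "PII and payroll", "Internal MZ", "Citrix", 11, True, 2),
        Request("HR admin", "Office", "UK", laptop, "PII and payroll", "Internal MZ", "Citrix", 23, True, 2),
        Request("Employee", "Home", "UK", byod, "Confidential", "DMZ", "Web", 11, True, 1),
    ):
        print(req.role, req.device.value, req.data, req.hour, "->", decide(req, ACCESS_PATHS))
```

Rows are evaluated in order, so the table's order is part of the policy; the returned row number tells a reviewer which line granted or refused the access, which matters for a row like 6 that lets rogue customer devices reach PII over the web. Anything the table does not list (an isolated BYOD phone asking for confidential data over the web, an HR admin outside office hours) falls through to Deny rather than to a guess.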
10. Revolution in mobile device capabilities
Timeline, Q1 2007 to Q1 2009 (source: McAfee):
• Apple iPhone launches
• Gartner says never ready for enterprise
• Microsoft Windows Vista
• Blackberry & Palm
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
11. And its acceleration
Timeline, Q1 2009 to Q1 2012:
• iPhone 3GS w/ encryption
• Microsoft Windows 7
• Windows Phone 7
• webOS
• iPad launches
• Android tablets
• Next gen Blackberry
• Android Honeycomb with encryption
• iPad 2
• RIM Playbook
• iCloud
• iPhone 4s
12. Mobile device threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse
• Malicious and unintentional data loss
• Attacks on the integrity of the device's data
13. Mobile platforms – security architecture
• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.
• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).
• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.
• Isolation: Isolation techniques attempt to limit an application's ability to access the sensitive data or systems on a device.
• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.
Source: Symantec
In many aspects the mobile device architecture is more advanced than your typical desktop OS.
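The permission-based access control and isolation items above, as an added example that is not the deck's code nor any platform's: a reference monitor that fixes each app's permission set at install time, mediates every call to device data, confines each app to its own storage namespace and stops an app the first time it exceeds its grants. Resource and permission names, the app identifiers and the sample manifests are assumptions; a real OS learns the caller's identity from the kernel rather than from an argument as here.

```python
"""Permission-based access control and isolation as a reference monitor.

Added example, not from the original deck or from any mobile platform's
code. Resource names, permission names, the per-app storage namespace and
the sample manifests are assumptions; a real OS takes the caller's identity
from the kernel rather than from an argument."""
from typing import Dict, FrozenSet, List, Optional, Set

class PermissionDenied(Exception):
    pass

class DeviceBroker:
    """Every call from an app to device data or services goes through here."""

    def __init__(self) -> None:
        self._granted: Dict[str, FrozenSet[str]] = {}   # app id -> permissions fixed at install
        self._store: Dict[str, Dict[str, str]] = {}     # app id -> its own isolated key/value store
        self.blocked: Set[str] = set()                  # apps stopped for exceeding their scope
        self.audit: List[str] = []                      # one line per mediated call
        self.contacts = ["alice@example.com", "bob@example.com"]  # constructed device data

    def install(self, manifest: dict) -> None:
        """Grant exactly the permissions declared at install time; whatever
        the app later claims about itself does not change this set."""
        self._granted[manifest["id"]] = frozenset(manifest.get("permissions", ()))
        self._store[manifest["id"]] = {}

    def _authorize(self, app: str, permission: str) -> None:
        if app in self.blocked:
            raise PermissionDenied(f"{app}: blocked after earlier violation")
        if permission not in self._granted.get(app, frozenset()):
            self.blocked.add(app)        # exceed scope once and the app is stopped
            self.audit.append(f"DENY {app} {permission}")
            raise PermissionDenied(f"{app}: {permission} not granted")
        self.audit.append(f"ALLOW {app} {permission}")

    def read_contacts(self, app: str) -> List[str]:
        self._authorize(app, "READ_CONTACTS")
        return list(self.contacts)       # a copy: the app cannot mutate device data

    def store_put(self, app: str, key: str, value: str) -> None:
        self._authorize(app, "STORAGE")
        self._store[app][key] = value    # lands in the caller's namespace only

    def store_get(self, app: str, key: str) -> Optional[str]:
        self._authorize(app, "STORAGE")
        return self._store[app].get(key)  # another app's keys are simply not there

def demo() -> dict:
    """Constructed scenario: a notes app, a mail client and a flashlight that
    over-reaches. Returns what each call produced so it can be checked."""
    broker = DeviceBroker()
    broker.install({"id": "com.example.notes", "permissions": ["STORAGE"]})
    broker.install({"id": "com.example.mail", "permissions": ["READ_CONTACTS", "STORAGE"]})
    broker.install({"id": "com.example.flashlight", "permissions": []})
    result = {}
    broker.store_put("com.example.notes", "draft", "secret memo")
    result["notes_sees_own"] = broker.store_get("com.example.notes", "draft")
    result["mail_sees_notes"] = broker.store_get("com.example.mail", "draft")
    result["mail_contacts"] = broker.read_contacts("com.example.mail")
    try:
        broker.read_contacts("com.example.flashlight")
        result["flashlight_contacts"] = "allowed"
    except PermissionDenied as exc:
        result["flashlight_contacts"] = str(exc)
    try:
        broker.read_contacts("com.example.flashlight")
        result["flashlight_retry"] = "allowed"
    except PermissionDenied as exc:
        result["flashlight_retry"] = str(exc)
    result["flashlight_blocked"] = "com.example.flashlight" in broker.blocked
    result["audit"] = list(broker.audit)
    return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Two design points carry the slide's argument: the permission set checked at call time is the one recorded at install, not anything the running app presents, and storage is keyed by app identity so isolation needs no extra check. The desktop OS comparison in the slide holds because a typical desktop process runs with the full rights of the user and has no equivalent broker in front of its file and API calls.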
14. Updating of old devices is an issue for Android…
Chart by Michael DeGusta, TheUnderstatement.com
15. Correct approach to mobile security
• Secure Device, Applications and Data
• Use a risk-based approach for access control decisions
• Less emphasis on whether device is corporate or personal
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance
• Deliver corporate applications via thin clients to mobile devices
Source: McAfee
16. References
• Rethinking Enterprise Security, Toby Kohlenberg, Intel
• "A Window Into Mobile Device Security", Carey Nachenberg, Symantec, 2011
• McAfee EMM site
• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• "CISO Perspective: Consumerization of IT" @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• "Magic Quadrant for Mobile Device Management Software", Document ID G00211101, Gartner, 2011
• "Your Apps Are Watching You", The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) Security model explained, Jani Nevalainen, http://j4ni.com/blog/?p=59
• Windows Phone Platform Security, Nokia, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security
• Windows Phone Security page, Microsoft, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx
• VMware Mobile Virtual Platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security 2020, PwC, 2010, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html
• Consumerisation and Corporate IT Security, Bruce Schneier, September 2010, http://www.schneier.com/blog/archives/2010/09/consumerization.html
• Android Orphans: Visualizing a Sad History of Support, Michael DeGusta, October 2011, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support