CONSUMERISATION
AND MOBILE SECURITY
Vladimir Jirasek
About.me/jirasek
[date]
About me
• Security professional at WorldPay as Head of Security
  Solutions
• Non executive director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cusler) and business
  management (Jo Owen)
• Apple fan 
I will cover three topics today
• Consumerisation and appropriate security architecture
• Mobile security challenges
• Practical approach
Mobile devices in enterprise
"I want to use one mobile device for both personal and work stuff."
"Hmm, might be tricky but here is what we can do…."

Say yes and give clear policies, instructions and tools!

Control the access to data and systems according to risk.

Agree forensic policy and investigations rules for personal devices.
Classifications of systems as the input into the access calculation

Managed + Compliant: Trusted systems
• Domain joined systems
• Managed and compliant mobile devices
Strategy: Can access most secret applications and data*

Un-managed + Compliant: Isolated systems
• Compliance checks for non-managed devices passed
Strategy: Deliver the application via thin client or access to least sensitive data

Managed + Non-Compliant: Vulnerable systems
• Domain joined or managed devices
Strategy: Help with remediation and limit access to sensitive applications

Un-managed + Non-Compliant: Rogue
• Unknown devices
• Cannot assess compliance
Strategy: Give access at your peril!

* The access decision is taken based on other factors
Access decision logic

Source trust (User/Role, Location, Device trust and feature)
Destination trust (Application classification, Location in network, Access method)

Calculate access decision → Access denied | Access granted | Access limited
How to manage access
this applies to any access, not just from mobile devices!

Access decisions based on accuracy of following:

• Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted, feature set
• Location – inside the firewall or outside, US vs. China, changes in location over time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs. consumer apps, location in the network
Access path definitions
Sit down with business, enterprise architects and security and create access path definitions for key enterprise applications.

Source = Role, Location, Device; Destination = Data, Network, Method.

#  Role                          Location      Device           Data             Network      Method  Time          Access
1  Employees                     Any           Trusted          Confidential     DMZ          Web     Any           Allow
2  Employees                     Any           Isolated mobile  Internal         DMZ          Web     Any           Allow
3  HR admins                     Office, UK    Trusted          PII and payroll  Internal MZ  Citrix  Office hours  Allow
4  Contractors                   Office        Isolated         Confidential     DMZ          Citrix  Any           Allow
5  Admins                        Home working  Isolated         Management       MZ           Citrix  Any           Allow
6  Customers via Facebook login  Any           Rogue            PII              DMZ          Web     Any           Allow
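The device classification quadrant, the source/destination decision logic and the access path table above can be expressed as a small policy engine. The following is an added example written for this page, not code from the presentation or from any vendor it cites. The compliance signals used to classify a device (passcode, encryption, jailbreak state), the comma-separated location tags, the "limited" outcome for vulnerable devices and the default-deny fallback for requests that match no defined path are assumptions made here; the six path rows are transcribed from the table.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class DeviceClass(str, Enum):
    TRUSTED = "Trusted"        # managed and compliant
    ISOLATED = "Isolated"      # un-managed, but compliance checks passed
    VULNERABLE = "Vulnerable"  # managed but non-compliant
    ROGUE = "Rogue"            # un-managed and compliance cannot be assessed


class Decision(str, Enum):
    GRANTED = "Access granted"
    LIMITED = "Access limited"
    DENIED = "Access denied"


@dataclass
class DevicePosture:
    """Constructed compliance signals an MDM agent might report (assumed set)."""
    managed: bool
    passcode_set: Optional[bool] = None
    encrypted: Optional[bool] = None
    jailbroken: Optional[bool] = None


def is_compliant(p: DevicePosture) -> Optional[bool]:
    """True/False when every signal is known; None when compliance cannot be assessed."""
    signals = (p.passcode_set, p.encrypted, p.jailbroken)
    if any(s is None for s in signals):
        return None
    return bool(p.passcode_set and p.encrypted and not p.jailbroken)


def classify_device(p: DevicePosture) -> DeviceClass:
    """Managed x Compliant quadrant; unknown compliance fails closed."""
    compliant = is_compliant(p) is True
    if p.managed:
        return DeviceClass.TRUSTED if compliant else DeviceClass.VULNERABLE
    return DeviceClass.ISOLATED if compliant else DeviceClass.ROGUE


ANY = "Any"


@dataclass(frozen=True)
class AccessPath:
    role: str            # source: user/role
    location: str        # source: comma-separated location tags, or "Any"
    device: DeviceClass  # source: device trust
    data: str            # destination: application/data classification
    network: str         # destination: location in network
    method: str          # destination: access method
    time: str            # "Any" or "Office hours"
    decision: Decision


@dataclass(frozen=True)
class AccessRequest:
    role: str
    location: str
    device: DeviceClass
    data: str
    network: str
    method: str
    office_hours: bool


# The six rows of the access path table, transcribed.
PATHS: Sequence[AccessPath] = (
    AccessPath("Employees", ANY, DeviceClass.TRUSTED, "Confidential", "DMZ", "Web", ANY, Decision.GRANTED),
    AccessPath("Employees", ANY, DeviceClass.ISOLATED, "Internal", "DMZ", "Web", ANY, Decision.GRANTED),
    AccessPath("HR admins", "Office, UK", DeviceClass.TRUSTED, "PII and payroll", "Internal MZ", "Citrix", "Office hours", Decision.GRANTED),
    AccessPath("Contractors", "Office", DeviceClass.ISOLATED, "Confidential", "DMZ", "Citrix", ANY, Decision.GRANTED),
    AccessPath("Admins", "Home working", DeviceClass.ISOLATED, "Management", "MZ", "Citrix", ANY, Decision.GRANTED),
    AccessPath("Customers via Facebook login", ANY, DeviceClass.ROGUE, "PII", "DMZ", "Web", ANY, Decision.GRANTED),
)


def _location_tags(location: str) -> frozenset:
    # "Any" imposes no constraint; "Office, UK" requires both tags (assumed convention).
    if location == ANY:
        return frozenset()
    return frozenset(t.strip() for t in location.split(","))


def _matches(path: AccessPath, req: AccessRequest, device: DeviceClass) -> bool:
    return (path.role == req.role
            and _location_tags(path.location) <= _location_tags(req.location)
            and path.device == device
            and path.data == req.data
            and path.network == req.network
            and path.method == req.method
            and (path.time == ANY or req.office_hours))


def decide(req: AccessRequest, paths: Sequence[AccessPath] = PATHS) -> Decision:
    """First matching access path wins; anything not explicitly defined is denied."""
    for path in paths:
        if _matches(path, req, req.device):
            return path.decision
    # Assumption: a Vulnerable (managed, non-compliant) device that would be
    # allowed if it were Trusted gets limited access while remediation happens.
    if req.device is DeviceClass.VULNERABLE:
        if any(_matches(path, req, DeviceClass.TRUSTED) for path in paths):
            return Decision.LIMITED
    return Decision.DENIED
```

Calling `decide(AccessRequest("HR admins", "Office, UK", DeviceClass.TRUSTED, "PII and payroll", "Internal MZ", "Citrix", office_hours=False))` returns `Decision.DENIED`, because row 3 is the only path for that data and it is restricted to office hours; the same request during office hours is granted. The engine is deliberately a whitelist: the table only lists Allow rows, so every combination the business has not defined falls through to deny, which is the safe reading of "give access at your peril" for rogue devices.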
MOBILE SECURITY
Revolution in mobile device capabilities
Source: McAfee
Timeline Q1 2007 – Q1 2009 (left to right):
• Microsoft Windows Vista
• Blackberry & Palm
• Apple iPhone launches; Gartner says never ready for enterprise
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
And its acceleration
Timeline Q1 2009 – Q1 2012 (left to right):
• Microsoft Windows 7
• iOS 3GS w/ encryption
• iPad launches
• Android Honeycomb with Encryption
• iPad2
• Windows Phone 7
• webOS
• Next gen Blackberry
• Android tablets
• RIM Playbook
• iCloud
• iPhone 4s
Mobile devices threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse.
• Malicious and unintentional data loss.
• Attacks on the integrity of the device’s data.
Mobile platforms – security architecture
Source: Symantec

• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.

• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).

• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.

• Isolation: Isolation techniques attempt to limit an application’s ability to access the sensitive data or systems on a device.

• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.

In many aspects the mobile device architecture is more advanced than your typical desktop OS
Updating of old devices is an issue for Android…
[Chart by Michael DeGusta, TheUnderstatement.com]
Correct approach to mobile security
• Secure Device, Applications and Data
• Use risk based approach for access control decisions
• Less emphasis on whether device is corporate or personal
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance
• Deliver corporate applications via thin clients to mobile devices
Source: McAfee
References
• Rethinking Enterprise Security, Toby Kohlenberg, Intel
• “A Window Into Mobile Device Security”, Carey Nachenberg, Symantec, 2011
• McAfee EMM Site
• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization Site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• “CISO Perspective: Consumerization of IT” @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• “Magic Quadrant for Mobile Device Management Software”, Document ID G00211101, Gartner, 2011
• “Your Apps Are Watching You,” The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) Security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen
• Windows Phone Platform Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security 2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010
• Consumerisation and Corporate IT Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support, Michael Degusta, October 2011

Mobile security for SIC 2012
