Developing a Mobile SecurityStrategyWebinar for the institutions in the Universityof Texas SystemKieran NortonPrincipal, D...
Webinar Essentials       Session is currently being recorded, and will be available on our website        at http://www.u...
Table of Contents    Problem Statement                                                               2    Background      ...
Problem statementSummary observations from the security assessments related to mobiledevices:•   Lack of appropriate polic...
Background
The mobility landscapeMobile computing has been growing at a staggering rate across all age groups,income groups, industri...
Adoption of mobility trendsAt a high level, entities go through three stages of adoption for mobility.                    ...
Mobile ecosystem and risklandscape
Mobile security: Threat overlay on mobility ecosystem8                                        Copyright © 2012 Deloitte De...
Mobility risk categoriesEnabling mobility is a balance of technology, return on investment and risk. Theseneed to be align...
4. Infrastructure &      1. Operational                                                                                   ...
4. Infrastructure &      1. Operational                                                                                   ...
4. Infrastructure &      1. Operational                                                                                   ...
4. Infrastructure &      1. Operational                                                                                   ...
Strategic approach
Strategies for tackling mobile risksDefining a Mobile Security ApproachAfter gaining an understanding of the key risks tha...
Deployment decisions Key decision points that drive strategy and the resulting architecture          Bring-Your-Own       ...
Mobility reference architectureStrategy Development      Applications Development (Design, Implement, Test)  Business Anal...
Bring Your Own Device(BYOD)
BYOD considerationsEmployees increasingly want to use their favorite mobile device for personal andbusiness use. They want...
Bring-Your-Own vs. Corporate Provided                                                Bring Your Own         Device and po...
Technology and vendorconsiderations
Mobile device and app management Technology                  Key Features                                     Example Vend...
Secure containers and mobile virtualization Technology                  Key Features                                    Ex...
Key takeaways
What are early adopters doing?Taking an organization and user-centric approach1. Understand the specific mobility use   ca...
Appendix
Appendix A: References            Current mobile landscape                                      Expected growth        Mo...
How Deloitte can help
Deloitte mobile security servicesDeloitte can assist you in creating a secure delivery framework for your mobilityinitiati...
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounti...
Upcoming SlideShare
Loading in …5
×

2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]

898 views
838 views

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
898
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
78
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]

  1. 1. Developing a Mobile SecurityStrategyWebinar for the institutions in the Universityof Texas SystemKieran NortonPrincipal, Deloitte & Touche LLPApril 2012
  2. 2. Webinar Essentials  Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/SWCAcademy.html.  If you wish to ask questions: • Click on the “Raise Hand” button . The webinar administrator will un-mute you at the appropriate time. Note: Remember to turn down your speaker volume to avoid feedback. • Questions may also be typed in the GoToWebinar Question panel.  CPE credit is available for this webinar for attendees who attend the live webinar. Please request credit by sending an email to the UT Systemwide Compliance Office at systemwidecomp@utsystem.edu.  Please provide your feedback in the post-session survey.1 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  3. 3. Table of Contents Problem Statement 2 Background 3-5 Mobile Ecosystem and Risk Landscape 6-12 Strategic Approach 13-16 Bring Your Own Device (BYOD) 17-19 Technology and Vendor Considerations 20-22 Key Takeaways 23-24 Appendix 25-292 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  4. 4. Problem statementSummary observations from the security assessments related to mobiledevices:• Lack of appropriate policies/guidance and procedures related to the use of mobile devices; e.g., PDAs, tablets, etc.• Proliferation of mobile devices with access to networks and applications, and no capability to track or inventory.• Increased risk of unauthorized exposure of sensitive information through mobile devices (e.g., patient information, proprietary research data, etc.) resulting in adverse impacts to UTS and the institutions, such as financial penalties, legal implications and damaged public image.3 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  5. 5. Background
  6. 6. The mobility landscapeMobile computing has been growing at a staggering rate across all age groups,income groups, industries, geographies and cultures and is widely expected tocontinue its exponential growth rate over the next five years. Current mobile landscape1 Expected growth1  Mobile cellular subscriptions  Approximately 470M smartphones surpassed 5B in 2010 (Gartner) will be sold globally in 2011 (IDC)  83% of US population owns  Approximately 980M smartphones cellphones; 35% of these are will be sold globally in 2016 (IMS) smartphones (Pew Research)  By 2015, global mobile data traffic  More than 410M smartphone devices volume will be approximately 25 have been sold globally so far times 2010 volume (FCC) (Forrester)  Tablets will reach one-third of US  Nearly 18M tablets were sold in 2010 adults by 2015 (Forrester) (IDC)  Tablet unit sales to total around 54.8M in 2011 and top 208M in 2014 (Gartner) Mobility and mobility services are not only gaining ground among consumers but also among enterprises1Note: Please refer Appendix for statistic references5 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  7. 7. Adoption of mobility trendsAt a high level, entities go through three stages of adoption for mobility. Mobility-Centric Innovation: • Develop completely new apps Business Impact/Number of Mobile Apps Mobilize Existing that leverage mobility benefits Applications: • Result: User-centered UX and • Develop new graphical user new productivity, CRM and interfaces (GUIs) on top of revenue opportunities existing business logic • Result: Acceptable UX and Mobile Veneer: noticeable productivity, CRM & revenue gains • Mobile access to existing apps • No mobile app development • Result: Poor user experience (UX) and negligible productivity, customer satisfaction or revenue gains Stage 1 Stage 2 Stage 3 Though mobility offers wide range of products and services, it has its own set of security vulnerabilities due to the changing threat landscape6 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  8. 8. Mobile ecosystem and risklandscape
  9. 9. Mobile security: Threat overlay on mobility ecosystem8 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  10. 10. Mobility risk categoriesEnabling mobility is a balance of technology, return on investment and risk. Theseneed to be aligned with business needs and strategies. When consideringdeveloping mobile solutions, or fine tuning an existing solution, it is necessary togain an understanding of the risks associated with mobility. These risks fall into fourmain categories: Mobility risk categories What makes mobile devices valuable 4. Infrastructure & 1. Operational from a business perspective – Device portability, usability and connectivity to the internet and corporate infrastructure – also presents significant risk. New risks have been introduced at the 3. Legal & 2. Technology & device, application and infrastructure Regulatory Data Protection levels requiring changes in corporate security policy and strategy.9 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  11. 11. 4. Infrastructure & 1. Operational Device1. Operational 3. Legal & 2. Technology & Regulatory Data ProtectionMobility poses unique risks and existing security and IT support resources andinfrastructure cannot be extended to cover mobile devices and applications withoutsignificant investment - in developing new skills, technical capabilities, operationalprocesses and deployment of a ‘mobility infrastructure’. A. Executives, users and customers are driving mobility decisions; operational risk considerations are not driving mobile security strategy B. Security controls can negatively impact usability, causing friction with employees and slowing adoption C. Increasing support demands may in turn outpace resource skill sets and technical capabilities D. Varied mobile OS implementations make it difficult to deploy a singular security solution E. Existing operational processes may not be efficiently designed or “mobile-ready” which can hinder expected productivity In one Deloitte case study, implementation of significant security controls led to 20% of the company’s mobile device users voluntarily opting out of the corporate program ... however it is unlikely users stopped using a mobile device10 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  12. 12. 4. Infrastructure & 1. Operational Device2. Technology and data protection 3. Legal & 2. Technology & Regulatory Data ProtectionMobile devices are valuable from a business perspective due to internetconnectivity, access to corporate infrastructure as well as mobile/cloud basedapplications. These benefits also result in greater potential exposure for theenterprise – with risks introduced at the device, application and infrastructure levels. A. End users may have the ability to modify device security parameters thus weakening the security controls B. Devices and memory cards are not encrypted by default or configured appropriately thus leading to potential data leakage/loss C. With use of cloud based applications, data protection becomes increasingly complex D. Many organizations are not able to enforce mobile OS patching and updating which may result in vulnerable devices E. Users often install unapproved applications or applications containing malware which poses information security risks As an example, 58 malicious apps were uploaded to an app store and then downloaded to around 260,000 devices before the app store pulled the apps11 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  13. 13. 4. Infrastructure & 1. Operational Device3. Legal and regulatory 3. Legal & 2. Technology & Regulatory Data ProtectionSecurity requirements may be complex, particularly if the organization operates inregulated industries. Employment labor laws, HIPAA requirements, privacyrequirements, e-discovery requirements, etc., may impact the overall mobilestrategy. A. Employees using use corporate devices for personal purposes and vice versa may give rise to significant data privacy issues B. The “bring your own device” trend raises ethical and legal questions around monitoring, device wiping, etc., upon employee termination C. Corporate usage of mobile devices by hourly employees can/will raise concerns around overtime labor law considerations D. Regulatory requirements to address e-discovery, monitoring, data archiving etc., can be complex and difficult to implement E. Data ownership and liability for corporate and employee owned devices used for business purposes is yet to determined In the Massachusetts data protection law (MA 201), responsibilities for protecting information on employee-owned devices used to access company resources may apply equally to the enterprise and the individual12 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  14. 14. 4. Infrastructure & 1. Operational Device4. Infrastructure and device 3. Legal & 2. Technology & Regulatory Data ProtectionThe diversity of device options and underlying operating system/applicationplatforms introduces a myriad of security risks and challenges. A. Mobile device attacks and varying attack vectors increases the overall risk exposure (extending the enterprise risk profile) B. Multiple choices in the devices, OS platforms, apps, etc., requires companies to employ diverse technologies expanding the attack surface C. Third party apps installed on corporate devices may contain vulnerabilities caused by developer mistakes or re-packaged malware D. Securing of mobile transmissions and channels is complex given a varied protocol landscape & the newer communication channels E. Mobile devices are easily lost or stolen in comparison with other IT assets (e.g., laptops) and remote wipe efforts frequently fail According to a recent survey, 36% of consumers in the US have either lost their mobile phone or had it stolen13 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  15. 15. Strategic approach
  16. 16. Strategies for tackling mobile risksDefining a Mobile Security ApproachAfter gaining an understanding of the key risks that affect your business, the next step isdetermining and defining your approach to a mobile security solution deployment. Whendetermining the right approach, it is important to understand your specific use cases andincorporate your key business drivers and objectives. Device centric Data centric Application centric Mobile device Minimal device data Developer training management (MDM) footprint Example controls Strict device policy Communications System development life enforcement encryption cycle Primary or multi-platform Local data encryption Virtualization IDE Secure Application distribution & containers/partitions Data integrity maintenance15 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  17. 17. Deployment decisions Key decision points that drive strategy and the resulting architecture Bring-Your-Own vs. Corporate Provided Manage Security In-House vs. Outsource Security 3rd Party Tools vs. Native Platform Tools Application Management vs. Application Guidance Full Data Access vs. Restricted Data Access16 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  18. 18. Mobility reference architectureStrategy Development Applications Development (Design, Implement, Test) Business Analysis Creative/UX/UI Design Enterprise Mobility App concept to (Opportunity ID, Infrastructure development Business Case) Cross-Platform Dev Native Development Mobile Enablement Sybase SUP, Objective C (iOS), Strategy/Roadmap HTML5, Adobe Java Business Mobile Solution Enterprise Systems Integration Strategy Architecture ERP, Web/Ecommerce Reporting/BI/DW End-to-end Network and Legacy Systems Enablement Design Mobile Middleware Mobility Readiness Enterprise Assessment Integration Data Mgmt Integration Security Industry Mobile AnalyticsRegulatory/Compliance/ Cloud and Social Feedback Security Analysis Security Business Strategy Mobile application Mobile security policy Mobile security strategy Mobile device and security and governance and architecture operations security App Concept to Development Mobility Infrastructure Deployment, Distribution, Management, Operations Mobile Device Operational / Organizational Management Enterprise Integration Strategy Readiness Product Mgmt IT Governance Security, Privacy & Compliance Enterprise App Store Enablement Support Readiness Note: Products listed for the above technology product vendors are their respective property.17 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  19. 19. Bring Your Own Device(BYOD)
  20. 20. BYOD considerationsEmployees increasingly want to use their favorite mobile device for personal andbusiness use. They want to store personal data and install games on devices they arealso using to access enterprise applications and data.If employees purchase their own device and plan, this can reduce telecom costs,however it creates several business challenges and security risks.Key Considerations • Bearing of device costs and associated usage fees • Support considerations associated with highly differentiated OS’s, platforms, hardware/devices, apps, etc. • Employee usage monitoring and device oversight • Legal, regulatory and privacy risk mitigation associated with corporate data made available on mobile devices • IT staffing and skill set requirements to support corporate issued and/or employee owned devices19 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  21. 21. Bring-Your-Own vs. Corporate Provided Bring Your Own  Device and possibly line costs incurred by employee PROS  Meets user desire to choose the device they like most, have a single phone number, etc.  Addresses increased demand by employees to connect personal devices to corporate networks  Limited device oversight and control  Increased challenges with enforcing legal and regulatory requirements CONS  Device and data ownership questions  Requires support for diverse platforms, OSes, devices; may negatively impact app strategy  Varied device service fees, lack of purchasing leverage (when chargeback/subsidies allowed) Corporate Provided  Tighter device oversight and control, more heterogeneous device environment (app strategy)  Streamlining devices, platforms and OSes simplifies IT support PROS  Direct relationship with carrier may be advantageous from a monitoring and security perspective  Device costs and service fees negotiated with service providers; increased purchasing power  Cost of providing devices and service fees  High employee demand for broader diversity in devices can lead to lower satisfaction and CONS adoption  May require potential increase in IT support staffing and skill set requirements  Privacy considerations with monitoring of employee usage and activity, etc.20 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  22. 22. Technology and vendorconsiderations
  23. 23. Mobile device and app management Technology Key Features Example VendorsMicrosoft • Over-the-air sync on mobile • EAS is a native tool included withExchange devices to existing Exchange Microsoft Exchange Server. If anActiveSync (EAS) Server infrastructure for email, organization has an existing contacts, calendar data, and more Exchange infrastructure they have • Basic device management access to EAS and its capabilities capabilities including allowing/blocking devices, and enforcing password requirementsMobile Device • Secure enrollment of mobile • Good TechnologyManagement devices to be managed • MobileIron(MDM) • Wireless configuration and • AirWatch updating of device settings • Zenprise • Monitoring and enforcing • Many others compliance with corporate policiesMobile • Secure mobile application • ApperianApplication distribution • AppceleratorManagement • Monitoring and enforcing • App47(MAM) compliance with app policies • Nukona • Reporting on approved/rogue • Mocana apps • MobileIron* • AirWatch* • Zenprise* * MAM functionality included with primary MDM offering Note: Products listed for the above technology product vendors are their respective property. Copyright © 2012 Deloitte Development LLC. All rights reserved.
  24. 24. Secure containers and mobile virtualization Technology Key Features Example VendorsSecure Container • Secure area on device for housing • Good TechnologySolutions enterprise data and applications • Sky Technology • Container content is encrypted and separated from rest of device • Allows more granular control of enterprise data (e.g., remote wipe container only)Mobile • Allows multiple mobile operating • VMWareVirtualization systems to run simultaneously on • Open Kernel Labs a single device • Red Bend Software • Personal and corporate content is separated with each running in its own virtual device Note: Products listed for the above technology product vendors are their respective property. Copyright © 2012 Deloitte Development LLC. All rights reserved.
  25. 25. Key takeaways
  26. 26. What are early adopters doing?Taking an organization and user-centric approach1. Understand the specific mobility use cases2. Understand key mobility risks that affect the organization and its constituents3. Incorporate key business drivers and objectives4. Implement security controls through both policy and technology5. Enable, not disable adoption of new innovations (it’s not stopping here…) Define Mobile Technology Architect & Security Acquisition & Design Requirements Deployment Copyright © 2012 Deloitte Development LLC. All rights reserved.
  27. 27. Appendix
  28. 28. Appendix A: References Current mobile landscape Expected growth  Mobile cellular subscriptions surpassed 5B in  Approximately 470M smartphones will be sold 2010 (Gartner) globally in 2011 (IDC) http://my.gartner.com/resources/213800/213866/m http://www.idc.com/getdoc.jsp?containerId=prUS obile_and_contextaware_bran_213866.pdf?li=1 22871611  83% of US population owns cellphones; 35% of  Approximately 980M smartphones will be sold these are smartphones (Pew Research) globally in 2016 (IMS) http://pewresearch.org/pubs/2054/smartphone- http://news.softpedia.com/news/One-Billion- ownership-demographics-iphone-blackberry- Smartphones-a-Year-by-2016-IMS-Research- android Says-213740.shtml  More than 275 million iPhones and BlackBerrys  By 2015, global mobile data traffic volume will be and 135 million Android devices have been sold approximately 25 times 2010 volume (FCC) globally (Forrester) http://www.cisco.com/en/US/solutions/collateral/n http://www.forrester.com/rb/Research/global_main s341/ns525/ns537/ns705/ns827/VNI_Hyperconn streaming_of_smartphones/q/id/60762/t/2 ectivity_WP.html  Nearly 18 Million Tablets were sold in 2010 (IDC)  Tablets will reach one-third of US adults by 2015 http://www.engadget.com/2011/03/10/idc-18- (Gartner) million-tablets-12-million-e-readers-shipped-in- http://www.forrester.com/rb/Research/why_tablet 2010/ _commerce_may_soon_trump_mobile/q/id/5909 6/t/2 Other  Tablet unit sales to total around 54.8 million next year and top 208 million in 2014 (Gartner)  MA 201 http://my.gartner.com/portal/server.pt?open=512 http://www.mass.gov/ocabr/docs/idtheft/201cmr17 &objID=260&mode=2&PageID=3460702&resId= 00reg.pdf 1451714&ref=QuickSearch&sthkw=milanesi  Lost phone survey http://www.symantec.com/about/news/release/arti cle.jsp?prid=20110208_0127 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  29. 29. How Deloitte can help
  30. 30. Deloitte mobile security servicesDeloitte can assist you in creating a secure delivery framework for your mobilityinitiatives from inception to ongoing operation. We can help you set the proper riskbalance between control, efficiency and user experience. Our security and privacyspecific services include: Deloitte’s mobility security services Mobile security strategy & architecture Mobile security risk assessment Mobile infrastructure security Mobile device & operations security Mobile application security testing Secure SDLC for mobile applications Mobile security policy management Mobile security training & awareness Incident investigation & response Mobile device forensicsWe also leverage the resources of the Deloitte Center for Security & PrivacySolutions that conduct original research and develop substantive points of view tohelp executives make sense of and profit from emerging opportunities on the edgeof business and technology.29 Copyright © 2012 Deloitte Development LLC. All rights reserved.
  31. 31. This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business,financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice orservices, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking anyaction that may affect your business, you should consult a qualified professional advisor.Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.Copyright © 2012 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited

×