Two Peas in a Pod: Cloud Security and Mobile Security

All enterprises today are
  • Will there be non-mobile end-user devices in 10 years? In 15 Years? Can you have a separate security program for just mobile?
  • homeshoring
  • Data anywhere is good, data everywhere is bad. Mobile ↔ Cloud: two sides of the same coin: User / Client / Consumerization of IT – Provider / Server / Democratization of IT
  • Fragmentation (hardware, OSs, applications, operators). The market is currently too fragmented for targeted attacks to be lucrative; security testing requires access to many resources.
    Physical: physical security is almost non-existent and physical access is easier. When cell phones are lost or stolen, people immediately notice that they're gone and have them deactivated, reducing the potential risks associated with active cell phones. Limited physical control: physical access is easier (increased theft, loss, breach). Mobile handsets are ultra-portable; therefore, physical security is almost non-existent.
    Communication: increasing processing power: treat mobile devices with the same care and caution as full workstations. Multiple communication mechanisms: Bluetooth, Wi-Fi, IR, cellular, USB; dual-mode devices (Wi-Fi). Limited bandwidth creates unique obstacles that a developer must cope with by implementing bandwidth consumption reduction techniques such as caching of data. DDoS is easier.
    Certificate and signing: Symbian Signed Program: digitally sign applications so developers are traceable. The three Symbian Signed test houses are mPhasis, NSTL and Sogeti.
    Apps: developers are still learning best practices. Mobile apps function more like native apps or thick clients rather than utilizing a standard browser. Mobile apps are not restricted to using standard HTTP/HTTPS as their communication protocol.
    Devices: local storage: more info is stored locally (caching) since you may not always have connectivity. Local data storage techniques vary by manufacturer, so multiple variations of handsets must be considered during testing. Many operating systems (Symbian, J2ME, BREW, iPhone): multiple OS variants are used throughout the mobile phone industry, causing several variations of a single application to be developed for each platform. Each environment has its own idiosyncrasies that must be dealt with during development. Devices have varying levels of support for various technologies, so implementing secure authentication, secure data storage and secure communications across all devices becomes difficult with a single mechanism.
    Cost: spam costs the user (SMS, data, voice).
    Must be flexible: "Unlike the PC market, there will continue to be a lot of churn in the mobile device market. Companies are going to have to deal with consumer devices because they can't do an adequate job of picking corporate standard devices," he says. "If you create a standard device list but don't readdress it for three years, that's six generations of mobile products. Your users are never going to have the best mobile devices."
    Must be quick: "We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."
    Convergence: market is too fragmented for targeted attacks to be lucrative: hardware, OSs, applications, operators. Fixed-Mobile (Wi-Fi – cellular); Voice + Data; PC + Phone; Dead Spot -> Hot Spot (femto cells).
  • ISO 27002 Control Areas
  • "ignoramus et ignorabimus" = "we do not know and will not know"
  • Energizer Duo Battery Charger: the Trojan may have been in the software since it was first offered three years ago. Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning. Read more: http://news.cnet.com/8301-27080_3-10465429-245.html#ixzz1I1Wa6YyO
  • *This is starting to become unacceptable to the business.
    Forcing encryption of data at rest on mobile devices. Forcing secure connectivity on unsecured public networks. Ensuring unauthorized mobile devices do not have access to the corporate network or company data. Ensuring mobile user spending is in line with the mobile policy and additional costs can be recovered.
    BB is more enterprise friendly: over-the-air provisioning, authentication, data encryption, monitoring and decommissioning (remote bricking).
    Set the device to auto-lock. After each usage session, the device should automatically lock and require re-authentication. Auto-lock does not affect the phone function, and allows the phone to be answered promptly without entering the password.
    Keep the device out of sight when not worn. It is risky to leave handheld data devices unguarded – even in the household. They are often targeted in break-ins because they are very easy to conceal and they usually carry important information. Instead of leaving them in plain sight, keep them in a drawer or somewhere within reach.
    Handheld devices should be enterprise property. While it may be more convenient from an asset management point of view to allow employees to purchase their own handheld data devices, it is problematic in terms of data management. It is much easier to provide the devices for employees, and require them to be returned to the enterprise at the conclusion of employment.
    Before an employee departs, obtain the device and remove corporate data. This policy should apply to any personal devices. A condition for allowing staff to connect their devices to the enterprise network should state that the enterprise may examine the device and delete corporate data at the enterprise's initiative. Keep an updated list of who owns a handheld data device, and make sure the device is examined before an employee leaves. Ensure that all pertinent information including address books and e-mails is deleted.
    Have a clear policy on remote data deletion and do not hesitate to execute it. Devices should be classified according to the sensitivity of the data they carry. For devices carrying highly sensitive data, the time to deletion should be almost immediate. For devices containing less sensitive data, more time should be permitted for the recovery attempt before the deletion is executed.
  • (Encourage vendors to support multiple platforms consistently.) Storage; applications (internally and externally delivered); in transit (internal, external and partners).
  • "If the primary aim of a captain were to preserve his ship, he would keep it in port forever." [Thomas Aquinas]
  • For the latest version, please contact Omar Khawaja.
    Actively participate in 30+ standards / certification bodies, professional organizations and vertical-specific consortia. Verizon Business manages 260,000-plus security, network and hosting devices across more than 4,200 customer networks in 142 countries and territories. Privacy Rights has tracked only 263 million breached records from Jan '05 to July '09 (http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total).
    Threat & Vulnerability Intel: track and analyze new software vulnerabilities and related attacks.
    Underground Intel: watch discussions, code sharing, planning, ... Historically BBS, then Usenet, now more IRC and cons...
    ICSA Labs Intel: security product testing and security consortia operations. 400+ products.
    Forensics Intel: data and intel from forensics investigations (200+ cases per year).
    MSS Intel: data from IDS, FW, IPS, applications… Management & monitoring, SOC operations.
    Net Intel: data from backbone. Sensors on more than 1 million VzB addresses. Netflow, honey nets, honey pots…
    Studies & Surveys: VzB studies, surveys (10+/yr), others' published data to drive risk models, equations & methodology.

Presentation Transcript

  • Mobile Security: Is there an opportunity?
    Omar Khawaja
    March 30th, 2011
  • Future of Enterprise IT Infrastructure
    2
  • What is “mobile”?
    Smarter, faster…
    3
    …and blurrier
  • Everything is converging…
    4
    …to make security more challenging?
  • The new world…
    5
    …doesn’t exist without mobile and cloud
  • What makes mobile riskier?
    Convergence
    Mobile misuse can cost
    Small physical footprint
    Increasing processing power
    Multiple communication channels
    Increasing bandwidth
    Ownership
    Storage
    Fragmentation
    Applications
    Data
  • How do you secure mobile?
    Security Technology Elements
    7
    Security Program Elements
  • Multiple Approaches
    8
    Security Programs
    Security Technology Sets
  • Security leaders care most about…
    9
    Breach Prevention
    • Requires preventing data from being breached
    Compliance
    • HIPAA, GLBA, PCI, State Breach Laws , etc. govern specific types of data
    Costs…
    • of securing data
    • of maintaining compliance
    • of enabling business in the information age
    The Business Cares About Data!
  • Treating Data
    10
  • ignoramus et ignorabimus?
    11
    Source: Verizon DBIR
    Minimize data and access to it!
  • What about apps?
    33% of NA smartphone owners download apps
    Multiple versions
    Location based apps / social networking will increase
    Games continue to dominate among apps
    Users continue to demand greater usability
    10 billion app downloads from Apple's App Store in 2010
    Signed Apps = Secure Apps?
    12
    Can’t impede app proliferation, but how do you know which to trust?
  • What about everything else?
    Force encryption of data at rest on mobile devices
    Force secure connectivity on unsecured public networks
    Ensure unauthorized mobile devices do not have access to corporate LAN*
    Ensuring mobile user spending is in line with the mobile policy and additional costs can be recovered
    Over-the-air decommissioning (remote bricking)
    Authentication: set the device to auto-lock; set clipping level
    Keep device out of sight when not worn
    Handheld devices should be enterprise property
    Before an employee departs, obtain device and remove corporate data
    Have a clear policy on remote data deletion and do not hesitate to execute it
    Classify data according to the sensitivity of the data they carry
    Only permit digitally signed applications
    Be agile – quickly and flexibly adapt to changing mobile landscape
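The slides ask "Signed Apps = Secure Apps?" and list "only permit digitally signed applications" as a control. The added example below (not part of the original deck; all keys, package names and payloads are constructed) shows what an admission check of that kind can and cannot establish: a valid signature from a publisher on the enterprise's trusted list proves who released the package and that it has not been altered since, while a package that merely carries some valid signature from an unknown publisher proves nothing about trust. The Ed25519 signing, the name-binding digest and the `AdmitPackage` policy are this example's own choices, not the Symbian Signed program's mechanics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for an installable mobile application:
// a name, the application bytes, the publisher's Ed25519 public key and a
// signature over the digest of name and bytes.
type Package struct {
	Name      string
	Payload   []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// digest binds the package name to its contents so a signature cannot be
// transplanted from one package onto another with the same payload.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	h.Write(payload)
	return h.Sum(nil)
}

// SignPackage is the publisher-side step: the build pipeline signs the digest.
func SignPackage(name string, payload []byte, priv ed25519.PrivateKey) Package {
	return Package{
		Name:      name,
		Payload:   payload,
		Publisher: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(name, payload)),
	}
}

var (
	ErrUnsigned           = errors.New("package is unsigned")
	ErrUntrustedPublisher = errors.New("publisher not on trusted list")
	ErrBadSignature       = errors.New("signature does not verify")
)

// AdmitPackage is the device/enterprise-side policy "only permit digitally
// signed applications": signed, by a publisher we have chosen to trust, and
// the signature must match the exact bytes about to be installed.
// trusted maps hex-encoded publisher public keys to true.
func AdmitPackage(p Package, trusted map[string]bool) error {
	if len(p.Signature) == 0 || len(p.Publisher) == 0 {
		return ErrUnsigned
	}
	if !trusted[hex.EncodeToString(p.Publisher)] {
		return ErrUntrustedPublisher
	}
	if !ed25519.Verify(p.Publisher, digest(p.Name, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs the four cases an admission policy has to distinguish and
// returns the decision for each. Keys derive from fixed constructed seeds
// so the run is reproducible.
func Demo() map[string]error {
	seed := func(b byte) []byte {
		s := make([]byte, ed25519.SeedSize)
		s[0] = b
		return s
	}
	trustedPriv := ed25519.NewKeyFromSeed(seed(1)) // enterprise-approved publisher
	otherPriv := ed25519.NewKeyFromSeed(seed(2))   // some other publisher

	trusted := map[string]bool{
		hex.EncodeToString(trustedPriv.Public().(ed25519.PublicKey)): true,
	}

	good := SignPackage("expense-app", []byte("v1.0 expense tracker"), trustedPriv)

	tampered := good // same signature, bytes changed after signing
	tampered.Payload = []byte("v1.0 expense tracker (modified)")

	unsigned := Package{Name: "game", Payload: []byte("free game")}

	// Correctly signed, but by a publisher the enterprise never vetted:
	// "signed" on its own is not "trusted".
	otherSigned := SignPackage("flashlight", []byte("flashlight app"), otherPriv)

	return map[string]error{
		"good":      AdmitPackage(good, trusted),
		"tampered":  AdmitPackage(tampered, trusted),
		"unsigned":  AdmitPackage(unsigned, trusted),
		"untrusted": AdmitPackage(otherSigned, trusted),
	}
}

func main() {
	for name, err := range Demo() {
		if err == nil {
			fmt.Printf("%-10s admitted\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

The trusted-publisher list is the part the slides' question turns on: a signature lets you trace a package to its developer and detect modification in transit, but deciding which publishers belong on that list (and reviewing what they ship) is a separate program decision that no signature check makes for you.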
  • An approach…
    Inventory data (technical and consultative)
    Destroy any unnecessary data
    Associate data access w/ users, roles
    Ensure only users that need access to data have access to it (access governance)
    Assign sensitivity level to data types (tier by quantity) - based on business impact
    Assign control requirements for each data set
    Determine feasible controls for each environment (mobile, cloud, etc.)
    Identify how (vendor, etc.) to implement controls across each platform
    For each platform, define what access level (to each of the data sets) is allowed based on residual risk
    14
  • Slight shift in focus
    15
  • Finally…
    Follow the data
    Consistent security controls
    Start w/ the business (data), not the controls
    Simplify security program
    Closely align mobile and cloud security
    16
    Doing Things Right

    Doing the Right Things
  • Questions
    Omar Khawaja
  • Verizon Security Solutions