Securing the mobile enterprise - Sydney 24 Mar 2014
Smart mobile devices will find their way to nearly two-thirds of the world's mobile workforce by 2015.
Having to carry two devices represents a clear opportunity for a better solution, one that must satisfy the needs of both IT professionals and the mobile users they serve.
Mobility has ranked among the top enterprise priorities during the last year, and enterprises are set to increase their financial investments in mobile devices, applications, middleware and services.
24 March 2014 PARAG DEODHAR 2
• Document Management Systems (DMS), Field Force Automation (FFA), Salesforce Automation (SFA), Customer Relationship Management (CRM), and Enterprise Resource Planning (ERP).
• Minimize paperwork, reduce back-to-office visits, improve productivity, and achieve higher sales closing ratios by simplifying and automating their day-to-day processes.
• Unified Communications (UC), Location-based Services (LBS), and Business Intelligence (BI).
• Anytime, anywhere, any device real-time communication and collaboration capabilities to employees. Enterprises can leverage LBS to track vehicles and employees in real-time, while information can be extracted, analyzed and reported
• Mobile Point-of-Sale (MPOS), Social Networking Services (SNS), Financial Management System, Human Resource Management
• Enhance brand image, facilitate efficient administration of internal
• Consumerization of IT is driving new devices and access requests
• Companies need to accept and address the
• People expect to work on multiple devices and from anywhere
• Companies need to provide access to applications and data from any device
• IT needs to change its processes and tools to manage the devices, taking security into
Globally, 88% of employees are using their personal computing technologies for business
The Blame Game – why company-provided tools are not used?
– The system is too complicated and takes too long
– External partners have trouble accessing files I sent through company tools
– The company does not offer mobile access – convenience…
– I was never trained to use company systems
Source: Ponemon Institute
Survey shows that use high risk methods to store or
Other devices – Tablets / Smartphones
– Company Owned
• Shared devices
– Data segregation
– Data Leakage
– Personal Data on device
– Unverified apps
– Lost, Stolen
Infecting legitimate web resources
– Mobile malware spreads via popular websites. More and more smartphone and tablet owners use their devices to access websites, unaware that even the most reputable resources can be hacked.
Distribution via alternative app stores
– In Asia there are numerous companies producing Android-based devices and Android apps, and many of them offer users their own app stores containing programs that cannot be found in Google Play. The purely nominal control over the applications uploaded to these stores means attackers can conceal Trojans in apps made to look like innocent games or utilities.
Distribution via botnets
– Bots self-proliferate by sending out text messages with a malicious link to addresses in the victim's address book. We also registered one episode of mobile malware spreading via a third-party botnet.
Criminals are increasingly using obfuscation, the deliberate act of creating complex code to make it difficult to analyze. The more complex the obfuscation, the longer it takes an antivirus solution to neutralize the malicious code.
Android devices account for 60% of the infections observed in the mobile network. Malware takes the form of Trojanized apps, with phishing spam campaigns luring victims into installing the infected apps.
– Android has the largest smartphone market share, which maximizes the criminals' RoI.
– Android offers the ability to load apps from third-party app sites: an un-policed mechanism for distributing malware.
– It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will automatically inject malware into an existing application. This is only exacerbated by Android's incredibly weak app signing policy, which encourages using self-signed certificates to sign applications.
– Information Stealers
– Spy Phone
– SMS Trojans
– Banking Trojans
– Fake Security Software
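As an added example (not from the deck), the compliance check an MDM agent or corporate app store could run over a device's app inventory to catch the repackaging pattern described above: the same package name signed by a different key, or an app installed from outside the sanctioned stores. Package names, installer ids and certificate bytes below are constructed; `com.example.corpstore` is a hypothetical corporate store.

```python
"""Compliance check over an MDM-style app inventory (added example, not from the deck).

A repackaged Trojanized app keeps the victim app's package name but cannot reproduce the
vendor's signing key, so its signer fingerprint differs; a sideloaded app arrives through
an installer other than the trusted stores. Both conditions are flagged here.
"""
import hashlib
from dataclasses import dataclass

# Constructed allowlist: package name -> expected signer SHA-256 (hex). In practice these
# come from the vendor or the corporate app store, never from the device being checked.
APPROVED_SIGNERS = {
    "com.example.crm": hashlib.sha256(b"constructed-vendor-cert-crm").hexdigest(),
    "com.example.dms": hashlib.sha256(b"constructed-vendor-cert-dms").hexdigest(),
}
# Installers considered trusted: Google Play and a hypothetical corporate store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.corpstore"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    signer_sha256: str  # hex SHA-256 of the DER-encoded signing certificate
    installer: str      # package name of the installing app ("" if unknown)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, as the MDM agent would report it."""
    return hashlib.sha256(cert_der).hexdigest()


def check_app(app: InstalledApp) -> list[str]:
    """Return findings for one app; an empty list means compliant."""
    findings = []
    expected = APPROVED_SIGNERS.get(app.package)
    if expected is not None and app.signer_sha256 != expected:
        findings.append("REPACKAGED")  # known package name, unknown signing key
    if app.installer not in TRUSTED_INSTALLERS:
        findings.append("SIDELOADED")  # third-party store, browser download or adb
    return findings


def audit(inventory: list[InstalledApp]) -> list[tuple[str, list[str]]]:
    """List every non-compliant app as (package, findings), preserving inventory order."""
    return [(a.package, f) for a in inventory if (f := check_app(a))]
```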
– Fools the MDM agent by patching the device, leaving no trace for the MDM agent to detect that the device is jailbroken or rooted.
– Gains high-privilege access and can access all communications that happen on the device, including all encrypted emails and secured highly confidential documents, and then sends this content to the attacker's command and control (C&C) servers.
– Bypasses container encryption by grabbing the information at the point where the user pulls up the data to read it.
Mobile Device Tunnel Borers
– Since the tunnel is typically created on allowed ports (e.g. port 22, SSH), it cannot be blocked by firewalls or IDS/IPS solutions.
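Because a port-based rule cannot see what rides inside an allowed port, the defender's check is behavioural. As an added example (not from the deck), the code below scores SSH flows leaving a mobile device segment against a sanctioned bastion, session length and outbound volume; the subnet, bastion address, thresholds and flow records are constructed.

```python
"""Behavioural check for tunnels riding on an allowed port (added example, not from the deck).
A firewall rule that permits 22/tcp cannot see what is inside, so this looks at who a mobile
device talks to over SSH, for how long, and how much it pushes out."""
import ipaddress
from collections import namedtuple

MOBILE_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # constructed: Wi-Fi range for phones/tablets
SANCTIONED_SSH = {ipaddress.ip_address("10.1.5.10")}  # constructed: the one bastion staff may reach
LONG_SESSION_S = 1800          # ~30 min: interactive SSH from a handset rarely lasts this long
BULK_UPLOAD_BYTES = 5_000_000  # 5 MB outbound over SSH from a handset is unusual

Flow = namedtuple("Flow", "src dst dport duration_s bytes_out bytes_in")

# Constructed flow records (NetFlow-like export, whitespace separated).
SAMPLE_FLOWS = """\
# src dst dport duration_s bytes_out bytes_in
10.20.3.7 10.1.5.10 22 120 20000 80000
10.20.3.7 203.0.113.9 22 7200 250000000 3000000
10.20.4.2 198.51.100.5 22 60 4000 9000
10.5.1.1 203.0.113.9 22 9000 900000000 1000
"""

def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst dport duration_s bytes_out bytes_in' lines, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        s, d, p, t, bo, bi = line.split()
        flows.append(Flow(s, d, int(p), int(t), int(bo), int(bi)))
    return flows

def tunnel_indicators(flow: Flow) -> list[str]:
    """Reasons a flow looks like a tunnel; an empty list means not suspicious."""
    if flow.dport != 22 or ipaddress.ip_address(flow.src) not in MOBILE_SUBNET:
        return []  # only SSH leaving the mobile segment is in scope here
    reasons = []
    if ipaddress.ip_address(flow.dst) not in SANCTIONED_SSH:
        reasons.append("UNSANCTIONED_DEST")
    if flow.duration_s >= LONG_SESSION_S:
        reasons.append("LONG_LIVED")
    if flow.bytes_out >= BULK_UPLOAD_BYTES:
        reasons.append("BULK_UPLOAD")
    # An unsanctioned destination alone may be a typo; require corroborating behaviour.
    return reasons if len(reasons) >= 2 else []

def suspicious(text: str) -> list[tuple[str, str, list[str]]]:
    """(src, dst, reasons) for every flow in the export that trips the tunnel heuristic."""
    return [(f.src, f.dst, r) for f in parse_flows(text) if (r := tunnel_indicators(f))]
```

On the sample export only the second record is reported: an unsanctioned destination reached from the mobile range for two hours with 250 MB pushed out, while the short hop to the bastion and the non-mobile source are ignored.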
• High Cost = Device + Management
• Allow personal data – risk of "pirated" software / images / videos on corporate
• Generally single OS/brand/model – easy to manage but no choice for employees
• Increases Productivity – myth or fact?
• Lower cost
• Multiple OS/brands/models to manage
• Employee privacy – does law allow data wiping on assets owned by someone else?
• Ability to ensure the proper protection around the entire device and ensure compliance with the set
• Central management of all mobile devices and ability to check compliance of each device.
• Security around the information is
• Ability to apply controls becomes
• Monitoring becomes significantly
• Centralized location for data and
• Ability to access information from almost any device and share between multiple platforms
• Loss of native apps and the "look and feel" of what the user is typically accustomed to
• Intrusive management & lock down
• Degraded user experience and
• Electronic Discovery difficult.
• Inability to separate personal data from company data.
• Policies are pushed only to the container; user experience is not impacted for the entire phone.
• Applications within the container
• Support single-sign-on
COMPLY WITH APPLICABLE LAWS AND REGULATIONS
FOCUS ON DATA – NOT ON DEVICE
POLICY AND TRAINING / AWARENESS
END USER AGREEMENT
LIST OF ALLOWED DEVICES
CHOOSE THE RIGHT MDM / MAM / MIM SOLUTION
– YOUR ENVIRONMENT & DEVICES
– DATA FLOW AND ACCESS REQUIREMENTS
– CONVENIENCE vs. SECURITY
• CONTAINERIZATION & DEVICE LEVEL POLICIES
• SECURE WIPE
• IDENTITY AND ACCESS
– EMPLOYEE PERSONAL DATA PRIVACY
– CORPORATE APP STORE
– INTEGRATION WITH DLP & DRM
MOBILE SECURITY SOLUTIONS
IMPLEMENT ENHANCED NETWORK SECURITY FOR MOBILE GATEWAYS
TRAIN APPLICATION DEVELOPERS IN SECURE CODING PRACTICES FOR MOBILE DEVICE PLATFORMS
LIMIT THE SENSITIVE DATA TRANSFERRED TO MOBILE DEVICES, OR CONSIDER VIEW‐ONLY ACCESS.
PERFORM TECHNICAL SECURITY ASSESSMENTS ON MOBILE DEVICES AND THE SUPPORTING INFRASTRUCTURE — FOCUS ON DEVICE-SIDE DATA STORAGE.
ESTABLISH A PROGRAM THAT CONTINUALLY EVALUATES NEW AND EMERGING THREATS IN MOBILE PLATFORMS.
AUDIT THE DEVICES…