As security professionals, we live in a world where fear uncertainty and doubt are often the cause for action. I have observed countless clients who were caught askew by the mobile needs of the enterprise. Be it BYOD, deployment of tablets in the enterprise or consumer applications, we find security departments reacting to these needs.There is plenty of evidence that the risk is real - Just last week, Japanese cops arrested five developers accused of planting malware in smartphone applications. A video app for Android phones created by the group allegedly harvested 10 million pieces of personal information from 90,000 smartphones. Apparently, the apps were marketed to customers by adding the phrase "The Movie" to popular game titles.However, the opportunity is real too.This talk is about how security enables mobile innovation. My hope is that you are left with a balanced view where security is about managing information risks but more importantly about our role in building new mobile services and capabilities
Lets ask a fundamental question: Why is the mobile platform so popular?The big push towards Mobile is because a) it offers unprecedented scale of adoption across all demographics and across every continent, b) Mobile is affordable, thanks to Moore’s law – where computation power doubles every two years resulting in more capable devices in our hands, c) More capable devices in the hands of users results in the network effect increasing the utility for users and business. I will now discuss three mobile innovation examples and security’s role in its enablement.
In the first example, Mobile services are transforming the life of farmers in India. This one is personal to me, I have personal seen how farmers have traditionally waited in lines to receive information and subsidies.The World Bank has conducted numerous studies that prove that Mobile technology can be used to help raise farmers’ incomes, making agricultural marketing more efficient, lowering information costs, reducing transport costs, and providing a platform to deliver services and innovate. A world bank study found that farmers equipped with information have a stronger bargaining position within existing trade relationships, in addition to being able to seek out other markets.Farmers have little information about market prices in urban areas. The result of this information asymmetry is price dispersion—the same goods sell for widely different prices in markets merely a few kilometers apart. Mobile services have enabled farmers to achieve a much more direct connection to marketsIn India Farmers access information, link Farmer credit to phones to receive subsidies and government and other NGO services.So lets examine the enabling security aspects:Managing digital identities of consumers and linking them to phone numbers, here security enablesCRM linked to identities e.g. crops sowed, localized services - local weather forecasts transmitted through SMS Protecting the confidentiality and integrity of services provided, here security enablese.g. benefits received to those who need it as compared to middle men who have traditionally deprive farmers of the full benefitsPreventing and detecting fraudLets now take a look at an example right here in the US.
In this example, patients are able to locate doctors on-demand. As you know the process for getting a doctor to see you is onerous, mobile services have made it possible for patient to connect with doctors. Now patients can access millions of doctors by specialties and obtain an appointment.In this case security is enablingUniquely identifying patients Protecting the patient- physician relationship, appointment historyIn both these examples, the consumer is the center of focus. Business has little control over the consumer device, yet as many studies point out, consumers expect that Business’ are protecting their information. Let us look at a different example focused on the corporate workforce.
In this example, a drug company’s salesforce tool of choice is the tablet. For pharma company reps, getting time with physicians and making effective use of the time is a challenge. Reps often get very little time with Doctors, sometimes as little as 5 minutes. Leading drug companies are utilizing tablets for their physican encounters - showing product capabilities, test results, ordering samples, taking call notes and capturing physician signatures for compliance. Vendors have already written cloud-based applications (e.g. CRM) to enable the Reps to use the tablet as their only computing device.So lets see what security does for drug companies:protection of the information stored on the tablet (e.g. call notes) share encounters details with other sales reps and partnerstransmission and storage of information for cloud applicationssecurity of the tablet itself (policy, compliance and lost device management)
The three examplesdemonstrate that business’ see tremendous opportunities in mobile, both in terms of growing the business and improving the efficiency. IDC’s survey shows what business values most. Three of the responses are focused on revenue/profits while the others are focused on improving efficiency. We find that these benefits are often noted in the business case. We would do well as security professionals to link mobile security initiative to these benefits.
So now that we have some real examples, lets examine some of the macro trends. These trends will only further accelerate mobile innovation.
In 2012, we have seen a growth rate of a million Smartphone's a week. Mobile scalability and a more capable device in the hands of users will only cause business to provide additional services to users. As security professionals, we should expect thatmobile device tobecome a authentication token for connectivity and access.sensitive information is stored and transmitted by mobile devicesLocation based services offered to consumersPrivacy and cross boarder data transfer are a given
its no surprise that mobile internet traffic too has steadily grown. As more mobile services are offered, automating security capabilities becomes an imperative, particularly around Mobile forensics, reporting, log management, intrusion detection and response.
While there are a number of Mobile OS platforms, winners are emerging. Security practitioners will do well to focus on IOS, Android and Windows Mobile/RT. Again basic blocking and tackling are essential – e.g. Mobile OS platform hardening standards.
Mobile applications on smart phones have seen tremendous growth. Security professionals have to get involved with business in understanding what the applications do to Information and how: Protecting not just the device but also the applications and the information handled by the application For Location based services – the privacy and any derivative risks must be understood by evaluating scenarios, lets also not over-react Recognize that many of these applications will link to the cloud (sometimes in a store and transmit mode) and the social media. Security is integrated into the Mobile SDLC
Here is an interesting study on how the cloud and Social media are an integral part of the Mobile ecosystem.The study also reveals that 88 percent of mobile professionals use social networks, with 60 percent of them leveraging social media platforms to market their businesses. Many mobile professionals, 80 percent of them, feel it is critical to have access to information while outside of the office. Devices and services that help them stay connected while away from their desk include WiFi, text messages, smartphones, apps, notebook/netbook, iPad and cloud computing.Moral of the study: Don’t just consider Mobile, Social Media and Cloud are equally important and complementary technologies.
- Mobile and Social Media will both drive higher cloud usage, the risks stem from intermingling of data, loss of corporate control across geographies, and employee/partners continuing to access data much after separation.- Cloud applications and a place to store content are big reasons why user’s will naturally opt for cloud usage.
Mobile behaviors present risks both in terms of activities that we know about and activities that are as yet unimagined.New Apps are designed with the cloud and social media in mind (e.g. send photo to Social networks, social media in car) Have you noticed how Iphones now automaticaly pull-up the facebook picture in your contacts?IT discourages device storage which is driving data center/cloud data storage.
Ok so lets take a quick look at risks
Its probably no surprise that mobile cloud and social media have further blurred the information perimeter. Security professionals have to focus on the risks to not just the Infrastructure but also the mobile Application platforms and how they integrate with the cloud and social media.
Not a day goes by when we don’t hear about Mobile attacks, allow me to summarize what we have seen so far.Initially J2ME and Symbian but more attacks are emerging for Android OS. According to McAfee Mobile threat report:One significant change in the first quarter of 2012 was Android’s becoming the most targeted platform for mobile malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth.We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones. Attacks progressed from proof of concept to financially motivated attacks to ransomware in just 3 years!
So if you only had to worry about three risks, what would those be? According to the Mobile Threats working group prepared by the Cloud Security Alliances, its no surprise that the top three threats are focused on the Infrastructure and applications.Top CSA report Threats:1. Data loss from lost, stolen or decommissioned devices.2. Information-stealing mobile malware.3. Data loss and data leakage through poorly written third-party apps.4. Vulnerabilities within devices, OS, design and third-party applications. 5. Unsecured WiFi, network access and rogue access points.6. Unsecured or rogue marketplaces.7. Insufficient management tools, capabilities and access to APIs (includes personals).8. NFC and proximity-based hacking.Real stories from the field:1. In 2010, a major bank’s mobile application accidentally saved account numbers, bill payments and security access codes. 2. The Korean Financial Intelligence Unit has recorded cases of cyber gaming, cross border remittance and swindling using mobile FS channels. 3. In Brazil, poor people were targeted and paid by criminals to open bank accounts equipped with remote access channels (internet or mobile). After the accounts were opened, the authorized users would hand over their passwords to criminals. 4. In India, a Duplicate SIM card was issued to an imposter with the fake driver license of the victim resulting in a loss of roughly $5,000.5. Recent Trojan captures all text messages from phone.
returning back to our original theme…
Our joint survey with CSO magazine reveals that Social Media, Mobile and Cloud adoption is moving at a much faster pace than the business’ ability to protect. Use of personal and corporate issued devices is claimed to be a challenge, but its been happening in the PC/Laptop world for at least a decade. So what complicates Mobile security?
Device Diversity/Complexity – Explosion in device types and a desire to accommodate devise diversity is a complicating factor. Short device lifespans will increase management costs. Employee/partner desire to bring their own device will challenge IT organizations. IT organization will need to govern device proliferation.Advanced Persistent threats– Expect to see more cases on Advanced Persistent Threats and corresponding process and technologies to protect against APT. Greater opportunities to launch attacks using the Mobile and Social Media vectors.Data Explosion – Expect more data to make its way to Mobility, Cloud and Social Networks. This means greater effort and reliance on automated mechanisms and analytics. IT organization will need to govern corporate data, process and technology to protect corporate data.Data transference and inference - Location Based Service will reveal additional personal information. Allowing for greater data transference and inference. Lets not overreact here, for example, location inference may matter for the M&A group but not necessarily for the IT staff. IT organization will need to govern usage of location based services and improve awareness of risks arising from Cloud/mobility/Social Media usage.Application explosion – We simply cannot expect our end users to know whether an application is doing all the right things. For example, is it OK for an application to access the address book or post your location on facebook. The diverse range of applications required by knowledge workers today makes it impractical to “lock down” a device to a list of blessed applications. IT organization will need to govern application proliferation, process and technology to protect applications.
Challenged by these complications, corporation are too narrowly focused on the device itself (just as the initial focus on security was on servers and networks)It is encouraging to see that many large organizations are viewing mobile security strategically, but as you can see there is much ground to be covered. I am also amazed at the number of organizations who have not taken any steps. One thing is clear Mobile Device Management is mainstream and so is use of encryption. Focusing just on device is like using an armor against Avian Flu. So how should business’ think about the overall solution space?
We find six building blocks in use today:First is controlling access at the network level. This also includes setting up a guest Wireless LAN, treating all mobile devices as untrusted and requiring VPN access, and use of Mobile Device Management (MDM) to develop device profiles and permit access only when specific conditions have been met.Speaking of MDM, as you saw in the previous slide, it is mainstream and the market is saturated with vendors who are continually enhancing capabilities. MDM is also the primary mechanism for policy enforcement, device control (lost device, notification etc.)A complementary capability is around managing the applications on mobile device. Some MDM have bundled these capabilities, the intent here is to focus on managing the applications that are installed on the device. Many vendors take the walled garden approach of cordoning of corporate applications and/or limiting how much can be shard between applications (e.g. access to address book)VDI is needed more as a way to expose applications without specific device customization. There's VMware's View, Citrix's Receiver and Quest's vWorkspace to name just three. Carefully evaluate security implications of Windows 7 vs. 8 Software Assurance Roaming rights. User authentication and network access control deserve attention here. Concern is around password steeling trojans as well as network/infrastructure changes required to accommodate VDI. The Roaming Use rights allow the single primary user of a device licensed through Client SA of Windows VDA to access their virtual Windows desktop while roaming on non-corporate devices such as home PCs, internet café’s, airport kiosks, etc. These roaming rights are applicable only outside of the corporate domain, and cannot be used to roam within the corporate network. As a result, customers with active Software Assurance for Windows, or a thin client with Windows VDA, get exactly the same virtual desktop access rights. "[Roaming Rights] can be exercised only on untrusted devices over unsecure networks, this keeps most IT admins awake at night, so they stop it cold whenever and wherever they can.“Secure storage has emerged as a key needs and vendors like box.net, dropbox and Microsoft are doing more to provide secure storage capabilities in the cloud. Suggest putting a capability quickly in place versus blocking Authentication and authorization is a universal need stemming from the need of binding the device to the user’s corporate identity so that he device itself can be used to authenticate the user without the need for further authentication – typically password policies are too cumbersome for users on mobile devices. We see a push to use soft tokens – e.g. certificates on these devices. However, please be aware of the challenges that the IOS platform poses in terms of integrating certs and using them to authenticate users against back end systems – gets even more complicated when multiple vendor apps are involved. API protection using Oauth 2.0 is going to be the way of the future
These six building blocks are the ones that enable mobile services – whether its for the consumer or the workforce. But its not like you can go out and buy a product for each …. In some cases you can, but its more about architecting the details for the specific problem at hand. To us its about coming up with specific initiatives that link to the three goals described here and the associated benefits.Growneed to quickly bring new mobile services onlineProvide a pleasant experience for your customersBuild partner eco-systems to help increase businessSupport the range of new consumer devices that users will want to useImprove efficiencyAutomate security processes (such as provisioning) that are often manual and paper-basedUse the cloud to improve efficiencies, but ensure that your apps & data are secure in the cloudDeploy secure virtualized environment to leverage those efficienciesImprove employee collaboration by improving security for Sharepoint environments.ProtectProtect your data from insiders – thru careless of malicious actionsEnsure that every user has only the correct access right they need for their roleGovern Mobile solutions – All about decision making for BYOD and Mobile appsControl all user access to resources – systems, applications, & data
How information security empowers mobile innovation v3 branded
www.pwc.comHow informationsecurity empowersmobile innovationInformation security forum23rd annual world congressNov 5th 2012, Chicago5th Nov 2012
Progressive innovation inMobile services is alreadyoccurringPwC 2
Innovation: Agricultural Services to farmers in IndiaThen…wait in line to receiveinformation and subsidiesNow…subsidies andinformation on mobile devicesPwC 3
Innovation: Mobile Services give consumers on-demandaccess to doctorsThen…scheduleappointment/see doctorNow…on-demand access todoctors in minutesPwC 4
Innovation: Mobile improves Pharma sales forceproductivityThen…lengthy physicianvisits, long sample fulfillmenttimes, manual CRMNow…Shorter physician visits,rich media, faster samplefulfillment, digital CRM,ePrescribingPwC 5
Organizations expect more benefits from mobilesolutionsQ: Please select the most important benefit that your organization ultimately expects to gain from current or futuremobile solutions deployments (whether or not you are currently receiving those benefits). Improve/enhance worker productivity Increased sales/revenue Improve field service response time Improve competitive advantage/market share Provide ease of information access Improve customer service Decreased costs Offer employees more flexibility Enhance portability within the office or work environment Speed the sales process Eliminate paperwork Provide perception of an advanced company to customers 0 5 10 15 20 25 30 (% of respondents)Source: IDC’s Mobile Enterprise Software Survey, 2011PwC
Macro mobile trends driveadditional innovations…PwC 7
Global Mobile traffic is growingGlobal mobile traffic as % of total internet traffic, 12/08-5/12Source: StatCounter Global Stats.PwC
IOS, Android and Windows Mobile are top 3Mobile OS platformsSmartphone operating system market share, 2005-2011ESource: Morgan Stanley Research, Gartner.PwC
Mobile application downloads have acceleratedFirst 15 quarters cumulative # of downloads, iTunes music vs. appsSource: KPCB estimates based on Apple data, after Itunes store launch in CQ2:03 as of CQ1:12.PwC
88% of mobile professionals already use socialnetworks 14% have used cloud computing in the past year 60% leveraging social media platforms to market their businesses 38% spend 11 hours or more on their devicesSource: The Business Journals reveals the business habits of the rising number of SMB mobile professionals, 2011PwC 12
Mobile is shaping new behaviorsAverage Time Spent on Various Mobile Functions, 1/11 12% 40 minutes • Maps • Games • Social networking • Utilities • more 32% 47% 27 minutes telephony • Phone • Skype • Messages 10 minutes Web/Web Apps 9% 7 minutes Mail appSource: AppsFire 1/11PwC 14
Mobile Malware attacks cause real harm “The Mobile Malware (MM) Total Mobile Malware Q2 2011 revolution started principally in 2004 with the release of the Cabir. A Android worm, SymbianOS. Some Symbian MM were released before this Java ME date, but it was Cabir and the Others release of its source code that caused an explosion of new MM to emerge.” – Ken Dunham, Mobile Ransomware Malware Attacks and Defense Complete Financially device Serious motivated control attacks attacks emergeSource: McAffee Threats Report: Second Quarter 2012PwC 17
“Top three Mobile risks include:1. Data loss from lost, stolen or decommissioneddevices.2. Information-stealing mobile malware.3. Data loss and data leakage through poorlywritten third-party apps.”Source: Top Threats to Mobile Computing, Cloud Security Alliance, October 2012PwC 18
Security is an enabler ofMobile ServicesPwC 19
Technology adoption is moving faster thansecurity implementationOrganizations are struggling to keep pace with the adoption of cloudcomputing, social networking, mobility, and use of personal devices.88% of consumers use personal mobile device for both personaland work purposes.250%40% 44% 45% 43% 37% 38%30% 32% 29% 26%20%10% 0% Cloud security strategy Mobile device security Social media security Security strategy for strategy strategy employee use of personal 2011 2012 devices in the enterpriseQuestion 14: What process information security safeguards does your organization currently have in place?” (Not all factors shown. Totals donot add up to 100%.)2 PwC, Consumer privacy: What are consumers willing to share? July 2012PwC 20
Mobile Security is complicated by multiple factors Device diversity/complexityAdvanced persistent threats Data explosion Data transference inference Application explosionPwC 21
A variety of mechanisms are used to controlsSmartphone and tablet risksWhat steps have respondents taken to mitigate the risks associated withstaff using smartphones or tablets? Do not allow any such devices to remotely connect to the organisations systemsAllow only corporate devices to remotely connect to the Small organizations organisations systems Large organizations Defined a security strategy for mobile devices Issued a policy on mobile computing Trained staff on the threats associated with mobile devices Protected corporate email and calendaring Implemented strong encryption Implemented mobile device management(to manage devices remotely over the air) No steps taken 0 10 20 30 40 50 60 70Source: Information Security Survey Breaches Report, April 2012,http://www.pwc.co.uk/en_UK/uk/assets/pdf/olpapp/uk-information-security-breaches-survey-technical-report.pdfPwC 22
Solutions for managing mobile securitychallenges are maturing Network Mobile Device Mobile Access Management Enterprise Application Management Virtual Secure Authentication Desktop Storage and Infrastructure AuthorizationPwC 23
Architecting mobile security is essential forprotecting information and creating value • Deploy mobile services quickly Grow the • Improve user experience business • Expand partner eco-systems • Embrace mobile users • Automate security processes Improve • Adopt cloud models efficiency • Expanded virtualization–securely • Improve collaboration • Combat mobile threats Protect the • Protect sensitive information business • Govern mobile solutions • Control accessPwC 24
Conclusions 1 Mobile threats are real: While data loss from lost, stolen device remains a top concern, mobile malware is causing real harm 2 Cloud and Social Media risks go hand-in- hand: Recognize the risks that arise because mobile drives new behaviors that push users to adopt cloud and social media 3 Not just technology: Consider the governance and process implications of deploying your mobile solution 4 Security as an enabler: Position mobile security as an enabler by considering both the consumer and workforce use casesPwC 25