Two case studies. The first involves a construction project manager using mobile applications to perform safety checks, upload content and archive it to the cloud, and using social media to keep the team updated. The second involves a board member who downloaded a board application, saved the notes he took in a cloud-based notes application, and used Twitter to post a question. Senior executives also demand remote desktop access to applications from their tablets.
Please note that this slide has been changed to clarify the usage of services. It is important to understand the local and remote usage contexts in order to know where to expect risks. It becomes clear that the potential for data leakage remains high.
Mobile usage goes hand in hand with social media. One of Japan's leading social networks requires a valid Japanese cellphone number for registration; it relies heavily on open source (Linux, Apache, MySQL and Perl), runs several hundred MySQL servers, and has more than 21.6 million members. Key point: social media and mobile usage are correlated and serve as attack vectors.
- Like the major Japanese company, the US has also seen a very strong correlation between mobile and social media usage.
- Social networking sites are meant to get as many users as possible in one place on one platform, and for attackers there is a lot of return on investment in going after them.
- Trust is exploited when hacked accounts are used to send malicious messages.
- Mobile usage indicators are sometimes shown on social networks.
- Password sloth is prevalent across social networks, and data is leaked both intentionally and unintentionally because personal and professional communications are not separated.

A major U.S. operator of ambulance services and provider of emergency room doctors was sued after firing an employee for criticizing her supervisor on Facebook. The case was brought by the U.S. National Labor Relations Board. It was determined that employees have the right to discuss their working conditions even if the union is not involved. It was found that the employee was "illegally fired and denied union representation." "Among the issues in the case was whether a worker has the right to criticize a boss on a site such as Facebook if co-workers add comments. The case was the first by the NLRB to assert that employers break the law by disciplining workers who post criticisms on social-networking websites." The company promised not to deny union representation in the future and that employees won't be threatened with discipline for requesting union representation. In addition, the company is updating its overly broad social media policies and guidelines.

A major auto manufacturer considered ending its relationship with the social media agency behind an obscene tweet that was posted to the brand's official Twitter account. Shortly after, the tweet was removed from the company's Twitter feed. The auto manufacturer said in a follow-up post that the tweet "obviously" was meant to appear on the employee's personal Twitter account rather than on the company's, and that the automaker did not demand that the person be fired.

Other scenarios to consider:
- A software developer posts to a forum or blog about his work on a revolutionary new customer application from the company. The developer reveals too much about his product development, enabling a competitor to steal the idea and get to market sooner with a similar application.
- A marketing manager tips off Facebook friends about several successes in winning new business and mentions the new clients joining the firm. Such information violates client confidentiality and puts the company at great reputational risk (especially among clients and prospective clients), which ultimately could impede the accomplishment of business goals.
More mobile devices means more mobile data: 10B+ units at 100GB each is a lot of data. When thinking about mobile devices, security practitioners should not limit their thinking to smartphones or tablets. For example, diabetes meters are also being connected to the cloud, and there have been incidents where such devices could be attacked for malicious purposes, with potentially fatal consequences. Tablets will become even more sophisticated and will replace other traditional computing devices. More mobile data will eventually reside in the cloud for ubiquitous access, and the lines between public and private cloud will blur because devices are used for both personal and work purposes. Greater amounts of data will stress enterprise data protection mechanisms.
Mobile behaviors present risks both in terms of activities that we know about and activities that are as yet unimagined. New apps are designed with the cloud and social media in mind (e.g. sending photos to social networks, social media in the car).
- Mobile and social media will both drive higher cloud usage; the risks stem from the intermingling of data, loss of corporate control across geographies, and employees/partners continuing to access data long after separation.
- Limited on-device storage, convenience of access and ubiquitous connectivity are driving increasing cloud usage.
The study also reveals that 88 percent of mobile professionals use social networks, with 60 percent of them leveraging social media platforms to market their businesses. Many mobile professionals, 80 percent of them, feel it is critical to have access to information while outside of the office. Devices and services that help them stay connected while away from their desk include WiFi, text messages, smartphones, apps, notebooks/netbooks, the iPad and cloud computing.

In addition, 43 percent of mobile professionals polled in the study are familiar with cloud computing, with 14 percent having used cloud computing in the past year. 64 percent of SMB owners who are considered mobile professionals spend more than 8 hours connected to their businesses via computer, smartphone or iPad; 38 percent spend 11 hours or more on their devices.
So let's review what changes we are seeing, and can expect to see, as a result of the intersection.
Key concerns are a) unauthorized devices, b) loss of sensitive data due to lost or stolen devices, and c) loss of sensitive data to malware/trojans.
Real stories from the field:
1. In 2010, a major bank's mobile application accidentally saved account numbers, bill payments and security access codes.
2. The Korean Financial Intelligence Unit has recorded cases of cyber gaming, cross-border remittance and swindling using mobile financial services channels.
3. In Brazil, poor people were targeted and paid by criminals to open bank accounts equipped with remote access channels (internet or mobile). After the accounts were opened, the authorized users would hand over their passwords to the criminals.
4. In India, a duplicate SIM card was issued to an imposter holding a fake driver's license in the victim's name, resulting in a loss of roughly $5,000.
5. A recent Trojan captures all text messages from the phone.
Initially J2ME and Symbian were the targets, but more attacks are emerging for the Android OS. According to the McAfee mobile threat report: "One significant change in the first quarter of 2011 was Android's becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition) coming in second while suffering only a third as many malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry's preparedness to combat this growth. We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones."
Device Diversity/Complexity: the explosion in device types will create a management nightmare. Short device lifespans will increase management costs. The employee/partner desire to bring their own device will challenge IT organizations. The IT organization will need to govern device proliferation.
Application Explosion: the diverse range of applications required by knowledge workers today makes it impractical to "lock down" a device to a list of blessed applications. The IT organization will need to govern application proliferation, and the process and technology to protect applications.
Data Explosion: expect more data to transcend mobility, cloud and social networks. This means greater effort and reliance on automated mechanisms and analytics. The IT organization will need to govern corporate data, and the process and technology to protect corporate data.
Advanced Persistent Threats: lost/stolen devices and malware will have greater privacy implications than ever before. Expect to see more cases of advanced persistent threats and corresponding processes and technologies to protect against APT, and greater opportunities to launch social engineering attacks using the mobile and social media vectors.
Data Transference and Inference: location-based services will reveal additional personal information, allowing for greater data transference and inference. The IT organization will need to govern the usage of location-based services and improve awareness of the risks arising from cloud/mobility/social media usage.
Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as the use of personal technology within the enterprise. Yet much remains to be done: in the recent PwC/CSO survey, we found that fewer than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce.
- Design solutions for global and local operations from the outset, rather than global or local.
- Separate enterprise data from personal/other data; identify appropriate measures when data is commingled.
- Assign highly granular, least-privilege-based user access to applications, data and services from all technology assets.
- Deny rogue devices access to the enterprise network.
- Controls and standards shall be extensible to all applications, data and services provided by social networks, the cloud and mobile devices.
- Wipe/archive enterprise data from the device and the cloud service provider upon separation.
- Security measures should enable agility in responding to changing business requirements.
- Require cloud application, data and service providers to meet information security compliance requirements.
- Applications/services shall be reviewed for cyber risks and approved prior to usage.
My firm PwC recently conducted a survey regarding the privacy and security implications of using social media and mobile devices within the healthcare space. We found that "Only fewer than 50% of organizations surveyed noted that they have included the approved uses of social media and mobile devices in company privacy training".

Update your policy to address these:
- Authentication: how often a password must be changed; how many invalid tries are allowed before the device is disabled; strong authentication using two factors or certificates.
- Loss/Theft: lost or stolen devices are remotely wiped, and the device is disabled over a defined period of time.
- Device Support: define which devices are supported by the institution/organization, i.e. BlackBerry, iPhones.
- Encryption: sensitive data must be encrypted, or the device is encrypted with whole-disk encryption.
- Backup/Restore: if a device could be lost or stolen, there should be a defined procedure for backing up and restoring the data to another device.
- Storage Cards: storage cards are a convenient way to expand memory, but they are also portable and thus a security risk. Do you ban them? Or encrypt them?
- Acceptable Use: a good security policy needs to set limits on what users can install on their devices and what is acceptable use.
- Enforcement: consequences if the policy is violated.

Develop standards and guidelines in support of the policy:
- Not having a standard will result in the organization developing the standards for you.
- Developing a standard without the appropriate involvement will cause you to revisit it.
- Expect to update standards as the risk landscape evolves.

Oversight:
- Federated vs. central: large geographic entities will do better with regional autonomy, but in collaboration. Start a cross-functional dialog with business users, IT, finance, legal, HR and security people.
- Cost vs. functionality: currently cost is a key driver, but competition is also leveraging it for business benefit; security has to be an enabler.
- Large oversight bodies don't work.
- Keep an eye on parallel IT; risks loom.
- Champion grass-roots efforts without waiting too long, and involve security.
- Accommodate hobbies in a lab setting, and involve security.
- Involve marketing, e.g. patients expect to interact with healthcare providers and payors, but engaging with social media may raise privacy issues.

Awareness training:
- People generally try to do the right thing; they may not know that what they are doing is wrong and how it may impact the company/institution.
- The risks associated with using, transmitting and storing electronic information.
- The risk of posting information on social networks: vignettes, case studies.
- Consequences of violating the policy.
- What to do when a device is lost/stolen.
- The roles and responsibilities of each community member in protecting corporate data and systems.
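The design principles above (deny rogue devices, separate and wipe enterprise data) and the policy items (authentication limits, loss/theft handling, supported devices, encryption, storage cards) only help if something checks each device against them. The following is an added example, not PwC's code or any vendor's MDM product: a small policy-as-code evaluator that takes the kind of snapshot an MDM agent would report and returns the enforcement actions and the reasons. All policy values, device fields, device IDs and action names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy values for illustration; an organization sets its own.
POLICY = {
    "supported_platforms": {"BlackBerry", "iPhone"},   # Device Support
    "max_password_age_days": 90,                        # Authentication: rotation period
    "max_failed_unlocks": 10,                           # Authentication: tries before disable
    "require_strong_auth": True,                        # two-factor or certificate
    "require_encryption": True,                         # whole-disk encryption
    "lost_device_wipe_after_days": 2,                   # Loss/Theft: lock first, wipe after grace period
    "storage_cards": "encrypt",                         # "ban", "encrypt" or "allow"
}


@dataclass
class Device:
    """Snapshot of what an MDM agent would report about one device (constructed fields)."""
    device_id: str
    platform: str
    registered: bool              # enrolled in the corporate device registry
    password_set_on: date
    failed_unlocks: int
    strong_auth: bool
    disk_encrypted: bool
    storage_card_present: bool = False
    storage_card_encrypted: bool = False
    reported_lost_on: Optional[date] = None


def evaluate(device: Device, policy: dict, today: date):
    """Compare one device against the policy.

    Returns (actions, findings): actions is a sorted list of enforcement
    actions for the MDM/NAC layer, findings the human-readable reasons.
    """
    actions, findings = set(), []

    # Deny rogue devices: an unregistered device gets no further evaluation.
    if not device.registered:
        return ["deny_network_access"], ["device is not registered (rogue device)"]

    # Loss/Theft: lock immediately, wipe once the grace period has elapsed.
    if device.reported_lost_on is not None:
        days_lost = (today - device.reported_lost_on).days
        if days_lost >= policy["lost_device_wipe_after_days"]:
            actions.add("remote_wipe")
            findings.append(f"reported lost {days_lost} days ago; wiping enterprise data")
        else:
            actions.add("remote_lock")
            findings.append(f"reported lost {days_lost} days ago; locked pending wipe")

    # Device Support: unsupported platforms cannot carry enterprise data.
    if device.platform not in policy["supported_platforms"]:
        actions.add("deny_network_access")
        findings.append(f"platform {device.platform} is not supported")

    # Authentication: invalid-try threshold, password age, strong authentication.
    if device.failed_unlocks >= policy["max_failed_unlocks"]:
        actions.add("disable_device")
        findings.append(f"{device.failed_unlocks} failed unlocks reached the limit")
    password_age = (today - device.password_set_on).days
    if password_age > policy["max_password_age_days"]:
        actions.add("force_password_change")
        findings.append(f"password is {password_age} days old")
    if policy["require_strong_auth"] and not device.strong_auth:
        actions.add("require_enrollment_in_strong_auth")
        findings.append("no two-factor or certificate authentication")

    # Encryption: an unencrypted device must not hold or reach sensitive data.
    if policy["require_encryption"] and not device.disk_encrypted:
        actions.add("deny_network_access")
        findings.append("whole-disk encryption is not enabled")

    # Storage Cards: ban them, require encryption, or allow them.
    if device.storage_card_present:
        mode = policy["storage_cards"]
        if mode == "ban":
            actions.add("deny_network_access")
            findings.append("storage card present but storage cards are banned")
        elif mode == "encrypt" and not device.storage_card_encrypted:
            actions.add("deny_network_access")
            findings.append("storage card is not encrypted")

    return sorted(actions), findings


# Constructed sample fleet, evaluated as of 2012-03-02 (the date of the talk).
TODAY = date(2012, 3, 2)
FLEET = [
    Device("bb-001", "BlackBerry", True, date(2012, 1, 15), 2, True, True),
    Device("ip-002", "iPhone", True, date(2011, 10, 1), 10, False, True),
    Device("an-003", "Android", True, date(2012, 2, 1), 0, True, False, True, False),
    Device("ip-004", "iPhone", True, date(2012, 2, 20), 1, True, True,
           reported_lost_on=date(2012, 2, 29)),
    Device("xx-005", "iPhone", False, date(2012, 2, 20), 0, True, True),
]


def fleet_report(fleet=FLEET, policy=POLICY, today=TODAY):
    """Map device_id -> (actions, findings) for every device in the fleet."""
    return {d.device_id: evaluate(d, policy, today) for d in fleet}


if __name__ == "__main__":
    for dev_id, (actions, findings) in fleet_report().items():
        print(dev_id, actions)
        for reason in findings:
            print("   -", reason)
```

The evaluator short-circuits on unregistered devices, so a rogue device is denied before any of its self-reported attributes are trusted; the other checks accumulate, so one device can be both password-expired and lockout-disabled. The grace period between remote lock and remote wipe is the "defined period of time" from the Loss/Theft policy item.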
1. Involve security at the architecture stage. Expect more processes to change than originally imaginable. MIT CISR says: "One useful perspective is to group the processes to be mobilized into distinct categories based on process requirements, as the architecture for each will be different. Those internal processes for which employees require data and computing power on a device—along with interaction with workflows, data, and applications on the server—will need a platform for building enterprise mobile applications aimed at hundreds or thousands of users."
2. Establish/update the process for managing exceptions to the policies and standards. Monitor to ensure that exceptions don't become the rule.
3. Ensure that processes exist for evaluating and approving new cloud services, mostly in conjunction with the innovation center.
4. If pursuing identity federation in conjunction with cloud/mobility/social media, anticipate major changes in the processes for identity and access management, log management, forensics and incident management.
5. Evaluate the risks of having manual processes as compared to automated ones, especially during transition, e.g. manual MAC address approval of iPads on the corporate wireless network.
- Strong authentication for mobile device access
- Centralized security policy management process and tools
- Whole-disk encryption or file-level encryption
- Endpoint security tools
- Device lockdown and remote wipe capabilities
- Access logging and file integrity monitoring with a centralized log repository
- Data leakage controls and logging

Three ways to go about isolating corporate data from personal data on mobile devices:
1. Sandboxing it in a secure container: Good Technology, Sybase (Afaria), Mobile Active Defense (SaaS), Touchdown, Whisper Systems (Android encryption)
2. Managing the native environment through a trusted approach that checks for policy compliance: AirWatch, Juniper (SMobile), McAfee (Trust Digital), MobileIron, Zenprise
3. Hosting it in a data center or public cloud and making it accessible via a desktop virtualization client: Citrix, VMware, Wine (open source), VirtualBox (open source)

Open questions:
- Which technologies control access to cloud services on mobile devices?
- How do we control data leakage to social media sites on mobile devices?
- What are the supporting technologies?
- Which cloud storage provides strong encryption and support for strong authentication?
Security considerations while being Social and Mobile
www.pwc.com
The Intersection
Security considerations for being social & mobile while riding the cloud
Nalneesh Gaur, PwC
Web Forum, Information Management Forum
March 2, 2012
Cloud, mobile and social media synergies increasingly exploited
Case study 1: Construction safety
Case study 2: The board room
PwC 2
About this talk
• Context and Emerging Trends
• Pain Points/Imperatives
• Response Framework
Context and Emerging Trends
What insights can we glean from emerging trends?
The Context
Mobile Device
- Local/Proximity Context: install/access/use applications; access/store data locally; exchange information; use location-based services
- Remote Context:
  - Cloud (applications, data and services): access/use applications; download/upload content; conduct mobile commerce
  - Social Media: community interactions
Japan's social networking trends show the importance of mobile: mobile page views = 85% vs. 14% 4.5 years ago
[Chart: one of Japan's leading social networks, monthly page views (MM), mobile vs. PC, CQ2:06-CQ4:10; mobile share rises from 14% to 85% while desktop falls from 86% to 15%; CQ3:09 marks the platform opening to 3rd-party developers]
Source: Morgan Stanley Research
Strong mobile trends for leading social companies
[Chart: mobile usage data points for Facebook, Twitter, Shazam, Pandora and other leading social companies]
- Facebook: 200MM mobile active users vs. 50MM in 9/09; mobile users 2x more active than desktop-only users
- Mobile = 40% of all tweets
- Other data points shown: mobile = 50% of total active users vs. 25% Y/Y; introduction of a mobile product drove a 2x conversion ratio from free to paying subscribers; mobile users = 25-30% of total users in mature markets; 100MM mobile users vs. 50MM Y/Y; adding 3MM users per month; 50% of all users subscribe on mobile
Source: Kleiner Perkins: 2011 Top 10 Mobile Trends, Feb 2011
Convenience and ubiquity are driving mobility
[Chart: computing growth drivers over time, 1960-2020E, units on a log scale: Mainframe (1MM+ units), Minicomputer (10MM+ units), PC (100MM+ units), Desktop Internet (1B+ units/users), Mobile Internet (10B+ units???)]
More than just phones: iPad, smartphone, Kindle, tablet, MP3, cell phone/PDA, car electronics (GPS, ABS, A/V), mobile video, home entertainment, games, wireless home appliances
Note: PC installed base reached 100MM in 1993; cellphone/Internet users reached 1B in 2002/2005 respectively.
Source: ITU, Mark Lipacis, Morgan Stanley Research.
Mobile is shaping new behaviors
[Chart: average time spent on various mobile functions, 1/11]
- Web/Web Apps: 10 minutes (12%)
- All Other (maps, games, social networking, utilities, more): 40 minutes (47%)
- Telephony (phone, Skype, messages): 27 minutes (32%)
- Mail App: 7 minutes (9%)
Label shown on chart: New Activity
Source: AppsFire 1/11
Cloud computing: many want better enforcement of provider security policies.
Four out of ten (41%) respondents say their organization uses cloud services, and 54% of those that do say the cloud has improved their information security. The greatest risks associated with cloud computing? An uncertain ability to enforce provider security policies and inadequate training and IT auditing are top concerns.
[Chart: greatest security risk to the cloud computing strategy]
- Uncertain ability to enforce provider security policies: 32%
- Inadequate training and IT auditing: 19%
- Questionable privileged access control at provider site: 15%
- Proximity of data to someone else's: 11%
- Uncertain ability to recover data: 9%
Question 41: "Does your organization currently use cloud services such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS)?" Question 41c: "What impact has cloud computing had on your company's information security?" Question 41b: "What is the greatest security risk to your cloud computing strategy?" (Not all factors shown. Total does not add up to 100%.)
88 percent of mobile professionals use social networks
14 percent have used cloud computing in the past year
Source: The Business Journals reveals the business habits of the rising number of SMB mobile professionals, 2011
In a cloud services environment, providers and consumers must address familiar security and risk challenges
- Access Control: control access to sensitive data; provision and deprovision user access; audit and report user access and data use
- Business continuity: ensure the viability of the provider and contingency of the consumer's services; provide business continuity and disaster recovery
- Compliance: document and audit processes and procedures for data access; maintain compliance with regulatory protection
- Data protection and segregation: implement a data classification scheme and processes for handling sensitive data; prevent unauthorized data exposure, loss or corruption; securely dispose of data no longer required; maintain data segregation in a multi-tenant environment
- Events, incident response and investigation: cooperate during security events, investigations and incident responses; detect and correct
Recap: Key trends at the Intersection
Business drivers:
1. Mobile devices with advanced capabilities and fast network connectivity
2. User-driven change
   - Board room and senior executives driving usage
   - Users demanding enhanced collaboration and productivity
3. Greater convenience
   - Applications moving beyond email/contacts/calendars
   - Rich content enables quick decisioning
Key trends:
1. BYOD/approved corporate mobile devices
2. Compelling mobile applications
3. Identity as a Service, strong authentication
4. Cloud applications, data and services
5. Social networking for marketing and customer interaction
6. Social media monitoring/analytics
Pain points (Imperatives)
Business context: what are other businesses experiencing?
"Nearly 30% of companies experienced a breach due to unauthorized mobile device use."
Source: Q1 Enterprise and SMB Survey, 2009 - Forrester Research
Malware by mobile OS
[Chart: new mobile malware, Q2 2011, by platform: Android, Java ME, Symbian, BlackBerry, MSIL, Python, VBS]
[Chart: growth in mobile malware, from "serious attacks emerge" to "complete device control"]
"The MM revolution started principally in 2004 with the release of the Cabir.A worm, SymbianOS. Some MM were released before this date, but it was Cabir and the release of its source code that caused an explosion of new MM to emerge." – Ken Dunham, Mobile Malware Attacks and Defense
Source: McAfee Threats Report: Second Quarter 2011
Complicating factors for security
- Device Diversity/Complexity
- Application Explosion
- Data Explosion
- Advanced Persistent Threats
- Data Transference and Inference
Response framework
Leading practices: how other businesses are responding
Mobile devices and social media: new rules and new risks
[Chart: share of respondents with each safeguard in place]
- Have a security strategy for employee use of personal devices: 43%
- Have a security strategy for mobile devices: 37%
- Have a security strategy for social media: 32%
Source: PwC/CXO Media 2012 Global State of Information Security Survey
Question 17: "What process information security safeguards does your organization currently have in place?" (Not all factors shown. Total does not add up to 100%.)
Key questions remain
• Which policies are enforceable?
• How will we educate our customers, employers and partners?
• Which process and tools to evolve? How to address gaps?
• How to balance productivity, opportunity and risks?
• What is the right approach to changing culture: grass roots, leadership, hybrid?
• Others?