Mobile security for SIC 2012


Mobile computing has become ubiquitous in the consumer space, and now employees require the use of mobile devices in business. How does this affect the risk profile of your company? What new types of threats should your security architecture cover? The session covers these questions and more in a way that allows security professionals to apply the lessons learned directly in practice.


  1. Mobile security for SIC 2012

  2. About me
  • Security professional at WorldPay as Head of Security Solutions
  • Non-executive director, CSA UK & Ireland
  • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  • Apple fan
  3. I will cover three topics today
  • Consumerisation and appropriate security architecture
  • Mobile security challenges
  • Practical approach
  4. Mobile devices in enterprise
  "I want to use one mobile device for both personal and work stuff."
  "Hmm, might be tricky but here is what we can do…"
  • Say yes and give clear policies, instructions and tools!
  • Control the access to data and systems according to risk.
  • Agree forensic policy and investigation rules for personal devices.
  5. Classifications of systems as the input into the access calculation
  Managed, compliant: Trusted systems
  • Domain joined systems
  • Managed and compliant mobile devices
  Strategy: Can access most secret applications and data*
  Un-managed, compliant: Isolated systems
  • Compliance checks for non-managed devices passed
  Strategy: Deliver the application via thin client or access to least sensitive data
  Managed, non-compliant: Vulnerable systems
  • Domain joined or managed devices
  Strategy: Help with remediation and limit access to sensitive applications*
  Un-managed, non-compliant: Rogue
  • Unknown devices
  • Cannot assess compliance
  Strategy: Give access at your peril!
  * The access decision is taken based on other factors
  6. Access decision logic
  Source (trust): device trust and feature; user/role; location
  Destination (trust): application classification; location in network; access method
  Calculate access decision → Access denied / Access granted / Access limited
  7. How to manage access
  This applies to any access, not just from mobile devices!
  Access decisions are based on the accuracy of the following:
  • Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
  • Role – FTE, contractor, cleaner, executive
  • Device – trusted, non-trusted, feature set
  • Location – inside the firewall or outside, US vs. China, changes in location over time
  • Time – inside working hours or outside
  • Data/Application – business impact, approved apps vs. consumer apps, location in the network
  8. Access path definitions
  Sit down with business, enterprise architects and security and create access path definitions for key enterprise applications.
  #  Source (who / location / device class)        Destination (data / network zone / access method)  Time          Access
  1  Employees / Any / Trusted                      Confidential / DMZ / Web                           Any           Allow
  2  Employees / Any / Isolated mobile              Internal / DMZ / Web                               Any           Allow
  3  HR admins / Office, UK / Trusted               PII and payroll / Internal MZ / Citrix             Office hours  Allow
  4  Contractors / Office / Isolated                Confidential / DMZ / Citrix                        Any           Allow
  5  Admins / Home working / Isolated               Management / MZ / Citrix                           Any           Allow
  6  Customers (via Facebook login) / Any / Rogue   PII / DMZ / Web                                    Any           Allow
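The device classes of slide 5, the decision outcomes of slide 6 and the access path table of slide 8, worked into a small risk-based access evaluator. This is an added example and not part of the presentation; the matching rules (an "Office" path covering any office location, 09:00 to 18:00 as office hours, a vulnerable device evaluated against trusted paths but only ever granted limited access, and deny when no path is defined) are assumptions made here.

```python
# Added example, not from the presentation: a risk-based access decision evaluator
# encoding the device classes of slide 5 and the access path table of slide 8.
# Matching rules, office hours and the deny default are assumptions made here.
from dataclasses import dataclass

def classify_device(managed: bool, compliant: bool) -> str:
    """Slide 5 matrix: managed x compliant -> Trusted / Isolated / Vulnerable / Rogue."""
    if compliant:
        return "Trusted" if managed else "Isolated"
    return "Vulnerable" if managed else "Rogue"

@dataclass(frozen=True)
class AccessPath:
    """One row of the access path definition table (slide 8)."""
    role: str               # identity/role, e.g. "Employees", "HR admins"
    location: str           # "Any", "Office", "Office, UK", "Home"
    device: str             # device class from classify_device()
    data: str               # destination data classification
    zone: str               # network zone: "DMZ", "Internal MZ", "MZ"
    method: str             # access method: "Web" or "Citrix"
    office_hours_only: bool
    decision: str           # "Allow" (the table only lists allowed paths)

ACCESS_PATHS = [
    AccessPath("Employees", "Any", "Trusted", "Confidential", "DMZ", "Web", False, "Allow"),
    AccessPath("Employees", "Any", "Isolated", "Internal", "DMZ", "Web", False, "Allow"),
    AccessPath("HR admins", "Office, UK", "Trusted", "PII and payroll", "Internal MZ", "Citrix", True, "Allow"),
    AccessPath("Contractors", "Office", "Isolated", "Confidential", "DMZ", "Citrix", False, "Allow"),
    AccessPath("Admins", "Home", "Isolated", "Management", "MZ", "Citrix", False, "Allow"),
    AccessPath("Customers", "Any", "Rogue", "PII", "DMZ", "Web", False, "Allow"),
]

def _location_matches(rule_loc: str, actual: str) -> bool:
    """'Any' matches everything; 'Office' also matches 'Office, UK' (assumption)."""
    return rule_loc == "Any" or actual == rule_loc or actual.startswith(rule_loc + ",")

def access_decision(role, location, managed, compliant, data, zone, method, hour) -> str:
    """Return 'Allow', 'Limited' or 'Deny' for one request (the slide 6 outcomes)."""
    device = classify_device(managed, compliant)
    # Slide 5: a vulnerable (managed but non-compliant) device is evaluated against
    # the trusted paths but only gets limited access until it is remediated.
    lookup = "Trusted" if device == "Vulnerable" else device
    for rule in ACCESS_PATHS:
        if rule.role != role or rule.device != lookup: continue
        if not _location_matches(rule.location, location): continue
        if (rule.data, rule.zone, rule.method) != (data, zone, method): continue
        if rule.office_hours_only and not 9 <= hour < 18: continue  # assumed office hours
        return "Limited" if device == "Vulnerable" else rule.decision
    return "Deny"  # no defined access path: deny by default (assumption)
```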
  10. Revolution in mobile device capabilities (timeline Q1 2007 – Q1 2009; source: McAfee)
  • Microsoft Windows Vista
  • Blackberry & Palm
  • Apple iPhone launches
  • Gartner says never for the enterprise
  • iOS App Store
  • iOS ActiveSync email
  • Gartner approves iPhone ready for enterprise
  • Android G1
  11. And its acceleration (timeline Q1 2009 – Q1 2012)
  • iPad 2
  • RIM Playbook
  • Microsoft Windows 7
  • Android Honeycomb with encryption
  • iOS 3GS w/ encryption
  • iPad
  • iCloud launches
  • iPhone 4s
  • Android tablets
  • Windows Phone 7
  • webOS
  • Next gen Blackberry
  12. Mobile device threats
  • Web-based and network-based attacks
  • Malware
  • Social engineering attacks
  • Resource and service availability abuse
  • Malicious and unintentional data loss
  • Attacks on the integrity of the device's data
  13. Mobile platforms – security architecture (source: Symantec)
  • Traditional access control: seeks to protect devices using techniques such as passwords and idle-time screen locking.
  • Application provenance: each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).
  • Encryption: seeks to conceal data at rest on the device to address device loss or theft.
  • Isolation: isolation techniques attempt to limit an application's ability to access the sensitive data or systems on a device.
  • Permissions-based access control: grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the application if it attempts to perform actions that exceed these permissions.
  In many aspects the mobile device architecture is more advanced than your typical desktop OS.
  14. Updating of old devices is an issue for Android… (chart by Michael DeGusta)
  15. Correct approach to mobile security (source: McAfee)
  • Secure device, applications and data
  • Use a risk-based approach for access control decisions
  • Less emphasis on whether the device is corporate or personal
  • Extend DLP to mobile
  • Extend security event and forensic services
  • Monitor installed apps, jail-breaking and configuration compliance
  • Deliver corporate applications via thin clients to mobile devices
  16. References
  • Rethinking Enterprise Security, Toby Kohlenberg, Intel
  • "A Window Into Mobile Device Security", Carey Nachenberg, Symantec, 2011
  • McAfee EMM site
  • Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
  • Microsoft ActiveSync certification program
  • Microsoft Consumerization site
  • "CISO Perspective: Consumerization of IT" @ RSA Europe 2011, Bret Arsenault, CISO, Microsoft
  • "Magic Quadrant for Mobile Device Management Software", Document ID G00211101, Gartner, 2011
  • "Your Apps Are Watching You", The Wall Street Journal, December 17, 2010
  • Windows Phone 7.5 (Mango) Security model explained, Jani Nevalainen
  • Windows Phone Platform Security, Nokia
  • Windows Phone Security page, Microsoft
  • VMware Mobile virtual platform
  • Revolution or Evolution: Information Security 2020, PWC, 2010
  • Consumerisation and Corporate IT Security, Bruce Schneier, September 2010
  • Android Orphans: Visualizing a Sad History of Support, orphans-visualizing-a-sad-history-of-support, Michael DeGusta, October 2011