Securing Enterprise or User Brought mobile devices
Wilfried Baeten, Business Line Director Projects & Consulting, Econocom Managed Services
20/09/2013
WWW.ECONOCOM.COM
Agenda
- Introduction
- The mobile security challenges
- Challenge 1: Managing the mobile device spread
- Challenge 2: Malware on mobile devices
- Challenge 3: Managing & securing corporate applications on mobile devices
- Challenge 4: Mobile profile management
- Challenge 5: Dropbox
- Conclusions
03/09/2012
Introduction
FACT Organizations Enable Mobile Devices
- 89% Allow mobile devices in the organization
- 65% Allow personal devices
Source: The impact of mobile devices on information security, January 2012. Check Point Software Technologies. N=768
The Good Old Days of Mobility
- Fully integrated security, encryption and policy stacks
- Business Email, Calendar and Contacts only on BlackBerry
- IT command-and-control, no personal apps allowed
- Predictable and controlled
What Makes BYOD a Unique Challenge for Enterprise IT?
- Consumer-grade OSs susceptible to rooting and malware
- Devices in an unknown and unverified starting state
- Unencrypted corporate data mixed with personal
- Unverified 3rd party apps with access to open APIs
- Restrictions on strong device-level policies and wiping
- Accidental data leakage through end-user actions
Heightened risk of corporate data leakage and cyber attacks
Today's Mobility Environment
Some statistics...
Enterprise Mobility Challenge Embracing the Next Wave of Mobility
Security: 3 is the magic number
Command Control Lock down Manage Secure Protect
- Mobile Device Management
- Mobile Application Management
- Mobile Information Management
Mobile security strategy
MAM, MDM, MIM
Challenges
1) How to manage the multitude of devices?
2) Mobile devices are now the top platform for malware
3) How to secure corporate applications on personal devices?
4) Profile management in the PC world solves many problems. How to tackle this in the mobile device world?
5) What about Dropbox?
Align devices, applications and users
Challenges
- How to control which devices, and their state, are allowed on the network?
- How to give and withdraw device rights?
- How to deploy applications?
- How to limit the use of device controls (microphone, camera, ...)?
- How to terminate a device / data?
- How to differentiate between personal and professional data?
Mobile Device Management needs to cover full device life cycle
Mobile Device Management: Best Practices
- Registering devices to ensure security: Virus protection, authentication, encryption: minimal required standards
- Provisioning of firm-authorized apps
- IT use monitoring
- User education
- Compliance with firm security policies
- Mobile Device registration with IT
- Password protection
- Use of unsanctioned apps
- Lost/stolen devices (selective) remote wipe
Ensure control of Corporate Data
- Stop transfer of data
- Stop Jailbroken & Rooted Devices
Know what you need and what you can
Control the device
Data protection settings that allow IT to take a granular, yet measured approach
- Disable Camera
- Disable Open-In
- Disable iCloud use
- Disable Copy/Paste
- Disable sending SMS
- Disable printing
- Disable sending email
- Restrict outbound URL
- Encrypt app and data
Geotracking results
Once enabled, ZDM can store up to 6 hours of movement for each device.
Evolution of the EMM (MDM) Technology Landscape
Mobile Apps & Private Data: Mobile App Management; Encryption & Containerization of Corporate Apps & Data; Email/PIM; Docs & Files; Browsing; Custom Apps
Mobile Devices: Mobile Device Management (MDM); Integrity Verification; Compliance; OS Hardening; Provisioning & Management; Security & Compliance
MDM is just the start!!
Security Malware
04/03/2013
ATTACK VECTORS FOR THE MOBILE MALWARE
Malware - impact
Common malicious activities on smartphones
- Collecting user information (61%)
- Sending premium-rate SMS messages (52%)
- Amusement
- Credential theft
- SMS spam
- Search engine optimization
- Ransom
Malware - impact
Spy recorder
- Remotely turn on the microphone and start recording any voice input
- Initiated and terminated by a phone call from a specific number
- Microphone is turned on when a call comes from the number and the call is automatically rejected afterwards
- User is not notified
Spy camera
- Taking snapshots from the camera
- Pictures uploaded to a remote server
- User is not notified when pictures are taken
Common Prevention and Protection
- Keeping the device in non-discoverable Bluetooth mode.
- Installing an anti-virus / IDS on the mobile device.
- Installing firmware updates when they are made available.
- Exercising caution when installing applications from untrusted sources.
Mobile applications - challenges
- Application interop: data leakage risk
- Application security: containerization of applications
- ActiveSync issue (no 2-factor, brute force attack): combine MDM & IDS
- Application deployment: corporate App Store
Many EMM suites provide solutions both for MDM and MAM
Security Applications
- Allow Camera
- InterApp Sharing
- iCloud Backup
- Enable DLP
- Require Authentication
- Trusted Network Only
- Disable printing
- Restrict outbound URL
- Offline lease period 24 h
- Secure app containers
- Micro VPN
- Lock and wipe
- Inter-app controls
- Conditional access policies
Policy settings: Allow Camera, InterApp Sharing, iCloud Backup, Enable DLP, Require Authentication, Trusted Network Only, Disable printing, Restrict outbound URL, Offline lease period 24 h
Secure Containerization Key Considerations and Approaches
Corporate App Store: Governing cloud & mobile users
The mobile world is consumer driven; users are spoiled with iTunes or Google Play; enterprises have additional requirements
Consumer-Centric Requirements
- App discovery/search and user choice
- Install/update, trials, social network
IT-Centric Requirements
- License management and distribution
- Verification testing, reporting
- Approve, publish and control install/uninstall
Challenges: App stores intersect multiple IT markets
Context Awareness
Context Aware Risk Based Access Control
Mobile App; Application Management; User Credentials; Access Management; Risk-based Access; Mobile Threat Protection; App Optimization; Enterprise Applications and Connectivity
Geo-Fencing for iOS
Users Demand
- Instant file and data access from any device
- File sharing (with anyone)
- Easy and familiar (love Dropbox)
IT Wants
- Security
- Control, no data leakage (hate Dropbox)
Dangers of Dropbox
- Easy to use, users are not aware of the dangers
- If no corporate solution, users get a private Dropbox
- Uncontrolled Cloud
- End User License Agreement!!
- Document ownership
- HTTP upload: bypass of all corporate security mechanisms
- Data leakage
Enterprise file sharing solution
- Enables file sharing with anyone
- Syncs data across all devices
- Online file sharing spaces for virtual teams
- Selective offline access on mobile devices
- Data protection: Encryption, Device lock, Remote wipe, Poison-pill
Store, Sync, Share
Private Cloud storage solution
Mobile Security Challenges Faced By Enterprises
Achieving Data Separation & Providing Data Protection
- Personal vs corporate
- Data leakage into and out of the enterprise
- Partial wipe vs. device wipe vs legally defensible wipe
- Corporate Cloud data sharing solutions
- Data policies
Adapting to the BYOD/Consumerization of IT Trend; Providing secure access to enterprise applications & data; Developing Secure Applications
- Multiple device platforms and variants
- Multiple providers
- Managed devices (B2E)
- Unmanaged devices (B2B, B2E, B2C)
- Endpoint policies
- Threat protection
- Identity of user and devices
- Enterprise application store
- Authentication, Authorization and Federation
- User policies
- Secure Connectivity
- Application life-cycle
- Static & Dynamic analysis
- Call and data flow analysis
- Application policies
Interrelated
Designing & Instituting an Adaptive Security Posture
- Policy Management: Location, Geo, Roles, Response, Time policies
- Context based user profiles
- Security Intelligence Reporting
Mobility of the future...
Q & A
01/10/2013 EMS BELUX & NED - OB 2014