Slide 1: Mobile Security
Slide 2: Uniqueness of Mobile

- Mobile devices are shared more often. Smartphones and tablets are multipurpose personal devices, so users hand them to friends and family far more often than traditional computing devices such as laptops and desktops. Social norms on privacy differ between accessing a filesystem and using a mobile app.
- Mobile devices are used in more locations. Smartphones and tablets are frequently used in challenging wireless situations, in contrast to laptops, which are used from a limited number of trusted locations with laptop-friendly remote access.
- Mobile devices prioritize user experience. Smartphones and tablets place a premium on user experience, and any security control that degrades that experience will either not be adopted or will be circumvented. Workstation-level security cannot be assumed unless the devices are dedicated.
- Mobile devices have multiple personas (entertainment device, work tool, etc.). Each persona is used in a different context, and users may want a different security model for each persona without it affecting the others.
- Mobile devices are diverse. Smartphones and tablets run a variety of platforms and numerous applications aimed at pushing the boundaries of collaboration. The standard interaction paradigms of laptops and desktops cannot be assumed.
Slide 3: Market Sweet Spot: Enterprise Mobile Security

- Enterprises: empower mobile employees to attain greater productivity, agility and responsiveness while mitigating operational risk. Requirements are multifaceted and must be addressed proactively.
- Consumers: leverage mobility for social engagement, ease of access and entertainment without losing the device or sacrificing user experience and privacy. Main requirement: threat protection (i.e. anti-malware).
- Communication Service Providers (CSPs): deliver value-added, differentiating services to meet the mobile security requirements of enterprises and consumers. Top offerings: MDM, threat protection, IAM.

(The slide's diagram shows Consumer Mobile Security, CSPs and Enterprise Mobile Security as overlapping areas, with enterprise mobile security as the sweet spot.)
Slide 4: Built In vs. Bolted On: iOS vs. Android

Variance in security models:

| Feature              | Apple iOS                                                                                      | Google Android                                                              |
|----------------------|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| Application sandbox  | Yes                                                                                            | Yes, but not as strictly enforced                                           |
| Updates              | Pushed directly to devices; enterprises can acquire an MDM server to push updates              | Carriers or device manufacturers are required to push updates               |
| Application delivery | Apple App Store only; applications need to be approved                                         | No app store requirement; third-party app stores exist                      |
| OS enforcement       | OS enforces performance requirements on running apps                                           | OS does not enforce performance requirements                                |
| User identity        | Apple ID for apps                                                                              | Gmail ID                                                                    |

Differences in security management features:

- Apple provides a standard set of management APIs for iOS, eliminating differentiation among device management providers. Google today relies on the Android ecosystem to deliver device management capabilities.
- Apple secures iOS by process and design, which up to now has reduced its exposure to attacks and threats. CISOs must trust Apple: Apple is the first and last line of defense.
- Android is today the main market for mobile device security given its relatively loose security model, but it offers IT the most control (fragmentation has inadvertently limited the spread of malware). Security vendors target Android first and then release iOS support.
Slide 5: Mobile Security Challenges Faced by Enterprises

- Achieving data separation and providing data protection: personal vs. corporate data separation; data leakage into and out of the enterprise; partial wipe vs. device wipe vs. legally defensible wipe; data policies.
- Adapting to the BYOD / consumerization-of-IT trend: multiple device platforms and variants; multiple providers; managed devices (B2E) and unmanaged devices (B2B, B2E, B2C); endpoint policies; threat protection.
- Providing secure access to enterprise applications and data: identity of users and devices; authentication, authorization and federation; user policies; secure connectivity.
- Developing secure applications: application life cycle; vulnerability and penetration testing; application management; application policies.
- Designing and instituting an adaptive security posture: policy management (location, geo, role, response and time-based policies); security intelligence; reporting.
Slide 6: Customer Scenarios

Business need: protect data and applications on the device
- Prevent loss or leakage of enterprise data: wipe; local data encryption
- Protect access to the device: device lock
- Mitigate exposure to vulnerabilities: anti-malware; push updates; detect jailbreak; detect non-compliance
- Protect access to apps: app disable; user authentication
- Enforce corporate policies

Business need: protect enterprise systems and deliver secure access
- Provide secure access to enterprise systems: VPN
- Prevent unauthorized access to enterprise systems: identity; certificate management; authentication; authorization; audit
- Protect users from Internet-borne threats: threat protection
- Enforce corporate policies: anomaly detection; security challenges for access to sensitive data

Business need: build, test and run secure mobile apps
- Enforce corporate development best practices: development tools enforcing security policies
- Test mobile apps for exposure to threats: penetration testing; vulnerability testing
- Provide offline access: encrypted local storage of credentials
- Deliver mobile apps securely: enterprise app store
- Prevent usage of compromised apps: detect and disable compromised apps
Slide 7: Mobile Security, a Market View: A Spectrum of Capabilities

Mobile devices are not only computing platforms but also communication devices; hence mobile security is multi-faceted and driven by customers' operational priorities. The capability stack, top to bottom:

Mobile Security Intelligence (spanning the layers below)

Mobile Device Management
- Acquire/deploy: register, activation, content management
- Manage/monitor: self service, reporting
- Retire: de-provision
- Mobile device security management: device wipe and lockdown, password management, configuration, policy compliance

Data, Network and Access Security
- Mobile threat management: anti-malware, anti-spyware, anti-spam, firewall/IPS, web filtering, web reputation
- Mobile information protection: data encryption (device, file and app), mobile data loss prevention
- Mobile network protection: secure communications (VPN), edge protection
- Mobile identity and access management: identity management, authorize and authenticate, certificate management, multi-factor

App Development/Test
- Secure mobile application development: vulnerability testing, mobile app testing, enterprise policies enforced by tools

Mobile applications: native, hybrid, web
Application platform extension, OS/application layer (optional): application container (sandboxing), virtualization
Device platforms: some 30 device manufacturers and 10 operating platforms (iOS, Android, Windows Mobile, Symbian, etc.)
Slide 8: Enterprise Use Case: Security from Device to Web Apps

The slide's diagram traces the path from the mobile device over Wi-Fi and the telecom provider, across the Internet to mobile apps and web sites, and through a Mobile Security Gateway into the corporate intranet. Security responsibilities along that path:
- Endpoint: secure the device and its data
- Mobile apps and web sites: develop, test and deliver safe applications
- Mobile Security Gateway: user authentication, secure connectivity, web threat protection
- Corporate intranet: secure access to enterprise applications and data
Slide 9: End User Scenario and Focus Questions

My smartphone (iOS, Android, Windows Phone or the next cool device) hosts: Angry Birds, my personal emails, my corporate emails, Enterprise App 1 (sourced internally), Enterprise App 2 (sourced internally), an enterprise app sourced from a third party, and my Citibank app.

Security issues
- Who owns the security policies for the device or the application?
- How do we make the security appropriate to the application (or application family) that I want to access?

Device management and data protection
- How do I keep corporate data separate from personal data?
- When I lose the device, how can I partially wipe the (corporate) data?
- Where is the data stored (centrally, or per app), and is the data encrypted?

Access management
- How do I authenticate for the enterprise apps? How do I authenticate for the Citibank app?
- I want to be able to play Angry Birds without my company's or Citibank's authentication of the device.
- How do I utilize new smartphone features such as the touch screen and camera for greater usability?

Threat management
- What happens when I install an app that contains a virus or Trojan horse?

VPN
- How do I connect securely to the enterprise (VPN)?

Secure app development
- How do I figure out whether an application is vulnerable before installing it, or prevent malicious code exploits?
Slide 10: Strong Authentication Scenarios

- Passphrase
- Biometric
- Biometric + risk factor (device fingerprint, location, time, etc.)
- Passphrase + risk factor (device fingerprint, location, time, etc.)
- Soft token authentication
- One-time passcode (OTP)
Slide 11: Secure Access Using Biometrics

Why?
- Increase security while greatly simplifying access
- Make mobile access completely hands-free
- Verify the user with face and voice
Slide 12: Biometrics Enrollment

- Multiple images and voice prints of the user are enrolled under supervision, with the data stored on a server.
- Enrollment can be done through the smartphone, or from photographs and voice recordings of the subject taken by other means.
- Face enrollment uses multiple images captured with the camera.
- The enrollment data is sent through a web server to the biometric server.
Slide 13: Biometrics Verification

- The client (mobile device) calls a server API over a web service (REST or SOAP), sending an image or voice print of the subject along with the user ID.
- The server calculates the confidence that the face in the image (or the voice in the voice print) belongs to that user, and bases further action on that confidence.
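As an added example, not code from the slide deck, here is the server side of the enrollment and verification flow on slides 12 and 13: several templates are stored per user and modality, a verification request for a user ID returns a confidence, and the server maps that confidence to an action. The slides do not describe the biometric engine, so templates and probes are constructed feature vectors compared by cosine similarity, the JSON request shape is assumed (the slides name only a REST or SOAP call), and the two thresholds are assumed values that a real deployment would tune from measured false accept and false reject rates.

```python
"""Added example (not from the slide deck): server-side biometric enrollment
and verification with confidence-based actions.

Feature vectors, the JSON request shape and the thresholds are assumptions;
a real system would obtain the vectors from a face/voice engine.
"""
import json
import math

ACCEPT_THRESHOLD = 0.95   # assumed: at or above this confidence -> accept
STEP_UP_THRESHOLD = 0.85  # assumed: between the thresholds -> second factor


def cosine(a, b):
    """Cosine similarity in [-1, 1]; identical direction gives 1.0."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class BiometricStore:
    """Server-side template store keyed by (user_id, modality)."""

    def __init__(self):
        self._templates = {}

    def enroll(self, user_id, modality, feature):
        # Slide 12: multiple images / voice prints are enrolled per user.
        self._templates.setdefault((user_id, modality), []).append(list(feature))

    def confidence(self, user_id, modality, probe):
        """Best match of the probe against the user's enrolled templates.
        Unknown users get 0.0 rather than an error so the API does not
        reveal which user IDs exist."""
        templates = self._templates.get((user_id, modality), [])
        return max((cosine(probe, t) for t in templates), default=0.0)


def decide(confidence):
    """Slide 13: further action is based on the confidence."""
    if confidence >= ACCEPT_THRESHOLD:
        return "accept"
    if confidence >= STEP_UP_THRESHOLD:
        return "step_up"
    return "reject"


def handle_verify(store, request_body):
    """Handle one verification call: the device sends
    {"user_id", "modality", "features"} (assumed shape) and receives the
    confidence and the resulting action."""
    req = json.loads(request_body)
    conf = store.confidence(req["user_id"], req["modality"], req["features"])
    return json.dumps({"confidence": round(conf, 4), "action": decide(conf)})


def build_demo_store():
    """Constructed enrollment data (assumption) standing in for the face
    features of one enrolled user."""
    store = BiometricStore()
    store.enroll("alice", "face", [1.0, 0.0, 0.0, 0.0])
    store.enroll("alice", "face", [0.9, 0.1, 0.0, 0.0])
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for probe in ([1.0, 0.0, 0.0, 0.0], [0.8, 0.4, 0.0, 0.0], [0.5, 0.5, 0.0, 0.0]):
        body = json.dumps({"user_id": "alice", "modality": "face", "features": probe})
        print(handle_verify(store, body))  # accept, step_up, reject
```

The verification call carries the user ID in the clear alongside the sample, so the transport must be authenticated and encrypted, and the server should return the same "reject" shape for an unknown user as for a poor match, as above, rather than an error that confirms the ID exists.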
Slide 14: Biometrics Demo