Mobility, Security Concerns, and Avoidance

Similar documents
Securing Today s Mobile Workforce

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

A Mobile Security Checklist: The Top Ten Threats to Your Enterprise Today. White Paper

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Introducing KASPERSKY ENDPOINT SECURITY FOR BUSINESS

ForeScout ControlFabric TM Architecture

Changing face of endpoint security

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

A Guide to Closing All Potential VDI Security Gaps

Make security part of your client systems refresh

MOBILE NETWORK ACCESS CONTROL

RHM Presentation. Maas 360 Mobile device management

WHITE PAPER. Applying Software-Defined Security to the Branch Office

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Microsoft IT deploys Work Folders as an enterprise client data management solution

PCI DSS Compliance. White Paper Parallels Remote Application Server

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

SIEMLESS THREAT DETECTION FOR AWS

Mobile Security using IBM Endpoint Manager Mobile Device Management

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Google Identity Services for work

Mobile Experience and Security - A Delicate Balance. Jeff Keller, CISA, CIA, CFSA SVP/Senior Audit Director, Technology, Projects, Due Diligence

Information Security Controls Policy

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Internet of Things Toolkit for Small and Medium Businesses

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Simple and Powerful Security for PCI DSS

Securing the SMB Cloud Generation

Quick Heal Mobile Security. Anti-Theft Security. Real-Time Protection. Safe Online Banking & Shopping.

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Symantec Network Access Control Starter Edition

The Lord of the Keys How two-part seed records solve all safety concerns regarding two-factor authentication

Symantec Network Access Control Starter Edition

SECURING DEVICES IN THE INTERNET OF THINGS

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

The Quick-Start Guide to Print Security. How to maximize your print environment and minimize security threats

Security Audit What Why

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Secure Access for Microsoft Office 365 & SaaS Applications

CipherCloud CASB+ Connector for ServiceNow

FireMon Security manager

Requirements for IT Infrastructure

Maximizing IT Security with Configuration Management WHITE PAPER

Privileged Account Security: A Balanced Approach to Securing Unix Environments

10 Hidden IT Risks That Might Threaten Your Business

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Data Loss Prevention Whitepaper. When Mobile Device Management Isn t Enough. Your Device Here. Good supports hundreds of devices.

Cyber Essentials. Requirements for IT Infrastructure. QG Adaption Publication 25 th July 17

PCI Compliance Updates

Best Practices in Securing a Multicloud World

SECURING DEVICES IN THE INTERNET OF THINGS

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Symantec Network Access Control Starter Edition

SECURE, CENTRALIZED, SIMPLE

Integrated Access Management Solutions. Access Televentures

Client Computing Security Standard (CCSS)

BYOD Risks, Challenges and Solutions. The primary challenges companies face when it comes to BYOD and how these challenges can be handled

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY:

Automated, Real-Time Risk Analysis & Remediation

Carbon Black PCI Compliance Mapping Checklist

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

NEN The Education Network

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Five Tips to Mastering Enterprise Mobility

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

KASPERSKY ANTI-MALWARE PROTECTION SYSTEM BE READY FOR WHAT S NEXT. Kaspersky Open Space Security

White paper. April Security

NEXT GENERATION SECURITY OPERATIONS CENTER

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Speaker Introduction Who Mate Barany, VMware Manuel Mazzolin, VMware Peter Schmitt, Deutsche Bahn Systel Why VMworld 2017 Understanding the modern sec

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

Security Enhancements

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Trustwave Managed Security Testing

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

THE SONICWALL CLEAN VPN APPROACH FOR THE MOBILE WORKFORCE

8 Must Have. Features for Risk-Based Vulnerability Management and More

Mobile Device Management: A Real Need for the Mobile World

Teradata and Protegrity High-Value Protection for High-Value Data

A Review Paper on Network Security Attacks and Defences

Securing Health Data in a BYOD World

Juniper Vendor Security Requirements

Sarbanes-Oxley Act (SOX)

WHITE PAPER. Five AWS Practices. Enhancing Cloud Security through Better Visibility

XenApp, XenDesktop and XenMobile Integration

Security Readiness Assessment

Transcription:

By Jorge García, Technology Evaluation Centers Technology Evaluation Centers

Mobile Challenges: An Overview Data drives business today, as IT managers and security executives face enormous pressure to use data effectively and securely. They require quick, agile transmission of data via a wide number of communication channels and devices, with smartphones and tablets in particular being an increasingly prevalent data consumption device. The corporate mobile landscape is increasingly crowded by devices, business applications, and technologies, including an increasing number of business applications ready for (or designed to be used with) mobile devices such as laptops, netbooks, smartphones, and tablets. Furthermore, organizations are adopting bring your own device (BYOD) initiatives that allow users to incorporate their own mobile devices into daily business tasks, from e-mail to the use of all business applications available within the organization. At the same time, freedom to access data through mobile devices involves serious risks and issues. One reason information is such an important asset for an organization is that it conceals intrinsic value. It needs to be managed securely to prevent/minimize internal and external threats that might expose this information to deliberate or non-deliberate disclosure, misuse, or damage. Threats include (but are not limited to) malware and spyware while in the past, malicious software predominantly affected personal computers, in recent years the mobile industry has seen an increase in the number of malware and spyware programs used to cause harm or to steal confidential information from users and companies; hacking by exploiting a system s/network s weaknesses, hackers can gain access to sensitive data in order to exploit, disclose, or harm information residing within the mobile infrastructure; data loss an increasing number of mobile users and organizations store sensitive information within their mobile devices information that can potentially be stolen or lost with the device; and jailbreaking (ios)/rooting (Android) many mobile users choose to modify the original operating system to expand the capabilities of ios and Android devices. However, such modifications make devices more vulnerable to external attacks and may expose information and passwords stored on these devices to hackers. 2

But these are not the only challenges. Mobile proliferation leads to a number of other risks: a focus on applications rather than on corporate strategy, hindering a complete corporate view of the deployment, maintenance, and security of a mobile platform corporate mobile silos with little or no interaction capabilities, preventing a centralized approach to the management of applications and devices painful scalability due to lack of a unified mobile strategy little to no mobile governance These challenges can make it difficult and sometimes impossible to secure all elements of the corporate mobile infrastructure. That said, it s imperative for organizations to find and maintain an optimal balance between data security and access to information, at all times. In other words, when deploying a corporate mobile strategy, organizations need to address mobile security strategy needs properly in order to ensure that all mobile security components work with and not against user access. Security managers need to approach the problem to find the level of acceptable risk for access to sensitive information through mobile devices, and an easier way to configure and control it in a single instance as much as possible. They also need to define the right policies and deploy the necessary solutions to configure responsibilities and define which level of risk can be taken and who is authorized to take it, if necessary. This is aimed at providing adaptive security measures that are transparent to the user without creating unnecessary limits, while establishing a risk schema that defines where and when a risk is acceptable and who is authorized to accept it. 3

Mobile Security from the Inside Out: Solving the Security Challenge Given that data is one of an organization s most important assets, it s vital to take mobile security into consideration at various levels: At the source: Source encompasses all components residing within the corporate firewall. Everything within the corporate network must be protected, which means implementing policies and strategies to grant, limit, or prohibit access to the corporate network. This includes the use of specific mobile virtual private network (VPN) tunnels or a secure mobile network operation center (NOC). During transmission: I.e., the transmission of information over a wireless network. Three elements are important at this stage: sending, reception, and transit through the wireless network. Securing transmission includes verification/authentication of the sender as well as the use of additional processes such as data encryption. At target (internal devices): The vast number and variety of devices, as well as new corporate patterns of adoption, make it essential for organizations to anticipate new risks, from exposure of sensitive data through theft or loss, to the potential threat of malware and spyware programs. Measures such as restricting access to the mobile device, or establishing policies to block or erase sensitive data need to be taken to ensure information security is improved. 4

Securing the Corporate Mobile Strategy Thus, securing the corporate mobile platform requires a rigorous evaluation not only of the entire corporate set of mobile applications, but also of the technical and human infrastructure. The BYOD Scenario Many IT managers are incorporating a BYOD approach in the workplace. This means that they need to implement security measures for different types of mobile devices for both the hardware and software. In particular, IT managers will need to secure different sets of mobile operating systems (OSs), such as SymbianOS, ios, Android, and BlackBerry, and address the challenges in establishing security measures for each of the mobile OSs that they have in place. This is made more difficult by the fact that some mobile OSs such as Android and ios were not designed for corporate environments. So, ensuring security for a multi-mobile device environment means: integrating all mobile devices within a single security infrastructure, making security measures as transparent as possible for the user, automating as many device security measures as possible, and creating a combination of written policies and technology enforcement measures, and ensuring end users are aware of them. These challenges can hardly be overcome without a comprehensive way of managing all mobile devices within a single strategy and/or application. This is where a corporate view comes in handy. Why a Corporate Solution? With data flowing wirelessly through a grid of mobile devices and business applications, both inside and outside the corporate firewall, it is important to diminish risk and improve the productivity of the mobile infrastructure. A corporate approach to managing the entire mobile infrastructure can provide many benefits: a centralized application to administer mobile security at all stages (source, transmission, and target) straightforward creation and monitoring of general mobile policies secure and controlled user devices automation of security tasks (automatic update installation, security patches, updated user profiles, etc.) 5

minimized user responsibility with respect to mobile security tasks balance between security and easy authentication of user access to the mobile platform potential integration with third-party security standards and solutions platform scalability/configuration to meet different needs and requirements proper training and security assessment for all involved users a set of self-service scenarios to help end users address problems quickly, with minimal support costs means for detecting jailbroken/rooted devices and denying network access to them meeting regulatory and data protection standards specific to industries and countries An enterprise mobility management (EMM) solution provides much of the functionality required to maintain the security of the mobile platform. As a middleware solution, it can serve as a centralized enabler or limiter of access to the mobile network, as well as manage mobile security by addressing the complete data cycle within the corporate mobile infrastructure. EMM solutions have the potential to leverage data security by reinforcing security controls within all corporate mobile devices; configuring access to mobile services and applications; enabling the setting and maintenance of mobile access policies; centralizing security management to respect a single source for security control, thereby facilitating the monitoring, configuration, policy enforcement, and maintenance of the infrastructure; providing a set of analytics tools integrated to the mobile infrastructure to allow administrators and key users to establish relevant security key performance indicators in order to identify key security issues in all stages of the mobile platform (from the device to the mobile server), as well as to establish usage profiles to identify potential threats, reinforce security policies, and monitor device usage, enrollment, etc.; and empowering end users with self-service. A corporate mobile approach needs to perform the following main tasks: authentications set and configure firewalls to prevent hacking and external attacks centralize management of security on mobile devices secure data in transit deploy anti-malware applications on mobile devices implement policies of use of mobile devices protect data at rest train for and promote risk awareness 6

Summary: Core Security Functions of an Enterprise Mobility Management Solution At source Transmission and network At target Setting connection profiles Role and group configuration and management Data encryption Policies and profile management Integration and connectivity with third-party systems Multi-device management and authentication Security alerting and messaging Security task scheduling and prioritization Security configuration for connected and disconnected apps VPN support and management SSL tunnel support and management Encryption support and management Antivirus and firewall management Central management of mobile device security (remote lock setting, remote deployment of security apps, etc.) Support for multiple devices Automated security tasks 7

Assess Your Level of Corporate Mobile Security Take the following self-assessment to help you evaluate your current mobile platform status. Answer Yes, No, or Partially, according to your organization s ability to address each of the following items. Once you re done, tally your score and consult the legend following the table for your results. Authentication Yes (5 points No (0 points Partially (3 points Our solutions provide centralized policy management and enforcement We authenticate users and devices We define power-on passwords for mobile devices Firewalls Security levels are easily defined and configured by the administrator We restrict types of traffic and origins Our detection systems can block external attacks Centralized security management We have centralized provisioning of settings and policies We lock mobile security settings on devices to prevent users from modifying them We deploy security and pattern file updates as well as software patch updates to mobile devices We install mobile security applications on devices Integrated analytics to monitor and analyze security performance Secure in-transit data We use virtual private network (VPN) technologies Secure socket layers (SSLs) are simple to implement Anti-malware applications We have implemented real-time scanning for malware over devices We scan for mobile threats and applications We update security apps regularly with minimum user or administrator intervention We have a jailbroken/rooted device detection service in place 8

Policies of use for mobile devices We have developed and enforce mobile security policies within all applicable areas We inventory all device types and models We protect or restrict data synced with mobile devices Protection of data at rest We have selected the necessary encryption to comply with policies We provide in-place encryption We protect and manage encryption keys We encrypt all data at rest Training and risk awareness We have established formal security training We have established simple and clear risk awareness policies We have established self-service scenarios for users Yes (5 points No (0 points Partially (3 points Fewer than 63 points: low security/high risk While some security measures may be deployed, major improvements should be made to the mobile platform. The security approach is reactive, and issues are addressed as they arise. Prevention is difficult, as is setting and executing proper security policies. Mobile security is mostly based on security imposed by devices with less corporate awareness. Lack of training and risk awareness on the part of users makes security administration costly and slow. Between 63 and 93 points: moderate security and risk The mobile platform has improved reliability but still needs to address issues that might represent a threat for data and systems in use by the corporate infrastructure. While there are some prevention measures in place, configuration of the platform may still be somewhat complicated and slow, addressing rather than preventing problems. Some security processes may be automated, which decreases pressure from mobile administrators with respect to some security tasks. More than 93 points: high security/low risk There is an existing infrastructure in place that enables mobile administrators to implement prevention measures by automating some security processes. Data security policies are well defined, and security controls are in place to protect data transmission and mobile devices. While there is always room for improvement, improvements are deployed as reinforcements rather than as immediate issue avoidance. Report sponsored by SAP 9

About Technology Evaluation Centers Technology Evaluation Centers (TEC) provides insight and expertise in offering impartial resources and services to minimize the costs, risks, and time associated with software selection. Over 3.5 million technology decision makers visit TEC s Web sites each month, to find information on hundreds of solutions, and to access articles, white papers, and podcasts. TEC s decision support system (DSS) and analyst data assist with the evaluation, comparison, and selection of enterprise solutions and services. TEC s offerings include in-depth research, detailed product information, and software selection services for any industry or company size. 10

Technology Evaluation Centers Technology Evaluation Centers Inc. 740 St. Maurice, 4th Floor Montreal, Quebec Canada, H3C 1L5 Phone: +1 514-954-3665 Toll-free: 1-800-496-1303 Fax: +1 514-954-9739 E-mail: asktheexperts@technologyevaluation.com Web site: www.technologyevaluation.com TEC, TEC Advisor, and ERGO are trademarks of Technology Evaluation Centers Inc. All other company and product names may be trademarks of their respective owners. Technology Evaluation Centers Inc. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback