The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013

Transcription

1 The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh May 20 th, 2013

2 Companies are leveraging mobile computing today Three major consumption models: 1. Improving productivity Improving employee productivity by extending reach of existing apps. Ex. mobile timesheets 2. Enabling employees Enabling employees via new or more efficient business processes. Ex. mobile field support, mobile CRM. 3. Enabling new business Targeting new markets or offering clients new products/services. Ex mobile commerce apps. Transform infrastructure by changing application delivery method. Arming your people with the best tools to increase productivity. Deliver a new service, or existing service to a new market. [2] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

3 The future mobile workplace will be driven by an empowered employee Work will be done by open, interconnected, global communities where knowledge is collective and accessible The workforce will be more mobile, flexible, agile, and adaptable to the changing business needs The tools of work will be easy to use, seamless and always available The Old World: Corporate Owned Device The New World: Employee Owned Device Anytime Anywhere Any Connection Any Trusted Device [3] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

4 Mobile nirvana? Make getting work done easier by empowering the employee Any Trusted Device Public Private Any Connection Access to the Information they Need Anytime Anywhere Enablement Platforms Cloud IT Apps [4] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

5 The big picture the mobile security risk surface Devices Jailbreak or rooting NFC/Bluetooth exploits Privacy legislation Industry regulations Cloud Service Theft and Data Extraction Social Engineering Apps Malware Data Leakage Unencrypted Local Storage Application Vulnerabilities Unencrypted data in transit Third party data leakage Insecure service configuration External Unsecure MDM Configuration Application Vulnerabilities Insecure Services Internal Mobile Device Management Enterprise Mobile Applications Private Cloud / Services [5] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

6 How can your organization strike a balance between risk and reward? Employee view: Corporate devices are oldfashioned Many employees already own as their personal device and bring to work Some C-level executives may already be using one for business as a special request Arguments for increased innovation, flexibility and productivity I want one for work too! Enterprise view: Devices built for the consumer market Concern regarding device management, security, scalability and data protection Impact on meeting regulatory compliance obligations What happens if we don t support? Is it secure and reliable enough for handling corporate information? [6] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

7 There is no one size fits all solution; instead, organizations should focus on addressing risk within four core areas Area 1 Securing mobile devices Goal Ensure that lost and stolen devices are handled securely, and that access to data is protected 2 Addressing application risk Minimize risk of malware and insecure mobile apps affecting the organization s data 3 Managing the mobile environment Address risk tied to enrollment, deprovisioning, patching and monitoring 4 Addressing governance and compliance Proactively handle regulatory risk tied to industry regulations and in-country privacy legislation [7] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

8 Securing mobile devices [8] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

9 The greatest mobile risk is still device loss/theft but the risks are shifting as a function of new usage scenarios Mobile device loss Lost device recovery rate Finder voyeurism Employee data access More data/access + more devices + more theft/loss = Increased risk [9] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

10 The evolution of threats Device security controls should be tailored based on mobile use cases and threats [10] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

11 8 steps to secure your devices 1. Evaluate current and future usage scenarios 2. Invest in a MDM solution 3. Enforce the Big 4 security policies as a minimum 4. Set a device security baseline 5. Layer the infrastructure 6. Consider more stringent access controls to critical business apps 7. Monitor usage and access 8. Amend the organization s awareness program The Big 4 Device encryption PIN Wipe after 10 failed PIN attempts Remote wipe [11] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

12 Addressing application risk [12] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

13 Mobile banking malware in the wild: Sophisticated malware modus operandi Malware sample: Eurograbber Victim clicks on a link sent via spam or available on a malicious website Victim downloads malware to desktop. Malware waits until user begins banking session The bank implements two factor authentication. To complete a transaction, a transaction authorization number (TAN) is needed. TAN is sent to end-users via SMS Malware creates fake pages during the session requesting user to install a security upgrade. The link to this upgrade is sent via SMS Victim clicks on the upgrade link and installs mobile malware. This malware now waits for the user to receive a TAN number Malware intercepts the TAN number and processes transactions [13] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

14 5 steps to counter application risk 1. Protect malware-prone mobile operating systems with antivirus 2. Ensure your secure development lifecycle contains security processes to cover mobile application development 3. Manage applications through an in-house app store, and monitor external apps 4. Proactively bring in or develop services that enables data sharing between devices 5. Continually assess the need for apps to increase productivity and security [14] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

15 Managing the mobile environment [15] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

16 Failing to handle the management issue will ensure ballooning risk 3000 devices ios Android Mobile operating system distribution [16] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

17 Mobile Device Management (MDM) is a first step for risk mitigation in diverse mobile deployments Without MDM With MDM Limited security controls Consistent controls Inability to securely wipe devices Secure, confirmed remote wipe No application management No way to restrict devices based on security settings Compartmentalization and app management Restrict based on policy Hard to control enrollment / deprovisioning Control enrollment and deprovisioning Limited manageability Better manageability Difficult to manage devices Little or no control over device status Easier to manage and support diverse devices Better control over device status Doesn t scale Scales to many types of devices [17] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

18 6 Steps to securely manage mobile devices 1. Create a cross-functional mobile working group and a mobile strategy 2. Create a BYOD policy (if applicable) and invest in a MDM 3. Re-vamp existing support processes 4. Create a patch education process to encourage users to update their mobile devices 5. Monitor deviations from security baseline 6. Implement a wiki/knowledge base employee self-service support solution [18] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

19 Addressing governance and compliance [19] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

20 Mobile deployments must account for global privacy regulation (and surveillance) risks Relevant U.S. / international regulations: PCI-DSS recently published on BYOD HIPAA HITECH refers to NIST standards, but will likely change FINRA SOX Core EU privacy concepts: Privacy governance Data protection Monitoring (privacy at work) Breach investigation and notification Right to be forgotten and erasure Data ownership and recovery The trend is for more specific regulation around mobile data protection to be released [20] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

21 5 steps to handle regulatory/compliance risk 1. Engage legal and HR in the respective countries where devices are to be supported 2. Create tiered policies per geographical segment 3. Ensure that local management has the right processes in place to support the policy 4. Monitor and revise policies regularly 5. Segment business environments and data from personal employee data as much as possible [21] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

22 Using these four areas to scope your audit will help you focus on the right risks 1 2 Securing mobile devices Addressing application risk 3 Mobile audit scope 4 Managing the mobile environment Addressing governance and compliance [22] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

23 Questions? [23] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

24 Ernst & Young contacts Paul Chabot Senior Manager IT Transformation San Francisco, CA Michael Janosko Senior Manager, Advanced Security Center New York, NY Carsten Maartmann-Moe Manager, Advanced Security Center New York, NY carsten [24] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

25 BYOD pitfalls and leading practices [25] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

26 BYOD Strategy Pitfalls and leading practices when developing your BYOD strategy Scope Pitfalls Leading Practices User segments Device Certification One size fits all strategy Considering only currently available devices Analyze the requirements of different user types and define user segments Keep the number of segments manageable to reduce the complexity of your BYOD strategy Consider long-term plans to use mobile enterprise applications as part of your usage scenarios New devices are introduced into the market every 3-6 months The certification process must be ongoing and continually evolving IT must become an expert on device and operating system evolution [26] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

27 BYOD Strategy Scope Pitfalls Leading Practices Mobile TCO Cost savings Usage Variation Ignoring TCO and expected benefits can result in a very costly BYOD solution. Ignoring regional or internation al diversity Develop a business case Quantify the expected BYOD benefits. - Don t focus only on cost savings as costs will likely increase by 7-10% - Focus on increased employee productivity and satisfaction Multi-national firms should consider the impact of device availability, usage habits, provider capabilities on use cases for different user types [27] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

28 BYOD Design Pitfalls and leading practices when developing your BYOD solution Scope Pitfalls Leading Practices Policy BYOD Program Describing technical standards that users do not understand or focusing on what is not allowed Treating BYOD as a one time project and not considering ongoing operations Create a BYOD policy that is easy to understand Augment the policy with education and communications so users understand their options and can better select devices to meet their needs This will improve adoption, increases satisfaction, and decreases support calls Define processes and allocate sufficient resources to support ongoing operations and mature the BYOD program Support continuous improvement of policies and solutions to maintain a positive end-to-end experience and continue to realize BYOD benefits Establish a team that can monitor and evaluate new technology Maintain relationships with device and technology providers [28] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

29 BYOD Design Scope Pitfalls Leading Practices Mobile risk and cost Regulatory risk Policy design BYOD exposes company to security and regulatory risks Trying to design a policy that covers all possible scenarios Design BYOD strategy with both security and regulatory compliance in mind Plan for security monitoring and regular testing of devices and infrastructure Consider in-country data requirements Establishing a governing body and processes for ruling on the inevitable exceptions to the policy Devise a policy with a dimension of Ownership where personal and corporate data each have different sets of policies for security, privacy, and apps [29] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

30 BYOD Deployment Pitfalls and leading practices when deploying BYOD in your organization Scope Pitfalls Leading Practices Employee communication Resistance to change Big bang deployment Creating a negative perception that BYOD is designed to shift the cost burden to the employee Not involving key stakeholders early Neglecting to test the waters with a pilot before doing a more extensive rollout Don t underestimate the required communication and change management- validate that communications are working and adjust your plans as necessary Be ultimately accountable for providing a positive end-to-end user experience Educate employees on mobile data security, scams, phishing schemes, etc By engaging key stakeholders early, you will ultimately overcome resistance to change Have representation from: Executives, HR, Support, Finance, Legal and User groups/segments to ensure concerns are addressed during design Perform a pilot before doing a more extensive roll out Capture lessons learned and adjust you BYOD solution and deployment plans to increase adoption and user satisfaction Identify early adopters that can become champions the greater deployment [30] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

31 BYOD Deployment Scope Pitfalls Leading Practices Mobile support Measured benefit Support costs Not monitoring adoption and usage Ballooning support costs Establish success metrics and targets as part of the deployment plan: Adoption metrics (#devices, #user, data usage) Benefit realization metrics (user satisfaction, employee productivity, cost/user) Make sure your support model makes extensive use of: Self help - web help, FAQs, support workflow automation Community support use social technology to enable peer support, leverage early adopter champions [31] ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk