Mobile Security. Policies, Standards, Frameworks, Guidelines

Transcription

1 Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP Rev. 1) 1

2 APPLE ios 6 TECHNOLOGY OVERVIEW Version 1, Release 0.1, 31 October 2012 Developed by DISA for the DoD MOBILE DEVICE MANAGEMENT (MDM) SECURITY REQUIREMENTS GUIDE (SRG), Version 1, Release 0.2, Developed by DISA for the DoD, OVERVIEW, 26 October 2012 OpenID OpenID is just one type of Federated Identity system. OpenID is focused more on the consumer market, whereas FID-proper is focused on the enterprise. OpenID offers the ability for users to log into one website (Facebook, for example) using credentials from another website, such as Google (who is now an OpenID identity provider). 2

3 OAuth OAuth s main goal is to eliminate the need to give website A your username and password for website B, and determines what website B can get from website A once it s been allowed access. OpenID is about authentication OAuth is about authorization Security Assertion Markup Language (SAML) The SAML standard defines a framework for exchanging security information between online business partners. SAML defines a common XML framework for exchanging security assertions between Entities. 3

4 Security Assertion Markup Language (SAML) Identity Provider (IdP) The system, or administrative domain, that asserts information about a subject. For instance, the Identity Provider asserts that this user has been authenticated and has given associated attributes. Service Provider (SP) The system, or administrative domain, that relies on information supplied to it by the Identity Provider. It is up to the Service Provider as to whether it trusts the assertions provided to it. SAML defines a number of mechanisms that enable the Service Provider to trust the assertions provided to it. Security Assertion Markup Language (SAML) 1. How does the relying party trust what is being asserted to it? 2. What prevents a man-in-the-middle attack that grabs assertions to be illicitly replayed at a later date? The primary mechanism to mitigate or detect such attacks is for the relying party and asserting party to have a pre-existing trust relationship, typically involving a Public Key Infrastructure (PKI). 4

5 Mobile Device Security Standards Required to cover each type of device: Laptop Windows Mobile Blackberry Client iphone; ipad (ios5/6) Required to cover each type of technology Wireless LAN Bluetooth 1 Mobile Security Standard ISO 17799:2005 Example Section 11.7 covers Mobile Computing and Teleworking A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities A policy, operational plans and procedures should be developed and implemented for teleworking activities. 1 5

6 ISO/IEC 29176:2011 Information technology -- Mobile item identification and management -- Consumer privacy-protection protocol for Mobile RFID services ISO/IEC :2006 Information technology -- Security techniques -- IT network security -- Part 5: Securing communications across networks using virtual private networks ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of practice for information security management ISO/IEC & Security Policy Organizational Security Infrastructure Asset Classification and Control Human Resource Security Physical and Environmental Security Communications and Operations Management Access Control Incident Management Systems Development and Maintenance Business Continuity Management Compliance 6

7 OWASP Mobile Security Project This list was initially released on September 23, 2011 A call for volunteers was released in the July 2012 for an annual refresh of the Top 10 Mobile Risks. OWASP Top 10 Mobile Controls 1. Identify and protect sensitive data on the mobile device 2. Handle password credentials securely on the device 3. Ensure sensitive data is protected in transit 4. Implement user authentication/authorization and session management correctly 5. Keep the backend APIs (services) and the platform (server) secure. 1 7

8 OWASP Top 10 Mobile Controls 6. Perform data integration with third party services/applications securely 7. Pay specific attention to the collection and storage of consent for the collection and use of the user s data 8. Implement controls to prevent unauthorised access to paid-for resources (wallet, SMS, phone calls etc...) 9. Ensure secure distribution/provisioning of mobile applications 10. Carefully check any runtime interpretation of code for errors OWASP Mobile Controls I. Establish coding practices for mobile coding II. Enforce higher security posture on the device for sensitive apps used in an enterprise context III. Protect your application from other malicious applications on the device IV. Provide or use an existing reporting channel for phishing from apps. 8

9 The user's authentication and authorization experience should be consistent across both web and native mobile applications. Users will become confused when they're expected to use different credentials and/or a different login ceremony for mobile application models, especially if accessing the same application. Phishing is becoming a major problem for cloud services and is not diminished when using mobile applications. The user should be given the chance to recognize and trust the authentication service. This means a mobile browser should be used to authenticate the user, the address bar should be visible, and user passwords should not be collected within the native application itself. 9

10 What happens when an employee loses their phone? If passwords are left cached on the phone, an organization's data is put at risk. The use of OAuth in combination with SSO allows for seamless access without the risk of caching passwords. Additional Resources 1. For more information about the Common Criteria, including links to download the complete official criteria, see the Common Criteria portal at and the website of the Common Criteria Evaluation and Validation Scheme (CCEVS) ( 2. The authentication model for HTTP is described in RFC 2617, HTTP Authentication: Basic and Digest Access Authentication, which you can find at 3. For information on the SSL protocol for secure networking, see For the TLS protocol, see and RFC 5246 at 4. Documentation of the AES encryption algorithm used for FileVault is available on the National Institute of Standards and Technology (NIST) website at 5. For information on Kerberos authentication, see For information on MIT s Kerberos for Macintosh, see n/documentation/kerberosframework.html. 6. See OS X Server Open Directory Administration available at for details on the services that support Kerberos and on how to implement a Kerberos KDC on your OS X server. 10