If you can't beat them - secure them
v1.0, October 2012
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Preface: Mobile adoption

o New apps deployed in the cloud
o Allow access to their networks
o Employees use two or more devices

Smart phone sales roughly doubled in the last financial year. Approximately 80 of the Fortune 100 companies are deploying or evaluating the Apple iPad for enterprise. By 2014, 90% of organizations will support corporate applications on personal devices. Smartphone vendors shipped 153.9 million handsets in Q2 2012, compared to 108.3 million in Q2 2011 (Source: IDC).
Preface: Mobile adoption

Mobile technologies are a standard part of work life. Mobile banking users exceeded 150 million globally in 2011. The value of mobile payments is expected to reach $110 billion in 2013, a CAGR of 105%. Sales of smartphones were up by 42.7%, with Apple and Samsung together accounting for 83% market share (Source: Gartner 2012).

Indicator                                               Value                      Source
Global Hits from Mobile Devices (Jan 2012)              8.5%                       StatCounter
3G Mobile Network Coverage                              45% of world population    ITU
Total Mobile Apps Downloaded in 2011                    29 Billion Apps            ABI Research
Expenditure on Mobile Advertising Worldwide in 2011     USD 3.3 Billion            Gartner
Mobile Payments Users in 2011                           14.1 Million               Gartner
Preface: Bring Your Own Device context

Bring your own device (BYOD) is the term for a business policy of employees bringing personally owned mobile devices to their workplace and using those devices to access privileged company resources such as email, file servers and databases, as well as their personal applications and data.

Recent survey: the mobile device explosion paves the way for BYOD

Device type       2010               2015                Growth
Corporate PCs     177M               246M                39%
Personal PCs      173M               293M                69%
Smartphones       300M               1017M               340%
Tablets           15M                326M                2,170%
Contents

o Your worst BYOD nightmare
o Waking up from my BYOD nightmare: where am I?
o Controlling BYOD: From woe to go
o Safeguard controls for mobile devices
o Final notes
Your worst BYOD nightmare is to not realise that the cord has already been cut

From smart phones to tablets to laptops, mobile technologies have become a standard part of work life, offering productivity and efficiency gains as well as enhanced services for customers. The ways in which these technologies interweave work life and personal life raise a major security challenge for most organizations. Meanwhile, cybercrime organisations aggregate and mine user data for new attacks.

In this new world, old-fashioned Information Risk Assessment methodology still applies.

Topics to be discussed over the next few minutes:
o Risk Assessment in a mobile world
o Mobile Reference Architecture covering commonly used components of mobile in a corporate landscape
o Mobile Profile to understand the scope of your client's mobile environment and related vulnerabilities
o Threat, Vulnerabilities and Controls database to help identify the threats that apply to your client's situation and which controls would be suitable to mitigate the risks
BYOD is a reality, requiring executive action

Mobility comes with risks that are different from those of the standard enterprise IT environment. Mobile technologies require a different response from the executives charged with defending their enterprise from cyber attacks and with enabling the enterprise to improve operations and expand its markets more effectively.

Few devices know more personal details about people than the smart phones in their pockets: phone numbers, current location, passwords, personal details etc., and vulnerabilities abound. They are prone to being lost or stolen, yet very few are encrypted. Unlike desktop or laptop computers, smart phones have customized hardware architectures, and even open source operating systems like Android come in many versions. Often, it's up to users to accept and install the patches, resulting in an inconsistent mobile device security posture.

Business needs demand rapid mobility enablement: CIO involvement is key.
Mobile malware can enter a device at many points: an end-to-end approach is necessary.
Waking up from my BYOD nightmare: where am I?

Waking up: Risk Assessment helps us find the as-is and the desired to-be. A security risk assessment such as ISO 27005:2011 is mapped to the project delivery lifecycle. After the assessment, a remediation project is typically started to treat the risks identified, reaching a desired to-be status that is less nightmarish.

Project management phases: Plan, Analyse, Design, Build & Test

Risk Assessment (Information Risk Assessment project scope):
o Initiation
o Establish Context: Establish Risk Assessment Context
o Identify: Current Landscape; Threats, Vulnerabilities & Existing Controls; Inherent Risks
o Analyse: Residual Risk
o Evaluate: Evaluate Residual Risks; Suggest Controls; Document Assessment Results; Transition to Remediation Project / Risk Management Operations

Remediation (follow-on remediation project scope):
o Remediation Approach
o Cost Benefit Analysis
o Control Implementation
o Treat: Implement Controls; Validate & Test Implementation; Measure Performance; Transition to Deploy and Support Phases
Accenture: Added Risk Extensions to the Risk Assessment methodology

The Risk Extension components can be used in specific steps of the risk assessment. Experience with mobility helps accelerate the Assessment and Remediation phases.

The underlying Risk Assessment process is unchanged (Initiation, Establish Context, Identify, Analyse, Evaluate and Treat, mapped to the Plan, Analyse, Design and Build & Test project phases and to the follow-on remediation project). The Risk Assessment Extension for Mobile adds the following components, applied in the Establish Context, Identify, Analyse, Evaluate and Treat steps:
o Mobile Profile
o Reference architecture
o TVC database
o Collection of inputs
Mapping risks to the architecture landscape

1. Data storage and transmission
2. Higher privileges than required and/or authorized
3. Failure to disable, or insecure, mobile device platform features
4. Access without strong authentication
5. Malicious/counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Un-validated or un-authenticated input
8. Data leakage
9. Client-side injection and overflows
10. Client-side DoS
Controlling BYOD: From woe to go

Our experience: core capabilities are required for managing a mobile solution.
From woe to go: Layered approach

o The Device: Use an end-to-end approach, from manufacturing to disposal. Assume many mobile devices used by employees will not be secure.
o The Application: Provide layers of security. If someone bypasses one security measure, additional security protects the data.
o The Back-end system: Consider multi-factor authentication (e.g. biometrics plus password) and host level security and monitoring.
o The Network: Secure and monitor corporate wireless networks. Demand better security from wireless network service providers.
From woe to go: Standardised approach, TVC database

Accenture developed a solution that takes assets, threats and vulnerabilities related to mobile environments, cross-referenced and mapped to the reference architecture. Likewise, suggested controls are listed to recommend defense in depth mitigations.

Out-of-the-box, the August 2012 release of the Threat, Vulnerability and Controls (TVC) database contains the following information:
o 43 mobile threats based on various threat reports
o 37 vulnerabilities based on vulnerability research for the components in the mobile profile and reference architecture
o 40 information assets based on vulnerability research for the components in the mobile profile and reference architecture
o 70 controls and their attributes based on analyst reports for functionalities of top-of-class solutions and mobile security controls research

Elements are cross-referenced in the structure depicted on the right: Vulnerabilities, Threats, Reference architecture and Controls. Additional elements are added per quarterly release.
Safeguard controls for mobile devices

There are 2 approaches to safeguard mobile devices.

Mobile Device Management (MDM): Secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices.
Key aspect: MDM only protects and secures the mobile devices. It does not control the applications, data or transactions.

Mobile Application Management (MAM): An app-centric strategy for developing, securing, deploying, configuring, updating and removing business applications from mobile devices centrally. Application wrapping: MAM functionality includes wrapping of the enterprise application as per the business policies.
Key aspect: MAM provides application level security to maintain both personal and corporate data with different security levels.

BYOD Success = Mastering BYOD Control Points: Devices, Apps, Data
Mobile Device Management (MDM)

o Enable: Activate enterprise access, apps and data easily and automatically (iOS, Windows Mobile, BlackBerry, Symbian).
o Secure: Protect enterprise data and infrastructure from attack and theft. Prevent jailbreaking (JB), ensure passcodes.
o Manage: Control inventory and configuration with massive scalability. Track the device.
Mobile Device Management (MDM) features

Authentication and Access Control
o Integration with LDAP
o 2-factor authentication
o Single sign-on
o Digital certification for mobile device/smartphone authentication (e.g. managed PKI solution)

Information Protection
o DLP for mobile devices
o Antivirus/malware protection
o App Center / Cloud for application data management

Device Control and Management
o Managed device inventory
o Remote assistance and wipe-out
o Compliance/policy enforcement (e.g. certificate distribution, password management, camera permission, encryption management)
o Device security: anti-malware/live updates, SMS anti-spam, location update of devices, application control

App Distribution and Collaboration
o Application provisioning as per the business requirements. No protection of the data.
Mobile Application Management (MAM): Corporate computing in transition

By 2014, 90% of organizations will support corporate applications on personal devices. By 2013, 80% of businesses will support a workforce using tablets. (Source: Gartner)

Developer
o Creates apps, either native or web
o Readies them for publishing
o Notifies the Admin via the App center

IT Administrator
o Role based permissions and reporting
o Enforcement of corporate policies with respect to apps or content
o Distribution through App store/cloud

Employee
o Receives notification that an app or doc is available
o Downloads and runs the secured app or accesses the secured doc
o Has a familiar app store experience
Mobile Application Management (MAM) features

Policy Management
o User authentication and integration with AD/LDAP
o Encryption
o Access control on jailbroken devices
o Restriction to network connections
o Document sharing
o Offline access
o Additional content policies such as versioning and expiry

Secure Browser
o Web apps are tied to a specific set of authorized sites (e.g. intranet sites)

Inter-application data transfer protection
o Restricting copy/paste and downloading of content

Multiple deployment options
o Cloud based
o On-premise: private cloud or virtual appliance

Reporting
o Standard reporting on application usage: downloads, data access requests, users, connectivity
o Real-time metrics

Supports diverse content types
o PDFs, videos, forums, epub documents
Contents

o Introduction
o Relation with the Information Risk Assessment method
o Controlling BYOD: From woe to go
o Safeguard controls for mobile devices
o Final notes
Final notes

More details on this topic:
o Unplugged and Exposed: Rethinking Cyber Security for a Mobile World (Accenture)
o Best Practices in Securing Endpoint Computing Devices (Information Security Forum)
o Best Practices for Mobile Device Banking Security (ATM Industry Association)
o Guidelines on Cell Phone and PDA Security (NIST Special Publication)
o The CIO's Guide to Mobile Security (Research in Motion Limited)
o Gartner's market overview of the Mobile Device Management market

Contact info:
o Accenture ANZ Security lead: Tor Jomar Nordhagen, tor.jomar.nordhagen@accenture.com
o Accenture Perth Security lead: Benjamin Brophy, benjamin.brophy@accenture.com
o Accenture Mobility & Security: Andreas Kafka, andreas.kafka@accenture.com