White Paer A Layered Aroach to Mobile Security Time-tested best ractices for maagig security of iformatio systems are beig rewritte i the mobile eabled world; distributio of data, alicatios ad devices has brought the focus back to security. The traditioal mode of risk cotaimet withi the eterrise usig erimeter cotrols is o loger valid, as the erimeter has bee broke. Cosumerizatio of IT has chaged the IT ladscae ad IT admiistrators are ow required to suort myriad systems with flexibility of choice rovided to the ed user. Esurig data ad alicatio security withi a Secure Eterrise Ifrastructure is critical to the success of mobility iitiatives. The aer will discuss the threats ad risks i a mobile eviromet ad list stes a orgaizatio ca take to hadle mobile security. Various rocess ad techological remediatio cotrols available to the admiistrator are aalyzed before closig with iformatio o certai romisig high assurace security measures.
About the Author Rajmoha, CISSP Educatio MS i Comuter Security MS i IT Maagemet Naval Postgraduate School, Moterey, CA Summary of Exeriece Coloel Rajmoha has over 20 years of exeriece i iformatio techology ad secializes i Iformatio security. He is a vetera from the Idia Army. He has had a illustrious career withi the commuicatios ad IT wigs of the Army ad held seior commad aoitmets. He was the first army officer to be ivited to Naval Postgraduate School, CA ad graduated with hoors. He was awarded the best iteratioal studet laque for his outstadig cotributio i academics ad commuity work. Subsequetly, he ioeered the army secure wide area itraet ad was istrumetal i settig u the secure data ceter. He also oversaw the settig u of the cyber security establishmet ad the security oeratios ceter. He has made sigificat cotributios i the area of digital Image watermarkig havig itroduced the cocet of cotet based watermarkig ad has ublished i leadig jourals o the subject. Rajmoha has bee with TCS for two ad half years ad curretly heads the mobile Security grou at Tata Cosultacy Services. He oversees secure develomet methodology for mobile alicatios ad reviews security architecture of TCS mobility solutios. 2
Table of Cotets 1. Abstract 1 2. Table of Cotets 3 3. Executive Summary 4 4. Itroductio 5 5. Mobile Security Threats ad Challeges 5 6. Buildig Security for Mobility 6 7. Mobile Security Strategy 6 8. Mobile Security Policy 7 9. Buildig a Security ad Maagemet Ifrastructure to Suort Mobility 8 10. Mobile Alicatio Security 9 11. Mobile Data Protectio 10 12. Other High Assurace Mobile Security Measures 12 13. TCS Aroach to Mobile Security 13 14. Coclusio 14 15. Refereces 14 3
Executive Summary Mobility has oeed ew oortuities for busiesses but has also itroduced ew risks. Emloyees or customers embracig mobility must ot lower the security osture of a orgaizatio, mobile as must rotect cofidetial customer iformatio ad orgaizatio IP, ad loss of devices should ot exose orgaizatios, emloyees or customers to vulerability i ay way. The challege is to eable roductivity without icreasig risk. Mobile device ortability ad tyical usage scearios have made mobile devices owerful assets that itroduce a host of ew risks reviously ukow to the eterrise IT sace. The robability of losig these devices is o-egligible ad uts the data ad as o or accessible by them at risk. Use of a commo device for ersoal ad official usage itroduces rivacy cocers. Icreased usage of wireless etworks ad cloud services outside orgaizatio cotrol ca exose data through etwork vulerabilities. Busiesses must cosider a layered mobile security strategy wherei risk based security cotrols are embedded i security olicy, ifrastructure, alicatios ad data objects. Orgaizatios must exted their security olicy ad articulate a accetable mobile usage olicy that addresses rivacy ad cofidetiality cocers. Security olicy must be suorted by a mobile moitorig ad maagemet ifrastructure to esure comliace. Based o the maturity of its mobility rogram ad its risk rofile, orgaizatios must deloy mobile maagemet solutios. With a cetral security-moitorig dashboard, a comay ca eforce security olicy ad remotely deloy ad maage as securely. Though some MAM solutios rovide secure cotaiers for as, they caot be used as a alterative to a robust mobile alicatio security rogram. Mobile oeratig systems tyically rovide a umber of built-i security features that alicatios must use. Orgaizatios must emloy a Secure Software Lifecycle Maagemet style ad build security ito the desig of a alicatio ad track it through its life cycle. Every mobile a must udergo vulerability assessmet ad eetratio testig before it goes live. Orgaizatios ru the risk of facig stee ealties i case of a reorted loss of ersoally idetifiable iformatio. Data rotectio is therefore essetial ad is the last defese agaist ay attack. Data cofidetiality is tyically achieved by havig a clear orgaizatio wide data classificatio olicy, a eedto-kow based disclosure olicy ad imlemetig ecrytio of data at rest ad i motio, as a ecryt-all strategy may either be feasible or roductive. Orgaizatios must evolve a data rotectio strategy based o risk assessmet ad deloy adative strog autheticatio ad access cotrol measures to cotrol data access i the first lace. This must be comlemeted with ecrytio ad data loss revetio cotrols. Orgaizatios with low-risk aetite could cosider some high-assurace mobile security measures that are resiliet agaist ma-i-the-middle attacks that target software based systems. Mobile virtual deskto ifrastructure (VDI), or always-o VPN, is a solutio that rovides higher security at the cost of user exeriece ad roductivity. Aother otio is the Trusted Executio Eviromet (TEE), which is a searate hardware rotected executio eviromet that rus alogside the rich OS ad rovides 4
security services to that rich eviromet. Higher security assurace tyically comes with higher itegratio costs ad reduced usability. TCS recommeds a risk-based, cost-effective, holistic mobile security solutio with focus o user exeriece ad ehacig customer egagemet. Itroductio Eterrises are raidly adotig mobility due to its immese busiess beefits ad great user exeriece. Traditioal IT ad security restrictios imosed o the systems ad software that could eter the eterrise etworks have bee relaced by flexible aroaches i the Brig Your Ow Devices (BYOD) era. The advet of mobility has brought a aradigm shift i how IT is sourced, maaged ad moitored. Though there is a uiversal accetace of the value of mobility, there is also a uiversal cocer as to how eterrise security will be addressed with the cosumerizatio of IT. The traditioal erimeter defese strategy is o loger valid as emloyees use wireless ad rovider etworks to access eterrise systems. Devices for ersoal use are also beig adoted as the devices of choice for eterrise access. These flexible aroaches have itroduced rivacy ad cofidetiality cocers for both emloyees ad cororatios. Secure mobility is critical to a successful eterrise-wide rollout. Balaced ad comliat security cotrols eed to be i lace rior to rollout i order for emloyees to accet busiesses moitorig ad cotrollig security maagemet of their ersoal devices. The triad of eole, rocess ad techology has to comlemet each other to rovide a robust security framework that stays resiliet desite mobility. Mobile Security Threats ad Challeges Mobility itroduces ew risks ad threat vectors that hitherto were ucommo. Four major risks are as follows: Loss of devices. Mobile devices ted to get mislaced ad lost. They ca be left uatteded for brief momets, allowig a erso with malicious itet to otetially gai imroer access to their alicatios ad data. Eterrises have to la for such cotigecies, as the umber of lost devices is tyically very high. Traversig isecure Networks. Emloyees roamig i ad out of the eterrise etwork tyically traverse o isecure WiFi/3G/4G etworks outside eterrise cotrol. Traditioal etwork security eeds secial focus o etwork ad iformatio access cotrols based o locatio ad tye of device used for access. Overla of ersoal ad official usage of devices. I a BYOD sceario, a sigle device is used for both ersoal ad official use. Persoal iformatio ad busiess iformatio reside o the same device ad itermiglig is ossible. Maitaiig cofidetiality of cororate data is critical, but care also eeds to be take ot to tresass ito users rivacy. A balace betwee users rights ad a eterrise s right to moitor ad maage its data has to be achieved. Cloud based data storage ad back u services. Cloud based storage ad backu services outside the eterrise etwork are icreasigly beig used to store ad back u data from mobile devices; this 5
is a otetial source of data leakage. Strog cotrols o how data is stored ad backed u are therefore required. Buildig Security for Mobility Secure rollout of mobility requires risk assessmet, formulatio of mobile security olicy ad deloyig security cotrols. Mobility itroduces ew threat vectors, ad a eterrise ca broadly classify its mobile security rogram ito five distict categories as deicted below: Native/3 rd Party Ecrytio Secure Data at Rest & Motio Eterrise Key Maagemet Eterrise Mobile - PKI Itegratio Data Loss Prevetio Office Aligmet with BYOD/COPE- Mobility Stragegy Risk Assessmet Multi Tiered Defese Home Mobile Data Security Mobile Security Strategy Shared Buildig (Home or Office) Secure A Desig A Security Traiig Secure A Develomet Secure A Deloymet Mobile As Security Testig Mobile Alicatio Security Mobile Device Maagemet Mobile A Maagemet Mobile Risk Maagemet Mobile Moitorig & Security Maagemet Customer or Parter Site Mobile Security Policy Accetable Use Policy Moitorig Cotrols & Privacy Regulatory Comliace Multifactor Autheticatio Policy Mobile Data Protectio Policy Figure 1: Eterrise Secure Mobility Rollout Program Mobile Security Strategy Security cotrols make the task of a determied attacker difficult, though ot imossible. A good security strategy must therefore emloy a defese i deth strategy with a multilayered security eveloe. This makes the task of the determied attacker extremely difficult ad time cosumig. I a worst-case sceario, should the cotrols be breached, a alert should geerate ad damage should be cotaied. A layered security strategy thus rovides a accetable risk osture allowig busiess to embrace techology. Traditioal security was built aroud a strog erimeter. Movemet of data across this erimeter crossed secified gateway oits that were fortified ad moitored roud-the-clock. With mobility, the erimeter is less relevat. BYOD has further comlicated matters itroducig disarate systems ad software ito the eterrise. Security rofessioals ow have to work aroud this; ew layers of security cotrols eed to be added ad more vulerable layers eed to be stregtheed. 6
A security olicy fortified with cotrols for mobility is the first tier i a multi-tiered security architecture for secure mobility. The security olicy is comlemeted by techological cotrols i the ifrastructure, amely Mobile Device Maagemet (MDM) ad Mobile alicatio Maagemet (MAM) solutios. These solutios moitor ad maage mobile devices ad add to the existig security ifrastructure. The security olicies imlemeted by MDM ad MAM solutios rovide a imortat lie of defese but do ot reduce the imortace of buildig secure alicatios; alicatio security ad data security rovide the fial lies of defese agaist malicious attacks. This is sigificat i a eviromet where devices are lost easily ad the risk of alicatios fallig ito the wrog hads is relatively high. Mobile Security Policy Eterrise Mobility Strategy will have a imact o how security cotrols will eed to be rioritized ad deloyed. The right strategy will esure a imroved user exeriece without comromisig security. Eterrises tyically have oe of two models of embracig mobility: either Brig Your Ow Device (BYOD) or Cororate Owed Persoally Eabled (COPE). A BYOD eviromet creates a heterogeeous eviromet ad calls for a umber of cotrols to be eabled to esure that the security osture of the orgaizatio is ot diluted. I a comay rovided equimet sceario, the comay ca maage security i a cost effective maer by smart selectio of devices ad alicatios. The security olicy of a orgaizatio is the foudatio for a secure eterrise. I a mobility sceario, the security olicy must be aroriately drafted to icororate the chages brought about due to mobility. Emloyees must be uambiguously told of the exected behaviours, moitorig ad security maagemet cotrols that will be ut i lace as well as how they may be otetially liable i case of security olicy violatios. Limits to comay liability must also be stated ad emloyees must sig u to accet the terms of the olicy before beig ermitted to use their ow devices to access busiess iformatio. The olicy will be differet betwee BYOD ad COPE eviromets; some areas of the security olicy that will require chages are: Policy agaist Rootig ad Jail Breakig Data rivacy ad cofidetiality olicy Remote wie olicy Mobile access cotrol measures Camera usage olicy Policy o as that use GPS withi comay remises Removable media usage olicy Data access olicy (Wi-Fi / 3G / other) Loss ad relacemet of mobile Device Termiatio olicy. 7
The security olicy must be comrehesive ad comly with ay coutry or state secific regulatios. I certai geograhies it may ot be eough to have the emloyee sig u o the accetable use olicy but the olicy itself must be legally teable. Rules regardig access to cororate data, geo fecig cotrols ad limitatios of use of third arty alicatios i either idividual liable devices or cororate liable devices be clearly articulated i the revised security olicy of the orgaizatio. Buildig a Security ad Maagemet Ifrastructure to Suort Mobility IT ifrastructure ad oeratios rofessioals will require makig the ifrastructure stroger with MDM or MAM solutios to securely maage mobile devices. These solutios tyically suort multile latforms ad more imortatly exted security olicies to both cororate-liable ad emloyee owed mobile devices. Accordig to Forrester s recet Network ad Telecommuicatios Survey, 31% of firms have imlemeted a MDM solutio ad aother 42% of firms are iterested i doig so4. Mobile alicatio Maagemet (MAM) solutios tyically wra mobile maagemet caabilities ito mobile alicatio store solutios. Some of the MAM solutios rovide a Secure cotaier for alicatios to work withi ad aim to rovide security for isecure alicatios. The ecryted cotaiers sad boxes all the data withi it. Some solutios offer olicy APIs that ca be called from mobile alicatios to eforce er a olicies such as restrictig coy-aste or eve delete data ad alicatios if ermissios are revoked. MAM solutios target alicatio level cotrol o security. I a BYOD eviromet, cotrollig oly the eterrise alicatios i relatio to the etire device could also rovide comfort to emloyees o their rivacy ad save the emloyers from accusatio of rivacy itrusio ad subsequet liabilities. However, from a security ersective, it may be desirable to have a balaced combiatio of both device level ad alicatio level cotrols. Some of the key security fuctioalities that mobile maagemet solutios rovide are: Jailbreak detectio - Rootig o Adroid or Jailbreakig o ios device rovides alicatios ad users urestricted access to system resources. This also rovides meas to byass remote maagemet ad IT cotrol. A umber of security features available o the mobile OS that rotect the alicatios ad data from malicious abuse become dysfuctioal i a rooted device. Ability to detect this o a device ad dey access to them is a critical fuctioality of a MDM solutio. Remote Data wie - Selectively wie cororate data from devices that have bee reorted lost or have falle ito wrog hads. Password Policy Eforcemet - Eforce strog assword or PIN olicy for device access. VPN / Ecrytio suort for devices which do t have ative OS suort. Active Syc Device Restrictio: Esure oly registered devices gai access to the etwork ad ot devices that have gaied access through Active Syc. Data Loss Prevetio Suort Security olicy eforcemet (autheticatio ad ecrytio requiremets, device lock, selectively disable device fuctioalities such as camera ad GPS) Device backu ad recovery. 8
Cetral dashboard for IT ad security admiistrators with ivetory reorts, admi alerts, real time moitorig, loggig, ad hel desk suort. Alicatio maagemet- remote delivery of alicatios atches ad udates esurig itegrity of alicatios ad oly authorized access to selected alicatios. Mobile Alicatio Security Mobile devices sort a umber of chaels such as voice, SMS, ad data. The devices also tyically cotai hardware such as microhoe, camera, touch-scree iterface, gyroscoe ad accelerometer. Mobile alicatios ca access all of these features ad therefore ca do more harm if comromised. Poular oeratig systems such as ios, Adroid ad Widows Phoe have evolved, rovidig a umber of security features that ca ehace the security of the alicatio ad user data. Kowledge of these features ad their correct use is critical. Mobile alicatios are tyically oe of three tyes ad have differet security rofiles: Native - Alicatios that oerate off the ative mobile device oeratig system leveragig its APIs. Alicatios ca store data locally ad hece data security of these alicatios becomes aramout. Web alicatios - Alicatios that are accessed through a web browser. These may be regular web sites or a searate mobile web alicatio otimized for mobile attributes. Well kow web alicatio vulerabilities eed to be addressed here. A secure browsig cotext should be used for web access. Hybrid alicatios - alicatios that are hybrid of ative ad web ad oerate by leveragig web ages iside a dedicated ative alicatio wraer. Sesitive data ca be hadled at the backed while cliet alicatio ca rovide ehaced user exeriece ad busiess fuctioality. A fie balace betwee usability ad security ca therefore be achieved. Mobile alicatios are tyically targeted i a umber of ways, exloitig weakesses of the alicatio desig ad develomet. Some of these iclude: Imroer sesitive data storage Buffer overflow Dyamic rutime ijectio Permissios misuse Privilege escalatio Imroer SSL validatio Imroer cofiguratios Orgaizatios must have a secure software develomet lifecycle rocess i lace. Secure alicatio desig must take a aroach that ecomasses a umber of defesive measures desiged to rotect data ad systems from a variety of attack methods. A mobile alicatio tyically must emloy a 9
authorizatio framework, eable comromise detectio ad rovide robust security framework itegratio with latform ad third arty APIs as ecessary to maitai data cofidetiality at rest ad i motio. Data cofidetiality is tyically achieved by havig a clear orgaizatio wide data classificatio olicy; a eed-to-kow based disclosure olicy ad ecryted data at rest ad i motio. A orgaizatio Each latform has its ow eculiarities; develoig a secure alicatio requires adherig to best ractices as relevat to the latform. Security must be built ito to the desig of the alicatio. Some recommeded key riciles for buildig alicatios securely are: Avoid storig sesitive iformatio o the cliet ed. If it is essetial to do so for some reaso (such as offlie access), the the data must be stored securely, icororatig best ractices for ecrytio. May alicatios utilize ecrytio to rotect sesitive data; however, may flaws i the techique allow a attacker to retrieve or deduce the key, or extract the key from the oeratig system. Avoid cachig of data. Take roer care while storig data i log or debug files, cookies, web history, web cache, roerty lists, files ad SQLite databases. Iescaable cachig must be doe securely. Fully validate SSL/TLS certificates ad sessios. Imlemet file ermissios aroriately. Hadle autheticatio ad sessios roerly. Imlemet two factors or adative multifactor autheticatio. Imlemet ecrytio cotrols correctly. Avoid uiteded iformatio leakage Resist rutime maiulatio. Leverage code obfuscatio ad ati-tamerig to comlicate reverse egieerig. Every mobile alicatio must udergo vulerability assessmet ad eetratio testig, as both a stadaloe alicatio as well as withi the cotext i which it will evetually oerate. All etwork level activity ad ay web iterfaces that it uses must be tested to esure that they are secure as well. Tool based Black ad White box testig comlemeted with maual review by security cosultats esures that a secure mobile alicatio rolls out. Mobile Data Protectio Data rotectio is the last bastio i security that ca rotect users ad orgaizatios from attacks that have breached all the other layers of security. Protectig data is also critical for orgaizatios i order to comly with govermet or idustry regulatios, maitai rivacy ad rotect itellectual roerty. Orgaizatios ru the risk of facig high ealties i case of a reorted loss of ersoally idetifiable iformatio. 10
wide, ecrytio-based, data rotectio strategy will require a comrehesive system for maagig security keys ad rivileges. Data security i the mobile world has gaied eve more imortace, as data teds to travel o usecured wireless etworks, ofte outside of eterrise cotrol. Mobile devices also ted to get mislaced or lost easily, thereby exosig the data i a ruig or stored state to a malicious user. Ecrytio o mobile devices ca be eabled usig built i oeratig system caabilities or third arty software with cetralized maagemet tools. Poular oeratig systems such as Adroid ad ios rovide ative suort for device level ecrytio. Orgaizatios must require emloyees to eable this i order to coect to eterrise systems. Data o ecryted devices ca oly be recovered if the correct PIN is sulied. Moder mobile oeratig systems also rovide access to stadard etworkig rotocols for autheticated, authorized ad ecryted commuicatios. Though ecrytio is a great way to rotect data, as a word of cautio, orgaizatios must be aware that correctly imlemeted moder ecrytio algorithms make it imossible to recover data i the absece of a key. A lost key is as good as data loss. Puttig a key maagemet ad retrieval system i lace is therefore essetial. A orgaizatio s data rotectio strategy could also revolve aroud rotectio based o the risk exosure to the data. Strog autheticatio, strict access cotrol ad accoutability mechaisms for less sesitive data access are some examles of this tye of imlemetatio. The associated overhead costs of key maagemet ad lost-key hel desk suort may further suort this view. Comlemetig this with remote data wie caabilities will further reduce risk exosure. A orgaizatio s data rotectio strategy must maitai good balace based o risk assessmet. Mobile devices ca easily fall ito the wrog hads as they ca be left uatteded. It is therefore imortat to esure, from a alicatio ersective, that the right user is at the other ed. A strog ad adative multifactor autheticatio olicy is therefore a essetial requiremet. Strog autheticatio must ot adversely imact usability, hece the eed to build a adative autheticatio that demads strog autheticatio for high risk ad less frequet trasactios. Strog multifactor autheticatio ca be built usig Oe Time Passwords (OTP), digital certificate based challege resose autheticatio, or Grid. These ca be itegrated ito a eterrise Public Key Ifrastructure (PKI) solutio ad a eterrise autheticatio server with built i Hardware Security Module (HSM) to imrove its overall security stregth. A eterrise PKI rovides flexibility of usig digital certificates for ecrytio ad autheticatio adatively. However, eablig alicatios to obtai, store, ad rocess certificates securely is ot trivial, ad a holistic PKI solutio couled with a key maagemet solutio must be cosidered for the same. The challege i imlemetig these directly o mobile is the safe storage of the rivate keys or seed required for OTP geeratio. Storig it securely i key chais ad credetial storage locatios rovided by the OS rovides good usability but suffers from limitatios faced by all software based security cotrols ad may ot withstad a sohisticated attack. The ext sectio will deal with two ways that hold romise i obviatig this roblem at varyig costs. Other High Assurace Mobile Security Measures 11
Mobile Virtual Deskto Ifrastructure (VDI) - VDI vedors have begu offerig VDI cliets for mobile latforms. These solutios rovide remote access to deskto or server eviromets at the cost of user exeriece ad erformace. The data does ot leave the server or deskto ad hece offers a higher level of security. Orgaizatios workig i a low risk, highly regulated idustry that wat to rovide remote access to highly sesitive alicatios may ot for mobile VDI solutios. Mobile A Risk Maagemet - Mobile alicatios dowloaded from a stores carry a risk of malicious behaviour. Eterrises ca use cloud based latforms, which rovide reutatioal feeds of mobile alicatios to eterrises that itegrate with eterrise EMM / MDM/ MAM solutios, quatifyig the risks of the alicatios o the devices accessig the eterrise. This eables eterrises to rollout a role ad risk based alicatio usage olicy. Always-o-VPN - This aroach ivolves routig all data traffic back to the comay through a ecryted tuel. This imacts erformace, icreases traffic load o cororate security ad etworkig ifrastructure, ad comlicates ersoal usage. However, this also esures that all orgaizatios cetrally imlemeted coutermeasures aly to mobile as well. Trusted Executio Eviromet (TEE) GlobalPlatform (htt://www.globallatform. org) is stadardizig TEE techology. The TEE is roosed to be a searate hardware rotected executio eviromet that rus alogside the Rich OS ad rovides security services to that rich eviromet. The TEE offers a executio sace that rovides a higher level of security tha a Rich OS. The TEE rotects the user iut etered through the touch scree or keyboard. It also rotects the data dislayed o the scree ad rotects the trasactio details from modificatio by a hidde malevolet alicatio. It is resiliet agaist key loggers ad ma i the middle tye of threats. The TEE rovides secure storage area for sesitive data such as ecrytio keys, PINs ad OTP seeds. Secure credetial storage rovides ways to securely erform VPN autheticatio or imlemet a OTP solutio for Strog Autheticatio. The TEE as evisaged by Global Platform is as deicted-below. Rich OS Alicatio Eviromet Cliet Alicatios Trusted Executio Eviromet Trusted Alicatio DRM Trusted Alicatio Paymet Trusted Alicatio Cororate Global Platform TEE Fuctioal API Global Platform TEE Cliet API Rich OS Hardware Platform GlobalPlatformTEE Iteral API Trusted Core Eviromet HW Secure Resources TEE Kerel Trusted Fuctios HW Keys, Secure Storage, Trusted UI (Keyad, Scree) Cryto accellerators, NFC Cotroller, Secure Elemet Etc., Figure 2: Trusted Executio Eviromet (Source : htt://globallatform.org) 12
As Figure 2 illustrates, the TEE offers safe executio of authorized security software, kow as trusted alicatios; it also eforces rotectio, cofidetiality, itegrity ad access rights of the resources ad data belogig to those trusted alicatios. I order to guaratee the root of trust of the TEE, the TEE is autheticated ad the isolated from the rest of the Rich OS durig the secure boot rocess. TCS Aroach to Mobile Security TCS aroach to mobility rollout revolves aroud the fudametal ricile of risk ad role based mobility. The framework works as a eabler for eterrise Mobility. The framework is backed by TCS eriched exeriece i the etire sectrum of secure software develomet ad IT services. The framework is built over its i-house develoed methodologies ad roducts comlemeted with itegratio with the best of breed security solutios. Four illars of TCS mobile Security Offerigs are: Ed-to-Ed Mobile Security Cosultig: Security assessmet of the mobile ecosystem, Develoig a secure mobility strategy as er the eterrise s eed, Risk assessmet ad evolvig eterrise mobile security olicies. Mobile Device Security ad Alicatio Maagemet Ifrastructure: MDM/MAM roduct selectio Alicatio ad device rovisioig/de-rovisioig olicy Procedures for requestig ad obtaiig mobile devices Alicatios Service selectio, use, ad roduct itegratio i cosoace with the security olicy. Secure Mobile Alicatio Rollout Toolkit. (SMART) rovides methodologies ad toolkits for the etire SSDLC of mobile Software Develomet. These iclude: Secure develomet guidelies for mobile latforms Reusable tool kits for key security fuctios Secure develomet traiig Threat modellig ad secure desig Mobile alicatios security testig icludig source code review ad black box testig. Mobile Data Protectio. Mobile Data Protectio rovides customized solutios to guaratee data rotectio for data at rest & durig trasit. They are as follows: Mobile device ad data ecrytio solutios PKI based ecrytio tools Eterrise key store maagemet solutio Digital sigig ad verificatio tools Multifactor autheticatio solutios 13
Coclusio Eterrises are faced with the challege to suort ad secure a growig oulatio of mobile devices. The challege is how to maitai a balace betwee user ad cororate exectatios without comromisig eterrise security ad users rivacy. Because of these comlexities, there is o straightforward, oe-size-fits-all recie for success whe it comes to solvig the mobile security uzzle. Noetheless, orgaizatios must: Evolve a risk based mobile security strategy Icororate key igrediets of mobile security ito the eterrise security olicy Pursue a layered aroach where MDM/MAM orieted security caabilities are sulemeted by the advaced cotrols described herei for secure access, alicatio security, threat rotectio, ad data rotectio Favour solutios that deliver a high degree of admiistrative efficiecy ad low overall TCO ad icororate eterrise-class features, such as cetralized maagemet, eterrise PKI /directory itegratio, ad robust reortig Egrai security i all hases of alicatio SDLC ad comlemet it with a robust mobile as security testig rogram Focus o esurig adequate rotectio of mobile data, while balacig this with the eed for a ositive user exeriece ad reasoable cost of owershi Refereces 1. OWASP Mobile Security Project: htts://www.owas.org/idex.h/owasp_mobile_security_project 2. Eterrise Mobility Guidebook- eterrise Mobility Foudatio: htt://www.theemf.org; 3. Cororate A Store Eviromets Oe New Market Oortuities: by Michele Pelio, Forrestor research, Feb 2012 4. Market Overview: O-Premises Mobile Device Maagemet Solutios, Q3 201, Forrester research. By Bejami Gray ad Christia Kae 5. Desigig for security: htt://develoer.adroid.com/guide/ractices/security.html 6. ios Security, May 2012: htt://images.ale.com/iad/busiess/docs/ios_security_may12.df 7. 42+ Best Practices: Secure mobile develomet for ios ad Adroid: viforesics 8. Multi Layered mobile alicatio Security: htt://www.arxa.com/blog/2012/07/18/multi-layered-mobile-a-security-2/ 9. "Web alicatio Security Cosortium," www.webasec.org/. 10. The Trusted Executio Eviromet: Deliverig Ehaced Security at a Lower Cost to the mobile Market htt://www.globallatform.org, Feb 2011 11. A 3 Ste la for mobile Security, Mark Bouchard, CISSP, Websese Ic: htt://www.websese.com/assets/white-aers/whiteaer-a-3-ste-la-for-mobile-security.df 12. The Athority Platform : htts://www.athority.com/ 14
About TCS Mobility TCS Mobility delivers best i class mobility services ad solutios with comlete mobility lifecycle cosultatio ad develomet service alog with customizatio o to of re-built solutios to rovide the best i class beefits to our customers. Our assio for rovidig the very best ad comrehesive mobility services ad solutios to our customers is realized through our dee exertise i mobility gaied through the exeriece of a strog team that has a career log exeriece i mobile techologies ad a dedicated mobility user exeriece desig team that is committed to leveragig the uique ative caabilities of each device latform. Cotact For more iformatio about TCS Mobility cotact mobility.solutios@tcs.com Subscribe to TCS White Paers TCS.com RSS: htt://www.tcs.com/rss_feeds/pages/feed.asx?f=w Feedburer: htt://feeds2.feedburer.com/tcswhiteaers About Tata Cosultacy Services Ltd (TCS) Tata Cosultacy Services is a IT services, cosultig ad busiess solutios orgaizatio that delivers real results to global busiess, esurig a level of certaity o other firm ca match. TCS offers a cosultig-led, itegrated ortfolio of IT ad IT-eabled ifrastructure, egieerig TM ad assurace services. This is delivered through its uique Global Network Delivery Model, recogized as the bechmark of excellece i software develomet. A art of the Tata Grou, Idia s largest idustrial coglomerate, TCS has a global footrit ad is listed o the Natioal Stock Exchage ad Bombay Stock Exchage i Idia. For more iformatio, visit us at www.tcs.com IT Services Busiess Solutios Outsourcig All cotet / iformatio reset here is the exclusive roerty of Tata Cosultacy Services Limited (TCS). The cotet / iformatio cotaied here is correct at the time of ublishig. No material from here may be coied, modified, reroduced, reublished, uloaded, trasmitted, osted or distributed i ay form without rior writte ermissio from TCS. Uauthorized use of the cotet / iformatio aearig here may violate coyright, trademark ad other alicable laws, ad could result i crimial or civil ealties. Coyright 2012 Tata Cosultacy Services Limited TCS Desig Services I M I 10 I 12