The Workplace of the Future and Mobile Device Risk. ISACA Pittsburgh, May 20th, 2013


[2] Companies are leveraging mobile computing today
Three major consumption models:
1. Improving productivity: improving employee productivity by extending the reach of existing apps (e.g. mobile timesheets). Transform infrastructure by changing the application delivery method.
2. Enabling employees: enabling employees via new or more efficient business processes (e.g. mobile field support, mobile CRM). Arm your people with the best tools to increase productivity.
3. Enabling new business: targeting new markets or offering clients new products/services (e.g. mobile commerce apps). Deliver a new service, or an existing service to a new market.
ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

[3] The future mobile workplace will be driven by an empowered employee
- Work will be done by open, interconnected, global communities where knowledge is collective and accessible
- The workforce will be more mobile, flexible, agile, and adaptable to changing business needs
- The tools of work will be easy to use, seamless and always available
The Old World: corporate-owned device. The New World: employee-owned device; anytime, anywhere, any connection, any trusted device.

[4] Mobile nirvana? Make getting work done easier by empowering the employee
(Diagram: any trusted device, public or private; any connection; access to the information they need, anytime, anywhere; enablement platforms: cloud, IT, apps.)

[5] The big picture: the mobile security risk surface
- Devices: jailbreak or rooting; NFC/Bluetooth exploits
- Apps: malware; data leakage; unencrypted local storage; application vulnerabilities
- Connectivity and third-party services: unencrypted data in transit; third-party data leakage; insecure service configuration
- External context: privacy legislation; industry regulations; cloud service theft and data extraction; social engineering
- Internal (mobile device management, enterprise mobile applications, private cloud/services): unsecure MDM configuration; application vulnerabilities; insecure services

[6] How can your organization strike a balance between risk and reward?
Employee view:
- Corporate devices are old-fashioned
- Many employees already own one as their personal device and bring it to work
- Some C-level executives may already be using one for business as a special request
- Arguments for increased innovation, flexibility and productivity
- "I want one for work too!"
Enterprise view:
- Devices built for the consumer market
- Concern regarding device management, security, scalability and data protection
- Impact on meeting regulatory compliance obligations
- What happens if we don't support them?
- Is it secure and reliable enough for handling corporate information?

[7] There is no one-size-fits-all solution; instead, organizations should focus on addressing risk within four core areas
Area 1, Securing mobile devices. Goal: ensure that lost and stolen devices are handled securely, and that access to data is protected.
Area 2, Addressing application risk. Goal: minimize the risk of malware and insecure mobile apps affecting the organization's data.
Area 3, Managing the mobile environment. Goal: address risk tied to enrollment, deprovisioning, patching and monitoring.
Area 4, Addressing governance and compliance. Goal: proactively handle regulatory risk tied to industry regulations and in-country privacy legislation.

[8] Securing mobile devices

[9] The greatest mobile risk is still device loss/theft, but the risks are shifting as a function of new usage scenarios
(Chart: mobile device loss; lost device recovery rate; finder voyeurism; employee data access.)
More data/access + more devices + more theft/loss = increased risk

[10] The evolution of threats
Device security controls should be tailored based on mobile use cases and threats.

[11] 8 steps to secure your devices
1. Evaluate current and future usage scenarios
2. Invest in an MDM solution
3. Enforce the Big 4 security policies as a minimum
4. Set a device security baseline
5. Layer the infrastructure
6. Consider more stringent access controls to critical business apps
7. Monitor usage and access
8. Amend the organization's awareness program
The Big 4:
- Device encryption
- PIN
- Wipe after 10 failed PIN attempts
- Remote wipe

[12] Addressing application risk

[13] Mobile banking malware in the wild: sophisticated malware modus operandi
Malware sample: Eurograbber
1. Victim clicks on a link sent via spam or available on a malicious website.
2. Victim downloads malware to the desktop. The malware waits until the user begins a banking session.
3. The bank implements two-factor authentication: to complete a transaction, a transaction authorization number (TAN) is needed, and the TAN is sent to end users via SMS.
4. The malware creates fake pages during the session requesting the user to install a "security upgrade". The link to this upgrade is sent via SMS.
5. Victim clicks on the upgrade link and installs mobile malware. This malware now waits for the user to receive a TAN.
6. The malware intercepts the TAN and processes transactions.

[14] 5 steps to counter application risk
1. Protect malware-prone mobile operating systems with antivirus
2. Ensure your secure development lifecycle contains security processes that cover mobile application development
3. Manage applications through an in-house app store, and monitor external apps
4. Proactively bring in or develop services that enable data sharing between devices
5. Continually assess the need for apps to increase productivity and security

[15] Managing the mobile environment

[16] Failing to handle the management issue will ensure ballooning risk
(Chart: mobile operating system distribution across 3000 devices, iOS vs Android.)

[17] Mobile Device Management (MDM) is a first step for risk mitigation in diverse mobile deployments
Without MDM vs. with MDM:
- Limited security controls vs. consistent controls
- Inability to securely wipe devices vs. secure, confirmed remote wipe
- No application management vs. compartmentalization and app management
- No way to restrict devices based on security settings vs. restrict based on policy
- Hard to control enrollment/deprovisioning vs. control enrollment and deprovisioning
- Limited manageability vs. better manageability
- Difficult to manage devices vs. easier to manage and support diverse devices
- Little or no control over device status vs. better control over device status
- Doesn't scale vs. scales to many types of devices

[18] 6 steps to securely manage mobile devices
1. Create a cross-functional mobile working group and a mobile strategy
2. Create a BYOD policy (if applicable) and invest in an MDM
3. Revamp existing support processes
4. Create a patch education process to encourage users to update their mobile devices
5. Monitor deviations from the security baseline
6. Implement a wiki/knowledge base employee self-service support solution
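As an added example (not part of the presentation), the following script turns the "Big 4" device policies from slide 11 and the "monitor deviations from the security baseline" step above into a check that can be run over an MDM inventory export. The record fields, the sample devices and the MIN_OS patch floor are assumptions standing in for whatever your MDM actually exports.

```python
"""Check an MDM inventory export against the deck's "Big 4" device baseline
(encryption, PIN, wipe after 10 failed PIN attempts, remote wipe) and report
deviations. Record fields and the MIN_OS table are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 10                      # "Wipe after 10 failed PIN attempts"
MIN_OS = {"ios": (6, 1), "android": (4, 2)}   # assumed patch floor, tune per organization

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    encrypted: bool
    pin_set: bool
    wipe_after_failed: Optional[int]   # None = no auto-wipe configured
    remote_wipe_enrolled: bool         # MDM can issue a confirmed remote wipe
    jailbroken: bool = False

def parse_version(v: str) -> tuple[int, ...]:
    """'6.1.3' -> (6, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def deviations(d: Device) -> list[str]:
    """Return the Big-4 (plus jailbreak and patch-level) deviations for one device."""
    issues: list[str] = []
    if not d.encrypted:
        issues.append("device encryption disabled")
    if not d.pin_set:
        issues.append("no PIN/passcode")
    if d.wipe_after_failed is None or d.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        issues.append(f"auto-wipe not set to <= {MAX_FAILED_ATTEMPTS} failed attempts")
    if not d.remote_wipe_enrolled:
        issues.append("remote wipe unavailable (not MDM-enrolled)")
    if d.jailbroken:
        issues.append("jailbroken/rooted")
    floor = MIN_OS.get(d.platform.lower())
    if floor and parse_version(d.os_version) < floor:
        issues.append(f"OS {d.os_version} below baseline {'.'.join(map(str, floor))}")
    return issues

def baseline_report(devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id -> deviations, listing only devices that fail the baseline."""
    report: dict[str, list[str]] = {}
    for d in devices:
        issues = deviations(d)
        if issues:
            report[d.device_id] = issues
    return report

# Constructed sample inventory (not real devices).
SAMPLE = [
    Device("D-001", "iOS", "6.1.3", True, True, 10, True),
    Device("D-002", "Android", "4.0.4", False, True, None, True),
    Device("D-003", "iOS", "6.1", True, False, 10, False, jailbroken=True),
]

if __name__ == "__main__":
    for dev_id, issues in baseline_report(SAMPLE).items():
        print(dev_id, "->", "; ".join(issues))
```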

[19] Addressing governance and compliance

[20] Mobile deployments must account for global privacy regulation (and surveillance) risks
Relevant U.S./international regulations:
- PCI-DSS (recently published on BYOD)
- HIPAA/HITECH (refers to NIST standards, but will likely change)
- FINRA
- SOX
Core EU privacy concepts:
- Privacy governance
- Data protection
- Monitoring (privacy at work)
- Breach investigation and notification
- Right to be forgotten and erasure
- Data ownership and recovery
The trend is for more specific regulation around mobile data protection to be released.

[21] 5 steps to handle regulatory/compliance risk
1. Engage legal and HR in the respective countries where devices are to be supported
2. Create tiered policies per geographical segment
3. Ensure that local management has the right processes in place to support the policy
4. Monitor and revise policies regularly
5. Segment business environments and data from personal employee data as much as possible

[22] Using these four areas to scope your audit will help you focus on the right risks
Mobile audit scope: (1) securing mobile devices, (2) addressing application risk, (3) managing the mobile environment, (4) addressing governance and compliance.

[23] Questions?

[24] Ernst & Young contacts
- Paul Chabot, Senior Manager, IT Transformation, San Francisco, CA. paul.chabot@ey.com, +1 415 601 7466
- Michael Janosko, Senior Manager, Advanced Security Center, New York, NY. michael.janosko@ey.com, +1 212 773 1646
- Carsten Maartmann-Moe, Manager, Advanced Security Center, New York, NY. carsten.maartmannmoe@ey.com, +1 212 773 0133

[25] BYOD pitfalls and leading practices

[26] BYOD Strategy: pitfalls and leading practices when developing your BYOD strategy
Scope: user segments; device certification
Pitfalls:
- One-size-fits-all strategy
- Considering only currently available devices
Leading practices:
- Analyze the requirements of different user types and define user segments
- Keep the number of segments manageable to reduce the complexity of your BYOD strategy
- Consider long-term plans to use mobile enterprise applications as part of your usage scenarios
- New devices are introduced into the market every 3-6 months; the certification process must be ongoing and continually evolving
- IT must become an expert on device and operating system evolution

[27] BYOD Strategy (continued)
Scope: mobile TCO; cost savings; usage variation
Pitfalls:
- Ignoring TCO and expected benefits can result in a very costly BYOD solution
- Ignoring regional or international diversity
Leading practices:
- Develop a business case
- Quantify the expected BYOD benefits
  - Don't focus only on cost savings, as costs will likely increase by 7-10%
  - Focus on increased employee productivity and satisfaction
- Multi-national firms should consider the impact of device availability, usage habits and provider capabilities on use cases for different user types

[28] BYOD Design: pitfalls and leading practices when developing your BYOD solution
Scope: policy; BYOD program
Pitfalls:
- Describing technical standards that users do not understand, or focusing on what is not allowed
- Treating BYOD as a one-time project and not considering ongoing operations
Leading practices:
- Create a BYOD policy that is easy to understand
- Augment the policy with education and communications so users understand their options and can better select devices to meet their needs; this will improve adoption, increase satisfaction, and decrease support calls
- Define processes and allocate sufficient resources to support ongoing operations and mature the BYOD program
- Support continuous improvement of policies and solutions to maintain a positive end-to-end experience and continue to realize BYOD benefits
- Establish a team that can monitor and evaluate new technology
- Maintain relationships with device and technology providers

[29] BYOD Design (continued)
Scope: mobile risk and cost; regulatory risk; policy design
Pitfalls:
- BYOD exposes the company to security and regulatory risks
- Trying to design a policy that covers all possible scenarios
Leading practices:
- Design the BYOD strategy with both security and regulatory compliance in mind
- Plan for security monitoring and regular testing of devices and infrastructure
- Consider in-country data requirements
- Establish a governing body and processes for ruling on the inevitable exceptions to the policy
- Devise a policy with a dimension of ownership, where personal and corporate data each have different sets of policies for security, privacy, and apps

[30] BYOD Deployment: pitfalls and leading practices when deploying BYOD in your organization
Scope: employee communication; resistance to change; big-bang deployment
Pitfalls:
- Creating a negative perception that BYOD is designed to shift the cost burden to the employee
- Not involving key stakeholders early
- Neglecting to test the waters with a pilot before doing a more extensive rollout
Leading practices:
- Don't underestimate the required communication and change management; validate that communications are working and adjust your plans as necessary
- Be ultimately accountable for providing a positive end-to-end user experience
- Educate employees on mobile data security, scams, phishing schemes, etc.
- By engaging key stakeholders early, you will ultimately overcome resistance to change
- Have representation from executives, HR, support, finance, legal and user groups/segments to ensure concerns are addressed during design
- Perform a pilot before doing a more extensive rollout
- Capture lessons learned and adjust your BYOD solution and deployment plans to increase adoption and user satisfaction
- Identify early adopters that can become champions for the greater deployment

[31] BYOD Deployment (continued)
Scope: mobile support; measured benefit; support costs
Pitfalls:
- Not monitoring adoption and usage
- Ballooning support costs
Leading practices:
- Establish success metrics and targets as part of the deployment plan:
  - Adoption metrics (number of devices, number of users, data usage)
  - Benefit realization metrics (user satisfaction, employee productivity, cost per user)
- Make sure your support model makes extensive use of:
  - Self help: web help, FAQs, support workflow automation
  - Community support: use social technology to enable peer support, and leverage early-adopter champions