BYOD: End-to-End Security

Speaker: Alen Lo, MBA(CUHK), BSc(HKU), CISA, CCP, CISSP, CISM, CEH, IRCA Certified ISMS Lead Auditor, itSMF ISO 20000 Auditor. Principal Consultant, i-totalsecurity Consulting Limited, alenlo@n2nsecurity.com

Agenda
- BYOD Revisited
- Security Risk Analysis
- A Holistic Control Approach

Bring Your Own Device (BYOD)
- Permitting the use of personally owned mobile devices to access an organization's networks, applications and data.
- The most popular business apps are email, calendar, and contact management.

Traditional Mobile Computing vs. BYOD
- Clients: traditional: organization-provided notebook computers; BYOD: staff-owned smartphones and tablets.
- Network connectivity: traditional: on demand (wired, Wi-Fi, 3G); BYOD: always on (3G, 4G, Wi-Fi).
- Data storage: traditional: organization-owned IT infrastructure; BYOD: 3rd-party-owned cloud storage.
- Security mechanism: traditional: VPN, explicit authentication, endpoint security; BYOD: implicit authentication, application dependent.
- Operating systems: traditional: Windows, Linux, Mac OS X; BYOD: Android, iOS, BlackBerry, Windows, Bada, Symbian.

A Typical Architecture (diagram)
- Client side: mobile device, connecting over the Internet.
- DMZ (between the external firewall and the internal firewall): MDM server, secure email gateway, mobile email front-end server.
- Server side: back-end email servers and other servers.

Client Side Security Issues
- Loss and theft of mobile devices
- Shoulder surfing
- Use of untrusted mobile devices (jailbroken or rooted)
- Use of untrusted or unsecured networks
- Use of applications created by unknown parties
- Interaction with other systems (for data synchronization and storage)
- Use of untrusted content (e.g. QR codes)
- Use of location services

(Slide: screenshot of Android malware hosted in Google Play under the developer name "apkdeveloper")

Mobile Application Security Issues
- Insecure data storage
- Weak server-side controls
- Insufficient transport layer protection
- Client-side injection
- Poor authorization and authentication
- Improper session handling
- Security decisions via untrusted inputs
- Side-channel data leakage
- Broken cryptography
- Sensitive information disclosure

BYOD Security Considerations

BYOD Security Considerations
- Establish a BYOD policy
- Review the information handling procedure
- Control the mobile device cycle
- Conduct security tests regularly
- Integrate into the employment life cycle
- Secure the mobile device configuration

Establish BYOD Policy
- Acceptable uses and privacy
- Types of mobile devices and OS versions allowed
- Mandatory and prohibited applications for each device
- Groups of employees allowed to use these devices
- Service plan and device costs
- Baseline security measures
- Risks, liabilities and disclaimers

Review the Information Handling Procedure (examples, by data classification)
- Public: store on mobile device: no restriction; store on cloud storage: no restriction; send over Internet: no restriction; disposal: no restriction.
- Internal Use: store on mobile device: encryption recommended; store on cloud storage: encryption recommended; send over Internet: encryption recommended; disposal: wiping recommended.
- Confidential: store on mobile device: strong encryption required; store on cloud storage: prohibited; send over Internet: strong encryption required; disposal: wiping required.

Control the Mobile Device Cycle
- Provision: set device security; create app blacklists/whitelists and restrict device resources; configure enrollment.
- Secure: implement security policies; distribute apps and remove prohibited apps; locate and map lost devices; remotely lock and wipe data and installed apps.
- Support: over-the-air distribution of software and policy changes; back up and restore BYOD device data.
- Monitor and report: inventory devices and software versions; log all sensitive BYOD activities; identify inactive devices.
- Decommission: fully or selectively wipe devices.

Secure the Mobile Device Configuration
- Passcodes: length, age, composition, history
- Maximum failed attempts
- Progressive passcode timeout
- Allow / disallow camera
- Allow / disallow web browsing
- Remote and local wipe
- Full disk encryption
- Anti-malware defenses

Mobile Device Quarantine (checks before a device is admitted)
- Patch levels for OSs and apps
- Required security software is active and current, i.e. antivirus, firewall, full-disk encryption, etc.
- Device is not jailbroken (Apple) or rooted (Android)
- Presence of unapproved devices
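As an added illustration (not from the slides, and not any MDM vendor's code), the following Python evaluates a device posture report against the configuration baseline and quarantine checks above; the posture field names and the policy thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Baseline security measures from the BYOD policy; values are constructed examples
    allowed_platforms: tuple = ("ios", "android")
    min_os_version: dict = field(default_factory=lambda: {"ios": (9, 3), "android": (6, 0)})
    min_passcode_length: int = 8
    max_passcode_age_days: int = 90
    max_failed_attempts: int = 10   # device must lock/wipe after at most this many failures
    require_encryption: bool = True
    require_antimalware: bool = True


@dataclass
class Posture:
    # Constructed sample of what an MDM agent reports at enrollment or check-in
    platform: str
    os_version: tuple
    passcode_length: int
    passcode_age_days: int
    failed_attempt_limit: int       # device's configured limit; 0 means no limit set
    encrypted: bool
    antimalware_active: bool
    jailbroken_or_rooted: bool


def evaluate(p: Posture, policy: Policy) -> list:
    """Return the list of violations; an empty list means the device is compliant."""
    v = []
    if p.platform not in policy.allowed_platforms:
        v.append("unapproved device type")      # no baseline exists, so skip the OS check
    elif p.os_version < policy.min_os_version.get(p.platform, (0, 0)):
        v.append("OS below required patch level")
    if p.jailbroken_or_rooted:
        v.append("device is jailbroken or rooted")
    if p.passcode_length < policy.min_passcode_length:
        v.append("passcode shorter than policy minimum")
    if p.passcode_age_days > policy.max_passcode_age_days:
        v.append("passcode older than maximum age")
    if p.failed_attempt_limit == 0 or p.failed_attempt_limit > policy.max_failed_attempts:
        v.append("failed-attempt limit missing or too high")
    if policy.require_encryption and not p.encrypted:
        v.append("full-disk encryption not enabled")
    if policy.require_antimalware and not p.antimalware_active:
        v.append("anti-malware not active")
    return v


def decide(p: Posture, policy: Policy = Policy()) -> str:
    """Quarantine (deny corporate email/network access) on any violation, else allow."""
    return "quarantine" if evaluate(p, policy) else "allow"
```

The violation list, not just the verdict, is what should be logged and shown to the user so the device can be brought back into compliance.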

Integrate into Employment Life Cycle
- Acknowledgement of the BYOD policy before onboarding
- Device enrollment and decommissioning during recruitment, transfer and termination
- Return of organization-owned mobile devices

Conduct Security Tests Regularly
- Information gathering: reconnaissance and mapping.
- Gaining access: vulnerability scan and control exploitation.
- Static analysis: analyze raw mobile source code, decompiled or disassembled code.
- Dynamic analysis: assess the mobile app's local interprocess communication surface, analyze the local file system, assess remote service dependencies.

Questions and Answers