1. The Smart Mobile Device Environment 2. Rising Risks and Concerns with Smart Devices 3. Managing Mobile Devices In The Enterprise 4.

Questions 1) How many people have at least one smart mobile device that you use for business? 2) How many people have Android? 3) How many ios devices? 4) How many people have jailbroken devices? 1

1. The Smart Mobile Device Environment 2. Rising Risks and Concerns with Smart Devices 3. Managing Mobile Devices In The Enterprise 4. Other Issues and Concerns 2

3

They are everywhere At the end of 2011, there were 6 billion mobile subscriptions, worldwide That is equivalent to 80 percent of the world population In the US mobile cellular subscriptions 100% of population In Europe around 120% Other areas ranging from 74% to over 150% 4

In terms of geographic distribution smart Mobile devices are everywhere Developing nations might be currently lagging behind in total numbers and per capita use However developing nations also among the fastest growing smart mobile user base Partly because there is very little terrestrial infrastructure for other forms of connectivity like fixed wire line telephone or broadband service Its cheaper and easier to build a cellular infrastructure than a wired one And that infrastructure is less likely to be washed out by a flood or damaged by an earthquake 5

When it comes to Internet connectivity, mobile broadband usage eclipses fixed wire-line broadband services Vastly more people have a mobile broadband connection than a fixed broadband connection This is true even in the United States, where there are almost double the number of mobile broadband vs. fixed broadband 6

1. Smart mobile devices have had a phenomenal adoption rate The ipad has the fastest adoption rate of any technology, ever, possibly eclipsing even the wheel, or fire if you believe Apple 2011 numbers are a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009 up over 50% in some areas Market growth is being driven by demand in the developing world, led by rapid mobile adoption in China, Africa and India Mobile subscriptions outnumber fixed lines 5:1 (more so in developing nations); Mobile broadband outnumbers fixed broadband 2:1. Total smartphone sales in 2011 were almost 500 million units up over 60 percent from 2010. This makes smartphones about 32 percent of all handsets shipped. 7

Looking at smartphone growth, In terms of the major players in the market, I don t think there is a lot of surprise here When it comes to hardware sales, the top five smart phone vendors worldwide in 2011 were Samsung, Apple, Nokia, RIM, HTC Of those Nokia sales declined 23% and RIM s sales were almost stagnant at 5% growth Samsung, Apple, and HTC had a 310%, 96%, and 100% growth rate respectively Growth by operating system reflects the hardware sales Android had almost 250% year on year growth 2011 vs 2010 ios had almost 100% growth in the same period Interesting newcomer Bada from Samsung aimed at being a low end smartphone OS for not so smart hardware platforms small market share but huge growth worth keeping an eye on Nobody else in the market even comes close Symbian and Windows phone had negative growth 8

What are the driving factors for integrating smart mobile devices into the enterprise? One that is often talked about is cost reduction That is, off setting the cost of corporate provided or corporate subsidized handsets by allowing employees to to use their own devices Quite frankly, I have never seen any numbers to support the cost reduction argument, MDM vendors are also backing away from it Another factor that is often discussed in the media is increased productivity Again, I have yet to see any numbers supporting this claim I do believe there is a significant potential value, as new and imaginative ways of leveraging smart mobile devices arrive, there may be some other arguments to support enterprise mobile device integration And as we will see, there are some significant concerns that need to be considered 9

Considerations What are the goals for allowing mobile devices into your enterprise? How can you measure how well you achieve these goals? What data will and will not be allowed on mobile devices? Which employees and contractors will be allowed to connect? 10

11

Based on some recent surveys, there is at least C level recognition of the risks associated with mobile devices in the enterprise Given this level of concern, and in light of the amount of customer data stored on mobile devices, it is definitely worth taking a hard look at the risks and potential mitigating factors when considering mobile devices in the enterprise 12

So what are the security concerns with smart mobile devices? Well, obviously given that there is customer data stored on half of the devices used for business, physical security of the device is a huge concern Stored data, including access credentials, is at risk anytime a devices is lost, stolen, an employee leaves the company, the device is recycled, or sold on ebay How can the enterprise be sure that sensitive data, or network access, does not into the wrong hands? Encryption of locally stored data is available in ios since about ios 4.3, as long as a passcode is configured ipad2 and iphone4 and later have hardware based encryption Android is a different story, no device encryption until 4.0 aka Ice Cream Sandwich, and then it depends on vendor support Even more troubling however, is the official stance by both Android and Apple that ultimately the security of the device rests with the end user Obviously a disturbing position for those with responsibility for securing corporate data 13

Second to the physical security issue, but rapidly gaining ground, is the mobile malware risk Mobile malware is becoming more and more sophisticated Mirroring malware in the desktop world, but evolving at a much greater pace 2011 saw an incredible growth in mobile malware over 1,500% as compared to 2009, almost 370% over 2010 Amost a 2,000% increase in December vs January 2012 is on track to be the year of mobile malware Mobile malware is borrowing technology from the desktop world adapting to not only the mobile technology, but the mobile usage patterns In particular leveraging social networking and social engineering approaches By far the greatest growth in malware is in Androids Last week the first Android Bootkit DKFBootKit was discovered raising the ante again DKFBootKit piggybacks on legitimate applications to infect the device, then replaces key daemons to compromise the device at boot time before the Android framework is fully loaded 14

Mobile malware exhibits all the same types of behavior we re used to in other environments In addition mobile malware can monetize the infection directly by sending SMS messages to premium rate numbers Further, device features like cameras, microphones, and GPS receivers can all be controlled and accessed remotely This is a real concern when executives are traveling with devices, bringing them into sensitive meetings etc. There is some evidence malware authors leveraging this information to gain advantage in stock trades 15

The Android mobile platform is considered to introduce the greatest security risks from mobile malware almost 11 million infected Android devices world wide 472% increase in Android malware July through November last year China leads the infection rate India, Russia, and the US roughly equal with a little over 10% of total infections each 16

Several reasons exist for this, one of the most significant is simply market share Malware written for Android has the potential to infect many more devices than any other mobile OS 49% of smart phones run some version of Android 19% run Apple ios 16% run Nokia s Symbian However, Nokia is ceasing support for Symbian and moving to Windows Mobile Symbian malware s decline mirrors the growth of Android malware, perhaps the malware authors are switching platforms Only 10% of devices run RIM s Blackberry OS RIM is rapidly losing ground to the others Windows Mobile OS only accounts for 1.4% - and is expected to grow slowly 17

1. However market is not the whole story to really understand the issue we need to take a closer look at the almost 50% of the market that Android owns 1. While ios is only available from Apple, and only on Apple devices 2. The Android market is split between Samsung (35%), HTC (24%), LG (11%), Motorola (9%), Sanyo, Sony, and a myriad of smaller players (21%) 3. Each device, and each carrier s version of that device, has their own slightly different version of Android 4. Each one is tweaked to support different hardware, different software bundles, and other offerings and carrier requirements 5. This presents some significant concerns with respect to platform security, and security of carrier-bundled software 18

Its when we start looking at the relative update history of the devices that the real story comes out and its not a pretty one for Android Just like in the desktop and server world Keeping operating systems updated and properly patched is a central tenet to maintaining information systems security The next three slides show the update history of every smart mobile phones released in the US between 2009 and 2011 Green indicates that updates were available to keep the device on the current major version Yellow 1 major version behind, orange two versions behind, red three versions The X s indicate when the device was being actively sold Updates and patches were available for all ios based phones sold since day one Apple updates ios regularly and they updates are published by Apple direct to device owners Since ios 5 updates are pushed OTA, and don t require computer connectivity 19

Android updates on the other hand go from Google/Android, to the hardware vendors, to the carriers, and thence to the device users Or more often don t. Android updating, or lack thereof, is a major security problem Of the 18 Android phones shipped in the US between 2009 and 2011, 7 of them never ran a current version of the OS. 12 of 18 only ran a current version of the OS for a matter of weeks or less. 10 of 18 were at least two major versions behind well within their two-year contract period. 11 of 18 stopped getting any support updates less than a year after release. 20

13 of 18 stopped getting any support updates before they even stopped selling the device or very shortly thereafter. 15 of 18 don t run Gingerbread, v2.3, which shipped in December 2010. When 4.0, or Ice Cream Sandwich, came out in November, every device on this list was another major version behind. At least 16 of 18 will almost certainly never get Ice Cream Sandwich. 21

There are three primary ways that malware infects a mobile device The most significant is piggy backing off a legitimate application Generally the malware author will download a popular legitimate application from an app store, disassemble it, compile in the malware then reupload it to the app store as a different version Angry Birds, one of the most popular applications, had at least one version infected in this fashion Sometimes the malware isn t included, just some code to download the malware as an in app upgrade once the program is started Malware can also be loaded by tricking users to go to malicious web sites that then attack via browser vulnerabilities just like in the desktop world 22

The single biggest source of malware for mobile devices are the various app stores Neither Apple nor Google do much to vet software for security issues Although Apple seems to do a slightly better job Google is starting to make changes it remains to be seen how well they will do In addition to the official Android Market, Android devices can also side load applications and download applications from unofficial app stores As you might expect, the unofficial Android stores contain significantly more malware To make matters words, with Android in particular, the security model depends on the end user to make a determination regarding the specific permissions granted to the application Most users just blindly accept whatever the application asks for 23

As it stands right now, there are only very limited anti-malware protections available There are some tools to scan email attachments, but this is really focused on preventing forwarding on malware rather than preventing local device infection Ironically, it s the architecture of the device operating systems that keep each application in its own segregated application space that also prevents anti-malware software similar to what we see on the desktop Desktop like anti-malware would require a jail break Jailbreaking devices, popular on both ios and Android, breaks the security model of each application in its own space Jail broken devices are much, much more likely to be infected with malware By the jailbreak itself By other malware that takes advantage of the removal of security by the jailbreak Best option currently user training and education, blacklisting known malware, not allowing jailbroken devices 24

Considerations What devices will be allowed to connect to the enterprise? Apple? Android? Will devices be required to be up to date/patched? If so, how will this impact Android use? Will jailbroken devices be allowed? How will these requirements be monitored and enforced? How will you detect or prevent malware? 25

26

Managing Mobile Devices APIs built into the mobile operating systems allow management of the devices Each OS has its own specifics, there is no standardization Currently Apple s MDM API is by far the most capable and flexible Allows restrictions on device passcode length, complexity, expiration, re-use history, # failed attempts before wipe Deny or allow use of various applications, restricts some application settings to administrator proscribed settings, allow or deny cloud backups, and force various browser and application settings, lock device, and clear passcode Apple MDM APIs can provision email accounts including username and password Allows either a corporate wipe or a full wipe 27

Android MDM APIs much weaker than ios, though slightly better in 3.0 Android API s provide much less control essentially a limited subset of password controls One of the most significant problems with the Android API is the lack of an enterprise wipe it s a Nuke from high orbit only Lack of enterprise wipe is a significant problem, especially in BYOD environments no way to avoid deleting personal data Additionally, our testing shows that sometimes the device does not even restore to the configuration and software that came from the carrier 28

Samsung SAFE devices custom APIs to allow much greater control of security on a limited subset of new Samsung Android devices It is possible that LG might be coming out with additional MDM APIs of their own also 29

Considerations What are the specific security controls that you would like to enforce? Which devices support those controls? How will you protect the enterprise from liability of wiping personal data? What controls (technology or policy) can you put in place around Android devices? Are you willing to support older/weaker versions of Android that have limited security controls? 30

Two Primary Architectures for Mobile Device Management API Based and VPN and Proxy API based installs restrictive profiles on device, generally use some additional agent Once the profiles are installed, all communication between device and network services is direct MDM plays no part in the communication Agent does on-device monitoring and compliance checking reports back to the MDM service periodically Can verify compliance with required security settings as well as detect jailbreaks and installation of blacklisted software There is another component, eliminated from this drawing for simplicity Both Google and Apple have a mechanism for store and forward asynchronous messaging between the MDM provider and the device These allow MDM to send a message to the device, and for that message to be held until the phone is online When it comes online if can then respond to the message by checking in with the MDM service Apple s is called the Apple Push Notification Service, or APNS 31

The other primary architecture is the VPN and Proxy method VPN and Proxy - Forces all traffic back to enterprise proxy via IPSEC VPN Proxy may be in the enterprise data center, cloud, or vendor site(s) Again, there is usually an agent that does on-device monitoring and compliance checking May allow browser content filtering and URL black listing May provide email filtering on cloud email/personal email Architecture could allow for network-based DLP Architecture could allow for IDS/IPS and other network-based malware detection/protection On ios forces an automatic VPN configuration 32

In general, the VPN-based architecture will provide a higher level of control and security However, as always it comes at a price Requires all traffic to come back to the proxy eliminates many of the advantages of cloud based enterprise services e.g. email Depending on enterprise architecture, may increase bandwidth requirements and costs particularly if proxy in the cloud, could double or quadruple bandwidth costs Possible reduction in fault tolerance issues with data center may take all mobile devices offline For global companies, and/or those with highly distributed mobile work force, VPN and Proxy might require building out a global infrastructure to support them However, one of the biggest issues with VPN and proxy, there is no IPSEC VPN possible on Android 2.x devices Android 2.x is by a long way the majority of Android devices in the field today The only way to support it on Android 2.x is a custom ROM essentially your own jail break This raises huge device management issues for a remote work force, help desk 33

Considerations Is the potential for increased security in the VPN and Proxy model worth the costs, complexities, reduced flexibility? If so, and if Android will be supported? Will you use a custom ROM/custom jailbreak? How will you manage devices in the field? How does this impact your BYOD stance? 34

35

There are other, non-technical issues that any enterprise considering smart mobile device integration should consider Especially if the enterprise will be providing help desk service for mobile devices Consider that the current crop of devices are consumer devices Also, If the enterprise is using, or intends to use, cloud services for email/ contacts/calendars such as Google Apps which we see a lot and which is often associated with a mobile initiative Realize that many of these services are consumer focused services as well Additionally, the mobile device vendors and the cloud service provides aren t talking as often as they should Also, Mobile Device Management software is still early stage technology Take a look at the Gartner Magic Quadrant for MDM, they are all almost all in the lower left Niche Player/Start up Quadrant When you try to combine two consumer items, the mobile device and the cloud service, and manage it with an early stage technology, You will not get enterprise grade service levels its simply not possible 36

Also, especially in large enterprises, properly integrating mobile devices into the enterprise is likely to require some organizational reshuffling We all know how smoothly that is likely to be It is imperative to realize, the latest crop of smart mobile devices are not just phones They are generally as powerful as a 3-4 year old laptop They should not be considered a telephone, they should not be managed like a telephone When coupled with always-online technology, and some of the other concerns I've discussed, It should be clear that smart mobile devices should be managed through IT/technology channels And that security policies and procedures must be reviewed and properly applied to the devices and the business processes In particular, HR processes around separation are critical for enterprise data protection Timely recovery and/or erasure of enterprise data 37

Integrating smart mobile devices into the enterprise also brings additional liability risks This is particularly true if you are allowing BYOD There is a potential for wiping an employees personal data from their device if the enterprise is managing it Either accidentally, or deliberately particularly at separation What happens if this is the employee s only picture of his dead Granny? - Actual case! What happens if the employee then goes to work for another company, and your HR processes don t get around to wiping his or her device until a few days later Now you are wiping some other companies data off their employee s device Remember There is no such thing as a selective wipe in Android it s a nuke from high orbit 38

Also, consider that smart mobile devices aren t for everyone Consider making only certain job functions or payroll bands eligible Also, consider the costs/impacts of rising help desk calls with these devices It might also be worth reviewing employment terms for non-exempt employees and hourly contractors. If they are receiving enterprise email on their phone at night, is there an expectation that they respond and has that been communicated clearly? If so, how does that impact hours worked or billing? Can the bill for that time? What about the intervening time between the end of the day and the 2am email? What if the employee is on vacation? Can he or she now claim that is not a vacation day? Another critical issue to consider for enterprises that utilize cloud services for email or customer management for example If you do not integrate provisioning of these services and mobile devices with some sort of central Identity Management mechanism, and mobile device users have a password rather than using SAML or OAUTH, the enterprise has very little visibility into and control over the data It is impossible to ensure that data is erased as it could have been synched anywhere 39

A final consideration must be given to enterprises statutory and regulatory obligations when it comes to data on mobile devices Consider PCI, GLBA, HIPAA, FTC Red Flags If a device is lost, and there is a possibility for regulated data on it, it may trigger obligations for reporting and breach notification For global companies, it is likely that EU Data Protection laws may impact the monitoring and management of devices in those regions In which case your US based data center must comply with the Safe Harbor principles Also consider the use of these devices by your executives and board members It is worth determining if they need additional protections And what the legal and other implications of a potential breach of security on one of their mobile devices 40

How will HR policies and processes change to support secure use of smart mobile devices throughout an employee s tenure, especially at separation? Are there any local or national employment laws or collective bargaining agreements that should be considered? Will only corporate liable devices be allowed, or will you allow BYOD? If BYOD is considered, what are the constraints? 41

Mobile devices are ubiquitous The power and connectedness of mobile devices is increasing rapidly IT departments under increasing pressure to integrate them into the environment There are significant technical and non-technical risks to using mobile devices in the enterprise Particularly if BYOD is considered IT, InfoSec, HR, and Legal at a minimum need to been involved in the decision making process 42

43