Www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance Mobile Working Group...

Post on 31-Mar-2015

www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance

Mobile Working Group Session

Thank You

Initiative Leads/Contributors: Dan Hubbard, Guido Sanchidrian, Mark Cunningham, Nadeem Bhukari, Alice Decker, Satheesh Sudarsan, Matt Broda, Randy Bunnell, Megan Bell, Jim Hunter, Pam Fusco, Tyler Shields, Jeff Shaffer, Govind Tatachari, Ken Huang, Mats Näslund, Giles Hogben, Eric Fisher, Sam Wilke, Steven Michalove, Allen Lum, Girish Bhat, Warren Tsai, Jay Munsterman

Co-chairs: David Lingenfelter, Cesare Garlati, Freddy Kasprzykowski

CSA Staff: Luciano Santos, John Yeoh, Aaron Alva, Evan Scoboria, Kendall Scoboria

Mobile Guidance v1.0

Security Guidance for Critical Areas of Mobile Computing

Published Nov. 2012

Mobile Computing Definition

Threats to Mobile Computing

Maturity of the Mobile Landscape

BYOD Policies

Mobile Authentication

App Stores

Mobile Device Management

Mobile Guidance Defined

Authentication, Apps, MDM, BYOD

THREATS AND MATURITY

Top Mobile Threats – Evil 8

1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured Wi-Fi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs (includes personas).
8. NFC and proximity-based hacking.

Maturity

…there’s room for improvement

• 78% Have Mobile Policy
• 86% Allow BYOD
• 47% Utilize MDM
• 36% Have App Restriction
• 41% Have Security Controls

BYOD

Jay Munsterman

BYOD Charter

Analyze new challenges of:
• Policy
• Privacy
• Device and Data Segmentation

Delivered Policy Guidance for v1 Guidance

Next Steps for BYOD

• Need more team members!! Help us out!
• Conference call late March
• Decide on next steps, consider:
  • Policy Templates
  • Policy Examples
  • Evaluation of emerging containerization options

MDM

David Lingenfelter

MDM Opportunities

Increase security and compliance enforcement

Reduce the cost of supporting mobile assets

Enhance application and performance management

Ensure better business continuity

Increase productivity and employee satisfaction

Beyond Simple MDM

MOBILE AUTHENTICATION

Mark Cunningham

Mobile Authentication Guidance

• Ease of Use

• Future Authentication Technologies

APP STORES SECURITY

What you download may be compromised!

James Hunter

State of the App Market

• Apple and Google control 80% of the App Market
• By the end of 2013 an estimated 50 Billion downloads
• There are over 1 million different Apps

The summary doesn't consider Amazon and Samsung, corporate sites offering downloads of their own flavor of Apps, Developers of all sizes, or Apps Distributors.

We have a chaotic marketplace that depends on the participants' "best efforts" to ensure end-user privacy and security, as well as that of others (companies who employ them, even ones they visit and whose WiFi service they use).

What are the areas of concern?

• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, malware, etc.?
• Will this be an issue with BYOD?

The status of the working group?

• Initial draft of the policy guideline submitted in late October-early November 2012, for Orlando.
• November 2012 decision made to develop a stand-alone document.
• December 2012 received updated peer review info from J. Yeoh.
• January 2013 started efforts to recruit more volunteers for App Store Security working group.
• February 2013 re-started efforts to make contact with App Store Management at Microsoft.
• March 2013 start update of draft guideline to a stand-alone document.
• March 2013 continue efforts to recruit several volunteers to work on the stand-alone document.
• March 2013 request CSA Global support for Apple, Google, Amazon and Samsung Appstore contacts.
• April-June 2013 pursue App Store management contacts, involvement and support.

App Store Security Initiative

Thanks to the following individuals:

John Yeoh, Research Analyst, Global CSA

Authors/Contributors
Group Lead: James Hunter, Net Effects Inc.

Peer Reviewers
Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact

Co-Chair, Mobile Security: Cesare Garlati, Trend Micro

MOBILE 2013

Moving at the speed of mobile!

Where do we go from here?

Charter review

Cooperation Between Working Groups

New Mobile Controls In CCM

Maturity questionnaire v2.0

Top Threats Review

Stand Alone App Store Document

Stand Alone Authentication Document

New Section On Data Protection

Mobile Working Group Charter

Securing public and private application stores

Analysis of mobile security features of key mobile operating systems

Mobile device management, provisioning, policy, and data management

Guidelines for the mobile device security framework

Scalable authentication for mobile

Best practices for secure mobile application

Identification of primary risks related to BYOD – Bring Your Own Device

Solutions for resolving multiple usage roles related to BYOD

Chapter Cooperation

Information sharing across working groups

Already working with CCM

More guidance and input from Corporate, GRC and SME

Timeframes/Deadlines/Review Periods

Reference Materials

Create more material people will want to use to develop their mobile business plans

Baseline Controls

Policy Templates

App Security Guidelines

Threats and Risks

CSA 2013 Events

BlackHat (July 27-Aug 1)

EMEA Congress (September)

ASIAPAC Events (Congress, May 14-17)

CSA Congress Orlando (November)

https://cloudsecurityalliance.org/events/

THANK YOU

Chapter meetings every other Thursday @ 9:00am PST

LinkedIn: Cloud Security Alliance: Mobile Working Group

Basecamp