Posted: 14-Nov-2014 | Category: Technology | Uploaded by: vladimir-jirasek
CONSUMERISATION AND MOBILE SECURITY
Vladimir Jirasek
About.me/jirasek
[date]
About me
• Security professional at WorldPay as Head of Security Solutions
• Non-executive director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
• Apple fan
I will cover three topics today
• Consumerisation and appropriate security architecture
• Mobile security challenges
• Practical approach
Mobile devices in enterprise
"I want to use one mobile device for both personal and work stuff."
Hmm, might be tricky, but here is what we can do…
• Say yes and give clear policies, instructions and tools!
• Control the access to data and systems according to risk.
• Agree a forensic policy and investigation rules for personal devices.
Classifications of systems as the input into the access calculation (matrix: Managed / Un-managed against Compliant / Non-Compliant)
Managed + Compliant: Trusted systems
• Domain joined systems
• Managed and compliant mobile devices
Strategy: Can access most secret applications and data*
Un-managed + Compliant: Isolated systems
• Compliance checks for non-managed devices passed
Strategy: Deliver the application via thin client or access to least sensitive data
Managed + Non-Compliant: Vulnerable systems
• Domain joined or managed devices
Strategy: Help with remediation and limit access to sensitive applications
Un-managed + Non-Compliant: Rogue
• Unknown devices
• Cannot assess compliance
Strategy: Give access at your peril!
* The access decision is taken based on other factors
Colour legend: Access denied / Access granted / Access limited
Access decision logic (diagram): Source trust (User/Role, Location, Device trust and features) and Destination trust (Application classification, Location in network, Access method) are the inputs to "Calculate access decision".
How to manage access (this applies to any access, not just from mobile devices!)
Access decisions are based on the accuracy of the following:
• Identity – Google Apps ID vs. Active Directory ID, one-factor auth vs. two-factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted, feature set
• Location – inside the firewall or outside, US vs. China, changes in location over time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs. consumer apps, location in the network
Access path definitions

| # | Source (who) | Source location | Device trust | Destination data | Destination zone | Access method | Time | Access |
|---|---|---|---|---|---|---|---|---|
| 1 | Employees | Any | Trusted | Confidential | DMZ | Web | Any | Allow |
| 2 | Employees | Any | Isolated mobile | Internal | DMZ | Web | Any | Allow |
| 3 | HR admins | Office, UK | Trusted | PII and payroll | MZ | Citrix | Office hours | Allow |
| 4 | Contractors | Office | Isolated | Confidential | DMZ | Citrix | Any | Allow |
| 5 | Admins | Home working | Isolated | Management | MZ | Citrix | Any | Allow |
| 6 | Customers via Facebook login | Any | Rogue | PII | DMZ | Web | Any | Allow |
Sit down with business, enterprise architects and security and create access path definitions for key enterprise applications.
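An added example, not part of the slides, that turns the device classification matrix and the access path table above into a default-deny access evaluator. The rows are transcribed from the slide; the request fields and the trust ranking (a Trusted device may also use a path defined for Isolated devices) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

def device_trust(managed: bool, compliant: Optional[bool]) -> str:
    """Map the Managed/Compliant matrix from the slides to a trust class."""
    if compliant is None:                # compliance cannot be assessed
        return "Rogue"
    if managed:
        return "Trusted" if compliant else "Vulnerable"
    return "Isolated" if compliant else "Rogue"

@dataclass(frozen=True)
class AccessPath:
    source: str; location: str; trust: str           # who, from where, on what
    data: str; zone: str; method: str; time: str     # to what, how, when

# Rows transcribed from the slide table ("Isolated mobile" shortened to Isolated,
# "Customers via Facebook login" to Customers).
ACCESS_PATHS = [
    AccessPath("Employees", "Any", "Trusted", "Confidential", "DMZ", "Web", "Any"),
    AccessPath("Employees", "Any", "Isolated", "Internal", "DMZ", "Web", "Any"),
    AccessPath("HR admins", "Office, UK", "Trusted", "PII and payroll", "MZ", "Citrix", "Office hours"),
    AccessPath("Contractors", "Office", "Isolated", "Confidential", "DMZ", "Citrix", "Any"),
    AccessPath("Admins", "Home working", "Isolated", "Management", "MZ", "Citrix", "Any"),
    AccessPath("Customers", "Any", "Rogue", "PII", "DMZ", "Web", "Any"),
]

def trust_satisfies(have: str, need: str) -> bool:
    # Assumption: a Trusted device may also use paths defined for Isolated
    # devices; Vulnerable and Rogue devices only get paths written for them.
    return have == need or (have == "Trusted" and need == "Isolated")

def decide(source, location, managed, compliant, data, zone, method, office_hours):
    """Return ('Allow', row) for the first matching access path, else ('Deny', None)."""
    have = device_trust(managed, compliant)
    for row, p in enumerate(ACCESS_PATHS, start=1):
        if (p.source == source
                and p.location in ("Any", location)
                and trust_satisfies(have, p.trust)
                and (p.data, p.zone, p.method) == (data, zone, method)
                and (p.time == "Any" or office_hours)):
            return "Allow", row
    return "Deny", None          # no defined path: denied by default

if __name__ == "__main__":
    # Constructed request: HR admin on a managed, compliant device, outside office hours.
    print(decide("HR admins", "Office, UK", True, True, "PII and payroll", "MZ", "Citrix", False))
```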
MOBILE SECURITY
Revolution in mobile device capabilities (timeline, Q1 2007 to Q1 2009)
• Apple iPhone launches
• Gartner says never ready for enterprise
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
• Microsoft Windows Vista
• Blackberry & Palm
Source: McAfee
And its acceleration (timeline, Q1 2009 to Q1 2012)
• Android tablets
• Microsoft Windows 7
• iOS 3GS w/ encryption
• RIM Playbook
• iPad launches
• iPad 2
• Android Honeycomb with encryption
• Windows Phone 7
• webOS
• Next gen Blackberry
• iCloud
• iPhone 4s
Mobile device threats
• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse
• Malicious and unintentional data loss
• Attacks on the integrity of the device's data
Mobile platforms – security architecture
• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.
• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).
• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.
• Isolation: Isolation techniques attempt to limit an application's ability to access the sensitive data or systems on a device.
• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.
Source: Symantec
In many aspects the mobile device architecture is more advanced than your typical desktop OS
Updating of old devices is an issue for Android… (chart by Michael DeGusta, TheUnderstatement.com)
Correct approach to mobile security
• Secure device, applications and data
• Use a risk-based approach for access control decisions
• Less emphasis on whether the device is corporate or personal
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance
• Deliver corporate applications via thin clients to mobile devices
Source: McAfee
References
• Rethinking Enterprise Security, Toby Kohlenberg, Intel
• "A Window Into Mobile Device Security", Carey Nachenberg, Symantec, 2011
• McAfee EMM site
• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• "CISO Perspective: Consumerization of IT" @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• "Magic Quadrant for Mobile Device Management Software", Document ID G00211101, Gartner, 2011
• "Your Apps Are Watching You", The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen
• Windows Phone Platform Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security 2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010
• Consumerisation and Corporate IT Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support, Michael DeGusta, October 2011