
Mobile security for SIC 2012

Date post: 14-Nov-2014
Category:
Upload: vladimir-jirasek
View: 2,506 times
Download: 1 times
Description:
Mobile computing has become ubiquitous in the consumer space. Now employees require the use of mobile devices in business. How does this affect the risk profile of your company? What new types of threats should your security architecture cover? The session will cover these questions and more in a way that will allow security professionals to apply the lessons learnt directly in practice.
Transcript
Page 1: Mobile security for SIC 2012

CONSUMERISATION AND MOBILE SECURITY

Vladimir Jirasek

About.me/jirasek

[date]

Page 2: Mobile security for SIC 2012

About me

• Security professional at WorldPay as Head of Security Solutions
• Non executive director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
• Apple fan

Page 3: Mobile security for SIC 2012

I will cover three topics today

• Consumerisation and appropriate security architecture
• Mobile security challenges
• Practical approach

Page 4: Mobile security for SIC 2012

Mobile devices in enterprise

"I want to use one mobile device for both personal and work stuff."

"Hmm, might be tricky, but here is what we can do…"

• Say yes and give clear policies, instructions and tools!
• Control the access to data and systems according to risk.
• Agree forensic policy and investigation rules for personal devices.

Page 5: Mobile security for SIC 2012

Classifications of systems as the input into the access calculation

The matrix has two axes: Managed vs. Un-managed, and Compliant vs. Non-Compliant.

Managed + Compliant: Trusted systems
• Domain joined systems
• Managed and compliant mobile devices
Strategy: Can access most secret applications and data*

Un-managed + Compliant: Isolated systems
• Compliance checks for non-managed devices passed
Strategy: Deliver the application via thin client or access to least sensitive data

Managed + Non-Compliant: Vulnerable systems
• Domain joined or managed devices
Strategy: Help with remediation and limit access to sensitive applications

Un-managed + Non-Compliant: Rogue
• Unknown devices
• Cannot assess compliance
Strategy: Give access at your peril!

* The access decision is taken based on other factors

Page 6: Mobile security for SIC 2012

[Diagram: Access decision logic]

Source trust inputs: User/Role, Location, Device trust and feature.
Destination trust inputs: Application classification, Location in network, Access method.
Both feed "Calculate access decision", whose outcomes are: Access denied, Access granted, Access limited.

Page 7: Mobile security for SIC 2012

How to manage access (this applies to any access, not just from mobile devices!)

Access decisions are based on the accuracy of the following:

• Identity – Google apps ID vs. Active directory ID, one factor auth vs. two factor auth
• Role – FTE, contractor, cleaner, executive
• Device – trusted, non-trusted, feature set
• Location – inside fw or outside, US vs. China, changes in locations in time
• Time – inside working hours or outside
• Data/Application – business impact, approved apps vs consumer apps, location in the network

Page 8: Mobile security for SIC 2012

Access path definitions

Source = user/role, location, device trust; Destination = data classification, location in network, access method.

#  | Source: user/role            | Location     | Device trust    | Destination: data | Network zone | Access method | Time         | Access
1  | Employees                    | Any          | Trusted         | Confidential      | DMZ          | Web           | Any          | Allow
2  | Employees                    | Any          | Isolated mobile | Internal          | DMZ          | Web           | Any          | Allow
3  | HR admins                    | Office, UK   | Trusted         | PII and payroll   | Internal MZ  | Citrix        | Office hours | Allow
4  | Contractors                  | Office       | Isolated        | Confidential      | DMZ          | Citrix        | Any          | Allow
5  | Admins                       | Home working | Isolated        | Management        | MZ           | Citrix        | Any          | Allow
6  | Customers via Facebook login | Any          | Rogue           | PII               | DMZ          | Web           | Any          | Allow

Sit down with the business, enterprise architects and security and create access path definitions for key enterprise applications.
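The device classification matrix, the compliance monitoring from the "Correct approach" slide and the access path table above are enough to build a small risk-based access decision engine. The block below is an added example written for this transcript, not code from the presentation or from any vendor named in it: the six policy rows are transcribed from the slide, while the trust ranking (Rogue < Vulnerable < Isolated < Trusted), the posture fields, the "Office hours" window and the "Access limited" handling for Vulnerable devices are illustrative assumptions.

```python
"""Risk-based access decision engine modelled on the slides: device class
(managed x compliant), compliance posture and access path definitions.
Added example; policy rows come from the slide, all other names and
orderings are constructed assumptions."""
from dataclasses import dataclass

# Assumed ordering of the slide's four device classes, most trusted last.
TRUST_RANK = {"Rogue": 0, "Vulnerable": 1, "Isolated": 2, "Trusted": 3}


@dataclass
class DevicePosture:
    """Facts an MDM or compliance check would report (constructed fields)."""
    managed: bool                # enrolled in MDM / domain joined
    passcode_set: bool
    encrypted: bool
    jailbroken: bool
    forbidden_apps: tuple = ()   # installed apps the policy disallows


def is_compliant(p: DevicePosture) -> bool:
    """Configuration compliance: installed apps, jail-breaking, settings."""
    return p.passcode_set and p.encrypted and not p.jailbroken and not p.forbidden_apps


def classify_device(managed: bool, compliant: bool) -> str:
    """Managed x compliant -> Trusted / Vulnerable / Isolated / Rogue."""
    if managed:
        return "Trusted" if compliant else "Vulnerable"
    # un-managed: only a passed compliance check earns 'Isolated'
    return "Isolated" if compliant else "Rogue"


@dataclass(frozen=True)
class AccessPath:
    role: str        # source: user/role
    location: str    # source: "Any", "Office", "Office, UK", "Home working"
    min_trust: str   # source: minimum device trust class
    data: str        # destination: data classification
    zone: str        # destination: location in network
    method: str      # destination: access method
    time: str        # "Any" or "Office hours"


# Rows 1-6 of the slide's access path table ("Isolated mobile" -> "Isolated")
PATHS = (
    AccessPath("Employees", "Any", "Trusted", "Confidential", "DMZ", "Web", "Any"),
    AccessPath("Employees", "Any", "Isolated", "Internal", "DMZ", "Web", "Any"),
    AccessPath("HR admins", "Office, UK", "Trusted", "PII and payroll", "Internal MZ", "Citrix", "Office hours"),
    AccessPath("Contractors", "Office", "Isolated", "Confidential", "DMZ", "Citrix", "Any"),
    AccessPath("Admins", "Home working", "Isolated", "Management", "MZ", "Citrix", "Any"),
    AccessPath("Customers via Facebook login", "Any", "Rogue", "PII", "DMZ", "Web", "Any"),
)


@dataclass(frozen=True)
class Request:
    role: str
    location: str
    device_trust: str
    data: str
    zone: str
    method: str
    hour: int        # local hour of day, 0-23


def _location_ok(path: AccessPath, req: Request) -> bool:
    # "Office" in the policy also covers the more specific "Office, UK"
    return path.location == "Any" or req.location.startswith(path.location)


def _time_ok(path: AccessPath, req: Request) -> bool:
    return path.time == "Any" or 9 <= req.hour < 18   # assumed office hours


def decide(req: Request, paths=PATHS) -> str:
    """Default deny. A path matching on role, destination, location and time
    grants access when the device trust is at least the path's minimum.
    A Vulnerable (managed, non-compliant) device that matches on everything
    but trust gets limited access instead of a flat denial."""
    limited = False
    for p in paths:
        if (p.role, p.data, p.zone, p.method) != (req.role, req.data, req.zone, req.method):
            continue
        if not (_location_ok(p, req) and _time_ok(p, req)):
            continue
        if TRUST_RANK[req.device_trust] >= TRUST_RANK[p.min_trust]:
            return "Access granted"
        if req.device_trust == "Vulnerable":
            limited = True
    return "Access limited" if limited else "Access denied"


if __name__ == "__main__":
    # Constructed posture: managed but jailbroken -> Vulnerable -> limited
    posture = DevicePosture(managed=True, passcode_set=True, encrypted=True, jailbroken=True)
    trust = classify_device(posture.managed, is_compliant(posture))
    req = Request("Employees", "Home working", trust, "Confidential", "DMZ", "Web", hour=14)
    print(trust, "->", decide(req))
```

Matching is exact on the destination triple and the minimum device trust is the only ranked field, so the policy stays readable as a table; the Rogue row for customers shows that a low trust class is a policy input, not an automatic denial.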

Page 9: Mobile security for SIC 2012

MOBILE SECURITY

Page 10: Mobile security for SIC 2012

Revolution in mobile device capabilities

[Timeline chart, Q1 2007 to Q1 2009; the quarter-by-quarter positions are not recoverable from the transcript]

• Apple iPhone launches
• Gartner says never ready for enterprise
• iOS App Store
• iOS ActiveSync email
• Gartner approves iPhone for the enterprise
• Android G1
• Microsoft Windows Vista
• Blackberry & Palm

Source: McAfee

Page 11: Mobile security for SIC 2012

And its acceleration

[Timeline chart, Q1 2009 to Q2 2012; the quarter-by-quarter positions are not recoverable from the transcript]

• Android tablets
• Microsoft Windows 7
• iOS 3GS w/ encryption
• RIM Playbook
• iPad launches
• iPad 2
• Android Honeycomb with encryption
• Windows Phone 7
• webOS
• Next gen Blackberry
• iCloud
• iPhone 4s

Page 12: Mobile security for SIC 2012

Mobile device threats

• Web-based and network-based attacks
• Malware
• Social engineering attacks
• Resource and service availability abuse
• Malicious and unintentional data loss
• Attacks on the integrity of the device's data

Page 13: Mobile security for SIC 2012

Mobile platforms – security architecture

• Traditional Access Control: Traditional access control seeks to protect devices using techniques such as passwords and idle-time screen locking.

• Application Provenance: Provenance is an approach where each application is stamped with the identity of its author and then made tamper resistant (using a digital signature).

• Encryption: Encryption seeks to conceal data at rest on the device to address device loss or theft.

• Isolation: Isolation techniques attempt to limit an application's ability to access the sensitive data or systems on a device.

• Permissions-based access control: Permission-based access control grants a set of permissions to each application and then limits each application to accessing device data/systems that are within the scope of those permissions, blocking the applications if they attempt to perform actions that exceed these permissions.

Source: Symantec

In many aspects the mobile device architecture is more advanced than your typical desktop OS.

Page 14: Mobile security for SIC 2012

Updating of old devices is an issue for Android…

[Chart by Michael DeGusta, TheUnderstatement.com]

Page 15: Mobile security for SIC 2012

Correct approach to mobile security

• Secure Device, Applications and Data
• Use a risk based approach for access control decisions
• Less emphasis on whether device is corporate or personal
• Extend DLP to mobile
• Extend security event and forensic services
• Monitor installed apps, jail-breaking and configuration compliance
• Deliver corporate applications via thin clients to mobile devices

Source: McAfee

Page 16: Mobile security for SIC 2012

References

• Rethinking Enterprise Security, Toby Kohlenberg, Intel
• "A Window Into Mobile Device Security", Carey Nachenberg, Symantec, 2011
• McAfee EMM Site
• Mobile Security: Looking Back, Looking Forward, David Goldschlag, McAfee, 2011
• Microsoft ActiveSync certification program, http://technet.microsoft.com/en-us/exchange/gg187968.aspx
• Microsoft Consumerization Site, http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx
• "CISO Perspective: Consumerization of IT" @ RSA Europe 2011, Bret Arsenault, CISO Microsoft
• "Magic Quadrant for Mobile Device Management Software", Document ID G00211101, Gartner, 2011
• "Your Apps Are Watching You," The Wall Street Journal, December 17, 2010
• Windows Phone 7.5 (Mango) Security model explained, http://j4ni.com/blog/?p=59, Jani Nevalainen
• Windows Phone Platform Security, http://www.developer.nokia.com/Community/Wiki/Windows_Phone_Platform_Security, Nokia
• Windows Phone Security page, http://msdn.microsoft.com/en-us/library/ff402533(v=vs.92).aspx, Microsoft
• VMware Mobile virtual platform, http://www.vmware.com/products/mobile/overview.html
• Revolution or Evolution: Information Security 2020, http://www.pwc.co.uk/eng/publications/revolution_or_evolution_information_security_2020.html, PWC, 2010
• Consumerisation and Corporate IT Security, http://www.schneier.com/blog/archives/2010/09/consumerization.html, Bruce Schneier, September 2010
• Android Orphans: Visualizing a Sad History of Support, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support, Michael DeGusta, October 2011
