Developing a Mobile Security Strategy...2012/04/27  · Manage Security In-House vs. Outsource...


Page 1

April 2012

Developing a Mobile Security Strategy

Webinar for the institutions in the University of Texas System

Kieran Norton, Principal, Deloitte & Touche LLP

Page 2

Copyright © 2012 Deloitte Development LLC. All rights reserved.

Webinar Essentials

Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/SWCAcademy.html.

If you wish to ask questions:

• Click on the “Raise Hand” button. The webinar administrator will un-mute you at the appropriate time. Note: Remember to turn down your speaker volume to avoid feedback.

• Questions may also be typed in the GoToWebinar Question panel.

CPE credit is available for this webinar for attendees who attend the live webinar. Please request credit by sending an email to the UT Systemwide Compliance Office at [email protected].

Please provide your feedback in the post-session survey.

Page 3

Table of Contents

Problem Statement 2

Background 3-5

Mobile Ecosystem and Risk Landscape 6-12

Strategic Approach 13-16

Bring Your Own Device (BYOD) 17-19

Technology and Vendor Considerations 20-22

Key Takeaways 23-24

Appendix 25-29

Page 4

Problem statement

Summary observations from the security assessments related to mobile devices:

• Lack of appropriate policies/guidance and procedures related to the use of mobile devices; e.g., PDAs, tablets, etc.

• Proliferation of mobile devices with access to networks and applications, and no capability to track or inventory.

• Increased risk of unauthorized exposure of sensitive information through mobile devices (e.g., patient information, proprietary research data, etc.) resulting in adverse impacts to UTS and the institutions, such as financial penalties, legal implications and damaged public image.

Page 5

Background

Page 6

The mobility landscape

Mobile computing has been growing at a staggering rate across all age groups, income groups, industries, geographies and cultures and is widely expected to continue its exponential growth rate over the next five years.

Current mobile landscape (1)

• Mobile cellular subscriptions surpassed 5B in 2010 (Gartner)

• 83% of US population owns cellphones; 35% of these are smartphones (Pew Research)

• More than 410M smartphone devices have been sold globally so far (Forrester)

• Nearly 18M tablets were sold in 2010 (IDC)

Expected growth (1)

• Approximately 470M smartphones will be sold globally in 2011 (IDC)

• Approximately 980M smartphones will be sold globally in 2016 (IMS)

• By 2015, global mobile data traffic volume will be approximately 25 times 2010 volume (FCC)

• Tablets will reach one-third of US adults by 2015 (Forrester)

• Tablet unit sales to total around 54.8M in 2011 and top 208M in 2014 (Gartner)

Mobility and mobility services are not only gaining ground among consumers but also among enterprises.

(1) Note: Please refer to the Appendix for statistic references.

Page 7

Adoption of mobility trends

At a high level, entities go through three stages of adoption for mobility.

Though mobility offers a wide range of products and services, it has its own set of security vulnerabilities due to the changing threat landscape.

[Chart: Business Impact/Number of Mobile Apps (vertical axis) plotted against Stage 1, Stage 2 and Stage 3]

Stage 1, Mobile Veneer:

• Mobile access to existing apps

• No mobile app development

• Result: Poor user experience (UX) and negligible productivity, customer satisfaction or revenue gains

Stage 2, Mobilize Existing Applications:

• Develop new graphical user interfaces (GUIs) on top of existing business logic

• Result: Acceptable UX and noticeable productivity, CRM & revenue gains

Stage 3, Mobility-Centric Innovation:

• Develop completely new apps that leverage mobility benefits

• Result: User-centered UX and new productivity, CRM and revenue opportunities

Page 8

Mobile ecosystem and risk landscape

Page 9

Mobile security: Threat overlay on mobility ecosystem

Page 10

Mobility risk categories

Enabling mobility is a balance of technology, return on investment and risk. These need to be aligned with business needs and strategies. When considering developing mobile solutions, or fine tuning an existing solution, it is necessary to gain an understanding of the risks associated with mobility. These risks fall into four main categories:

1. Operational

2. Technology & Data Protection

3. Legal & Regulatory

4. Infrastructure & Device

What makes mobile devices valuable from a business perspective – portability, usability and connectivity to the internet and corporate infrastructure – also presents significant risk.

New risks have been introduced at the device, application and infrastructure levels requiring changes in corporate security policy and strategy.

Page 11

1. Operational

Mobility poses unique risks, and existing security and IT support resources and infrastructure cannot be extended to cover mobile devices and applications without significant investment in developing new skills, technical capabilities, operational processes and deployment of a ‘mobility infrastructure’.

A. Executives, users and customers are driving mobility decisions; operational risk considerations are not driving mobile security strategy

B. Security controls can negatively impact usability, causing friction with employees and slowing adoption

C. Increasing support demands may in turn outpace resource skill sets and technical capabilities

D. Varied mobile OS implementations make it difficult to deploy a singular security solution

E. Existing operational processes may not be efficiently designed or “mobile-ready”, which can hinder expected productivity

In one Deloitte case study, implementation of significant security controls led to 20% of the company’s mobile device users voluntarily opting out of the corporate program; however, it is unlikely users stopped using a mobile device.

Page 12

2. Technology and data protection

Mobile devices are valuable from a business perspective due to internet connectivity, access to corporate infrastructure as well as mobile/cloud based applications. These benefits also result in greater potential exposure for the enterprise – with risks introduced at the device, application and infrastructure levels.

A. End users may have the ability to modify device security parameters, thus weakening the security controls

B. Devices and memory cards are not encrypted by default or configured appropriately, thus leading to potential data leakage/loss

C. With use of cloud based applications, data protection becomes increasingly complex

D. Many organizations are not able to enforce mobile OS patching and updating, which may result in vulnerable devices

E. Users often install unapproved applications or applications containing malware, which poses information security risks

As an example, 58 malicious apps were uploaded to an app store and then downloaded to around 260,000 devices before the app store pulled the apps.

Page 13

3. Legal and regulatory

Security requirements may be complex, particularly if the organization operates in regulated industries. Employment labor laws, HIPAA requirements, privacy requirements, e-discovery requirements, etc., may impact the overall mobile strategy.

A. Employees using corporate devices for personal purposes and vice versa may give rise to significant data privacy issues

B. The “bring your own device” trend raises ethical and legal questions around monitoring, device wiping, etc., upon employee termination

C. Corporate usage of mobile devices by hourly employees can/will raise concerns around overtime labor law considerations

D. Regulatory requirements to address e-discovery, monitoring, data archiving etc., can be complex and difficult to implement

E. Data ownership and liability for corporate and employee owned devices used for business purposes is yet to be determined

In the Massachusetts data protection law (MA 201), responsibilities for protecting information on employee-owned devices used to access company resources may apply equally to the enterprise and the individual.

Page 14

4. Infrastructure and device

The diversity of device options and underlying operating system/application platforms introduces a myriad of security risks and challenges.

A. Mobile device attacks and varying attack vectors increase the overall risk exposure (extending the enterprise risk profile)

B. Multiple choices in the devices, OS platforms, apps, etc., require companies to employ diverse technologies, expanding the attack surface

C. Third party apps installed on corporate devices may contain vulnerabilities caused by developer mistakes or re-packaged malware

D. Securing mobile transmissions and channels is complex given a varied protocol landscape and the newer communication channels

E. Mobile devices are easily lost or stolen in comparison with other IT assets (e.g., laptops), and remote wipe efforts frequently fail

According to a recent survey, 36% of consumers in the US have either lost their mobile phone or had it stolen.

Page 15

Strategic approach

Page 16

Strategies for tackling mobile risks

Defining a Mobile Security Approach

After gaining an understanding of the key risks that affect your business, the next step is determining and defining your approach to a mobile security solution deployment. When determining the right approach, it is important to understand your specific use cases and incorporate your key business drivers and objectives.

Example controls

Data centric

• Minimal device data footprint

• Communications encryption

• Virtualization

• Data integrity

Device centric

• Mobile device management (MDM)

• Strict device policy enforcement

• Local data encryption

• Secure containers/partitions

Application centric

• Developer training

• System development life cycle

• Primary or multi-platform IDE

• Application distribution & maintenance

Page 17

Key decision points that drive strategy and the resulting architecture

Deployment decisions

• Manage Security In-House vs. Outsource Security

• 3rd Party Tools vs. Native Platform Tools

• Application Management vs. Application Guidance

• Full Data Access vs. Restricted Data Access

• Bring-Your-Own vs. Corporate Provided

Page 18

Mobility reference architecture

[Diagram: layered reference architecture. Layers: Business Strategy; App Concept to Development; Mobility Infrastructure; Enterprise Integration Strategy; Security, Privacy & Compliance. The diagram boxes, grouped by column header, read as follows.]

Strategy Development

• Business Analysis (Opportunity ID, Business Case)

• Mobile Enablement Strategy/Roadmap

• Mobility Readiness Assessment

• End-to-end Network Design

• Industry Regulatory/Compliance/Security Analysis

• Mobile Solution Architecture

Applications Development (Design, Implement, Test)

• Creative/UX/UI Design

• Mobile Middleware

• Integration / Data Mgmt

• Native Development: Objective C (iOS), Java

• Cross-Platform Dev: Sybase SUP, HTML5, Adobe

• Enterprise Systems Integration: ERP, Web/Ecommerce and Legacy Systems

• Reporting/BI/DW Enablement

• Mobile Analytics Feedback

Security

• Mobile application security

• Mobile security policy and governance

• Mobile security strategy and architecture

• Mobile device and operations security

Deployment, Distribution, Management, Operations

• Mobile Device Management

• Enterprise App Store

• Support Readiness

• Operational / Organizational Readiness

• Product Mgmt Enablement

• IT Governance

• Cloud and Social

Note: Products listed for the above technology product vendors are their respective property.

Page 19

Bring Your Own Device (BYOD)

Page 20

BYOD considerations

Employees increasingly want to use their favorite mobile device for personal and business use. They want to store personal data and install games on devices they are also using to access enterprise applications and data.

If employees purchase their own device and plan, this can reduce telecom costs; however, it creates several business challenges and security risks.

Key Considerations

• Bearing of device costs and associated usage fees

• Support considerations associated with highly differentiated OS’s, platforms, hardware/devices, apps, etc.

• Employee usage monitoring and device oversight

• Legal, regulatory and privacy risk mitigation associated with corporate data made available on mobile devices

• IT staffing and skill set requirements to support corporate issued and/or employee owned devices

Page 21

Bring-Your-Own vs. Corporate Provided

Bring Your Own

Pros:

• Device and possibly line costs incurred by employee

• Meets user desire to choose the device they like most, have a single phone number, etc.

• Addresses increased demand by employees to connect personal devices to corporate networks

Cons:

• Limited device oversight and control

• Increased challenges with enforcing legal and regulatory requirements

• Device and data ownership questions

• Requires support for diverse platforms, OSes, devices; may negatively impact app strategy

• Varied device service fees, lack of purchasing leverage (when chargeback/subsidies allowed)

Corporate Provided

Pros:

• Tighter device oversight and control, more heterogeneous device environment (app strategy)

• Streamlining devices, platforms and OSes simplifies IT support

• Direct relationship with carrier may be advantageous from a monitoring and security perspective

• Device costs and service fees negotiated with service providers; increased purchasing power

Cons:

• Cost of providing devices and service fees

• High employee demand for broader diversity in devices can lead to lower satisfaction and adoption

• May require potential increase in IT support staffing and skill set requirements

• Privacy considerations with monitoring of employee usage and activity, etc.

Page 22

Technology and vendor considerations

Page 23

Mobile device and app management

Microsoft Exchange ActiveSync (EAS)

Key features:

• Over-the-air sync on mobile devices to existing Exchange Server infrastructure for email, contacts, calendar data, and more

• Basic device management capabilities including allowing/blocking devices, and enforcing password requirements

Example vendors: EAS is a native tool included with Microsoft Exchange Server. If an organization has an existing Exchange infrastructure they have access to EAS and its capabilities.

Mobile Device Management (MDM)

Key features:

• Secure enrollment of mobile devices to be managed

• Wireless configuration and updating of device settings

• Monitoring and enforcing compliance with corporate policies

Example vendors: Good Technology, MobileIron, AirWatch, Zenprise, many others

Mobile Application Management (MAM)

Key features:

• Secure mobile application distribution

• Monitoring and enforcing compliance with app policies

• Reporting on approved/rogue apps

Example vendors: Apperian, Appcelerator, App47, Nukona, Mocana, MobileIron*, AirWatch*, Zenprise*

* MAM functionality included with primary MDM offering

Note: Products listed for the above technology product vendors are their respective property.
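The EAS entry above names password enforcement, device allow/block and basic device management as capabilities but shows no configuration. The following is an added example, not part of the Deloitte deck and not Microsoft documentation, showing how those capabilities, together with the device inventory gap from the problem statement, map onto Exchange Server 2010 Management Shell cmdlets. The policy name UTS-Baseline, the mailbox jdoe, the DeviceModel string, the device ID and the admin mailbox are constructed placeholders; the cmdlet and parameter names are assumed to be those of Exchange Server 2010 SP1 and should be checked against the version actually deployed.

```powershell
# Added example (not the deck's or Microsoft's own code). Assumes an Exchange Server 2010
# SP1 Management Shell session with organization-management rights.
# All names, identifiers and addresses below are constructed placeholders.

# 1. Password and encryption requirements: an ActiveSync mailbox policy. Devices that
#    cannot honour the policy (non-provisionable) are refused rather than exempted.
New-ActiveSyncMailboxPolicy -Name "UTS-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (loop over Get-Mailbox to cover a department or campus).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "UTS-Baseline"

# 2. Allowing/blocking devices: quarantine anything not yet seen so new device types are
#    reviewed before they sync, and allow one approved model by its reported DeviceModel.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admin@example.edu"
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString "iPhone4,1" -AccessLevel Allow

# 3. Inventory: every device partnership the server knows about, newest sync first.
#    This addresses the "no capability to track or inventory" observation in the deck.
function Get-EasDeviceInventory {
    Get-ActiveSyncDevice |
        ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } |
        Select-Object DeviceFriendlyName, DeviceModel, DeviceOS, DeviceId,
                      LastSyncAttemptTime, DevicePolicyApplied, DeviceAccessState |
        Sort-Object LastSyncAttemptTime -Descending
}
Get-EasDeviceInventory | Format-Table -AutoSize

# 4. Lost or stolen device: issue a remote wipe for one partnership, selected by DeviceId.
#    The wipe is only delivered on the device's next sync, which is why the deck treats
#    on-device encryption (step 1) as the control that must already be in place.
$lostDeviceId = "ApplDEVICEIDPLACEHOLDER"   # constructed placeholder
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }
```

Setting the default access level to Quarantine rather than Block keeps the EAS allow/block capability usable in a university setting: unfamiliar devices are held and reported to the admin mailbox instead of silently failing, and the inventory function gives the list that the deck's problem statement says most institutions lack.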

Page 24

Secure containers and mobile virtualization

Secure Container Solutions

Key features:

• Secure area on device for housing enterprise data and applications

• Container content is encrypted and separated from rest of device

• Allows more granular control of enterprise data (e.g., remote wipe container only)

Example vendors: Good Technology, Sky Technology

Mobile Virtualization

Key features:

• Allows multiple mobile operating systems to run simultaneously on a single device

• Personal and corporate content is separated with each running in its own virtual device

Example vendors: VMWare, Open Kernel Labs, Red Bend Software

Note: Products listed for the above technology product vendors are their respective property.

Page 25

Key takeaways

Page 26

Taking an organization and user-centric approach

What are early adopters doing?

1. Understand the specific mobility use cases

2. Understand key mobility risks that affect the organization and its constituents

3. Incorporate key business drivers and objectives

4. Implement security controls through both policy and technology

5. Enable, not disable adoption of new innovations (it’s not stopping here…)

Define Mobile Security Requirements → Architect & Design → Technology Acquisition & Deployment

Page 27

Appendix

Page 28

Appendix A: References

Current mobile landscape

• Mobile cellular subscriptions surpassed 5B in 2010 (Gartner) http://my.gartner.com/resources/213800/213866/mobile_and_contextaware_bran_213866.pdf?li=1

• 83% of US population owns cellphones; 35% of these are smartphones (Pew Research) http://pewresearch.org/pubs/2054/smartphone-ownership-demographics-iphone-blackberry-android

• More than 275 million iPhones and BlackBerrys and 135 million Android devices have been sold globally (Forrester) http://www.forrester.com/rb/Research/global_mainstreaming_of_smartphones/q/id/60762/t/2

• Nearly 18 Million Tablets were sold in 2010 (IDC) http://www.engadget.com/2011/03/10/idc-18-million-tablets-12-million-e-readers-shipped-in-2010/

Expected growth

• Approximately 470M smartphones will be sold globally in 2011 (IDC) http://www.idc.com/getdoc.jsp?containerId=prUS22871611

• Approximately 980M smartphones will be sold globally in 2016 (IMS) http://news.softpedia.com/news/One-Billion-Smartphones-a-Year-by-2016-IMS-Research-Says-213740.shtml

• By 2015, global mobile data traffic volume will be approximately 25 times 2010 volume (FCC) http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/VNI_Hyperconnectivity_WP.html

• Tablets will reach one-third of US adults by 2015 (Gartner) http://www.forrester.com/rb/Research/why_tablet_commerce_may_soon_trump_mobile/q/id/59096/t/2

• Tablet unit sales to total around 54.8 million next year and top 208 million in 2014 (Gartner) http://my.gartner.com/portal/server.pt?open=512&objID=260&mode=2&PageID=3460702&resId=1451714&ref=QuickSearch&sthkw=milanesi

Other

• MA 201 http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

• Lost phone survey http://www.symantec.com/about/news/release/article.jsp?prid=20110208_01

Page 29

How Deloitte can help

Page 30

How Deloitte can help

Deloitte can assist you in creating a secure delivery framework for your mobility initiatives from inception to ongoing operation. We can help you set the proper risk balance between control, efficiency and user experience. Our security and privacy specific services include:

Deloitte’s mobility security services

• Mobile security strategy & architecture

• Mobile security risk assessment

• Mobile infrastructure security

• Mobile application security testing

• Mobile security policy management

• Incident investigation & response

• Mobile device & operations security

• Secure SDLC for mobile applications

• Mobile security training & awareness

• Mobile device forensics

We also leverage the resources of the Deloitte Center for Security & Privacy Solutions, which conducts original research and develops substantive points of view to help executives make sense of and profit from emerging opportunities on the edge of business and technology.

Page 31

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2012 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited