Developing a Mobile Security Strategy...2012/04/27 · Manage Security In-House vs. Outsource...
April 2012
Developing a Mobile Security Strategy
Webinar for the institutions in the University of Texas System
Kieran Norton, Principal, Deloitte & Touche LLP
Copyright © 2012 Deloitte Development LLC. All rights reserved.
Webinar Essentials
Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/SWCAcademy.html.
If you wish to ask questions:
• Click on the “Raise Hand” button. The webinar administrator will un-mute you at the appropriate time. Note: remember to turn down your speaker volume to avoid feedback.
• Questions may also be typed in the GoToWebinar Question panel.
CPE credit is available for this webinar for attendees who attend the live webinar. Please request credit by sending an email to the UT Systemwide Compliance Office at [email protected].
Please provide your feedback in the post-session survey.
Table of Contents
Problem Statement 2
Background 3-5
Mobile Ecosystem and Risk Landscape 6-12
Strategic Approach 13-16
Bring Your Own Device (BYOD) 17-19
Technology and Vendor Considerations 20-22
Key Takeaways 23-24
Appendix 25-29
Problem statement
Summary observations from the security assessments related to mobile devices:
• Lack of appropriate policies/guidance and procedures related to the use of mobile devices (e.g., PDAs, tablets, etc.).
• Proliferation of mobile devices with access to networks and applications, and no capability to track or inventory them.
• Increased risk of unauthorized exposure of sensitive information through mobile devices (e.g., patient information, proprietary research data, etc.), resulting in adverse impacts to UTS and the institutions, such as financial penalties, legal implications and a damaged public image.
Background
The mobility landscape
Mobile computing has been growing at a staggering rate across all age groups, income groups, industries, geographies and cultures, and is widely expected to continue its exponential growth over the next five years.
Current mobile landscape (1):
• Mobile cellular subscriptions surpassed 5B in 2010 (Gartner)
• 83% of the US population owns cellphones; 35% of these are smartphones (Pew Research)
• More than 410M smartphone devices have been sold globally so far (Forrester)
• Nearly 18M tablets were sold in 2010 (IDC)
Expected growth (1):
• Approximately 470M smartphones will be sold globally in 2011 (IDC)
• Approximately 980M smartphones will be sold globally in 2016 (IMS)
• By 2015, global mobile data traffic volume will be approximately 25 times the 2010 volume (FCC)
• Tablets will reach one-third of US adults by 2015 (Forrester)
• Tablet unit sales to total around 54.8M in 2011 and top 208M in 2014 (Gartner)
Mobility and mobility services are not only gaining ground among consumers but also among enterprises.
(1) Note: please refer to the Appendix for statistic references.
Adoption of mobility trends
At a high level, entities go through three stages of adoption for mobility. Though mobility offers a wide range of products and services, it has its own set of security vulnerabilities due to the changing threat landscape.
[Figure: business impact / number of mobile apps rising across Stage 1, Stage 2 and Stage 3]
Stage 1: Mobile Veneer
• Mobile access to existing apps
• No mobile app development
• Result: poor user experience (UX) and negligible productivity, customer satisfaction or revenue gains
Stage 2: Mobilize Existing Applications
• Develop new graphical user interfaces (GUIs) on top of existing business logic
• Result: acceptable UX and noticeable productivity, CRM and revenue gains
Stage 3: Mobility-Centric Innovation
• Develop completely new apps that leverage mobility benefits
• Result: user-centered UX and new productivity, CRM and revenue opportunities
Mobile ecosystem and risk landscape
Mobile security: Threat overlay on mobility ecosystem
Mobility risk categories
Enabling mobility is a balance of technology, return on investment and risk. These need to be aligned with business needs and strategies. When considering developing mobile solutions, or fine-tuning an existing solution, it is necessary to gain an understanding of the risks associated with mobility. These risks fall into four main categories:
1. Operational
2. Technology & Data Protection
3. Legal & Regulatory
4. Infrastructure & Device
What makes mobile devices valuable from a business perspective (portability, usability and connectivity to the internet and corporate infrastructure) also presents significant risk.
New risks have been introduced at the device, application and infrastructure levels, requiring changes in corporate security policy and strategy.
1. Operational
Mobility poses unique risks, and existing security and IT support resources and infrastructure cannot be extended to cover mobile devices and applications without significant investment in developing new skills, technical capabilities and operational processes and in deploying a ‘mobility infrastructure’.
A. Executives, users and customers are driving mobility decisions; operational risk considerations are not driving mobile security strategy
B. Security controls can negatively impact usability, causing friction with employees and slowing adoption
C. Increasing support demands may in turn outpace resource skill sets and technical capabilities
D. Varied mobile OS implementations make it difficult to deploy a single security solution
E. Existing operational processes may not be efficiently designed or “mobile-ready”, which can hinder expected productivity
In one Deloitte case study, implementation of significant security controls led to 20% of the company’s mobile device users voluntarily opting out of the corporate program; however, it is unlikely those users stopped using a mobile device.
2. Technology and data protection
Mobile devices are valuable from a business perspective due to internet connectivity, access to corporate infrastructure and mobile/cloud-based applications. These benefits also result in greater potential exposure for the enterprise, with risks introduced at the device, application and infrastructure levels.
A. End users may have the ability to modify device security parameters, thus weakening the security controls
B. Devices and memory cards are not encrypted by default or configured appropriately, leading to potential data leakage/loss
C. With the use of cloud-based applications, data protection becomes increasingly complex
D. Many organizations are not able to enforce mobile OS patching and updating, which may result in vulnerable devices
E. Users often install unapproved applications or applications containing malware, which poses information security risks
As an example, 58 malicious apps were uploaded to an app store and then downloaded to around 260,000 devices before the app store pulled the apps.
3. Legal and regulatory
Security requirements may be complex, particularly if the organization operates in regulated industries. Employment labor laws, HIPAA requirements, privacy requirements, e-discovery requirements, etc., may impact the overall mobile strategy.
A. Employees using corporate devices for personal purposes, and vice versa, may give rise to significant data privacy issues
B. The “bring your own device” trend raises ethical and legal questions around monitoring, device wiping, etc., upon employee termination
C. Corporate usage of mobile devices by hourly employees can/will raise concerns around overtime labor law considerations
D. Regulatory requirements to address e-discovery, monitoring, data archiving, etc., can be complex and difficult to implement
E. Data ownership and liability for corporate- and employee-owned devices used for business purposes is yet to be determined
Under the Massachusetts data protection law (MA 201), responsibilities for protecting information on employee-owned devices used to access company resources may apply equally to the enterprise and the individual.
4. Infrastructure and device
The diversity of device options and underlying operating system/application platforms introduces a myriad of security risks and challenges.
A. Mobile device attacks and varying attack vectors increase the overall risk exposure (extending the enterprise risk profile)
B. Multiple choices in devices, OS platforms, apps, etc., require companies to employ diverse technologies, expanding the attack surface
C. Third-party apps installed on corporate devices may contain vulnerabilities caused by developer mistakes or re-packaged malware
D. Securing mobile transmissions and channels is complex given the varied protocol landscape and the newer communication channels
E. Mobile devices are easily lost or stolen in comparison with other IT assets (e.g., laptops), and remote wipe efforts frequently fail
According to a recent survey, 36% of consumers in the US have either lost their mobile phone or had it stolen.
Strategic approach
Strategies for tackling mobile risks: defining a mobile security approach
After gaining an understanding of the key risks that affect your business, the next step is determining and defining your approach to a mobile security solution deployment. When determining the right approach, it is important to understand your specific use cases and incorporate your key business drivers and objectives.
Example controls:
Data centric
• Minimal device data footprint
• Communications encryption
• Virtualization
• Data integrity
Device centric
• Mobile device management (MDM)
• Strict device policy enforcement
• Local data encryption
• Secure containers/partitions
Application centric
• Developer training
• System development life cycle
• Primary or multi-platform IDE
• Application distribution & maintenance
Key decision points that drive strategy and the resulting architecture
Deployment decisions:
• Manage Security In-House vs. Outsource Security
• 3rd Party Tools vs. Native Platform Tools
• Application Management vs. Application Guidance
• Full Data Access vs. Restricted Data Access
• Bring-Your-Own vs. Corporate Provided
Mobility reference architecture
[Figure: reference architecture diagram. The recoverable labels are listed below, grouped under the layer names shown on the diagram.]
Business Strategy: Strategy Development; Business Analysis (Opportunity ID, Business Case); Mobile Enablement Strategy/Roadmap; Mobility Readiness Assessment; End-to-end Network Design; Industry Regulatory/Compliance/Security Analysis
App Concept to Development: Applications Development (Design, Implement, Test); Mobile Solution Architecture; Creative/UX/UI Design; Native Development (Objective C (iOS), Java); Cross-Platform Dev (Sybase SUP, HTML5, Adobe)
Enterprise Integration: Mobile Middleware; Integration; Data Mgmt; Enterprise Systems Integration (ERP, Web/Ecommerce and Legacy Systems); Reporting/BI/DW Enablement; Mobile Analytics Feedback; Cloud and Social
Mobility Infrastructure: Deployment, Distribution, Management, Operations; Mobile Device Management; Enterprise App Store; Support Readiness; Operational/Organizational Readiness; Product Mgmt Enablement; IT Governance
Security, Privacy & Compliance: Mobile application security; Mobile security policy and governance; Mobile security strategy and architecture; Mobile device and operations security
Note: Products listed for the above technology product vendors are their respective property.
Bring Your Own Device (BYOD)
BYOD considerations
Employees increasingly want to use their favorite mobile device for personal and business use. They want to store personal data and install games on devices they are also using to access enterprise applications and data.
If employees purchase their own device and plan, this can reduce telecom costs; however, it creates several business challenges and security risks.
Key considerations:
• Bearing of device costs and associated usage fees
• Support considerations associated with highly differentiated OSs, platforms, hardware/devices, apps, etc.
• Employee usage monitoring and device oversight
• Legal, regulatory and privacy risk mitigation associated with corporate data made available on mobile devices
• IT staffing and skill set requirements to support corporate-issued and/or employee-owned devices
Bring-Your-Own vs. Corporate Provided
Bring Your Own
PROS
• Device and possibly line costs incurred by employee
• Meets user desire to choose the device they like most, have a single phone number, etc.
• Addresses increased demand by employees to connect personal devices to corporate networks
CONS
• Limited device oversight and control
• Increased challenges with enforcing legal and regulatory requirements
• Device and data ownership questions
• Requires support for diverse platforms, OSes, devices; may negatively impact app strategy
• Varied device service fees, lack of purchasing leverage (when chargeback/subsidies allowed)
Corporate Provided
PROS
• Tighter device oversight and control, more heterogeneous device environment (app strategy)
• Streamlining devices, platforms and OSes simplifies IT support
• Direct relationship with carrier may be advantageous from a monitoring and security perspective
• Device costs and service fees negotiated with service providers; increased purchasing power
CONS
• Cost of providing devices and service fees
• High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
• May require potential increase in IT support staffing and skill set requirements
• Privacy considerations with monitoring of employee usage and activity, etc.
Technology and vendor considerations
Mobile device and app management
Exchange ActiveSync (EAS)
Key features:
• Over-the-air sync on mobile devices to existing Exchange Server infrastructure for email, contacts, calendar data, and more
• Basic device management capabilities, including allowing/blocking devices and enforcing password requirements
• EAS is a native tool included with Microsoft Exchange Server. If an organization has an existing Exchange infrastructure, it has access to EAS and its capabilities
Example vendors: Microsoft
Mobile Device Management (MDM)
Key features:
• Secure enrollment of mobile devices to be managed
• Wireless configuration and updating of device settings
• Monitoring and enforcing compliance with corporate policies
Example vendors: Good Technology, MobileIron, AirWatch, Zenprise, many others
Mobile Application Management (MAM)
Key features:
• Secure mobile application distribution
• Monitoring and enforcing compliance with app policies
• Reporting on approved/rogue apps
Example vendors: Apperian, Appcelerator, App47, Nukona, Mocana, MobileIron*, AirWatch*, Zenprise*
* MAM functionality included with primary MDM offering
Note: Products listed for the above technology product vendors are their respective property.
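As an added illustration, not taken from the deck or from any vendor listed above, the following Python posture check applies the kinds of rules the EAS and MDM rows describe (allow/block devices, enforce password requirements, track OS patch level, report rogue apps) and tags each finding with the technology and data protection risk items (2A to 2E) from the earlier slide. The policy thresholds, platform version floors, app identifiers and device records are all constructed for the example.

```python
"""Device posture check modelled on the MDM/EAS controls the deck lists:
allow/block devices, enforce password requirements, track OS patch level
and flag unapproved apps. All policy values and device records below are
constructed for illustration; they are not from any vendor product."""
from dataclasses import dataclass, field
from datetime import date

# Constructed policy: minimum OS per platform, passcode and encryption rules.
POLICY = {
    "min_os": {"ios": "5.1", "android": "4.0.3"},
    "min_passcode_len": 6,
    "require_encryption": True,
    "max_checkin_days": 7,
    "approved_apps": {"com.example.mail", "com.example.calendar"},
}


@dataclass
class Device:
    """One inventory record as an MDM agent might report it (constructed)."""
    device_id: str
    platform: str
    os_version: str
    encrypted: bool
    passcode_len: int
    jailbroken: bool
    apps: set = field(default_factory=set)
    last_checkin: date = date(2012, 4, 27)


def parse_version(v):
    """'4.0.3' -> (4, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def evaluate(dev, policy=POLICY, today=date(2012, 4, 27)):
    """Return (decision, findings) for one device.
    Risk tags refer to the deck's category 2 items (A..E) and item 1D."""
    findings = []
    if dev.jailbroken:
        findings.append(("2A", "security parameters modified (jailbroken/rooted)"))
    if policy["require_encryption"] and not dev.encrypted:
        findings.append(("2B", "device storage not encrypted"))
    if dev.passcode_len < policy["min_passcode_len"]:
        findings.append(("2B", f"passcode shorter than {policy['min_passcode_len']}"))
    min_os = policy["min_os"].get(dev.platform)
    if min_os is None:
        findings.append(("1D", f"unsupported platform {dev.platform}"))
    elif parse_version(dev.os_version) < parse_version(min_os):
        findings.append(("2D", f"OS {dev.os_version} below minimum {min_os}"))
    rogue = sorted(dev.apps - policy["approved_apps"])
    if rogue:
        findings.append(("2E", "unapproved apps: " + ", ".join(rogue)))
    if (today - dev.last_checkin).days > policy["max_checkin_days"]:
        findings.append(("OPS", "device has not checked in; inventory stale"))
    # Block when the control base itself is untrusted; otherwise quarantine
    # (corporate access withheld until remediated) or allow.
    hard = {"2A", "1D"}
    if any(tag in hard for tag, _ in findings):
        return "block", findings
    return ("quarantine" if findings else "allow"), findings
```

Each finding carries the risk tag so a report can be rolled up per category, which is the inventory visibility the problem statement says was missing.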
Secure containers and mobile virtualization
Secure Container Solutions
Key features:
• Secure area on device for housing enterprise data and applications
• Container content is encrypted and separated from the rest of the device
• Allows more granular control of enterprise data (e.g., remote wipe of the container only)
Example vendors: Good Technology, Sky Technology
Mobile Virtualization
Key features:
• Allows multiple mobile operating systems to run simultaneously on a single device
• Personal and corporate content is separated, with each running in its own virtual device
Example vendors: VMWare, Open Kernel Labs, Red Bend Software
Note: Products listed for the above technology product vendors are their respective property.
Key takeaways
Taking an organization- and user-centric approach: what are early adopters doing?
1. Understand the specific mobility use cases
2. Understand key mobility risks that affect the organization and its constituents
3. Incorporate key business drivers and objectives
4. Implement security controls through both policy and technology
5. Enable, not disable, adoption of new innovations (it’s not stopping here…)
[Figure: process flow: Define Mobile Security Requirements -> Architect & Design -> Technology Acquisition & Deployment]
Appendix
Appendix A: References
Current mobile landscape
• Mobile cellular subscriptions surpassed 5B in 2010 (Gartner): http://my.gartner.com/resources/213800/213866/mobile_and_contextaware_bran_213866.pdf?li=1
• 83% of US population owns cellphones; 35% of these are smartphones (Pew Research): http://pewresearch.org/pubs/2054/smartphone-ownership-demographics-iphone-blackberry-android
• More than 275 million iPhones and BlackBerrys and 135 million Android devices have been sold globally (Forrester): http://www.forrester.com/rb/Research/global_mainstreaming_of_smartphones/q/id/60762/t/2
• Nearly 18 million tablets were sold in 2010 (IDC): http://www.engadget.com/2011/03/10/idc-18-million-tablets-12-million-e-readers-shipped-in-2010/
Expected growth
• Approximately 470M smartphones will be sold globally in 2011 (IDC): http://www.idc.com/getdoc.jsp?containerId=prUS22871611
• Approximately 980M smartphones will be sold globally in 2016 (IMS): http://news.softpedia.com/news/One-Billion-Smartphones-a-Year-by-2016-IMS-Research-Says-213740.shtml
• By 2015, global mobile data traffic volume will be approximately 25 times 2010 volume (FCC): http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/VNI_Hyperconnectivity_WP.html
• Tablets will reach one-third of US adults by 2015 (Gartner): http://www.forrester.com/rb/Research/why_tablet_commerce_may_soon_trump_mobile/q/id/59096/t/2
• Tablet unit sales to total around 54.8 million next year and top 208 million in 2014 (Gartner): http://my.gartner.com/portal/server.pt?open=512&objID=260&mode=2&PageID=3460702&resId=1451714&ref=QuickSearch&sthkw=milanesi
Other
• MA 201: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
• Lost phone survey: http://www.symantec.com/about/news/release/article.jsp?prid=20110208_01
How Deloitte can help
Deloitte can assist you in creating a secure delivery framework for your mobility initiatives from inception to ongoing operation. We can help you set the proper risk balance between control, efficiency and user experience. Our security- and privacy-specific services include:
Deloitte’s mobility security services
• Mobile security strategy & architecture
• Mobile security risk assessment
• Mobile infrastructure security
• Mobile application security testing
• Mobile security policy management
• Incident investigation & response
• Mobile device & operations security
• Secure SDLC for mobile applications
• Mobile security training & awareness
• Mobile device forensics
We also leverage the resources of the Deloitte Center for Security & Privacy Solutions, which conducts original research and develops substantive points of view to help executives make sense of and profit from emerging opportunities on the edge of business and technology.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Member of Deloitte Touche Tohmatsu Limited