Security Considerations for Mobile Devices
Transcript of Security Considerations for Mobile Devices
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2012 Gartner, Inc. and/or its affiliates. All rights reserved.
Trent Henry, Research VP
Security & Risk Management
Security Considerations for Mobile Devices
“Small” Incidents are Common
Agenda
• What’s really new about risks for mobile devices?
• Controls you may put on your list of requirements
• What about user experience?
• How do mobile security architectures compare?
• Why and when would you improve on existing platform security controls?
Gartner for Technical Professionals
What’s really new about risks for mobile devices?
Threat Agents
Malware
Threat type: logical. Coexists with user.
Examples:
• Redsn0w Jailbreak
• Android FoncyDropper
• ZitMo
Thief
Threat type: physical. Exclusive access.
Example:
• Plenty in the room
Evil maid
Threat type: physical. Coexists with user.
Examples:
• Stealing a file system
Old risks, in new context
[Figure: Thief and Malware plotted on Impact vs. Likelihood axes]
It is only a matter of time before the first large data breach concerning a mobile device receives media attention
[Figure: Impact vs. Likelihood axes, with labels “Expanding use cases and storage capacity” and “Increased popularity”]
Impact on Security Architecture
• The security risks to information have not changed:
- Malicious software
- Theft/loss of the device
- Eavesdropping
• But there are new twists:
- Endpoint ownership
- No dominant operating system or paradigm
- Very short device life cycle
- Immature management and security tools
- Usability and network connectivity
Impact on Security Architecture
• Risk Management
- No data on device
- Controls in the apps (container)
- Controls on the device
• Management
- None
- Manage the device (required for certificates), i.e. MDM
- Limited (manage container only)
• Connectivity Required
- On-line only
- Offline
• Application/User Experience
- VDI/Web app/App w/ remote data
- Resident App (dev/COTS) w/ security
- Resident App (dev/COTS) w/o security
- Native Apps
Example 1 – No Data on the Device
Example 2 – Data within a Container Only
Example 3 – Data on the Device
Controls you may put on your list of requirements
Access Control
• Consider
- Methods: PIN, password, swipe, face unlock, hardware token, other biometrics
- Policies to enforce: password complexity/history/delay/lock, inactivity timer
- Risks of keyloggers and other spyware
- Limitations facing laboratory attacks that circumvent authentication
• Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to device
Encryption
• Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information
• Consider
- Encryption and keys in hardware/software
- Keys derived from device and/or passcode?
- What information is encrypted?
- Cache management
- Known weaknesses and third party validations
Application Controls
• Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data
• Consider
- Application and data isolation
- Signatures
- Key management and encryption APIs
- Management hooks
- Application store controls
- Kill switch: remotely kill an application on all devices
Remote and Local Wipe
• Aims to reduce the risk of Thieves by remotely or locally wiping applications and data
• Consider
- Full/partial wipe
- Local/remote wipe
- What information and apps are wiped
- The wiping method
- How to confirm completion
What about user experience?
Let’s keep sensitive information off the device entirely!
An example: Client Virtualization
No controls needed on the device
Connection secured with encryption
User authenticated prior to access
…But malware, keyloggers, and jailbroken devices may be a problem
You gotta be kidding me!
• Access to Information
• Secure
• Time-to-market
• Manageability
• Rich and Immersive UX
• Offline
• Native Capabilities
• Portability
Comparison Assessment
*You are responsible for building your own security controls!
Broader Impact: Network Architecture
• Increasing radio spectrum consumption
- An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans)
- S L O W networks are not user-friendly
- Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks
• Solutions include
- Selective site survey, mission-critical network design
- Capacity planning, 802.11n APs
- Intrusion detection systems, spectrum monitoring
Same goes for WAN and WWAN
How do mobile security architectures compare?
(AKA “Know your platforms before adding more stuff”)
Android Security
• Type: End-user control
• Key elements
- Linux process and file isolation
- Permissions based
• Concerns:
- Fragmentation of the platform over OEMs
- Encryption support dependent on OEM
- Content providers accessible by default
- Many OSS components and uncurated appstores may lead to malware
- Permissions rely on people’s judgment
iOS Security
• Type: Walled garden
• Key elements:
- Curated Appstore
- Sandboxing
- Hardware encryption, always on
- OTA updates
• Concerns:
- Vulnerabilities in OS that lead to jailbreak
- Few mechanisms that limit the access of an app
- Data protection not used by all applications and not validated
BlackBerry Security
• Type: Guardian
• Key elements
- Best in class mobile management and security
- Data protection capabilities
- No jailbreaks for BB smartphones
• Concerns
- AppWorld is vetted but its use not mandated, leading to potential for malware
- Apps may have extensive access, without jailbreak
- Management is critical, e.g. encryption is optional
Application Controls for Various Platforms

| Platform | Application testing | Centralized signing | Application control on the device | Third-party anti-malware products |
|---|---|---|---|---|
| BlackBerry | Yes, but applications can be offered outside of App World | Yes, but the requirement to check the signature is configurable | Yes | Yes |
| iPhone | Yes | Yes | Limited to major applications | No |
| Windows Phone 6.x | Yes | Yes, but the requirement to check the signature is configurable | Available through third-party products or System Center | Yes |
| Windows Phone 7 | Yes | Yes, but the requirement to check the signature is configurable | No | No |
| Symbian | Yes | Yes | Available through third-party products | Yes |
| Android | Limited – some app stores perform testing but apps available outside of app stores | No | No | Yes |
Recommendations
Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated
Limit support to handhelds that satisfy minimal security requirements
Balance UX with security and connectivity
- Users will go around security if you don’t have a good UX
Conduct data analysis to determine what is acceptable on the device and what is not
Deal with related infrastructure issues: network, authentication, provisioning, …
Recommended Gartner Research
Comparing Security Controls for Handheld Devices (Mario de Boer, Eric Maiwald, 22 January 2012)
Decision Point for Mobile Endpoint Security (Eric Maiwald)
Client Virtualization: Reducing Malware and Information Sprawl (Mario de Boer, Dan Blum)
Solution Path: How to Create a Mobile Architecture (Paul Debeasi)
Field Research Summary: Mobility and Security (Eric Maiwald, 26 January 2012)