Mobile Security (ibm.com)

Uniqueness of Mobile

Mobile Devices are Used in More Locations
Smartphones and tablets are frequently used in challenging wireless situations that contrast with laptop-friendly remote access centers. Laptops are used in a limited number of trusted locations.

Mobile Devices are Shared More Often
Smartphones and tablets are multi-purpose personal devices. Therefore, users share them with friends and family more often than traditional computing devices (laptops and desktops). Social norms on privacy are different when accessing file systems vs. mobile apps.

Mobile Devices Prioritize User Experience
Smartphones and tablets place a premium on user experience, and any security protocol that diminishes the experience will not be adopted or will be circumvented. Workstation-level security cannot be assumed unless they are dedicated devices.

Mobile Devices Have Multiple Personas
Smartphones and tablets may have multiple personas (entertainment device, work tool, etc.). Each persona is used in a different context. Users may want to employ a different security model for each persona without affecting another.

Mobile Devices are Diverse
Smartphones and tablets employ a variety of different platforms and have numerous applications aimed at pushing the boundaries of collaboration. The standard interaction paradigms used on laptops and desktops cannot be assumed.

Market Sweet Spot: Enterprise Mobile Security

Three market segments: Enterprise Mobile Security, Consumer Mobile Security, and CSPs.

• Enterprises: Empower mobile employees to attain greater productivity, agility and responsiveness but mitigate operational risk
  – Multifaceted requirements
  – Need to be proactive
• Consumers: Leverage mobility for social engagement, ease of access, and entertainment but avoid losing the device or sacrificing user experience and privacy
  – Main requirement: Threat Protection (i.e. anti-malware)
• Communication Service Providers (CSPs): Deliver value-added differentiating services to meet the mobile security requirements of Enterprises and Consumers
  – Top offerings: MDM, Threat Protection, IAM

Built In vs. Bolted On: iOS vs. Android

Application Sandbox
  Apple iOS: Yes
  Google Android: Yes, but not as strictly enforced
Updates
  Apple iOS: Pushed directly to devices. Enterprises can acquire an MDM server to push updates.
  Google Android: Carriers or device manufacturers are required to push updates.
Application delivery
  Apple iOS: Apple App Store only; applications need to be approved.
  Google Android: No app store requirement; third-party app stores exist.
OS Enforcement
  Apple iOS: OS enforces performance requirements on running apps.
  Google Android: OS does not enforce performance requirements.
User Identity
  Apple iOS: Apple ID for apps
  Google Android: Gmail ID

Differences in Security Management Features
  • Apple provides a standard set of management APIs for iOS, eliminating differentiation among device management providers.
  • Today, Google relies on the Android ecosystem to deliver device management capabilities.

Variance in Security Models
  • Apple secures iOS by process and design, which up until now has reduced its exposure to attacks and threats. CISOs must trust Apple: Apple is the first and last line of defense.
  • Today, Android is the main market for mobile device security given its relatively loose security model, but it offers IT the most control (fragmentation has inadvertently prevented the spreading of malware).
  • Security vendors target Android first and then release iOS support.

Mobile Security Challenges Faced by Enterprises

Achieving Data Separation & Providing Data Protection
  • Data separation: personal vs. corporate
  • Data leakage into and out of the enterprise
  • Partial wipe vs. device wipe vs. legally defensible wipe
  • Data policies

Adapting to the BYOD / Consumerization of IT Trend
  • Multiple device platforms and variants
  • Multiple providers
  • Managed devices (B2E)
  • Unmanaged devices (B2B, B2E, B2C)
  • Endpoint policies
  • Threat protection

Providing Secure Access to Enterprise Applications & Data
  • Identity of users and devices
  • Authentication, Authorization and Federation
  • User policies
  • Secure Connectivity

Developing Secure Applications
  • Application life-cycle
  • Vulnerability & Penetration testing
  • Application Management
  • Application policies

Designing & Instituting an Adaptive Security Posture
  • Policy Management: Location, Geo, Roles, Response, Time policies
  • Security Intelligence
  • Reporting

Customer Scenarios

Business Need: Protect Data & Applications on the Device
  • Prevent Loss or Leakage of Enterprise Data
    – Wipe
    – Local Data Encryption
  • Protect Access to the Device
    – Device lock
  • Mitigate exposure to vulnerabilities
    – Anti-malware
    – Push updates
    – Detect jailbreak
    – Detect non-compliance
  • Protect Access to Apps
    – App disable
    – User authentication
  • Enforce Corporate Policies

Business Need: Protect Enterprise Systems & Deliver Secure Access
  • Provide secure access to enterprise systems
    – VPN
  • Prevent unauthorized access to enterprise systems
    – Identity
    – Certificate management
    – Authentication
    – Authorization
    – Audit
  • Protect users from Internet-borne threats
    – Threat protection
  • Enforce Corporate Policies
    – Anomaly Detection
    – Security challenges for access to sensitive data

Business Need: Build, Test and Run Secure Mobile Apps
  • Enforce Corporate Development Best Practices
    – Development tools enforcing security policies
  • Testing mobile apps for exposure to threats
    – Penetration Testing
    – Vulnerability Testing
  • Provide Offline Access
    – Encrypted Local Storage of Credentials
  • Deliver mobile apps securely
    – Enterprise App Store
  • Prevent usage of compromised apps
    – Detect and disable compromised apps

Mobile Security, a Market View: A Spectrum of Capabilities

The deck lays out the stack in three columns: App/Test Development, Mobile Device Management, and Data, Network & Access Security.

Device Platforms: 30 device manufacturers, 10 operating platforms (i.e. iOS, Android, Windows Mobile, Symbian, etc.)

Platform Extension, OS/Application Layer (optional): i.e. Application Container (Sandboxing), Virtualization

Mobile Applications: i.e. Native, Hybrid, Web Application

Mobile Device Management
  • Acquire/Deploy
    – Register
    – Activation
    – Content Mgmt
  • Manage/Monitor
  • Self Service
  • Reporting
  • Retire
  • De-provision

Secure Mobile Application Development
  • Vulnerability testing
  • Mobile app testing
  • Enforced by tools
  • Enterprise policies

Data, Network & Access Security
  • Mobile Device Security Management: Device wipe & lockdown, Password Management, Configuration Policy, Compliance
  • Mobile Information Protection: Data encryption (device, file & app), Mobile data loss prevention
  • Mobile Threat Management: Anti-malware, Anti-spyware, Anti-spam, Firewall/IPS, Web filtering, Web Reputation
  • Mobile Network Protection: Secure Communications (VPN), Edge Protection
  • Mobile Identity & Access Management: Identity Management, Authorize & Authenticate, Certificate Management, Multi-factor
  • Mobile Security Intelligence

Mobile devices are not only computing platforms but also communication devices; hence mobile security is multi-faceted, driven by customers' operational priorities.

Enterprise Use Case: Security from Device to Web Apps

[Diagram: the mobile device reaches web sites and mobile apps over the Internet, WiFi or a Telecom Provider, and reaches the Corporate Intranet through a Mobile Security Gateway that provides user authentication, secure connectivity and web threat protection.]

Three concerns span that path:
  • Secure endpoint device and data
  • Secure access to enterprise applications and data
  • Develop, test and deliver safe applications

End User Scenario and Focus Questions

[Diagram: My SmartPhone (iOS, Android, Windows Phone or "the next cool device") running Angry Birds, My Personal Emails, My Corporate Emails, Enterprise App 1 (Sourced Internally), Enterprise App 2 (Sourced Internally), Enterprise App (Sourced From 3rd Party) and My Citibank App.]

• Security Issues
  – Who owns the security policies for the device or the application?
  – How do we make the security appropriate to the application (family?) that I want to access?
  – Device management and data protection
    • How do I keep corporate data separate from personal data?
    • When I lose the device, how can I partially wipe the (corporate) data?
    • Where is the data stored (centrally, or by app), and is the data encrypted?
  – Access management
    • How do I authenticate for the enterprise apps? How do I authenticate for the Citibank app?
    • I want to be able to play Angry Birds without my company or Citibank authentication of the device
    • How do I utilize the new features of smart phones like touch screen and camera for greater usability?
  – Threat management
    • What happens when I install an app that contains a virus or Trojan horse?
  – VPN
    • How do I connect securely to the enterprise (VPN)?
  – Secure app development
    • How do I figure out if an application is vulnerable before installing? Or prevent malicious code exploits?

Strong Authentication Scenarios
  • Passphrase
  • Biometric
  • Biometric + Risk factor (device fingerprint, location, time, etc.)
  • Passphrase + Risk factor (device fingerprint, location, time, etc.)
  • Soft token authentication
  • One-time passcode (OTP)

Secure Access Using Biometrics: Why?
  • Increasing security while hugely simplifying access
  • Making mobile access completely hands-free
  • Verifying the user with face and voice

Biometrics Enrollment
  • Multiple images/voice prints of the user will be enrolled, under supervision, with the data being stored on a server. This can be done through the smartphone, or through photographs/voice prints of the subject taken by other means.
  • Face enrollment can be done through multiple images captured using the camera.
  • The enrollment data will be sent via a web server to the server.

Biometrics Verification
  • The client (mobile device) will call a server API using a web service (REST or SOAP), sending an image/voice print of the subject along with the user ID.
  • The server will calculate the confidence that the face in the image/voice print belongs to the user, and base further action on that confidence.
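As an added example that is not part of the deck, the Python sketch below models the server side of the enrollment and verification steps just described and folds in the "Biometric + Risk factor" option from the Strong Authentication Scenarios list, so that a weak match or a risky context falls back to a one-time passcode instead of a flat allow. The feature vectors standing in for face/voice prints, the JSON request shape, the confidence thresholds and the risk weights are all assumptions; a real deployment would take the probe from a biometric engine rather than a hand-built list.

```python
import math

# Server-side store (assumed shape): user_id -> enrolled templates plus the device
# fingerprint and home region recorded under supervision at enrollment time.
ENROLLED = {}

def enroll(user_id, samples, device_fingerprint, home_region):
    """Enrollment: keep several face/voice templates per user on the server."""
    rec = ENROLLED.setdefault(user_id, {"templates": [], "device": device_fingerprint,
                                        "region": home_region})
    rec["templates"].extend(samples)
    return len(rec["templates"])

def cosine(a, b):
    """Similarity of two feature vectors; a stand-in for a real face/voice matcher."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def confidence(user_id, probe):
    """Best match of the probe against every template enrolled for user_id, 0..1."""
    templates = ENROLLED.get(user_id, {"templates": []})["templates"]
    return max((cosine(t, probe) for t in templates), default=0.0)

def risk_score(user_id, ctx):
    """Risk factors named in the deck: unknown device, unusual location, off-hours."""
    rec = ENROLLED.get(user_id)
    if rec is None:
        return 3
    return ((ctx["device_fingerprint"] != rec["device"]) * 2
            + (ctx["region"] != rec["region"]) + (not 7 <= ctx["hour"] < 22))

def verify(request):
    """Handler for the verification call; returns the JSON-able response body."""
    conf = confidence(request["user_id"], request["probe"])
    risk = risk_score(request["user_id"], request["context"])
    if conf < 0.70:                 # thresholds are assumptions; tune per deployment
        action = "deny"
    elif conf >= 0.90 and risk == 0:
        action = "allow"
    else:
        action = "step_up_otp"      # biometric alone is not enough: ask for a one-time passcode
    return {"confidence": round(conf, 3), "risk": risk, "action": action}

def demo():
    """Constructed sample: genuine probe at home, same probe from a strange device, impostor."""
    enroll("alice", [[1.0, 0.2, 0.1], [0.9, 0.3, 0.1]], "dev-A", "US")
    home = {"device_fingerprint": "dev-A", "region": "US", "hour": 10}
    odd = {"device_fingerprint": "dev-Z", "region": "DE", "hour": 3}
    probes = [([0.95, 0.25, 0.1], home), ([0.95, 0.25, 0.1], odd), ([0.1, 0.2, 1.0], home)]
    return [verify({"user_id": "alice", "probe": p, "context": c})["action"] for p, c in probes]
```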

Biometrics Demo