Uniqueness of Mobile…

Mobile Devices are Used in More Locations
Smartphones and tablets are frequently used in challenging wireless situations that contrast with laptop-friendly remote access centers. Laptops are used in a limited number of trusted locations.

Mobile Devices are Shared More Often
Smartphones and tablets are multi-purpose personal devices. Therefore, users share them with friends and family more often than traditional computing devices – laptops and desktops. Social norms on privacy are different when accessing file systems vs. mobile apps.

Mobile Devices Prioritize User Experience
Smartphones and tablets place a premium on user experience, and any security protocol that diminishes the experience will not be adopted or will be circumvented. Workstation-level security cannot be assumed unless they are dedicated devices.

Mobile Devices Have Multiple Personas
Smartphones and tablets may have multiple personas – entertainment device, work tool, etc. Each persona is used in a different context. Users may want to employ a different security model for each persona without affecting another.

Mobile Devices are Diverse
Smartphones and tablets employ a variety of different platforms and have numerous applications aimed at pushing the boundaries of collaboration. The standard interaction paradigms used on laptops and desktops cannot be assumed.
Market Sweet Spot: Enterprise Mobile Security

Segments: Enterprise Mobile Security, Consumer Mobile Security, CSPs

Enterprises: Empower mobile employees to attain greater productivity, agility and responsiveness but mitigate operational risk
• Multifaceted requirements
• Need to be proactive

Consumers: Leverage mobility for social engagement, ease of access, and entertainment but avoid losing the device or sacrificing user experience and privacy
• Main requirement: Threat Protection (i.e. anti-malware)

Communication Service Providers (CSPs): Deliver value-added differentiating services to meet the mobile security requirements of Enterprises and Consumers
• Top offerings: MDM, Threat Protection, IAM
Built In vs. Bolted On: iOS vs. Android

Application Sandbox
  Apple iOS: Yes
  Google Android: Yes, but not as strictly enforced
Updates
  Apple iOS: Pushed directly to devices. Enterprises can acquire an MDM server to push updates.
  Google Android: Carriers or device manufacturers are required to push updates
Application delivery
  Apple iOS: Apple App Store only – applications need to be approved.
  Google Android: No app store requirement; third-party app stores exist
OS Enforcement
  Apple iOS: OS enforces performance requirements on running apps
  Google Android: OS does not enforce performance requirements
User Identity
  Apple iOS: Apple ID for apps
  Google Android: Gmail ID

Differences in Security Management Features
• Apple provides a standard set of management APIs for iOS, eliminating differentiation among device management providers
• Today, Google relies on the Android ecosystem to deliver device management capabilities

Variance in Security Models
• Apple secures iOS by process and design, which up until now has reduced its exposure to attacks and threats
• CISOs must trust Apple – Apple is the first and last line of defense
• Today, Android is the main market for mobile device security given its relatively loose security model, but it offers IT the most control (fragmentation has inadvertently prevented spreading of malware)
• Security vendors target Android first and then release iOS support
Mobile Security Challenges Faced by Enterprises

Achieving Data Separation & Providing Data Protection
• Data separation: personal vs. corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies

Adapting to the BYOD/Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection

Providing Secure Access to Enterprise Applications & Data
• Identity of users and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity

Developing Secure Applications
• Application life-cycle
• Vulnerability & Penetration testing
• Application Management
• Application policies

Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting
Customer Scenarios

Business Need: Protect Data & Applications on the Device
• Prevent Loss or Leakage of Enterprise Data
  – Wipe
  – Local Data Encryption
• Protect Access to the Device
  – Device lock
• Mitigate exposure to vulnerabilities
  – Anti-malware
  – Push updates
  – Detect jailbreak
  – Detect non-compliance
• Protect Access to Apps
  – App disable
  – User authentication
• Enforce Corporate Policies

Business Need: Protect Enterprise Systems & Deliver Secure Access
• Provide secure access to enterprise systems
  – VPN
• Prevent unauthorized access to enterprise systems
  – Identity
  – Certificate management
  – Authentication
  – Authorization
  – Audit
• Protect users from Internet-borne threats
  – Threat protection
• Enforce Corporate Policies
  – Anomaly Detection
  – Security challenges for access to sensitive data

Business Need: Build, Test and Run Secure Mobile Apps
• Enforce Corporate Development Best Practices
  – Development tools enforcing security policies
• Testing mobile apps for exposure to threats
  – Penetration Testing
  – Vulnerability Testing
• Provide Offline Access
  – Encrypted Local Storage of Credentials
• Deliver mobile apps securely
  – Enterprise App Store
• Prevent usage of compromised apps
  – Detect and disable compromised apps
Mobile Security a Market View: A spectrum of capabilities

Capability areas shown: Data, Network & Access Security; App/Test Development; Mobile Device Management
Device Platforms: 30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc.
Platform Extension, OS/Application Layer (optional): i.e. Application Container (Sandboxing), Virtualization
Mobile Applications: i.e. Native, Hybrid, Web Application

Mobile Device Management
• Acquire/Deploy
  – Register
  – Activation
  – Content Mgmt
• Manage/Monitor
• Self Service
• Reporting
• Retire
• De-provision

Secure Mobile Application Development
• Vulnerability testing
• Mobile app testing
• Enforced by tools
• Enterprise policies

Mobile Device Security Management
• Device wipe & lockdown
• Password Management
• Configuration Policy
• Compliance

Mobile Information Protection
• Data encryption (device, file & app)
• Mobile data loss prevention

Mobile Threat Management
• Anti-malware
• Anti-spyware
• Anti-spam
• Firewall/IPS
• Web filtering
• Web Reputation

Mobile Network Protection
• Secure Communications (VPN)
• Edge Protection

Mobile Identity & Access Management
• Identity Management
• Authorize & Authenticate
• Certificate Management
• Multi-factor

Mobile Security Intelligence

Mobile devices are not only computing platforms but also communication devices; hence mobile security is multi-faceted, driven by customers’ operational priorities.
Enterprise Use Case: Security from Device to Web Apps

[Diagram] Three pillars: Secure endpoint device and data; Secure access to enterprise applications and data; Develop, test and deliver safe applications. Elements shown: Mobile apps, WiFi, Telecom Provider, Internet, Web sites, Mobile Security Gateway, Corporate Intranet. Security functions labelled: User authentication, Secure connectivity, Web Threat Protection.
End User Scenario and Focus Questions

[Diagram] My SmartPhone (iOS, Android, Windows Phone or “the next cool device”) hosting: Angry Birds, My Personal Emails, My Corporate Emails, Enterprise App 1 (Sourced Internally), Enterprise App 2 (Sourced Internally), Enterprise App (Sourced From 3rd Party), My Citibank App

• Security Issues
  – Who owns the security policies for the device or the application?
  – How do we make the security appropriate to the application (family?) that I want to access?
  – Device management and data protection
    • How do I keep corporate data separate from personal data?
    • When I lose the device, how can I partially wipe the (corporate) data?
    • Where is the data stored (centrally, or by app), and is the data encrypted?
  – Access management
    • How do I authenticate for the enterprise apps? How do I authenticate for the Citibank app?
    • I want to be able to play Angry Birds without my company or Citibank authentication of the device
    • How do I utilize the new features of smartphones like touch screen and camera for greater usability?
  – Threat management
    • What happens when I install an app that contains a virus or Trojan horse?
  – VPN
    • How do I connect securely to the enterprise (VPN)?
  – Secure app development
    • How do I figure out if an application is vulnerable before installing? Or prevent malicious code exploits?
Strong Authentication Scenarios
• Passphrase
• Biometric
• Biometric + Risk factor (device fingerprint, location, time, etc.)
• Passphrase + Risk factor (device fingerprint, location, time, etc.)
• Soft token Auth
• One-time passcode (OTP)
Secure Access using Biometrics – Why?
• Increasing security while hugely simplifying access
• Making mobile access completely hands-free
• Verify the user with face and voice
Biometrics Enrollment
• Multiple images/voice prints of the user will be enrolled, under supervision, with the data being stored on a server. This can be done through the smartphone, or through photographs/voice prints of the subject taken using other means.
• Face enrollment can be done through multiple images captured using the camera.
• The enrollment data will be sent via a web server to the server.

Biometrics Verification
• The client (mobile device) will make a call to a server API using a web service (REST or SOAP) API, sending an image/voice print of the subject along with the user ID.
• The server will calculate the confidence that the face in the image/voice print belongs to the user, and base further action on that confidence.
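As an added example that is not part of the deck, the server-side "further action" step from the verification slide combined with the "Biometric + Risk factor" scenario from the strong-authentication slide, in Python: the match confidence is weighed against device fingerprint, location and time, and the outcome is allow, step-up to a passphrase/OTP, or deny. The enrollment record, the cosine matcher, the thresholds and the risk weights are all constructed stand-ins, not a real face/voice model or any vendor's API.

```python
import math
from dataclasses import dataclass

@dataclass
class Enrollment:
    user_id: str
    templates: list        # feature vectors from the supervised enrollment captures
    known_devices: set     # device fingerprints seen at enrollment or earlier logins
    usual_countries: set   # locations considered normal for this user

def enroll(user_id, captures, device_fp, country, min_captures=2):
    """Enrollment calls for multiple images/voice prints, so reject a single capture."""
    if len(captures) < min_captures:
        raise ValueError("enrollment needs multiple captures")
    return Enrollment(user_id, list(captures), {device_fp}, {country})

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

def match_confidence(enrollment, probe):
    """Stand-in matcher (assumption, not a real face/voice model): best similarity, 0..1."""
    return max(cosine(t, probe) for t in enrollment.templates)

def risk_score(enrollment, device_fp, country, hour):
    """Risk factors named on the strong-authentication slide: device, location, time."""
    risk = 0
    if device_fp not in enrollment.known_devices:
        risk += 2          # unknown device is the strongest signal
    if country not in enrollment.usual_countries:
        risk += 2
    if hour < 6 or hour >= 22:
        risk += 1          # off-hours access
    return risk

REJECT_BELOW = 0.80                     # below this the biometric does not match at all
REQUIRED_BY_RISK = {0: 0.90, 1: 0.93}   # risk >= 2 always demands a second factor

def verify(enrollment, probe, device_fp, country, hour):
    """Return 'allow', 'step_up_otp' (ask for passphrase/OTP) or 'deny'."""
    conf = match_confidence(enrollment, probe)
    if conf < REJECT_BELOW:
        return "deny"                   # a mismatch never degrades into a step-up prompt
    risk = risk_score(enrollment, device_fp, country, hour)
    if risk >= 2 or conf < REQUIRED_BY_RISK[risk]:
        return "step_up_otp"
    return "allow"

# Constructed enrollment: two tiny "face vectors" captured under supervision.
ENROLLED = enroll("alice", [[3, 4, 0], [0, 4, 3]], "dev-A", "US")
```

The ordering matters: a biometric mismatch is rejected before risk is consulted, so a high-risk context can only raise the bar or force a second factor, never turn a failed match into a weaker prompt.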