Security Considerations for Mobile Devices
Trent Henry, Research VP, Security & Risk Management

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2012 Gartner, Inc. and/or its affiliates. All rights reserved.

Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.

Small Incidents are Common

Agenda
- What's really new about risks for mobile devices?
- Controls you may put on your list of requirements
- What about user experience?
- How do mobile security architectures compare?
- Why and when would you improve on existing platform security controls?

Gartner for Technical Professionals
What's really new about risks for mobile devices?

Threat Agents
- Malware. Threat type: logical. Coexists with user. Examples: Redsn0w Jailbreak, Android FoncyDropper, ZitMo
- Thief. Threat type: physical. Exclusive access. Example: Plenty in the room
- Evil maid. Threat type: physical. Coexists with user. Examples: Stealing a file system

Old risks, in new context
[Figure: impact/likelihood charts for Thief and Malware, annotated "Expanding use cases and storage capacity" and "Increased popularity"]
It is only a matter of time before the first large data breach concerning a mobile device receives media attention

Impact on Security Architecture
The security risks to information have not changed:
- Malicious software
- Theft/loss of the device
- Eavesdropping
But there are new twists:
- Endpoint ownership
- No dominant operating system or paradigm
- Very short device life cycle
- Immature management and security tools
- Usability and network connectivity

Impact on Security Architecture
Example 1 – No Data on the Device
- Risk Management: No data on device | Controls in the Apps (Container) | Controls on the device
- Management: None | Manage the device (required for certificates), i.e. MDM | Limited (manage container only)
- Connectivity Required: On-line only | Offline
- Application/User Experience: VDI/Web app/App w/ remote data | Resident App (dev/COTS) w/ security | Resident App (dev/COTS) w/o security | Native Apps

Impact on Security Architecture
Example 2 – Data within a Container Only

Impact on Security Architecture
Example 3 – Data on the Device

Controls you may put on your list of requirements

Access Control
Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to device
Consider
- Methods: PIN, password, swipe, face unlock, hardware token, other biometrics
- Policies to enforce: password complexity/history/delay/lock, inactivity timer
- Risks of keyloggers and other spyware
- Limitations facing laboratory attacks that circumvent authentication

Encryption
Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information
Consider
- Encryption and keys in hardware/software
- Keys derived from device and/or passcode?
- What information is encrypted?
- Cache management
- Known weaknesses and third party validations

Application Controls
Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data
Consider
- Application and data isolation
- Signatures
- Key management and encryption APIs
- Management hooks
- Application store controls
- Kill switch: remotely kill an application on all devices

Remote and Local Wipe
Aims to reduce the risk of Thieves by remotely or locally wiping applications and data
Consider
- Full/partial wipe
- Local/remote wipe
- What information and apps are wiped
- The wiping method
- How to confirm completion

What about user experience?

Let's keep sensitive information off the device entirely!
An example: Client Virtualization
- No controls needed on the device
- Connection secured with encryption
- User authenticated prior to access
…But malware, keyloggers, and jailbroken devices may be a problem

Access to Information Secure Time-to-market Manageability Rich and Immersive UX Offline Native Capabilities Portability

Comparison Assessment
*You are responsible for building your own security controls!*

Broader Impact: Network Architecture
Increasing radio spectrum consumption
- An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans)
- S L O W networks are not user-friendly
- Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks
Solutions include
- Selective site survey, mission-critical network design
- Capacity planning, n APs
- Intrusion detection systems, spectrum monitoring
Same goes for WAN and WWAN

How do mobile security architectures compare?
(AKA Know your platforms before adding more stuff)

Android Security
Type: End-user control
Key elements
- Linux process and file isolation
- Permissions based
Concerns:
- Fragmentation of the platform over OEMs
- Encryption support dependent on OEM
- Content providers accessible by default
- Many OSS components and uncurated appstores may lead to malware
- Permissions rely on people's judgment

iOS Security
Type: Walled garden
Key elements:
- Curated Appstore
- Sandboxing
- Hardware encryption, always on
- OTA updates
Concerns:
- Vulnerabilities in OS that lead to jailbreak
- Few mechanisms that limit the access of an app
- Data protection not used by all applications and not validated

BlackBerry Security
Type: Guardian
Key elements
- Best in class mobile management and security
- Data protection capabilities
- No jailbreaks for BB smartphones
Concerns
- AppWorld is vetted but its use not mandated, leading to potential for malware
- Apps may have extensive access, without jailbreak
- Management is critical, e.g. encryption is optional

Application Controls for Various Platforms
Columns: Platform | Application testing | Centralized signing | Application control on the device | Third-party anti-malware products
- BlackBerry: Yes, but applications can be offered outside of App World; Yes, but the requirement to check the signature is configurable; Yes
- iPhone: Yes; Limited to major applications; No
- Windows Phone 6.x: Yes; Yes, but the requirement to check the signature is configurable; Available through third-party products or System Center; Yes
- Windows Phone 7: Yes; Yes, but the requirement to check the signature is configurable; No
- Symbian: Yes; Available through third-party products; Yes
- Android: Limited – some app stores perform testing but apps available outside of app stores; No; Yes

Recommendations

- Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated
- Limit support to handhelds that satisfy minimal security requirements
- Balance UX with security and connectivity
- Users will go around security if you don't have a good UX
- Conduct data analysis to determine what is acceptable on the device and what is not
- Deal with related infrastructure issues: network, authentication, provisioning, …
