Gartner - ISSA

Report
Security Considerations for
Mobile Devices
Trent Henry
Research VP
Security & Risk Management
This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole
use of the intended Gartner audience or other authorized recipients. This presentation may contain information that
is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly
displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2012 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner delivers the technology-related
insight necessary for our clients to make
the right decisions, every day.
“Small” Incidents are Common
Agenda
• What’s really new about risks for mobile devices?
• Controls you may put on your list of requirements
• What about user experience?
• How do mobile security architectures compare?
• Why and when would you improve on existing platform
security controls?
What’s really new about risks for
mobile devices?
Gartner for Technical Professionals
Threat Agents
Malware
Thief
Evil maid
Threat type: logical
Threat type: physical
Threat type: physical
Coexists with user
Exclusive access
Coexists with user
Examples:
Example:
Examples:
•
Redsn0w Jailbreak
•
• Stealing a file system
•
Android
FoncyDropper
•
ZitMo
Plenty in the room
5
Old risks, in new context
Expanding
use cases
and
storage
capacity
Malware
Impact
Impact
Thief
Increased
popularity
Likelihood
Likelihood
It is only a matter of time before the first large data breach
concerning a mobile device receives media attention
6
Impact on Security Architecture
• The security risks to information have not changed:
- Malicious software
- Theft/loss of the device
- Eavesdropping
• But there are new twists:
- Endpoint ownership
- No dominant operating system or paradigm
- Very short device life cycle
- Immature management and security tools
- Usability and network connectivity
Impact on Security Architecture
Risk
Management
Management
No data on device
None
Controls in the Apps
Limited (manage container only)
(Container)
Controls on the
Manage the device (required
device
for certificates) i.e. MDM
Example 1 – No Data
on the Device
Native Apps
VDI/Web app/App w/ remote data
Resident App (dev/COTS) w/security
On-line only
Offline
Resident App (dev/COTS) w/o security
Application/
User Experience
Connectivity
Required
Impact on Security Architecture
Risk
Management
Management
No data on device
None
Controls in the Apps
Limited (manage container only)
(Container)
Manage the device (required
Controls on the
for certificates) i.e. MDM
device
Example 2 – Data within
a Container Only
Native Apps
VDI/Web app/App w/ remote data
Resident App (dev/COTS) w/security
On-line only
Offline
Resident App (dev/COTS) w/o security
Application/
User Experience
Connectivity
Required
Impact on Security Architecture
Risk
Management
Management
No data on device
None
Controls in the Apps
Limited (manage container only)
(Container)
Manage the device (required
Controls on the
for certificates) i.e. MDM
device
Example 3 – Data on
the Device
Native Apps
VDI/Web app/App w/ remote data
Resident App (dev/COTS) w/security
On-line only
Offline
Resident App (dev/COTS) w/o security
Application/
User Experience
Connectivity
Required
Controls you may put on your list
of requirements
Gartner for Technical Professionals
Access Control
• Aims to reduce the risk of Thieves and Evil
Maids by preventing direct logical access to
device
• Consider
- Methods: PIN, password, swipe, face unlock,
hardware token, other biometrics
- Policies to enforce: password
complexity/history/delay/lock, inactivity timer
- Risks of keyloggers and other spyware
- Limitations facing laboratory attacks that
circumvent authentication
12
Encryption
• Aims to reduce the risk of Thieves and Evil
Maids by preventing logical access to extracted
information
• Consider
•
Encryption and keys in hardware/software
•
Keys derived from device and/or passcode?
•
What information is encrypted?
•
Cache management
•
Known weaknesses and third party validations
13
Application Controls
• Aim to reduce the risk of Malware and Evil
Maids by preventing direct logical access to
applications and their data
• Consider
App
App
Data
Data
•
Application and data isolation
•
Signatures
•
Key management and encryption APIs
•
Management hooks
•
Application store controls
•
Kill switch: remotely kill an application on all devices
14
Remote and Local Wipe
• Aims to reduce the risk of Thieves by remotely or
locally wiping applications and data
• Consider
- Full/partial wipe
- Local/remote wipe
- What information and apps are wiped
- The wiping method
- How to confirm completion
15
What about user experience?
Gartner for Technical Professionals
An example: Client Virtualization
Let’s keep sensitive information off the device entirely!
Connection
secured with
encryption
No controls
needed on
the device
…But malware,
keyloggers,
and jailbroken
devices may be
a problem
User authenticated
prior to access
17
 Access to Information
 Secure
 Time-to-market
 Manageability
 Rich and Immersive UX
 Offline
 Native Capabilities
 Portability
Comparison Assessment
The Options
UX
Security
Best Used…
as a stop gap solution for business-to-employee legacy
applications where time-to-market and security is
paramount.
when the consumer or employee user experience is
medium priority, leveraging features of the native
experience isn't necessary, and sensitive data isn't
stored on the device.
for employee apps when security of data stored on the
device is paramount.
Virtualization
Mobile Web
App
Container
Resident
Mobile App
*
when the user experience is highest priority.
Key
Worst
Poor
Average
Good
Best
*You are responsible for building
your own security controls!
19
Broader Impact: Network Architecture
• Increasing radio spectrum consumption
- An increasing number of Wi-Fi devices will consume
more of your spectrum (Wi-Fi devices > humans)
- S L O W networks are not user-friendly
- Even unauthorized Wi-Fi devices consume spectrum as
they scan for Wi-Fi networks
• Solutions include
- Selective site survey, mission-critical network design
- Capacity planning, 802.11n APs
- Intrusion detection systems, spectrum monitoring
Same goes for WAN and WWAN
How do mobile security
architectures compare?
(AKA “Know your platforms before adding more stuff”)
Gartner for Technical Professionals
Android Security
•
Type: End-user control
•
Key elements
- Linux process and file isolation
- Permissions based
•
Concerns:
- Fragmentation of the platform over OEMs
- Encryption support dependent on OEM
- Content providers accessible by default
- Many OSS components and uncurated
appstores may lead to malware
- Permissions rely on people’s judgment
22
iOS Security
•
Type: Walled garden
•
Key elements:
- Curated Appstore
- Sandboxing
- Hardware encryption, always on
- OTA updates
•
Concerns:
- Vulnerabilities in OS that lead to jailbreak
- Few mechanisms that limit the access of an app
- Data protection not used by all applications and not validated
23
BlackBerry Security
•
Type: Guardian
•
Key elements
- Best in class mobile management and
security
- Data protection capabilities
- No jailbreaks for BB smartphones
•
Concerns
- AppWorld is vetted but its use not mandated,
leading to potential for malware
- Apps may have extensive access, without
jailbreak
- Management is critical, e.g. encryption is
optional
24
Application Controls for Various Platforms
Platform
Application
testing
Centralized
signing
Application
control on
the device
Third-party
anti-malware
products
BlackBerry
Yes, but applications
can be offered outside
of App World
Yes, but the requirement
to check the signature is
configurable
Yes
Yes
iPhone
Yes
Yes
Limited to major
applications
No
Windows
Phone 6.x
Yes
Yes, but the requirement
to check the signature is
configurable
Available through
third-party
products or
System Center
Yes
Windows
Phone 7
Yes
Yes, but the requirement
to check the signature is
configurable
No
No
Symbian
Yes
Yes
Available through
third-party
products
Yes
Android
Limited – some app
stores perform testing
but apps available
outside of app stores
No
No
Yes
Recommendations
Gartner for Technical Professionals
Recommendations
 Understand the risks and the threats you are trying to
protect against and accept that some risks cannot be
mitigated
 Limit support to handhelds that satisfy minimal
security requirements
 Balance UX with security and connectivity
Users will go around security if you don’t have a good UX
 Conduct data analysis to determine what is
acceptable on the device and what is not
 Deal with related infrastructure issues: network,
authentication, provisioning, …
Recommended Gartner Research
 Comparing Security Controls for Handheld Devices
Mario de Boer, Eric Maiwald, 22 January 2012
 Decision Point for Mobile Endpoint Security
Eric Maiwald
 Client Virtualization: Reducing Malware and
Information Sprawl
Mario de Boer, Dan Blum
 Solution Path: How to Create a Mobile Architecture
Paul Debeasi
 Field Research Summary: Mobility and Security
Eric Maiwald, 26 January 2012

similar documents