1 / 29

Security Considerations for Mobile Devices

Security Considerations for Mobile Devices. Trent Henry Research VP Security & Risk Management. Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day. “Small” Incidents are Common. Agenda.

ellis
Download Presentation

Security Considerations for Mobile Devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Considerations for Mobile Devices Trent Henry Research VP Security & Risk Management

  2. Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.

  3. “Small” Incidents are Common

  4. Agenda What’s really new about risks for mobile devices? Controls you may put on your list of requirements What about user experience? How do mobile security architectures compare? Why and when would you improve on existing platform security controls?

  5. What’s really new about risks for mobile devices?

  6. Threat Agents Malware Threat type: logical Coexists with user Examples: • Redsn0w Jailbreak • Android FoncyDropper • ZitMo Thief Threat type: physical Exclusive access Example: • Plenty in the room • Evil maid Threat type: physical Coexists with user Examples: • Stealing a file system 5

  7. Old risks, in new context Thief Expanding use cases and storage capacity Malware Impact Impact Increased popularity Likelihood Likelihood It is only a matter of time before the first large data breach concerning a mobile device receives media attention 6

  8. Impact on Security Architecture • The security risks to information have not changed: • Malicious software • Theft/loss of the device • Eavesdropping • But there are new twists: • Endpoint ownership • No dominant operating system or paradigm • Very short device life cycle • Immature management and security tools • Usability and network connectivity

  9. Impact on Security Architecture Risk Management Management No data on device None Controls in the Apps (Container) Limited (manage container only) Manage the device (required for certificates) i.e. MDM Controls on the device Example 1 – No Data on the Device Native Apps On-line only VDI/Web app/App w/ remote data Offline Resident App (dev/COTS) w/security Resident App (dev/COTS) w/o security Connectivity Required Application/ User Experience

  10. Impact on Security Architecture Risk Management Management No data on device None Controls in the Apps (Container) Limited (manage container only) Manage the device (required for certificates) i.e. MDM Controls on the device Example 2 – Data within a Container Only Native Apps VDI/Web app/App w/ remote data On-line only Resident App (dev/COTS) w/security Offline Resident App (dev/COTS) w/o security Connectivity Required Application/ User Experience

  11. Impact on Security Architecture Risk Management Management No data on device None Controls in the Apps (Container) Limited (manage container only) Manage the device (required for certificates) i.e. MDM Controls on the device Example 3 – Data on the Device Native Apps VDI/Web app/App w/ remote data On-line only Resident App (dev/COTS) w/security Offline Resident App (dev/COTS) w/o security Connectivity Required Application/ User Experience

  12. Controls you may put on your list of requirements

  13. Access Control • Consider • Methods: PIN, password, swipe, face unlock, hardware token, other biometrics • Policies to enforce: password complexity/history/delay/lock, inactivity timer • Risks of keyloggers and other spyware • Limitations facing laboratory attacks that circumvent authentication • Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to device 12

  14. Encryption 011010000101 • Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information • Consider • Encryption and keys in hardware/software • Keys derived from device and/or passcode? • What information is encrypted? • Cache management • Known weaknesses and third party validations 13

  15. Application Controls App App Data Data 14 • Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data • Consider • Application and data isolation • Signatures • Key management and encryption APIs • Management hooks • Application store controls • Kill switch: remotely kill an application on all devices

  16. Remote and Local Wipe • Aims to reduce the risk of Thieves by remotely or locally wiping applications and data • Consider • Full/partial wipe • Local/remote wipe • What information and apps are wiped • The wiping method • How to confirm completion 15

  17. What about user experience?

  18. An example: Client Virtualization Connection secured with encryption No controls needed on the device …But malware, keyloggers, and jailbroken devices may be a problem User authenticated prior to access Let’s keep sensitive information off the device entirely! 17

  19. You gotta be kidding me! • Access to Information • Secure • Time-to-market • Manageability • Rich and Immersive UX • Offline • Native Capabilities • Portability

  20. Comparison Assessment * *You are responsible for building your own security controls! 19

  21. Broader Impact: Network Architecture Same goes for WAN and WWAN • Increasing radio spectrum consumption • An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans) • S L O W networks are not user-friendly • Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks • Solutions include • Selective site survey, mission-critical network design • Capacity planning, 802.11n APs • Intrusion detection systems, spectrum monitoring

  22. How do mobile security architectures compare? (AKA “Know your platforms before adding more stuff”)

  23. Android Security • Type: End-user control • Key elements • Linux process and file isolation • Permissions based • Concerns: • Fragmentation of the platform over OEMs • Encryption support dependent on OEM • Content providers accessible by default • Many OSS components and uncuratedappstores may lead to malware • Permissions rely on people’s judgment 22

  24. iOS Security • Type: Walled garden • Key elements: • CuratedAppstore • Sandboxing • Hardware encryption, always on • OTA updates • Concerns: • Vulnerabilities in OS that lead to jailbreak • Few mechanisms that limit the access of an app • Data protection not used by all applications and not validated 23

  25. BlackBerry Security • Type: Guardian • Key elements • Best in class mobile management and security • Data protection capabilities • No jailbreaks for BB smartphones • Concerns • AppWorld is vetted but its use not mandated, leading to potential for malware • Apps may have extensive access, without jailbreak • Management is critical, e.g. encryption is optional 24

  26. Application Controls for Various Platforms

  27. Recommendations

  28. Recommendations • Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated • Limit support to handhelds that satisfy minimal security requirements • Balance UX with security and connectivity • Users will go around security if you don’t have a good UX • Conduct data analysis to determine what is acceptable on the device and what is not • Deal with related infrastructure issues: network, authentication, provisioning, …

  29. Recommended Gartner Research • Comparing Security Controls for Handheld DevicesMario de Boer, Eric Maiwald, 22 January 2012 • Decision Point for Mobile Endpoint SecurityEric Maiwald • Client Virtualization: Reducing Malware and Information SprawlMario de Boer, Dan Blum • Solution Path: How to Create a Mobile ArchitecturePaul Debeasi • Field Research Summary: Mobility and SecurityEric Maiwald, 26 January 2012

More Related