Hidden security and privacy consequences around mobility (Infosec 2013)
DESCRIPTION
An overview of the security and privacy implications and risks resulting from the wider adoption of mobile devices, apps and cloud, and the resultant changes to customer interaction and business processes
TRANSCRIPT
Copyright © Tier-3 Pty Ltd, 2012. All rights reserved.
A world of information: security and privacy implications of mobility
Piers Wilson Tier-3 Huntsman® - Head of Product Management
Introductions
2 01/05/2013
Piers Wilson, Head of Product Management
Director of IISP. Previously senior manager in the Cyber Security practice at PricewaterhouseCoopers
Tier-3 Huntsman® at Infosec
• SIEM / Event correlation / “Big data” analytics
• Behaviour Anomaly Detection (BAD 2.0)
• Governance, Risk, Compliance
• Cloud/multi-tenancy support
Stand K31
Agenda and scope
• What this talk is about…
– Identifying the information on users/activity that has relevance for security and anti-fraud purposes
– Security and fraud consequences of the wider business adoption of mobile applications
– Privacy and security versus business interest and usefulness
• What this talk is not about…
– Mobile device management
– Mobile application security
79% of the UK population use the internet anywhere, on any device (Ofcom, 2012)
11% of businesses report all marketing activities are truly integrated across online and offline channels (Affilinet, 2011)
Four out of five US smartphone owners use the phone to help with shopping (Google/Ipsos, 2011)
Demand for security information and event management tools will grow to more than $1 billion worldwide by 2015 (Frost & Sullivan, 2011)
“There is no substitute for knowledge.” (W. Edwards Deming)
“Before undertaking monitoring, identify clearly the purpose(s) behind the monitoring and the specific benefits it is likely to bring” (ICO BYOD Guidance, 2013)
Background
• App “ecosystems”, consumerisation and "bring your own device" are here
• Users / Customers increasingly expect to access systems via apps / personal devices
• Imminent explosion in mobile payments
• Opportunity to collect, process and understand considerably more data
– Internal logs, external sources, user transactions, staff movements, habits, locations, activities, wider contexts, proximity
However…
Two big questions
1. Can organisations identify, collect and effectively analyse the data available to them?
2. What are the privacy and security implications of collecting data and using it in this way?
Business intelligence origins
• Most businesses are comfortable with:
– Collecting security log and event information from systems (traditional SIEM technologies)
– Monitoring staff use, system activity and network traffic for threat identification
– Gathering payment and transaction information for fraud detection and risk management (FMS)
– Profiling customer activity through on-line accounts and loyalty schemes
– Credit checking and the concept of risk scoring
What does mobility mean for security and fraud?
Richer Data
• Location and activity information for employees/contractors/customers becomes more available and more useful
• Monitoring of browsing and buying habits can be device and location aware
– Richer than just web-site analytics for tracking customers
– Location, proximity to outlets and real-world marketing, and locations of neighbours/competitors
• Loyalty systems expand beyond what I buy (or what I might like) or where I shop (special offers) to being more focussed
• We’ll see interest in greater security and fraud insights, coupled with customer profiling and new flavours of data: “big data”
Financial Drivers
• Interfaces between systems to detect security incidents, events and fraud will become more prevalent in the mobile space
• Some intelligence will move from the back-end to nearer the client end
– What you can’t do in a web page you may be able to do within an app
• Mobile payments will mean real money flowing between real devices and/or terminals
• Real-world financial activity, coupled with on-line logging and monitoring and the ability to track location, becomes real time
– Who gets the mobile payment?
– Where are the logs?
What else does mobility mean for security and fraud?
New Applications
• Sector-specific applications with the ability to gather and analyse logs and data sets which “mean something”
– Searching for meaning in security log data
– Some uses will have business/customer benefits
– Could become intrusive
• If we create data with more value, the business criticality and the impact of loss/theft/exposure will also increase
– Driving security requirements
• Some obvious examples:
– Motor insurance applications to derive risk information or to make post-claim decisions: to log accidents and/or track movement/speed/location/risk factors prior to a crash or robbery
– Applications that turn on the heating when you are close to home
Personal / Lifestyle
• Personal and social aspects of mobility, security and data analysis
• In many cases there is (or will be) a social and a business interpretation of the gathered data
• Whose data is this?
– Work/life balance (hours at office)
– Health (exercise/food consumption)
– Social interactions (associations/photos/“near me”)
– Security systems based on proximity between users/devices/controls
– Emergency situations/unrest and location/exposure
Don’t collect more than you need and then struggle to protect it
• Increasing contextual data being available to apps installed locally or to back-end systems
• Collection and analysis may be overt, or could become part of the routine handling of activity and transactions
– Hence less visible
– What is a security log and what is a customer activity log?
• The collection and use “purposes” could get blurred … with implications for privacy and security
– Data collected for fraud purposes could become useful for customer profiling and marketing
– If you know “where I am”, you also know “where I am not” (at home, at work, at the gym); and maybe “who I’m with” or “what I’m doing”
Deciding what information to collect and why…
Security teams are used to drawing a balance between benefit and risk
• what data we collect and its value
Industry (more widely) is starting to invest in, and discover, the value of data analytics
In security the wider benefits of “big data” involve different parameters … more data means:
• Improved fraud detection capability
• Better customer profiling
• More context
• Richer user experience
AND
• Greater visibility around security threats, risks, attacks
Smarter data analytics
More useful data sources
More uses / Bigger audience
… and then making sure we can protect it
Growth of security/customer/fraud/business data from the emerging mobile computing environment can:
• Challenge privacy obligations
• Exceed expectations from users/regulators
• Give security teams another (and higher impact) data set to protect
Organisations need to evolve their security stance: even simple “big data” examples could raise the risk levels much higher
Need consideration of:
• Balancing security, fraud, privacy and functionality within the mobile apps/facilities used by customers and staff
• Protecting the data that we collect, where the privacy implications (to customers) or the raw value (to us) are heightened
Organisations must ensure they have the right tools and approaches to gain the maximum value from the security, fraud, activity and location data
So what?
• The value of (all) data is increasing, partly driven by a more mobile and app-oriented environment … security logs, behaviour anomaly detection, cyber threat detection … businesses increasingly using data to drive efficiencies and customer intimacy through mobile channels
• We have to acknowledge these trends and ensure that we adequately protect business information where the privacy risk, exposure and value become more critical
• Clever security technologies can really help, especially where past controls become less applicable or effective in a more interconnected space
Finally…
Time for questions
Or:
Find me at Tier-3’s stand K31
[email protected] +44 (0) 7800 508517 @only1weasel
www.tier-3.com @tier3huntsman