service2media: webinar security & management (17 march 2014) by derk tegeler
DESCRIPTION
The webinar series 'How to build an app competence centre?' focuses on key topics that are important in executing your mobile strategy and optimising your mobile app competence centre. This third webinar addresses security. How ready are you to mitigate threats to your organisation and your organisation's assets? To what degree are you really in control? And how well do you protect your customers' data? Have you addressed the unique challenges of mobile apps and the valuable data they hold or transactions they facilitate, now and in the future?
TRANSCRIPT
1
30 MINUTES
Welcome! How to build your Mobile App Competence Center? Webinar Series
#3 Security & Management
Derk Tegeler, Director Security
Agenda
2
• Trends
• #3 Security & Management
  • Introduction
  • Policy and motivation
  • Technical Coverage
  • MDM/MAM – device and application management
  • Monitoring and alarming
Trends
Advanced app solutions | 3
• Information centric approach
• Identity fraud
• Lawful and unlawful interception
• Where is your data? Is that allowed?
• Data confidentiality
• Data integrity
• PKI…
Trends: the evil 8
• Data loss from lost, stolen or decommissioned devices
• Information-stealing mobile malware
• Data loss and data leakage through poorly written third-party applications
• Vulnerabilities within devices, OS, design and third-party applications
• Unsecure Wi-Fi, network access and rogue access points
• Unsecure or rogue marketplaces
• Insufficient management tools, capabilities and access to APIs (includes personas)
• NFC and proximity-based hacking
Source: Cloud Security Alliance Mobile Working Group
The Opportunistic Market in Transition
Experimentation is giving way to a more thoughtful approach to mobility. Organizations are taking a step back and rethinking how best to maximize the value of mobility. 3
1 "The early days of mobile adoption were characterized by experimentation and unfettered departmental demand for mobile apps. These apps, funded by the business, tend to be natively developed, and are built quickly and cheaply and often without coordination with the rest of the organization or a view to long-term sustainment and value maximization."
2 Such experimentation and piloting are necessary for organizations to test and learn about mobility, with the lessons learned that enterprise mobility can show significant business value, and that not embracing enterprise mobility will put the organization at a competitive disadvantage.
Source: Gartner, 2013
Mobile Maturity Model Explained
6
Disclaimer :-)
HOW TO GROW YOUR MOBILE MATURITY?
7
1. What is your Mobile Strategy Maturity goal?
2. How are you performing currently?
3. What are the gaps?
4. Define gaps that matter most
5. Prioritize and close the gaps
8
Opportunistic | Strategic | Mobile-First

Proportion of companies:
  Opportunistic: The majority of companies
  Strategic: A small minority of companies
  Mobile-First: Very few, if any, companies

Mobile strategy center of gravity:
  Opportunistic: A reactive IT department
  Strategic: Organization-wide strategic focus
  Mobile-First: Mobility Center of Excellence: C-level attention, self-empowered lines of business, a responsive IT department

Level of business model innovation:
  Opportunistic: Low
  Strategic: Medium
  Mobile-First: High

Users:
  Opportunistic: Siloed employee classes, typically field and sales forces, and applications addressing basic customer interactions
  Strategic: Addresses large subsets of both dedicated and occasional mobile workers, and more sophisticated offerings to customers
  Mobile-First: Affects all mobile workers and internal activities, and sophisticated customer engagement

Architecture:
  Opportunistic: Limited extendibility of architecture
  Strategic: Common architecture for mobility
  Mobile-First: Common architecture for mobility, integrated into most IT business processes

Technologies:
  Opportunistic: Siloed point solutions
  Strategic: Sophisticated administration and management tools; voice, data and integrated communications services
  Mobile-First: Integrated platform capabilities and ubiquitous connectivity

Policies:
  Opportunistic: Few formal policies, with decisions heavily user-influenced
  Strategic: Policy-driven approach for management, security and compliance
  Mobile-First: Policy-driven and 'factory' approach to mobile innovation, re-casting business workflows
WHAT IS YOUR MOBILE MATURITY GOAL?
9
1. Strategy and Organization
2. Initiation and Design
3. Security and Management
4. Development and Maintenance
5. Test and Distribution
6. Backend and Integration
MOBILE MATURITY MODEL - ASSESSMENT AXES
10
MOBILE MATURITY MODEL - LEVEL DETERMINATION
OPPORTUNISTIC: Aware, Developing
STRATEGIC: Practicing, Optimising
MOBILE FIRST: Leading
11
MOBILE MATURITY MODEL - GAP IDENTIFICATION
Opportunistic | Strategic | Mobile First
Strategy & Organisation
  Practice observed 1: ✔ x
  Practice observed 2: ✔ x
Initiation & Design
  Practice observed 1: ✔ x
  Practice observed 2: ✔
Development & Maintenance
  Practice observed 1: x
Chapter three:
12
Security and Management
Security and Management
13
Policy and motivation
Opportunistic: Security measures are dictated by common sense and in-house experience
Strategic: Law abiding, covering business risks
Mobile First: Quantified risk coverage
Practices Observed
1) Policies and processes
2) Risk analysis
3) Accountability
Security and Management
14
Technical Coverage
Opportunistic: Customer is developing secure apps
Strategic: Customer is addressing specific mobile vulnerabilities on a case-by-case basis
Mobile First: Customer is on par with current threat mitigation
Practices Observed
1) Code quality
2) Vulnerability coverage
3) Data protection
4) App protection
5) Key management
Security and Management
15
Mobile Device and/or Mobile Application Management
Opportunistic: None or only Microsoft Exchange controls
Strategic: MDM system in place
Mobile First: Central policy-based device and application management
Practices Observed
1. Scenario coverage
2. Company data on device
3. Impact
4. Authentication
5. Device management
6. Management console
Security and Management
16
NOC Integration (monitoring and alarming)
Opportunistic: The mobile service is a stand-alone, isolated server, ill fitted in the organisation
Strategic: Embryonic dashboards reveal real-time status and performance
Mobile First: The service is fully integrated in the normal service administration
Practices Observed
1) KPIs
2) Ticketing system
3) Knowledge base
4) IT process automation
…
Next Webinar April 17th
18
#4. Development and Maintenance by … myself