Two Peas in a Pod: Cloud Security and Mobile Security

Mobile Security: Is there an opportunity? Omar Khawaja, March 30th, 2011

Upload: omar-khawaja

Post on 22-Apr-2015


DESCRIPTION

All enterprises today are

TRANSCRIPT

Page 1: Two Peas in a Pod: Cloud Security and Mobile Security

Mobile Security: Is there an opportunity?

Omar Khawaja, March 30th, 2011

Page 2

Future of Enterprise IT Infrastructure

Page 3

What is “mobile”? Smarter, faster… and blurrier

Page 4

Everything is converging…

Voice ↔ Data

Dead Spot ↔ Hot Spot

Distributed Architecture ↔ Centralized Architecture

Home ↔ Office

Fixed ↔ Mobile

Wired ↔ Wireless

Web Applications ↔ Mobile Applications

…to make security more challenging?

Page 5

The new world… doesn’t exist without mobile and cloud

• Anyone can access: partners and customers too
• Access from anywhere: outside firewalls too
• Access from any device: non-corporate ones too
• Access to all data: sensitive information too

Corporate IT owns and dictates IT direction

Consumerization and Democratization of IT

Page 6

What makes mobile riskier?

• Convergence
• Mobile misuse can cost
• Small physical footprint
• Increasing processing power
• Multiple communication channels
• Increasing bandwidth
• Ownership
• Storage
• Fragmentation
• Applications
• Data

Page 7

How do you secure mobile?

Security Technology Elements
• App Security
• Anti-X
• Config Mgmt
• DLP
• Encryption
• IAM, NAC
• Patching
• Policy Mgmt
• Threat Mgmt
• VPN
• Vuln. Mgmt
• …

Security Program Elements
• Risk Assessment
• Security Policy
• Organization of Info Security
• Asset Management
• Human Resources Management
• Physical & Environment Security
• Comms & Ops Mgmt
• Access Control
• Info Systems Acquisition, Dev, & Maint.
• Info Security Incident Management
• Business Continuity Management
• Compliance

Page 8

Multiple Approaches

[Slide figure: a two-by-two grid with Security Programs (Single / Multiple) on one axis and Security Technology Sets (Single / Multiple) on the other; each cell repeats the Security Technology Elements and Security Program Elements listed on Page 7.]

Page 9

Security leaders care most about… The Business Cares About Data!

Breach Prevention
• Requires preventing data from being breached

Compliance
• HIPAA, GLBA, PCI, State Breach Laws, etc. govern specific types of data

Costs…
• of securing data
• of maintaining compliance
• of enabling business in the information age

Page 10

Treating Data

• Inventory (must)
• Monitor
• Encrypt
• Protect
• Destroy (ideal)

Page 11

ignoramus et ignorabimus?

Minimize data and access to it!

Source: Verizon DBIR

Page 12

What about apps?

• 33% of NA smartphone owners download apps
• Multiple versions
• Location based apps / social networking will increase
• Games continue to dominate among apps
• Users continue to demand greater usability
• 10 billion app downloads from Apple's App Store in 2010
• Signed Apps = Secure Apps?

Can’t impede app proliferation, but how do you know which to trust?

Page 13

What about everything else?

• Force encryption of data at rest on mobile devices
• Force secure connectivity on unsecured public networks
• Ensure unauthorized mobile devices do not have access to corporate LAN*
• Ensure mobile user spending is in line with the mobile policy and additional costs can be recovered
• Over-the-air decommissioning (remote bricking)
• Authentication: set the device to auto-lock; set clipping level
• Keep device out of sight when not worn
• Handheld devices should be enterprise property
• Before an employee departs, obtain device and remove corporate data
• Have a clear policy on remote data deletion and do not hesitate to execute it
• Classify data according to the sensitivity of the data they carry
• Only permit digitally signed applications

Be agile – quickly and flexibly adapt to changing mobile landscape

Page 14

An approach…

1. Inventory data (technical and consultative)
2. Destroy any unnecessary data
3. Associate data access with users and roles
4. Ensure only users that need access to data have access to it (access governance)
5. Assign sensitivity level to data types (tier by quantity), based on business impact
6. Assign control requirements for each data set
7. Determine feasible controls for each environment (mobile, cloud, etc.)
8. Identify how (vendor, etc.) to implement controls across each platform
9. For each platform, define what access level (to each of the data sets) is allowed based on residual risk
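Steps 3 to 9 of the approach above, and the device controls from Page 13, as a small policy engine. This is an added example, not material from the slides or from Verizon: the tiers, control names, platforms, role entitlements and the rule that maps a control gap to an access level are all assumptions constructed for illustration.

```python
# Added example: data-classification-driven access decisions per platform.
# Tiers, controls, platforms and roles are constructed sample values, not from the slides.

# Steps 5/6: sensitivity tier -> controls required before that data may be handled.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"auto_lock"},
    "confidential": {"auto_lock", "encryption_at_rest", "vpn"},
    "regulated": {"auto_lock", "encryption_at_rest", "vpn",
                  "signed_apps_only", "remote_wipe"},
}

# Step 7: controls each environment can actually enforce (Page 13 checklist items).
PLATFORM_CONTROLS = {
    "corporate_mobile": {"auto_lock", "encryption_at_rest", "vpn",
                         "signed_apps_only", "remote_wipe"},
    "byod_mobile": {"auto_lock", "vpn"},
    "cloud_saas": {"auto_lock", "encryption_at_rest", "vpn"},
}

# Steps 3/4: which data tiers each role legitimately needs (access governance).
ROLE_DATA = {
    "finance": {"public", "internal", "confidential", "regulated"},
    "contractor": {"public", "internal"},
}

# Controls that only matter once data is stored on the platform (assumed split).
STORAGE_CONTROLS = {"encryption_at_rest", "remote_wipe"}


def residual_gap(sensitivity, platform):
    """Required controls the platform cannot enforce: the residual risk for step 9."""
    return REQUIRED_CONTROLS[sensitivity] - PLATFORM_CONTROLS[platform]


def access_level(sensitivity, platform):
    """Step 9: map the residual gap to an access level (assumed policy)."""
    gap = residual_gap(sensitivity, platform)
    if not gap:
        return "full"
    if gap <= STORAGE_CONTROLS:
        return "view_only"  # may display the data, must not keep a local copy
    return "none"  # a transport or device-hygiene control is missing


def effective_access(role, sensitivity, platform):
    """Role entitlement (steps 3/4) gates the platform decision (step 9)."""
    if sensitivity not in ROLE_DATA.get(role, set()):
        return "none"
    return access_level(sensitivity, platform)


def access_matrix():
    """Step 8/9 output: a decision for every data tier on every platform."""
    return {(s, p): access_level(s, p)
            for s in REQUIRED_CONTROLS for p in PLATFORM_CONTROLS}
```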

Page 15

Slight shift in focus

• Measuring vulnerabilities / threats → Measuring impact
• Applying controls → Picking the right controls
• Securing the enterprise → Securing what matters to the business
• Managing projects → Selecting the right projects
• Protecting the enterprise → Enabling the enterprise
• Multiple Security Programs → Single Security Program
• Multiple sets of Security Technologies → Single set of Security Technologies

Page 16

Finally…

• Follow the data
• Consistent security controls
• Start with the business (data), not the controls
• Simplify security program
• Closely align mobile and cloud security

Doing Things Right → Doing the Right Things

Page 17

Questions

Omar Khawaja

Page 18

Industry Recognition
• Verizon is the leading global MSSP (Gartner, Forrester)
• Founding and Executive Member of Open Identity Exchange
• Security Consulting practice recognized as a Strong Performer (Forrester)
• ICSA Labs is the industry standard for certifying security products

Credentials
• BSI Associate Consultant for ISO 27001 and BS 25999
• PCI ASV, QSA and PA-QSA
• CREST approved penetration tester
• HITRUST Qualified CSF Assessor and member Leadership Roundtable

Global Reach
• 500+ security consultants based in 23 countries that speak 24 languages
• Serve 77% of Forbes Global 2000
• 7 sources of risk intelligence

Experience
• Verizon’s SMP is the oldest security certification program in the industry
• Analyzed breaches involving 900+ million records
• Provide national identity solutions in over 25 countries
• Provide services to 78% of Fortune 100
• Delivered 2000+ security consulting engagements in 2010

Verizon Security Solutions