Gartner - ISSA-Utah.org

Nov 30, 2013

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole
use of the intended Gartner audience or other authorized recipients. This presentation may contain information that
is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly
displayed without the express written permission of Gartner, Inc. or its affiliates.

© 2012 Gartner, Inc. and/or its affiliates. All rights reserved.

Trent Henry

Research VP

Security & Risk Management

Security Considerations for Mobile Devices

Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.

“Small” Incidents are Common

Agenda

- What’s really new about risks for mobile devices?
- Controls you may put on your list of requirements
- What about user experience?
- How do mobile security architectures compare?
- Why and when would you improve on existing platform security controls?

Gartner for Technical Professionals

What’s really new about risks for mobile devices?

Threat Agents

Malware

- Threat type: logical
- Coexists with user
- Examples: Redsn0w Jailbreak, Android FoncyDropper, ZitMo

Thief

- Threat type: physical
- Exclusive access
- Example: plenty in the room

Evil maid

- Threat type: physical
- Coexists with user
- Example: stealing a file system

Old risks, in new context

[Chart: Impact versus Likelihood, plotting the Thief and Malware threat agents. Arrow labels: "Expanding use cases and storage capacity" and "Increased popularity".]

It is only a matter of time before the first large data breach concerning a mobile device receives media attention

Impact on Security Architecture

The security risks to information have not changed:

- Malicious software
- Theft/loss of the device
- Eavesdropping

But there are new twists:

- Endpoint ownership
- No dominant operating system or paradigm
- Very short device life cycle
- Immature management and security tools
- Usability and network connectivity

Impact on Security Architecture

Three architectures, compared along a Risk axis on Management, Connectivity and Application/User Experience:

No data on device
- Management: None
- Connectivity: Required (on-line only)
- Application/User Experience: VDI/Web app/App w/ remote data

Controls in the Apps (Container)
- Management: Limited (manage container only)
- Connectivity: Offline
- Application/User Experience: Resident App (dev/COTS) w/security (Native Apps)

Controls on the device
- Management: Manage the device (required for certificates), i.e. MDM
- Connectivity: Offline
- Application/User Experience: Resident App (dev/COTS) w/o security (Native Apps)

Example 1: No Data on the Device

Impact on Security Architecture (same table as for Example 1)

Example 2: Data within a Container Only

Impact on Security Architecture (same table as for Example 1)

Example 3: Data on the Device

Gartner for Technical Professionals

Controls you may put on your list of requirements

Access Control

Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to the device

Consider

- Methods: PIN, password, swipe, face unlock, hardware token, other biometrics
- Policies to enforce: password complexity/history/delay/lock, inactivity timer
- Risks of keyloggers and other spyware
- Limitations facing laboratory attacks that circumvent authentication
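The policies listed under "Policies to enforce" can be checked mechanically on the device. The following is an added example, not Gartner's code nor any vendor's product, that models an unlock policy with passcode complexity, a reuse history, an escalating delay after repeated failures, and an inactivity timer. The thresholds in UnlockPolicy and the FakeClock are assumptions chosen so the example runs deterministically offline.

```python
"""Device unlock policy enforcement (added example; the thresholds are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class UnlockPolicy:
    min_length: int = 6              # minimum passcode length
    require_mixed: bool = True       # letters and digits both required
    history_depth: int = 5           # reject reuse of the last N passcodes
    max_failures: int = 5            # failed attempts allowed before lockout
    base_delay_s: int = 30           # lockout length; doubles for every further failure
    inactivity_timeout_s: int = 300  # re-lock after this much idle time


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class DeviceLock:
    def __init__(self, policy: UnlockPolicy, now):
        self.policy = policy
        self.now = now                       # callable returning seconds
        self.history: list = []              # (salt, hash) of the current and past passcodes
        self.failures = 0
        self.locked_until = 0.0
        self.last_activity = now()
        self.unlocked = False

    @staticmethod
    def _hash(passcode: str, salt: bytes) -> bytes:
        # Slow hash so a copied passcode store does not give the passcode away cheaply
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

    def meets_complexity(self, passcode: str) -> bool:
        if len(passcode) < self.policy.min_length:
            return False
        if self.policy.require_mixed:
            return any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)
        return True

    def in_history(self, passcode: str) -> bool:
        return any(hmac.compare_digest(self._hash(passcode, salt), h) for salt, h in self.history)

    def set_passcode(self, passcode: str) -> bool:
        """Accept a new passcode only if it meets complexity and was not used recently."""
        if not self.meets_complexity(passcode) or self.in_history(passcode):
            return False
        salt = os.urandom(16)
        self.history.append((salt, self._hash(passcode, salt)))
        self.history = self.history[-self.policy.history_depth:]
        return True

    def unlock(self, passcode: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'; the lockout delay doubles with each extra failure."""
        t = self.now()
        if t < self.locked_until:
            return "locked"
        if not self.history:
            return "wrong"
        salt, current = self.history[-1]
        if hmac.compare_digest(self._hash(passcode, salt), current):
            self.failures = 0
            self.unlocked = True
            self.last_activity = t
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            excess = self.failures - self.policy.max_failures
            self.locked_until = t + self.policy.base_delay_s * (2 ** excess)
            return "locked"
        return "wrong"

    def touch(self) -> None:
        """Record user activity, which resets the inactivity timer."""
        self.last_activity = self.now()

    def is_unlocked(self) -> bool:
        """The inactivity timer re-locks the device without any user action."""
        if self.unlocked and self.now() - self.last_activity > self.policy.inactivity_timeout_s:
            self.unlocked = False
        return self.unlocked


def demo() -> list:
    """Walk through the policy with the constructed clock; returns the observed outcomes."""
    clock = FakeClock()
    lock = DeviceLock(UnlockPolicy(), clock)
    out = [lock.set_passcode("1234"), lock.set_passcode("abc123"), lock.set_passcode("abc123")]
    out += [lock.unlock("zzz999") for _ in range(5)]   # five failures: the fifth triggers lockout
    out.append(lock.unlock("abc123"))                  # correct passcode, but still within the delay
    clock.t += 31
    out.append(lock.unlock("abc123"))
    out.append(lock.is_unlocked())
    clock.t += 301
    out.append(lock.is_unlocked())                     # inactivity timer has re-locked the device
    return out
```

The escalating delay is what makes on-device guessing slow; it does nothing against the "laboratory attacks" bullet, where the passcode store is copied off the device and guessed elsewhere, which is why the next slide's key derivation matters.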

Encryption

Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information

Consider

- Encryption and keys in hardware/software
- Keys derived from device and/or passcode?
- What information is encrypted?
- Cache management
- Known weaknesses and third party validations
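The question "keys derived from device and/or passcode?" decides what an extracted copy of the storage is worth. The following added example, not from the deck and not any platform's actual scheme, derives a key from the passcode alone and then from the passcode combined with a device-bound secret, and derives per-file keys from the result. The iteration count, the labels and the random stand-ins for hardware secrets are assumptions.

```python
"""Key derivation with and without a device-bound secret (added example; not from the deck)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: tune to a measured time cost on the target hardware


def passcode_key(passcode: str, salt: bytes) -> bytes:
    """Key derived from the passcode alone.
    The salt is stored with the data, so anyone holding a copy of the storage and
    the passcode can recompute this key on any machine."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def device_bound_key(passcode: str, salt: bytes, device_secret: bytes) -> bytes:
    """Key that additionally depends on a per-device secret, modelling a hardware-held key.
    Assumption: in a real design the secret never leaves the secure element; here it is
    just a bytes value so the example runs. A copy of the storage made off the device
    lacks it, so the key cannot be recomputed from the passcode and salt alone."""
    pk = passcode_key(passcode, salt)
    return hmac.new(device_secret, b"data-protection-root|" + pk, hashlib.sha256).digest()


def file_key(root_key: bytes, file_id: str) -> bytes:
    """Per-file key, so exposure of one file key does not expose the others."""
    return hmac.new(root_key, b"file|" + file_id.encode(), hashlib.sha256).digest()


def compare_schemes(passcode: str = "2580") -> dict:
    """What a copy of salt + ciphertext gives away under each scheme.
    The two device secrets are constructed stand-ins for two handsets."""
    salt = os.urandom(16)                 # stored alongside the encrypted data
    device_a = os.urandom(32)
    device_b = os.urandom(32)
    on_device = passcode_key(passcode, salt)
    in_the_lab = passcode_key(passcode, salt)   # same inputs, recomputed anywhere
    return {
        "passcode_only_recomputable_elsewhere": on_device == in_the_lab,
        "device_bound_same_on_other_device":
            device_bound_key(passcode, salt, device_a) == device_bound_key(passcode, salt, device_b),
    }
```

With the passcode-only scheme the strength of the protection is the strength of the passcode; with the device-bound scheme, guesses have to run on the device, where the lock-screen delay applies, which is the point of the "hardware/software" bullet above.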

Application Controls

Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data

Consider

- Application and data isolation
- Signatures
- Key management and encryption APIs
- Management hooks
- Application store controls
- Kill switch: remotely kill an application on all devices

[Figure: boxes labelled App, App, Data, Data]

Remote and Local Wipe

Aims to reduce the risk of Thieves by remotely or locally wiping applications and data

Consider

- Full/partial wipe
- Local/remote wipe
- What information and apps are wiped
- The wiping method
- How to confirm completion
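The kill switch on the Application Controls slide and the "how to confirm completion" bullet above are both management commands whose result the server has to trust. The following added example, not from the deck and not the protocol of any MDM product, shows the exchange on both sides: the server issues an authenticated, sequence-numbered command, the device checks it, acts, and returns an authenticated acknowledgement, and the server confirms completion only against a command it actually issued. Assumptions: a per-device key shared at enrolment, HMAC-SHA256 for authenticity (a real product would use certificates and TLS), and constructed device and app inventories.

```python
"""Authenticated management commands with acknowledgement (added example; not from the deck)."""
import hashlib
import hmac
import json


def canonical(body: dict) -> bytes:
    """Stable serialisation so both sides authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class ManagementServer:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys          # assumption: one key per enrolled device
        self.seq = {d: 0 for d in device_keys}  # per-device monotonic counter
        self.pending = {}                       # (device, seq) -> issued command body

    def issue(self, device_id: str, action: str, **params) -> dict:
        self.seq[device_id] += 1
        body = {"device": device_id, "seq": self.seq[device_id], "action": action, "params": params}
        self.pending[(device_id, body["seq"])] = body
        return {"body": body, "mac": mac(self.device_keys[device_id], body)}

    def kill_app_everywhere(self, app_id: str) -> list:
        """Kill switch: one command per enrolled device."""
        return [self.issue(d, "kill_app", app_id=app_id) for d in self.device_keys]

    def confirm(self, ack: dict) -> bool:
        """Completion is confirmed only by an authentic ack for a command we issued and
        have not yet confirmed; an unsolicited or forged 'done' is worthless."""
        body = ack["body"]
        key = self.device_keys.get(body.get("device"))
        if key is None or not hmac.compare_digest(mac(key, body), ack["mac"]):
            return False
        issued = self.pending.pop((body["device"], body["seq"]), None)
        return issued is not None and body["status"] == "done"


class Device:
    def __init__(self, device_id: str, key: bytes, apps: dict):
        # apps: app id -> {"container": bool, "data": [...]} (constructed inventory)
        self.id, self.key, self.apps = device_id, key, apps
        self.last_seq = 0

    def _ack(self, body: dict, status: str, detail: str = "") -> dict:
        ack = {"device": self.id, "seq": body.get("seq", 0), "status": status,
               "detail": detail, "remaining_apps": sorted(self.apps)}
        return {"body": ack, "mac": mac(self.key, ack)}

    def handle(self, cmd: dict) -> dict:
        body = cmd["body"]
        if not hmac.compare_digest(mac(self.key, body), cmd["mac"]) or body.get("device") != self.id:
            return self._ack(body, "rejected", "bad_mac_or_wrong_device")
        if body["seq"] <= self.last_seq:
            return self._ack(body, "rejected", "replay")    # an old command cannot be re-delivered
        self.last_seq = body["seq"]
        if body["action"] == "kill_app":
            app = body["params"]["app_id"]
            if self.apps.pop(app, None) is None:
                return self._ack(body, "done", "not_installed")
            return self._ack(body, "done", f"removed {app} and its data")
        if body["action"] == "wipe":
            scope = body["params"].get("scope", "full")      # full device or container only
            victims = [a for a, info in self.apps.items() if scope == "full" or info["container"]]
            for a in victims:
                del self.apps[a]
            return self._ack(body, "done", f"{scope} wipe removed {len(victims)} apps")
        return self._ack(body, "rejected", "unknown_action")
```

The acknowledgement carries the remaining app inventory, which is how the server learns what a partial wipe actually left behind rather than assuming it; a wipe method that only deletes references (the "wiping method" bullet) would still report "done" here, so that property has to be validated separately.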

Gartner for Technical Professionals

What about user experience?

Let’s keep sensitive information off the device entirely!

An example: Client Virtualization

- No controls needed on the device
- Connection secured with encryption
- User authenticated prior to access
- …But malware, keyloggers, and jailbroken devices may be a problem


Comparison Assessment

Criteria: Access to Information, Secure, Time-to-market, Manageability, Rich and Immersive UX, Offline, Native Capabilities, Portability

The Options, rated on UX and Security (the rating icons are not reproduced here), and when each is best used:

- Virtualization: as a stop gap solution for business-to-employee legacy applications where time-to-market and security is paramount.
- Mobile Web App: when the consumer or employee user experience is medium priority, leveraging features of the native experience isn't necessary, and sensitive data isn't stored on the device.
- Container: for employee apps when security of data stored on the device is paramount.
- Resident Mobile App: when the user experience is highest priority.

Key: Worst, Poor, Average, Good, Best

*You are responsible for building your own security controls!*

Broader Impact: Network Architecture

Increasing radio spectrum consumption

- An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans)
- S L O W networks are not user-friendly
- Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks

Solutions include

- Selective site survey, mission-critical network design
- Capacity planning, 802.11n APs
- Intrusion detection systems, spectrum monitoring

Same goes for WAN and WWAN

Gartner for Technical Professionals

How do mobile security architectures compare?
(AKA “Know your platforms before adding more stuff”)

Android Security

Type: End-user control

Key elements

- Linux process and file isolation
- Permissions based

Concerns:

- Fragmentation of the platform over OEMs
- Encryption support dependent on OEM
- Content providers accessible by default
- Many OSS components and uncurated appstores may lead to malware
- Permissions rely on people’s judgment

iOS Security

Type: Walled garden

Key elements:

- Curated Appstore
- Sandboxing
- Hardware encryption, always on
- OTA updates

Concerns:

- Vulnerabilities in OS that lead to jailbreak
- Few mechanisms that limit the access of an app
- Data protection not used by all applications and not validated

BlackBerry Security

Type: Guardian

Key elements

- Best in class mobile management and security
- Data protection capabilities
- No jailbreaks for BB smartphones

Concerns

- AppWorld is vetted but its use not mandated, leading to potential for malware
- Apps may have extensive access, without jailbreak
- Management is critical, e.g. encryption is optional

Application Controls for Various Platforms

Columns: Application testing | Centralized signing | Application control on the device | Third-party anti-malware products

BlackBerry: Yes, but applications can be offered outside of App World | Yes, but the requirement to check the signature is configurable | Yes | Yes

iPhone: Yes | Yes | Limited to major applications | No

Windows Phone 6.x: Yes | Yes, but the requirement to check the signature is configurable | Available through third-party products or System Center | Yes

Windows Phone 7: Yes | Yes, but the requirement to check the signature is configurable | No | No

Symbian: Yes | Yes | Available through third-party products | Yes

Android: Limited (some app stores perform testing, but apps are available outside of app stores) | No | No | Yes

Gartner for Technical Professionals

Recommendations

- Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated
- Limit support to handhelds that satisfy minimal security requirements
- Balance UX with security and connectivity
- Users will go around security if you don’t have a good UX
- Conduct data analysis to determine what is acceptable on the device and what is not
- Deal with related infrastructure issues: network, authentication, provisioning, …

Recommended Gartner Research

- Comparing Security Controls for Handheld Devices (Mario de Boer, Eric Maiwald, 22 January 2012)
- Decision Point for Mobile Endpoint Security (Eric Maiwald)
- Client Virtualization: Reducing Malware and Information Sprawl (Mario de Boer, Dan Blum)
- Solution Path: How to Create a Mobile Architecture (Paul Debeasi)
- Field Research Summary: Mobility and Security (Eric Maiwald, 26 January 2012)