3Critical Areas of Mobile Computing Mobile Guidance v1.0Security Guidance forCritical Areas of Mobile ComputingPublished Nov. 2012Mobile Computing DefinitionThreats to Mobile ComputingMaturity of the Mobile LandscapeBYOD PoliciesMobile AuthenticationApp StoresMobile Device Management
4Mobile Guidance Defined AuthenticationAppsMDMBYODWhat we used to limit the scope of mobile for the purposes of this initial guidance. One of the biggest reasons is because smartphones and tablets are currently the popular items. The guidance is open to adding or expanding the scope of mobile, but we feel the major components we cover now will remain relevant going forward.
6Top Mobile Threats – Evil 8 Data loss from lost, stolen or decommissioned devices.Information-stealing mobile malware.Data loss and data leakage through poorly written third-party apps.Vulnerabilities within devices, OS, design and third-party applications.Unsecured Wi-Fi, network access and rogue access points.Unsecured or rogue marketplaces.Insufficient management tools, capabilities and access to APIs (includes personas).NFC and proximity-based hacking.High level overview of the top mobile threats findings – basic discussions around these…not spending too much time.
7Have Security Controls Maturity78%Have Mobile Policy86%Allow BYOD47%Utilize MDM36%Have App Restriction41%Have Security ControlsA few highlights from the mobile maturity questionnaire, basically showing that from a standard maturity model there is still a lot of room for mobile to mature in the enterprise space. This will continue to happen as the mobile industry (hardware, OS, app developers, management) continue to mature.…there’s room for improvement
12MDM Opportunities Beyond Simple MDM Increase security and compliance enforcementReduce the cost of supporting mobile assetsEnhance application and performance managementEnsure better business continuityIncrease productivity and employee satisfactionBeyond Simple MDM
18Mobile Authentication Guidance Ease of UseFuture Authentication Technologies
19What you download may be compromised! App Stores securityJames Hunter
20State of the App Market Apple and Google control 80% of the App Market By the end of 2013 an estimated 50 Billion downloadsThere are over 1 million different AppsThe summary doesn't consider Amazon and Samsung. Corporate sites offering downloads for their flavor Apps, Developers, in all sizes and Apps Distributors.We have a chaotic marketplace depending on the participants "best efforts", to insure the end user privacy and security, as well as that of others (Companies who employ them, even ones they visit and use WiFi service).
21What are the areas of concern? How trustworthy is the App Store?How trustworthy is the Developer?Can the user report issues found in the App?Who should get the report?Does the App use more permissions than needed?Does the App make connections to the Internet?Does the user need anti-virus, malware, etc.?Will this be an issue with BYOD?
22The status of the working group? Initial draft of the policy guideline submitted in late October-early November 2012, for Orlando.November 2012 decision made to develop a stand-alone document.December 2012 received updated peer review info from J. Yeoh.January 2013 started efforts to recruit more volunteers for App Store Security working group?February 2013 re-started efforts to make contact with App Store Management at Microsoft.
23The status of the working group? March 2013 start update of draft guideline to a stand alone document.March 2013 continue efforts to recruit several volunteers to work on the stand alone document.March 2013 request CSA Global support for contacts with Apple, Google, Amazon, Samsung Appstore contacts.April-June 2013 pursue App Store management contacts, involvement and support.
24App Store Security Initiative Thanks to the following individuals: John Yeoh, Research Analyst, Global CSAAuthors/Contributors Group Lead James Hunter, Net Effects Inc. Peer Reviewers Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact Co Chair, Mobile Security, Cesare Garlati Trend Micro
26Where do we go from here? Charter review Cooperation Between Working GroupsNew Mobile Controls In CCMMaturity questionnaire v2.0Top Threats ReviewStand Alone App Store DocumentStand Alone Authentication DocumentNew Section On Data Protection
27Mobile Working Group Charter Securing public and private application storesAnalysis of mobile security features of key mobile operating systemsMobile device management, provisioning, policy, and data managementGuidelines for the mobile device security frameworkScalable authentication for mobileBest practices for secure mobile applicationIdentification of primary risks related BYOD – Bring Your Own DeviceSolutions for resolving multiple usage roles related to BYODCharter – as per Mobile Initiative Charter-V3.docx Feb 2012:1) Securing public and private application stores and other public entities deploying software to mobile devices2) Analysis of mobile security capabilities and features of key mobile operating systems3) Cloud-based mobile device management, provisioning, policy, and data management of mobile devices to achieve security objectives4) Guidelines for the mobile device security framework and mobile cloud architectures5) Scalable authentication from mobile devices to multiple, heterogeneous cloud providers and enterprise.6) Best practices for secure mobile application development and securely enabling existing applications on mobile platforms7) Identification of primary risks related to individually owned devices accessing organizational systems (commonly known as BYOD – Bring Your Own Device)8) Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device
28Chapter Cooperation Information sharing across working groups Already working with CCMMore guidance and input from Corporate, GRC and SMETimeframes/Deadlines/Review Periods
29Reference MaterialsCreate more material people will want to use to develop their mobile business plansBaseline ControlsPolicy TemplatesApp Security GuidelinesThreats and Risks
30CSA 2013 Events BlackHat (July 27-Aug1) EMEA Congress (September) ASIAPAC Events (Congress, May 14-17)CSA Congress Orlando (November)https://cloudsecurityalliance.org/events/
31Thank you Chapter meetings every other Thursday @ 9:00am PST LinkedIn: Cloud Security Alliance: Mobile Working GroupBasecampThank you