Mobile Working Group Session

Presentation transcript:

Thank You

Co-chairs: David Lingenfelter, Cesare Garlati, Freddy Kasprzykowski

CSA Staff: Luciano Santos, John Yeoh, Aaron Alva, Evan Scoboria, Kendall Scoboria

Initiative Leads/Contributors: Dan Hubbard, Guido Sanchidrian, Mark Cunningham, Nadeem Bhukari, Alice Decker, Satheesh Sudarsan, Matt Broda, Randy Bunnell, Megan Bell, Jim Hunter, Pam Fusco, Tyler Shields, Jeff Shaffer, Govind Tatachari, Ken Huang, Mats Näslund, Giles Hogben, Eric Fisher, Sam Wilke, Steven Michalove, Allen Lum, Girish Bhat, Warren Tsai, Jay Munsterman

Critical Areas of Mobile Computing

Mobile Guidance v1.0: Security Guidance for Critical Areas of Mobile Computing (published Nov. 2012)

- Mobile Computing Definition
- Threats to Mobile Computing
- Maturity of the Mobile Landscape
- BYOD Policies
- Mobile Authentication
- App Stores
- Mobile Device Management

Mobile Guidance Defined

- Authentication
- Apps
- MDM
- BYOD

These are the areas we used to limit the scope of mobile for the purposes of this initial guidance. One of the biggest reasons is that smartphones and tablets are currently the popular items. The guidance is open to adding or expanding the scope of mobile, but we feel the major components we cover now will remain relevant going forward.

Threats and Maturity

Top Mobile Threats – Evil 8

1) Data loss from lost, stolen or decommissioned devices
2) Information-stealing mobile malware
3) Data loss and data leakage through poorly written third-party apps
4) Vulnerabilities within devices, OS, design and third-party applications
5) Unsecured Wi-Fi, network access and rogue access points
6) Unsecured or rogue marketplaces
7) Insufficient management tools, capabilities and access to APIs (includes personas)
8) NFC and proximity-based hacking

High-level overview of the top mobile threats findings – basic discussions around these… not spending too much time.

Maturity

- 78% Have Mobile Policy
- 86% Allow BYOD
- 47% Utilize MDM
- 36% Have App Restriction
- 41% Have Security Controls

A few highlights from the mobile maturity questionnaire, basically showing that, measured against a standard maturity model, there is still a lot of room for mobile to mature in the enterprise space. This will continue to happen as the mobile industry (hardware, OS, app developers, management) continues to mature.

…there's room for improvement

BYOD Jay Munsterman

BYOD Charter

Analyze new challenges of:
- Policy
- Privacy
- Device and Data Segmentation

Delivered Policy Guidance for v1 Guidance

Next Steps for BYOD

- Need more team members!! Help us out!
- Conference call late March
- Decide on next steps, consider:
  - Policy Templates
  - Policy Examples
  - Evaluation of emerging containerization options

MDM David Lingenfelter

MDM Opportunities Beyond Simple MDM

- Increase security and compliance enforcement
- Reduce the cost of supporting mobile assets
- Enhance application and performance management
- Ensure better business continuity
- Increase productivity and employee satisfaction

Mobile Authentication Mark Cunningham

Mobile Authentication Guidance

Mobile Authentication Guidance

- Ease of Use
- Future Authentication Technologies

What you download may be compromised! App Stores security James Hunter

State of the App Market

- Apple and Google control 80% of the App Market
- By the end of 2013, an estimated 50 billion downloads
- There are over 1 million different Apps

The summary doesn't consider Amazon and Samsung. Corporate sites offering downloads for their flavor Apps, Developers, in all sizes and Apps Distributors. We have a chaotic marketplace that depends on the participants' "best efforts" to ensure the end user's privacy and security, as well as that of others (companies who employ them, even ones they visit and whose WiFi service they use).

What are the areas of concern?

- How trustworthy is the App Store?
- How trustworthy is the Developer?
- Can the user report issues found in the App?
- Who should get the report?
- Does the App use more permissions than needed?
- Does the App make connections to the Internet?
- Does the user need anti-virus, malware, etc.?
- Will this be an issue with BYOD?

The status of the working group?

- Late October to early November 2012: initial draft of the policy guideline submitted, for Orlando.
- November 2012: decision made to develop a stand-alone document.
- December 2012: received updated peer review info from J. Yeoh.
- January 2013: started efforts to recruit more volunteers for the App Store Security working group.
- February 2013: re-started efforts to make contact with App Store Management at Microsoft.
- March 2013: start update of draft guideline to a stand-alone document.
- March 2013: continue efforts to recruit several volunteers to work on the stand-alone document.
- March 2013: request CSA Global support for contacts with Apple, Google, Amazon and Samsung app store contacts.
- April-June 2013: pursue App Store management contacts, involvement and support.

App Store Security Initiative

Thanks to the following individuals:

- John Yeoh, Research Analyst, Global CSA
- Authors/Contributors Group Lead: James Hunter, Net Effects Inc.
- Peer Reviewers: Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact
- Co Chair, Mobile Security: Cesare Garlati, Trend Micro

Moving at the speed of mobile!

Where do we go from here?

- Charter review
- Cooperation Between Working Groups
- New Mobile Controls In CCM
- Maturity questionnaire v2.0
- Top Threats Review
- Stand Alone App Store Document
- Stand Alone Authentication Document
- New Section On Data Protection

Mobile Working Group Charter

- Securing public and private application stores
- Analysis of mobile security features of key mobile operating systems
- Mobile device management, provisioning, policy, and data management
- Guidelines for the mobile device security framework
- Scalable authentication for mobile
- Best practices for secure mobile application
- Identification of primary risks related to BYOD – Bring Your Own Device
- Solutions for resolving multiple usage roles related to BYOD

Charter – as per Mobile Initiative Charter-V3.docx Feb 2012:

1) Securing public and private application stores and other public entities deploying software to mobile devices
2) Analysis of mobile security capabilities and features of key mobile operating systems
3) Cloud-based mobile device management, provisioning, policy, and data management of mobile devices to achieve security objectives
4) Guidelines for the mobile device security framework and mobile cloud architectures
5) Scalable authentication from mobile devices to multiple, heterogeneous cloud providers and enterprise
6) Best practices for secure mobile application development and securely enabling existing applications on mobile platforms
7) Identification of primary risks related to individually owned devices accessing organizational systems (commonly known as BYOD – Bring Your Own Device)
8) Solutions for resolving multiple usage roles related to BYOD, e.g. personal and business use of a common device

Chapter Cooperation

- Information sharing across working groups
- Already working with CCM
- More guidance and input from Corporate, GRC and SME
- Timeframes/Deadlines/Review Periods

Reference Materials

Create more material people will want to use to develop their mobile business plans:

- Baseline Controls
- Policy Templates
- App Security Guidelines
- Threats and Risks

CSA 2013 Events

- BlackHat (July 27-Aug 1)
- EMEA Congress (September)
- ASIAPAC Events (Congress, May 14-17)
- CSA Congress Orlando (November)

https://cloudsecurityalliance.org/events/

Thank you

- Chapter meetings every other Thursday @ 9:00am PST
- LinkedIn: Cloud Security Alliance: Mobile Working Group
- Basecamp