5 STEP PROCESS TO MOBILE RISK MANAGEMENT
1/ Understand how employees want to use Mobile Devices and Applications
2/ Identify potential threats
3/ Define the impact to the business based on probable threat scenarios
4/ Develop policies and procedures to protect the business to an acceptable level
5/ Implement manageable procedural and technical controls, and monitor their effectiveness
5. Nearly 80% of American investors say they aren’t likely
to invest in companies that have suffered multiple cyber
attacks. Analysts estimate that data breaches cost large
enterprises an average of $5.4 million per breach and
can erode brand value by hundreds of millions of dollars.
As data breaches have damaged business performance
and company valuations, data security concerns have
broken out of the CIO’s office and into the boardroom,
where CEOs are being challenged to explain what they’re
doing to ensure that vital revenue streams and shareholder
value is being safeguarded.
INTRODUCTION
As the business stakes have been raised, the explosive
growth in mobile devices has multiplied the threat. Nearly
40% of organizations in another recent study had data
breaches resulting from lost or stolen mobile devices,
including tablet computers, smartphones and USB drives
that contained confidential or sensitive data.
So what does a company need to do to manage the risk of
data loss through mobile devices? This white paper outlines
a rational, risk-based approach to data protection that’s
designed particularly for the new world of mobile devices.
6. Mobile Security 2013
6
Historically, when new business process-changing
technologies become available, e.g. Email, Web Services,
Laptops, Wifi, Cloud Services, and now ubiquitous and
heterogeneous Mobile Devices, the focus is on figuring
out how to use and manage the technology. Worrying
about securing it comes later. Then a familiar pattern is
often repeated: a period of time is spent admiring the
security problem; eventually a myriad of disparate “bolt
on” point security solutions are developed; then finally
security is integrated into the technology.
Right now, Mobile technologies are somewhere between
admiring the problem, and bolting on solutions. Mobile
security vendors are in a rush to launch new products.
Dozens of new point solutions are flooding the market,
and enterprises are challenged to determine what they
need, and how to integrate them into their infrastructure.
The problem is that there is little discussion of what the
business requirements for security actually are. Mobile
Security is not just one thing. There are multifaceted
threats and risks that need to be managed. These include
secure identity and access control; data protection and
content management; application management and
security; malware protection; digital forensics, secure
transport, monitoring and reporting, policy enforcement
and device management. Each of these plays a critical
part in managing risk, because no organization has the
same risk profile. Balancing which to prioritize, and how
much to implement takes expertise.
WiFi Internet
Bluetooth TelCom
7. Mobile Security 2013
7
MOBILE SECURITY
LANDSCAPE
USERS DATA APPS
Secure Identity
Access Control
Privacy Controls
Data Protection
Content Management
Digital Forensics
Secure Transport
Monitoring/Reporting
Policy Enforcement
Device Management
Application Management
Application Security
Malware Protection
NETWORKS
& DEVICES
8. Mobile Security 2013
8
The key to real security is taking a risk-based approach.
This means developing a set of practical business and
securityrequirementsthatpointthewaytothetechnologies
and policies that eliminate the most risk without unduly
impacting usability and needed business functionality.
This avoids the common backwards approach: buying a
technology based on feature set, then figuring out how to
integrate it into the business process.
Establishing business security requirements involves
answering the question, “secure from what?” Almost
every organization will have a different answer. There will
certainly be standard risk-based approaches and security
features that apply across the board. But the priority of
controls, the way they are implemented, and the way they
are managed will be unique to each organization.
The Twenty Critical Security Controls, developed by the
SANS Institute, have helped many large enterprises
and government agencies begin to transform security
by focusing their spending on the key controls that block
attacks that have the greatest overall impact on security.
Several of these Critical Security Controls apply just as
well to mobile devices as to traditional computers:
• Asset and configuration management
• Strong authentication and identity management
• Protection of sensitive data at rest and in transit
• Protection against Lost/stolen/decommissioned
devices
• Protection from malware for email or web
• Device-specific Operating System vulnerabilities
• Connecting to insecure/rogue wifi
• Protection and management of web and email traffic
The organization’s unique business requirements will
determine where to start and how to build. For companies
with intellectual property to protect, encryption will be a
high priority; organizations that field many mobile apps
might need to focus on application security; companies
where users need to access internal applications
might require strong identity management. Many tools
are available for each area. Selecting the right one
depends on an organization’s unique environment and
requirements. To help define requirements and determine
the best approach, DMI recommends a Five Step Mobile
Risk Management Process.
A RISK-BASED
APPROACH
9. Mobile Security 2013
9
5 STEP PROCESS FOR
MOBILE RISK MANAGEMENT
Understand how employees want to use Mobile
Devices and Applications
Identify potential threats
Define the impact to the business based on
probable threat scenarios
Develop policies and procedures to protect the
business to an acceptable level
Implement manageable procedural and technical
controls, and monitor their effectiveness
1
2
3
4
5
10. Mobile Security 2013
10
UNDERSTAND USER
REQUIREMENTS
1
Thismayvarybyindustry,businessneedsororganizational
culture, but a typical list of user requirements for a personal
mobile device is likely to include:
• Access to enterprise applications (email, calendar,
contacts, business appplications, Sharepoint servers,
etc)
• Ability to make both personal and professional calls
• Privacy for personal employee activities, data, photos,
emails, texts, and applications (i.e., no corporate
collecting, monitoring, or tracking)
• Prohibitionoforganizationalbackuporwipeofpersonal
data
11. Mobile Security 2013
11
IDENTIFY POTENTIAL
THREATS
2
Somecommonthreatsintroducedorexacerbatedbymobile
devices are listed on the right. Like user requirements,
threats that are relevant to any given organization will
vary depending on industry, corporate culture, and current
security program and architecture implementation.
• Corporate loss of control of data on device (lost / stolen
/ decommissioned / employment separation)
• Compromise of user credentials (malicious
applications, insecure applications or operating
systems, credentials passed in clear over public
networks, phishing websites)
• Unauthorized access to sensitive data (data passed
over network in clear, data stored uncrypted on device,
data backed up to uncontrolled system)
• Devices (intentionally or unintentionally) used as
recording devices (phone, or camera on during
meetings, pictures or video of sensitive information)
6’0’’
5’0’’
4’0’’
3’0’’
12. Mobile Security 2013
12
DEFINE THE IMPACT
TO THE BUSINESS
BASED ON PROBABLE
THREAT SCENARIOS
3
Business risk is about loss of Confidentiality, Integrity, or
Availability (CIA). Each kind of loss is associated with a
different level of business impact. And the approaches to
monitoring and protecting against each type of loss are
different. An adversary might use a spear phishing email
to compromise an endpoint to steal user credentials to
accessadatabasetoexfiltratedata(lossofConfidentiality).
Or, they could corrupt (loss of Integrity) or delete (loss of
Availability) that data.
One problem with traditional risk modeling is that it often
setsa“value”foranassetbasedonasimplemeasurement,
such as the cost of a lost device. But business impact value
is more complicated--value of data, of business process,
of loss of future revenue, etc. must all be considered. And
the impact of a loss may even vary depending on how the
asset is lost. For a given set of data, loss of Confidentiality
(trade secrets fall into the hands of a competitor) might
have a greater business impact than loss of Availability, or
Integrity (the same data is deleted or corrupted).
Standards need to be created that call out different levels
of impact and different controls for each of these three
(CIA) risks. More importantly, the likelihood and impact
of a security event needs to be factored in to achieve
better prioritization. A whole paper could be written about
vulnerabilities in mobile operating systems, applications,
or ActiveSync. But risk management is about playing
to the rule and not the exception. A rational approach
addresses the more likely and costly threats before getting
to the more esoteric.
13. Mobile Security 2013
13
Loss of a device is very common—for most organizations,
it’s likely to be a high priority for risk management. What
about a hacker in a coffee shop sniffing WiFi traffic and
pulling data or credentials off the air? This is where it’s
necessary to think about unique business characteristics
and how they influence risk: does your company manage a
lot of intellectual property? Are there significant regulatory
requirements for how to protect and control data? Do you
have a diverse workforce distributed around the country,
or around the globe with different privacy laws? Do your
users only access email, or do you have critical business
applications running on your mobile devices, or do you
collect critical business data on them? These are the
kinds of questions that need to be answered, and risks
factored for each.
A security program built around the threats that get the
most “press” is likely to be both costly and ineffective.
Successful programs address the risks that carry the
greatest business impact and that are most likely to
occur--like expecting that users will lose mobile devices.
14. Mobile Security 2013
14
DEVELOP POLICIES AND
PROCEDURES TO
PROTECT THE BUSINESS
TOANACCEPTABLE LEVEL
4
Mobile security can be complicated. If the organization
owns the mobile endpoints, the same security controls
and policy processes can be applied as are being used to
protect laptops:
• Require good passwords
• Encrypt the data
• Antivirus (only effective on Android)
• Educate users about phishing emails that ask for
credentials
• Educate users about application risks, don’t allow
apps over public wifi
• Keep phones out of meetings when talking about
proprietary information
ButBYODintroducessignificantprivacyissues.Employees
might need to sign off on a policy that authorizes forensics
testing on their device. Implementation becomes more
complex because it may require separation for work email,
calendar, contacts, phone, and documents from personal
data. A policy should include:
• Maintenance and management of a list of devices
(linked to users) that are authorized to access company
resources
• Tracking of devices and users accessing company
resources at any given time
• Restricted access from devices with insufficient
protection against compromise to data or user
credentials
• Controlled access to data, applications, and resources
based policies such as data classification, user, device,
network, or location (...)
15. Mobile Security 2013
15
An aditional item that might require discussion with HR
or legal: Geo-location (do you need to know where your
employees are?) This might have privacy implications
whether company owned or BYOD.
• Secured company data, at rest (at server and locally),
and in transit (across mobile network or wifi)
• Protection of devices from unauthorized access or
malicious code
• Maintenance of user privacy (email, texts, contacts,
voicemails, applications, etc)
• Regular security evaluation of all business applications
to identify data leakage or unnecessary access to
device resources (e.g., camera, contacts list, call
history, etc)
• Removal of corporate data from personal devices in
case of loss, theft, or separation from employment.
16. Mobile Security 2013
16
IMPLEMENTMANAGEABLE
PROCEDURAL,TECHNICAL
CONTROLS & MONITOR
THEIR EFFECTIVENESS
STACKING MOBILE
SECURITY
5
Once requirements have been established to mitigate the
potential risks to the business it’s possible to estimate the
size, scale, complexity, and budget for implementation. It
might be that having better visibility of what devices are
connected and insuring that they are encrypted is enough.
AlotcanbedonewithActiveSync,whichdoesn’tcostanything.
DEVICE FORENSICSSECURITY MATURITY LEVEL
SECURITYREQUIREMENTS
USER PRIVACY
APPLICATION SECURITY
SECURE PROTECTION
DATA PROTECTION
MALWARE PROTECTION
DEVICE MANAGEMENT
ASSET &
CONFIGURATION
MANAGEMENT
COMPROMISED
APPLICATIONS,
PROTECTION OF OS
VULNERABILITIES
ENCRYPTION OF
DATA AT REST
AND IN TRANSIT
2 FACTOR OR
CERTIFICATE-
BASED
AUTHENTICATION
SECURE CODING:
DATA LEAKAGE
PROTECTION;
APPLICATION
POLICY CONTROLS
REGULATORY
COMPLIANCE;
SEPARATION OF
PERSONAL&BUSINESS
DATA & APPS
eDISCOVERY;
HACKING OR
MISS-USE
EVENTS
An MDM platform offers more control. Container, wrapper,
or secure virtualization might be necessary to meet some
security requirements. Requirements drive a progression
from simple and inexpensive to more complex and costly
as illustrated below.
17. Mobile Security 2013
17
Where risk management comes in is identifying in what
sequence these would be implemented, based on needs
of the business, and priorities for protection.
The bottom line is that it takes a rational plan, and an
understanding of available technologies. The number
of mobile security technology tool companies is
growing weekly. First MDMs, then containers, then
application wrappers to give more granular control;
then encryption tools, and strong authentication tools;
application management tools, and even handsets with
secure virtualization. Today, many enterprises struggle
to to achieve application security – this is true both of
commercial apps and custom apps. How to manage
secure connectivity to mobile devices; how to secure the
data contained in the apps; how to maintain app security
by seamlessly pushing updates and patches to user
devices… these have all become major concerns. And
each layer of concern brings more cost and complexity.
As enterprises are challenged to determine what tools
are needed and how to integrate them, the key is to keep
coming back to the question of which risks are the most
impactful to the business. These are the areas that must
be secured first.
Deciding what level to achieve is the first step. Then
research or assistance may be needed to understand all
these tools and how they work together, how they integrate,
and what benefits they bring. Finally, it’s necessary to set
up a monitoring and management structure to maintain
this posture going forward. Some organizations may
choose to handle mobile security internally, others may
outsource to specialists. Either way, it’s important to
set the balance, applying the security that’s necessary
without over spending on trying to cover everything. It
takes a risk-based approach to prioritize organizational
needs and develop a security architecture and process
to match.
18. Zogby Analytics/HBGary Feb 25, 2013
Ponemon Institue 2013 Cost of Data Breach Study
Ponemon Institute October 2011
Ponemon Institute 2011 Cost of Data Breach Study
SOURCES
19. Stockholm
Golden Gekko
Bondegatan 64 c
116 33 Stockholm
Sweden
+46 855 921 601
sales@goldengekko.com
Phnom Penh
Street 106
House 14
Phnom Penh
Kingdom of Cambodia
+855 12 725 210
pp@goldengekko.com
goldengekko.com
mobilize
yourideas
London
22 Ganton Street
London W1F 7BY
United Kingdom
Sales +44 20 3290 9955
Other +44 20 7558 8107
info@goldengekko.com
Berlin
Torstrasse 98
10119 Berlin
Germany
info@goldengekko.com
7th floor
Tower 270 Condominium
86 Chambers Street
New York
USA
info@goldengekko.com
Barcelona
Sales +34 93 001 3655
Other +34 93 001 3261
Fax +34 932 008 482
sales@goldengekko.com
Bruc 49, ppal
08009 Barcelona
Spain
New York