Addressing Mobile Application Security


Slide 1: Addressing Mobile Application Security

www.mobilereach.com

Slide 2: Welcome!

• Introduction
• Understanding the Enterprise Environment
• Security Concerns in Enterprise Mobility
• What is Important
• Specific concerns with HTML5
• What to remember
• Wrap up, Q&A

Slide 3: Introduction

• Security is by far the most important enterprise mobility adoption challenge for CIOs, according to a recent survey
• However… according to the 2012 Information Security Breaches Survey:
  - Only 39% of large organizations encrypt data downloaded to smartphones and tablets
  - 38% of large businesses do not have any kind of program for educating their staff about security risks.
  - 26% of respondents with a security policy believe their staff have a very good understanding of it, while 21% think the level of staff understanding is poor.

Slide 4: Introduction

• Crucial to have the right policy and tools in place
• Implementation of a clear mobile security policy will contribute to success
• New technology useful for solving some problems, MDM, etc.
• However, securing mobile apps from the ground up and with the right policies and procedures in place will ensure all bases are covered.

Slide 5: Enterprise Mobile App Security

• The Corporate / Organization perspective:
  - Enterprise responsibility
  - Balance between risk and reward
  - Employee impacts
• Security concerns within your Mobile Strategy
• Taking advantage of technology to create secure processes
• HTML5 risks
• The Mobile Reach approach

Slide 6: What is an Enterprise Mobile App

(Diagram: Mobile Environment)

Slide 7: What is Important?

(Diagram: Enterprise Environment, showing data flowing between mobile devices and the enterprise, with four numbered areas of security concern.)

AREAS OF SECURITY CONCERN!
1. Network hacker “listens” to my data
2. Device data exposed
3. Unauthorized person gains access to data
4. Unauthorized network access after hacking device

• Your Organization cares about Protecting Enterprise Data in the hands and on the devices of mobile users
  - What is the data? How sensitive is it?
  - How bad is it if the data gets lost or into the “wrong” hands?
• Your Organization cares about keeping malicious users and other threats OUT of the Corporate network
  - How to limit the threats?
  - How to minimize damage upon a breach?

Slide 8: Security in your Mobile Strategy

• What happens if a user loses his/her mobile device?
  - How do we prevent sensitive or confidential information from being exposed?
  - How do we prevent an unauthorized user from using the device / its applications?
• How do we prevent a malicious user, application, or virus from infecting our corporate network?
• How do we protect the corporate entity from a legal situation (being sued)?

Slide 9: Mobile App Considerations

• Think twice about pushing sensitive information to the mobile device. Does the mobile user need it to do his job?
• Is it possible to minimize the sensitive data to a point where exposure is very low risk?
• Whenever neither is possible:
  - Encrypt the data in all over-the-air transport
  - Encrypt the data at rest on a mobile device
  - Have procedures in place to detect/inform as soon as data is at risk
  - Use remote-wipe and device tracking features ASAP

Slide 10: Addressing Security Concerns

Your Mobile Strategy MUST include:
• Security Policies and Procedures for your PEOPLE
• NETWORK Security and Policies to control access
• Mobile DEVICE Management
• Data RISK ANALYSIS for your mobile apps
• Data PROTECTION for all sensitive data

Slide 11: PEOPLE

Security Policies and Procedures:
• BYOD requirements, including remote wipe consent
• Instructions on the handling of sensitive/confidential information
• Instructions on how/when to report lost or stolen devices
• Authentication policies
• Mobile application usage instructions
• User responsibilities and penalties for non-compliance

Clear and Consistent rules and processes

Slide 12: NETWORK Security

Security and Policies for network access:
• Identify WHO is allowed to access the corporate network from WHAT mobile device
• Identify HOW mobile users are to access the corporate network
• Specify required authentication
• Incorporate malware protection

Protect network from unauthorized access (hacking)

Slide 13: DEVICE MANAGEMENT

Mobile Device Management MUST include:
• Support for all mobile devices that your users will be using
• Provisioning to manage who is allowed to use what
• Anti-virus, Anti-malware capability
• Remote wipe capability
• Ongoing support, upgrading, etc.
• Device location tracking

Manage and control mobile devices and usage

Slide 14: RISK ANALYSIS

Data Risk Analysis for your Mobile Apps:
• Identify the data that will be used by the mobile app and characterize its sensitivity
• Map out processes for mobile users
• Minimize sensitive data on the mobile device
• Identify the risks of exposure for all sensitive data
• Implement data protection measures to mitigate risks

Minimize risk while maximizing operational effectiveness

Slide 15: DATA PROTECTION

Protecting Sensitive Data:
• Do not count on device security to be enough!
• Application-level ENCRYPTION of all sensitive data BOTH during Over-the-Air transmission AND At-Rest on the device is required
• AUTHENTICATION of authorized mobile users is required for access to enterprise mobile apps and data
• No clear text storage of passwords or other authentication criteria

Make it extremely difficult / impossible to hack data

Slide 16: Using technology securely

• How it can help:
  - Visually hiding data
  - Encrypting data (at rest, over-the-air)
  - Requiring Authentication for access
  - Transferring data real-time, removing it from the mobile device
• Considerations:
  - Data is in an electronic format
  - Must be encrypted within the software

Slide 17: Examples…

• Nurse capturing patient data
  - Form and clipboard – free text, easy to be seen
  - Mobile device with electronic form – encrypted text
• Military personnel performing an Armory inventory
  - Spreadsheets and clipboard with part-codes and quantities in free text
  - Mobile device with barcode scanner and coded fields

Technology can be used to assist in the protection of data

Slide 18: Components of a secure app

• Authentication of users
• Incorporate an idle timer application lock
• Encryption of all data at rest
• Encryption of data transferred over the air
• Good error handling
• No dependence on untrustworthy code

Slide 19: Security Issues With HTML

• Browser Based Vulnerabilities
  - Security varies depending on browser
  - Many more browser options available on smartphones
  - With much more data caching and local storage, browsers are now accessing much more sensitive data
  - Email client, CRM and other systems could be exposed
  - Browsers are the major attack point for hackers
  - Browser providers must agree to adopt industry standards that have yet to be approved
  - New standard not due until 2014

Slide 20: HTML 5 Holes

• Browser Attack Points
  - Cross Document Messaging, Local Storage, Cookies
  - Issues with HTML4 and JavaScript remain in HTML5
  - Abuse of DNS and insecure use of APIs could leave a website vulnerable
  - Flawed input validation, client-side validation syntax issues
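An added example, not from the deck or Mobile Reach, of defending two of the attack points listed above (cross-document messaging and flawed client-side validation): a postMessage receiver that allow-lists the sender origin and re-validates the payload before acting on it. The trusted origin, the message shape and the record-id format are assumptions.

```javascript
// Added example, not from the deck: a hardened receiver for HTML5 cross-document
// messaging (window.postMessage). Written as plain functions over constructed event
// objects so it runs in Node; in a page it would be passed to window.addEventListener.
const TRUSTED_ORIGINS = new Set(['https://portal.example.com']); // assumed trusted sender

// Assumed record-id format. It is re-checked here because validation in the sending
// frame cannot be relied on: any page can call postMessage with any payload.
const RECORD_ID = /^[A-Z0-9-]{1,32}$/;

// Build a handler that drops messages from unknown origins, rejects malformed
// payloads, and only then hands the record id to the application callback.
function makeMessageHandler(trustedOrigins, onLookup) {
  return function handleMessage(event) {
    if (!trustedOrigins.has(event.origin)) {
      return { accepted: false, reason: 'untrusted-origin' };
    }
    const data = event.data;
    if (typeof data !== 'object' || data === null || Array.isArray(data)
        || data.type !== 'lookup' || typeof data.recordId !== 'string'
        || !RECORD_ID.test(data.recordId)) {
      return { accepted: false, reason: 'malformed' };
    }
    onLookup(data.recordId);
    return { accepted: true };
  };
}

// Reply with an explicit target origin. A '*' target would let any frame that
// managed to send the request read the response.
function replyTo(event, payload) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  event.source.postMessage(payload, event.origin);
  return true;
}

// Constructed sample event, shaped like the MessageEvent a browser delivers from an
// embedded frame (source is a stub that records what would be posted back).
const posted = [];
const sampleEvent = {
  origin: 'https://portal.example.com',
  data: { type: 'lookup', recordId: 'PT-0001' },
  source: { postMessage: (payload, target) => posted.push({ payload, target }) },
};
```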

Slide 21: Predictions

• According to a recent report on Security Predictions and Trends by Watchguard.com, HTML5 will be under increased attack in 2012.

“… the security of HTML5 applications is still dependent on the skill and care with which developers create them. HTML5 is new and complex … Developers are still getting comfortable with it, which means they are likely to make programming mistakes that could translate into web vulnerabilities. Increased usage of HTML5 will significantly contribute to the continued increase in web applications attacks next year.”

Slide 22: The Mobile Reach approach

Mobile Reach Splitware Mobility Platform:
• Security built into the foundation of the platform
• Data transferred and at rest is encrypted via AES 256-bit encryption
  - Easy to scale / add other encryption algorithms
• All software built in-house with no 3rd party components
• Native application platform to avoid the pitfalls of HTML5
• Ability to incorporate fingerprint scanning, retina scanning, and other device-native features
• Database protected from general-purpose device backup facilities
• Authentication incorporated

Slide 23: Splitware Approach to Security

Slide 24: Splitware System Encryption

Slide 25: The Mobile Strategy Checklist

• What happens if a user loses his/her mobile device? Mobile apps lock requiring password; remote wipe
• How do we prevent sensitive or confidential information from being exposed? Encryption of all data, encryption of all passwords
• How do we prevent an unauthorized user from using the device and its applications? Authentication (ideally two-factor), idle-time locking
• How do we prevent a malicious user, application, or virus from infecting our corporate network? Network security software
• How do we protect the corporate entity from a legal situation (being sued)? Well-thought-out and documented procedures, adherence to industry best practices

Slide 26: Summary

• Protecting enterprise data is what’s important
• Developing appropriate rules and procedures that complement your mobile processes and the needs of your mobile workforce is critical
• Understand the real risks of your mobile solution and focus security measures on those risks
• Avoid using HTML5 for mobile apps that require high security
• Avoid the tendency to implement security procedures just for the sake of “security”

Slide 27: Q&A

For a copy of the presentation, more information, or to request a product demonstration, please contact Bob Silver.

Bob Silver: bsilver@mobilereach.com
919-336-2500, ext 109

Slide 28: Thanks for Joining Us!

• Mobile Reach Enterprise Mobility Webinar Series
  - Building Mobile Apps in Minutes
  - Analyzing and Implementing Effective Mobile Workflow
  - Why Native Apps are the right choice for Enterprise
  - Addressing Mobile Application Security
  - Developing an Enterprise Mobile Strategy

August 2012
