www.cloudsecurityalliance.org Copyright © 2011 Cloud Security Alliance

Mobile Working Group Session

Thank You

Co-chairs: David Lingenfelter, Cesare Garlati, Freddy Kasprzykowski

CSA Staff: Luciano Santos, John Yeoh, Aaron Alva, Evan Scoboria, Kendall Scoboria

Initiative Leads/Contributors: Dan Hubbard, Guido Sanchidrian, Mark Cunningham, Nadeem Bhukari, Alice Decker, Satheesh Sudarsan, Matt Broda, Randy Bunnell, Megan Bell, Jim Hunter, Pam Fusco, Tyler Shields, Jeff Shaffer, Govind Tatachari, Ken Huang, Mats Näslund, Giles Hogben, Eric Fisher, Sam Wilke, Steven Michalove, Allen Lum, Girish Bhat, Warren Tsai, Jay Munsterman

Mobile Guidance v1.0

Security Guidance for Critical Areas of Mobile Computing
Published Nov. 2012

• Mobile Computing Definition
• Threats to Mobile Computing
• Maturity of the Mobile Landscape
• BYOD Policies
• Mobile Authentication
• App Stores
• Mobile Device Management

Mobile Guidance Defined

• Authentication
• Apps
• MDM
• BYOD

THREATS AND MATURITY

Top Mobile Threats – Evil 8

1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured Wi-Fi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs (includes personas).
8. NFC and proximity-based hacking.

Maturity

…there’s room for improvement

• 78% Have Mobile Policy
• 86% Allow BYOD
• 47% Utilize MDM
• 36% Have App Restriction
• 41% Have Security Controls

BYOD

Jay Munsterman

BYOD Charter

Analyze new challenges of:
• Policy
• Privacy
• Device and Data Segmentation

Delivered Policy Guidance for v1 Guidance

Next Steps for BYOD

• Need more team members!! Help us out!
• Conference call late March
• Decide on next steps, consider:
    • Policy Templates
    • Policy Examples
    • Evaluation of emerging containerization options

MDM

David Lingenfelter

MDM Opportunities

• Increase security and compliance enforcement
• Reduce the cost of supporting mobile assets
• Enhance application and performance management
• Ensure better business continuity
• Increase productivity and employee satisfaction

Beyond Simple MDM

MOBILE AUTHENTICATION

Mark Cunningham

Mobile Authentication Guidance

• Ease of Use
• Future Authentication Technologies

APP STORES SECURITY

What you download may be compromised!

James Hunter

State of the App Market

• Apple and Google control 80% of the App Market
• By the end of 2013 an estimated 50 Billion downloads
• There are over 1 million different Apps

This summary does not consider Amazon and Samsung, corporate sites offering downloads of their own flavor of Apps, Developers of all sizes, or App Distributors.

We have a chaotic marketplace that depends on the participants' "best efforts" to ensure the privacy and security of the end user, as well as that of others (the companies that employ them, and even the ones they visit and whose WiFi service they use).

What are the areas of concern?

• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, malware, etc.?
• Will this be an issue with BYOD?

The status of the working group?

• Initial draft of the policy guideline submitted in late October-early November 2012, for Orlando.
• November 2012 decision made to develop a stand-alone document.
• December 2012 received updated peer review info from J. Yeoh.
• January 2013 started efforts to recruit more volunteers for App Store Security working group?
• February 2013 re-started efforts to make contact with App Store Management at Microsoft.

The status of the working group?

• March 2013 start update of draft guideline to a stand-alone document.
• March 2013 continue efforts to recruit several volunteers to work on the stand-alone document.
• March 2013 request CSA Global support for contacts with Apple, Google, Amazon, Samsung Appstore contacts.
• April-June 2013 pursue App Store management contacts, involvement and support.

App Store Security Initiative

Thanks to the following individuals:

John Yeoh, Research Analyst, Global CSA

Authors/Contributors
Group Lead: James Hunter, Net Effects Inc.

Peer Reviewers
Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact

Co Chair, Mobile Security: Cesare Garlati, Trend Micro

MOBILE 2013

Moving at the speed of mobile!

Where do we go from here?

• Charter review
• Cooperation Between Working Groups
• New Mobile Controls In CCM
• Maturity questionnaire v2.0
• Top Threats Review
• Stand Alone App Store Document
• Stand Alone Authentication Document
• New Section On Data Protection

Mobile Working Group Charter

• Securing public and private application stores
• Analysis of mobile security features of key mobile operating systems
• Mobile device management, provisioning, policy, and data management
• Guidelines for the mobile device security framework
• Scalable authentication for mobile
• Best practices for secure mobile application
• Identification of primary risks related to BYOD – Bring Your Own Device
• Solutions for resolving multiple usage roles related to BYOD

Chapter Cooperation

• Information sharing across working groups
• Already working with CCM
• More guidance and input from Corporate, GRC and SME
• Timeframes/Deadlines/Review Periods

Reference Materials

Create more material people will want to use to develop their mobile business plans

• Baseline Controls
• Policy Templates
• App Security Guidelines
• Threats and Risks

CSA 2013 Events

• BlackHat (July 27-Aug 1)
• EMEA Congress (September)
• ASIAPAC Events (Congress, May 14-17)
• CSA Congress Orlando (November)

https://cloudsecurityalliance.org/events/

THANK YOU

• Chapter meetings every other Thursday @ 9:00am PST
• LinkedIn: Cloud Security Alliance: Mobile Working Group
• Basecamp