Mobile Security for the Enterprise: Considerations For A Robust Strategy
Will Adams, Software Architect, Fiserv, Inc. (@RemoteArchitect)
Agenda
• Questions that need to be asked
• Defining a security strategy
• Risks and threats
• Authentication & Authorization
• Protecting data
• Securing communications
• Application security
• Managing devices
• Enterprise Mobility Management
• Demo
• Resources
Questions that need to be asked
• What problems are we trying to solve?
• How do we identify users?
• How do we manage what users can do?
• How do we protect our data?
• How do we enforce secure communications?
• How do we secure our apps?
• How do we manage devices?
• What are the risks and threats?
• How do we solve these problems and deliver a mobile solution to our enterprise while mitigating the risks and threats?
Defining a security strategy
• Determine usage scenario(s) – corporate-owned devices (COD) and/or bring your own device (BYOD)
• BYOD gives the enterprise the least control over the hardware, OS and installed software
• Pick one model where you can; supporting both at once is harder to manage and to keep consistent
• Create policies to manage mobile security in the enterprise. For example:
• Set mandatory passcodes
• No rooted or jailbroken devices
• Disable copy-and-paste of business data
• Don’t store sensitive data on the device
• Always require VPN
• Wrap custom apps in a secure container
At the Device – Mobile Device Management and Security
• Enroll – Register owner and services
• Configure – Set appropriate security policies
• Monitor – Ensure device compliance
• Reconfigure – Add new policies over-the-air
• De-provision – Remove services and wipe
On the Network – Mobile Network Management and Security
• Authenticate – Properly identify mobile users
• Encrypt – Secure network connectivity
• Monitor – Log network access and events
• Control – Allow or deny access to apps
• Block – Identify and stop mobile threats
For the mobile app – Mobile Application Management and Security
• Develop – Utilize secure coding practices
• Test – Identify application vulnerabilities
• Monitor – Correlate unauthorized activity
• Protect – Defend against app attacks
• Update – Patch old or vulnerable apps
Capability areas
• Mobile Device Management – Device wipe and lockdown; Password management; Configuration policy; Compliance
• Mobile Network Protection – Secure communications (VPN)
• Mobile Identity & Access Management – Identity management; Authorize and authenticate; Certificate management; Multi-factor
• Mobile Threat Management – Antimalware; Antispyware; Antispam; Firewall/IPS; Web filtering; Web reputation
• Mobile Information Protection – Data encryption (device, file and app); Mobile data loss prevention
• Mobile App Development & Management – Scanning; Authenticity testing; Update enforcement; Remote disable
Risks & Threats
• OWASP sums it up pretty well in their Mobile Top 10 list¹:
• M1 – Improper Platform Usage
• M2 – Insecure Data Storage
• M3 – Insecure Communication
• M4 – Insecure Authentication
• M5 – Insufficient Cryptography
• M6 – Insecure Authorization
• M7 – Client Code Quality
• M8 – Code Tampering
• M9 – Reverse Engineering
• M10 – Extraneous Functionality
¹ OWASP Mobile Top 10, Release Candidate for 2016
Authentication
• Two-factor authentication (TFA) combines two different kinds of factor:
• What you know – e.g. a password or PIN (a user name identifies the user but does not authenticate them)
• What you have – e.g. a registered physical device, hardware token or client certificate
• Multi-factor authentication (MFA) – two or more distinct factors; TFA is the common case, and the third category is:
• What you are – biometrics such as fingerprint, face or voice
• Use claims or certificate-based authentication
• Enforce a strong password policy
• Lockout after several invalid attempts
• Delay between unsuccessful attempts
• Password strength
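The lockout and delay bullets above describe a policy rather than code, so here is one way to implement them, as an added example that is not from the deck. It uses only the Python standard library; the thresholds (5 failures, 15-minute lockout, delays doubling from 1 s) and the PBKDF2 cost are assumed values to be set by your own standard, and the clock is injected so the policy can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time

# Policy knobs for this example (assumed values; set them to your own standard).
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60     # how long a locked account rejects every attempt
BASE_DELAY_SECONDS = 1        # wait after the first failure; doubles with each failure
PBKDF2_ROUNDS = 100_000       # password hashing cost


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); store both, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.failed = 0             # consecutive failures since the last success
        self.locked_until = 0.0     # clock time at which a lockout ends
        self.not_before = 0.0       # clock time before which attempts are refused


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the policy can be tested without sleeping
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = Account(password)

    def login(self, username, password):
        """Return (success, reason). Reasons: ok, invalid credentials, too soon, locked."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost for unknown users so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False, "invalid credentials"
        if now < acct.locked_until:
            return False, "locked"
        if now < acct.not_before:
            return False, "too soon"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed = 0
            acct.not_before = 0.0
            return True, "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.failed = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return False, "locked"
        # Progressive delay: 1 s, 2 s, 4 s, ... between unsuccessful attempts.
        acct.not_before = now + BASE_DELAY_SECONDS * (2 ** (acct.failed - 1))
        return False, "invalid credentials"


def simulate():
    """Drive the policy with a fake clock and return the sequence of reasons produced."""
    t = [0.0]
    auth = Authenticator(clock=lambda: t[0])
    auth.register("alice", "correct horse battery staple")
    reasons = []
    reasons.append(auth.login("alice", "wrong")[1])                          # 1st failure
    reasons.append(auth.login("alice", "correct horse battery staple")[1])   # refused: too soon
    for now in (2.0, 10.0, 20.0, 40.0):                                      # failures 2..5
        t[0] = now
        reasons.append(auth.login("alice", "wrong")[1])
    t[0] = 41.0
    reasons.append(auth.login("alice", "correct horse battery staple")[1])   # locked out
    t[0] = 41.0 + LOCKOUT_SECONDS
    reasons.append(auth.login("alice", "correct horse battery staple")[1])   # lockout expired
    return reasons
```

Note that the lockout also rejects the correct password while it is in force; that is the point of the control, and it is why a lockout should be time-limited rather than permanent, or an attacker can deny service to any user name they know.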
Authentication
• Consider Single Sign On
• Most MDM vendors offer this capability, or…
• You can roll your own on OAuth 2.0 – take a look at Ping Identity’s native-app SSO (NAPPS) dev guide: https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
Authorization
• Should be part of a company-wide strategy
• Should tie access rights to the content itself, not only to the app that opens it
• Look at Digital Rights Management (DRM) systems like
• Azure Rights Management - https://technet.microsoft.com/en-us/library/jj585026.aspx
• Can sync with on-premises Active Directory
• Adobe LiveCycle Policy Server
Protecting Data
• At rest
• iOS – small secrets (keys, tokens) in the Keychain; larger amounts of data can leverage Apple’s File Protection classes or an encrypted database such as SQLCipher
• Android – internal storage (per app) or a custom content provider (app to app), with keys held in the Android Keystore
• Encrypt your data, but balance key management (where the key lives, what unlocks it) against a good user experience
• In transit
• Use cipher suites with Perfect Forward Secrecy (PFS), i.e. ephemeral Diffie-Hellman key exchange, so a later compromise of the server’s private key does not expose recorded TLS sessions
• Use VPN
• Ex: Microsoft Intune can deploy VPN profiles to specific mobile OSes
• App wrappers provide encryption for data at rest and in transit
• EMM vendors provide app wrapping capability
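The “balance key management against user experience” point is easiest to see in code. The following added example (not from the deck, and stdlib-only so it runs anywhere) keeps a random 32-byte data-encryption key (DEK) wrapped under the user’s short passcode: unlocking costs one scrypt run, and changing the passcode re-wraps only the DEK, so the data encrypted under it is never rewritten. The wrap is a single-use scrypt-derived pad plus HMAC-SHA256; on a real device you would hand the DEK to the platform keystore or Secure Enclave and use AES-GCM or AES key wrap, and the scrypt cost parameters here are assumed values.

```python
import hashlib
import hmac
import os

# scrypt cost for an interactive unlock (assumed values; raise them as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def _derive(passcode, salt):
    """Derive 64 bytes from the passcode: 32 bytes of one-time pad for the DEK and
    32 bytes of HMAC key. A fresh salt per wrap keeps the pad single-use."""
    block = hashlib.scrypt(passcode.encode("utf-8"), salt=salt,
                           n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=2 * KEY_LEN)
    return block[:KEY_LEN], block[KEY_LEN:]


def wrap_dek(dek, passcode):
    """Return salt || wrapped DEK || HMAC-SHA256 tag (80 bytes)."""
    if len(dek) != KEY_LEN:
        raise ValueError("DEK must be 32 bytes")
    salt = os.urandom(SALT_LEN)
    pad, mac_key = _derive(passcode, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_dek(blob, passcode):
    """Return the DEK, or None if the passcode is wrong or the blob was modified."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    pad, mac_key = _derive(passcode, salt)
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # verify integrity before using the pad
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def change_passcode(blob, old_passcode, new_passcode):
    """Re-wrap the DEK under a new passcode; data encrypted with the DEK is untouched."""
    dek = unwrap_dek(blob, old_passcode)
    if dek is None:
        raise ValueError("old passcode rejected")
    return wrap_dek(dek, new_passcode)


def roundtrip():
    """Constructed scenario: wrap, unlock, rotate the passcode, reject tampering."""
    dek = os.urandom(KEY_LEN)
    blob = wrap_dek(dek, "2580")
    rotated = change_passcode(blob, "2580", "correct horse")
    tampered = blob[:SALT_LEN] + bytes([blob[SALT_LEN] ^ 0x01]) + blob[SALT_LEN + 1:]
    return {
        "unlock_ok": unwrap_dek(blob, "2580") == dek,
        "wrong_passcode_rejected": unwrap_dek(blob, "0000") is None,
        "rotated_ok": unwrap_dek(rotated, "correct horse") == dek,
        "old_passcode_dead": unwrap_dek(rotated, "2580") is None,
        "tamper_rejected": unwrap_dek(tampered, "2580") is None,
    }
```

The trade-off the slide mentions lives in `SCRYPT_N`: a cheap derivation gives a snappy unlock but makes a stolen wrapped key easier to brute-force offline, which is why a 4-digit PIN should only ever gate a key that the hardware also protects.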
Securing Communications
• At a solution level – use TLS 1.2 or later to encrypt and protect the data stream
• Example: for web-based apps and web views we can leverage the Strict-Transport-Security response header to enforce HTTPS; native HTTP clients do not honour it, so there the app itself must refuse plain HTTP
• At an OS level – encrypt traffic using VPN
• Best of both worlds – per app VPN
• Included with iOS 7+ for specific managed apps
• Third party apps like VyprVPN for Android
• Turn off radios that policy cannot secure, such as Bluetooth and open WiFi, when they are not needed
• Require a firewall app on the device
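Both sides of the “securing communications” slide can be checked from Python’s standard library, so here is an added example (not from the deck) that a mobile back end or test harness could use. The client context enforces the TLS 1.2 floor and forward-secret cipher suites the slides call for, `non_forward_secret_suites` audits any context for static-key suites, and the HSTS helpers build and grade a Strict-Transport-Security header. The one-year `max-age` floor is an assumed policy value.

```python
import ssl


def forward_secret_client_context():
    """Client-side TLS for the app's API calls: system CAs with hostname checking,
    TLS 1.2 as the floor, and only ephemeral-key (forward-secret) cipher suites."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2: ECDHE key exchange only. TLS 1.3 suites are always ephemeral and are
    # not affected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def legacy_client_context():
    """Contrast: a permissive client that still offers a static-RSA suite, so anyone
    who later obtains the server's private key can decrypt recorded sessions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384")
    return ctx


def non_forward_secret_suites(ctx):
    """Enabled pre-TLS-1.3 suites whose key exchange is not ephemeral (EC)DH."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"
            and not c["name"].startswith(("ECDHE-", "DHE-"))]


def hsts_header(max_age=31536000, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security value (RFC 6797); one year is the usual floor."""
    parts = ["max-age=%d" % int(max_age)]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def hsts_is_strong(value, min_age=31536000):
    """True if a received STS header pins HTTPS for at least min_age seconds."""
    directives = {}
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    try:
        return int(directives["max-age"]) >= min_age
    except (KeyError, ValueError):
        return False
```

Run `non_forward_secret_suites` against the context your HTTP library actually uses, not just the one you think it uses; a library that builds its own `SSLContext` will ignore the hardened one unless it is passed in explicitly.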
Application Security
• For BYOD, use a container app as a sandbox to protect company data
• Easy to deploy and isolates corporate data from the rest of the device
• Limitations: apps outside the container are unmanaged, and the container ties you to one vendor
• Use app wrapping feature from EMM providers
• Features:
• Encryption for data at rest and in transit
• Data loss prevention
• Geo-fencing
• Requires the unsigned app binary, since the wrapped app is re-signed
• Provides better UX and security than a generic container app
• Digitally sign and pen test all custom apps
Managing Devices
• Again, decide on whether you want to support COD or BYOD
• Avoid rooted or jailbroken devices at all costs! On-device detection can be bypassed, so back it with MDM compliance checks
• MDM vendors provide the most complete control
• Enables control of device features
• Allows wiping the device remotely
• Manages the deployment of apps and certificates
• Deploys profiles for email, WiFi, VPN, etc.
• Can use Exchange ActiveSync policies if not using MDM, but with limitations: it only manages what the mail client exposes
Enterprise Mobility Management
• Includes Mobile Device Management (MDM), Mobile Application Management (MAM), Mobile Email Management (MEM), profiles, app wrapping, etc.
• Exchange ActiveSync can provide bare-bones MDM but doesn’t manage the entire device. Best security solution for complete device management is to partner with a third-party vendor.
• Vendors include Good Technology, AirWatch and MobileIron
• Can get some level of MDM via the mobile OS
• iOS has configuration profiles, which can be built with the iPhone Configuration Utility (since replaced by Apple Configurator). They expose the same device-level restrictions that MDM providers use, but without over-the-air management or removal
• Android MDM is administered as a standalone app via the Device Administration API
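To make the “mandatory passcodes” policy from the strategy slide concrete, the following added example (not from the deck) builds the iOS Passcode payload as a configuration profile with Python’s `plistlib` and audits an arbitrary profile against that policy. The payload keys are those of Apple’s Passcode payload (`com.apple.mobiledevice.passwordpolicy`); the identifier prefix, display names and numeric thresholds are placeholders assumed for the example.

```python
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
ORG_PREFIX = "com.example.mobile"   # placeholder reverse-DNS prefix for this example


def passcode_payload(min_length=8, max_failed_attempts=10, max_inactivity_minutes=5,
                     max_age_days=90, history=5):
    """A Passcode payload implementing the deck's 'mandatory passcodes' policy."""
    return {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX + ".passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                           # a passcode is mandatory
        "allowSimple": False,                       # no 1111 / 1234 style passcodes
        "requireAlphanumeric": True,
        "minLength": min_length,
        "maxFailedAttempts": max_failed_attempts,   # device wipes once this is exceeded
        "maxInactivity": max_inactivity_minutes,    # auto-lock after this many minutes
        "maxPINAgeInDays": max_age_days,
        "pinHistory": history,                      # reuse of the last N passcodes refused
    }


def build_profile(payloads, name="Corporate mobile policy"):
    """Wrap payloads in a top-level Configuration profile and serialise it as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, min_length=6):
    """Return findings where a profile falls short of the policy on the slides.
    Missing keys are treated as weak, since the device then applies its defaults."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode payload: passcodes are not mandatory"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN is not set: passcode is optional")
        if p.get("allowSimple", True):
            findings.append("allowSimple: repeating or sequential passcodes permitted")
        if p.get("minLength", 0) < min_length:
            findings.append("minLength below %d" % min_length)
        if "maxFailedAttempts" not in p:
            findings.append("no maxFailedAttempts: unlimited guesses at the lock screen")
    return findings


def weak_payload():
    """Constructed counter-example: the same payload with the protections relaxed."""
    p = passcode_payload()
    p["allowSimple"] = True
    p["minLength"] = 4
    del p["maxFailedAttempts"]
    return p
```

A profile produced this way is only the policy document; it still has to be signed and delivered through MDM (or installed with Apple Configurator) before the device enforces it, and a user can remove a manually installed profile, which is the gap MDM closes.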
Enterprise Mobility Management
• EMM vendors provide a number of advantages over other methods:
• Provide SaaS or on-premise deployments for central management
• Vendors use services like Appthority for verifying the reputation of third-party apps
• Provisioning corporate settings, credentials and apps
• Complying with legal requirements
• The typical user and device enrollment process:
• Creating a new user in the administration console including name and email address
• Generating an email invitation to the user created in the prior step with temporary access credentials and instructions to install the MDM provider’s host application
• Installing the MDM provider’s host application on the device then following the steps to register the device with the vendor
• In the administrative console, verifying the user’s device was registered
And Don’t Forget…
• Users and organizational policies also help with security
• Establish policies to protect against theft, loss, etc.
• Educate users about the risks
Demo
• Using Microsoft Intune
Resources
• Books
• The Mobile Application Hacker’s Handbook by Dominic Chell, et al
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html
• Mobile Device Security for Dummies by Rich Campagna, et al
http://www.dummies.com/store/product/Mobile-Device-Security-For-Dummies.productCd-0470927534,navId-322496.html
• Enterprise Mobility Management by Jack Madden
http://www.amazon.com/Enterprise-Mobility-Management-Everything-Edition-ebook/dp/B00DK2GHHA
• Mobile Strategy How Your Company Can Win by Embracing Mobile Technologies by Dirk Nicol
http://www.ibmpressbooks.com/store/mobile-strategy-how-your-company-can-win-by-embracing-9780133094961
Resources
• PluralSight Course
• Enterprise Strength Mobile Device Security - https://app.pluralsight.com/library/courses/enterprise-strength-mobile-device-security/table-of-contents
• Websites
• Mobile Security Wiki - https://mobilesecuritywiki.com/
• OWASP Mobile Security Project - https://www.owasp.org/index.php/OWASP_Mobile_Security_Project