Mobile Security for the Enterprise: Considerations For A Robust Strategy

Will Adams, Software Architect, Fiserv, Inc. (@RemoteArchitect)


Page 1: Mobile Security for the Enterprise

Mobile Security for the Enterprise: Considerations For A Robust Strategy

Will Adams, Software Architect, Fiserv, Inc. (@RemoteArchitect)

Page 2: Mobile Security for the Enterprise

Agenda

• Questions that need to be asked

• Defining a security strategy

• Risks and threats

• Authentication & Authorization

• Protecting data

• Securing communications

• Application security

• Managing devices

• Enterprise Mobility Management

• Demo

• Resources

Page 3: Mobile Security for the Enterprise

Questions that need to be asked

• What problems are we trying to solve?

• How do we identify users?

• How do we manage what users can do?

• How do we protect our data?

• How do we enforce secure communications?

• How do we secure our apps?

• How do we manage devices?

• What are the risks and threats?

• How do we solve these problems and deliver a mobile solution to our enterprise while mitigating the risks and threats?

Page 4: Mobile Security for the Enterprise

Defining a security strategy

• Determine usage scenario(s) – corporate-owned devices (COD) and/or bring your own device (BYOD)

• Least control of hardware, OS and software with BYOD

• Don’t let users do both since it’s harder to support

• Create policies to manage mobile security in the enterprise. For example:

• Set mandatory passcodes

• No rooted or jailbroken devices

• Disable copy-and-paste of business data

• Don’t store sensitive data on the device

• Always require VPN

• Wrap custom apps in a secure container

Page 5: Mobile Security for the Enterprise

[Diagram: mobile security framework, reconstructed from the slide's text. It groups controls by where they apply: at the device, on the network, and for the mobile app.]

At the Device – Mobile Device Management and Security

• Enroll – register owner and services

• Configure – set appropriate security policies

• Monitor – ensure device compliance

• Reconfigure – add new policies over-the-air

• De-provision – remove services and wipe

• Mobile Device Management: device wipe and lockdown; password management; configuration policy compliance

• Mobile Information Protection: data encryption (device, file and app); mobile data loss prevention

On the Network – Mobile Network Management and Security

• Authenticate – properly identify mobile users

• Encrypt – secure network connectivity

• Monitor – log network access and events

• Control – allow or deny access to apps

• Block – identify and stop mobile threats

• Mobile Network Protection: secure communications (VPN)

• Mobile Identity & Access Management: identity management; authorize and authenticate; certificate management; multi-factor

• Mobile Threat Management: antimalware, antispyware, antispam, firewall/IPS, web filtering, web reputation

For the mobile app – Mobile Application Management and Security

• Develop – utilize secure coding practices

• Test – identify application vulnerabilities

• Monitor – correlate unauthorized activity

• Protect – defend against app attacks

• Update – patch old or vulnerable apps

• Mobile App Development & Management: scanning; authenticity testing; update enforcement; remote disable

Page 6: Mobile Security for the Enterprise

Risks & Threats

• OWASP [1] sums it up pretty well in their top 10 list:

• M1 – Improper Platform Usage

• M2 – Insecure Data Storage

• M3 – Insecure Communication

• M4 – Insecure Authentication

• M5 – Insufficient Cryptography

• M6 – Insecure Authorization

• M7 – Client Code Quality

• M8 – Code Tampering

• M9 – Reverse Engineering

• M10 – Extraneous Functionality

[1] Top 10 Release Candidate for 2016

Page 7: Mobile Security for the Enterprise

Authentication

• Two-factor authentication (TFA)

• What you know – e.g. user name, password

• What you have – e.g. physical device

• Multi-factor authentication (MFA) – Includes TFA plus:

• What you are – i.e. physical characteristics like thumbprint, face, voice

• Use claims or certificate-based authentication

• Enforce a strong password policy

• Lockout after several invalid attempts

• Delay between unsuccessful attempts

• Password strength
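The three password-policy controls above (lockout after several invalid attempts, a delay between unsuccessful attempts, and a strength check) as one server-side policy object. This is an added example, not code from the deck or from any vendor; the thresholds (5 failures, 15-minute lockout, a doubling 2-second delay, 12-character minimum with three character classes) are assumed policy values, and the `now` callable exists only so the clock can be controlled in tests.

```python
import re
import time
from dataclasses import dataclass

MAX_FAILURES = 5          # lockout threshold (assumed policy value)
LOCKOUT_SECONDS = 900     # 15-minute lockout (assumed)
BASE_DELAY_SECONDS = 2    # delay doubles with each failure (assumed)
MIN_PASSWORD_LENGTH = 12  # assumed


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time another attempt is accepted


def password_is_strong(pw: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(pw) < MIN_PASSWORD_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return sum(1 for c in classes if re.search(c, pw)) >= 3


class LoginThrottle:
    """Tracks failures per user and enforces delay and lockout."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock (hypothetical helper)
        self.accounts = {}

    def attempt(self, user: str, password_ok: bool) -> str:
        st = self.accounts.setdefault(user, AccountState())
        t = self.now()
        if t < st.locked_until:
            return "locked"         # reject even a correct password while locked
        if t < st.next_allowed:
            return "too_fast"       # inside the enforced delay window
        if password_ok:
            self.accounts[user] = AccountState()   # success resets counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = t + LOCKOUT_SECONDS
            return "locked"
        # progressive delay: 2s, 4s, 8s, 16s ... between failed attempts
        st.next_allowed = t + BASE_DELAY_SECONDS * 2 ** (st.failures - 1)
        return "denied"
```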

Page 8: Mobile Security for the Enterprise

Authentication

• Consider Single Sign On

• Most MDM vendors offer this capability, or…

• You can roll your own using OAuth – take a look at Ping Identity’s SSO dev guide: https://developer.pingidentity.com/en/resources/napps-native-app-sso.html

Page 9: Mobile Security for the Enterprise

Authorization

• Should be part of a company-wide strategy

• Should combine security features with content

• Look at Digital Rights Management (DRM) systems like

• Azure Rights Management - https://technet.microsoft.com/en-us/library/jj585026.aspx

• Can sync with AD on premise

• Adobe LiveCycle Policy Server

Page 10: Mobile Security for the Enterprise

Protecting Data

• At rest

• iOS – small amounts of data in the Keychain; larger amounts of data can leverage Apple’s File Protection mechanism or a third party container like SQLCipher

• Android – internal storage (per app) or custom content provider (app to app)

• Encrypt your data but strike a balance between key management and a good user experience

• In transit

• Use cipher suites that provide Perfect Forward Secrecy (PFS) for the SSL/TLS traffic

• Use VPN

• Ex: Microsoft Intune can deploy VPN profiles to specific mobile OSes

• App wrappers provide encryption for data at rest and in transit

• EMM vendors provide app wrapping capability

Page 11: Mobile Security for the Enterprise

Securing Communications

• At a solution level – use TLS 1.2 to encrypt and protect the data stream

• Example: for web-based apps we can leverage the Strict Transport Security header to enforce HTTPS

• At an OS level – encrypt traffic using VPN

• Best of both worlds – per app VPN

• Included with iOS 7+ for specific managed apps

• Third party apps like VyprVPN for Android

• Turn off non-securable networks like Bluetooth and WiFi

• Require a firewall app on the device
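The solution-level controls from this slide and the PFS point under Protecting Data, as an added example that is not code from the deck: a client TLS context pinned to TLS 1.2 or newer with only ECDHE (forward-secret) suites, plus a check that a web response carries a Strict-Transport-Security header strong enough to keep the app on HTTPS. The one-year minimum `max-age` and the `includeSubDomains` requirement are assumed policy values.

```python
import re
import ssl

MIN_HSTS_AGE = 31536000  # one year in seconds (assumed policy value)
_HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def client_tls_context() -> ssl.SSLContext:
    """TLS client context: certificate verification on, TLS 1.2 minimum,
    and only ECDHE key exchange so every session has forward secrecy."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list restricted to ephemeral ECDH; TLS 1.3 suites are
    # always forward-secret and are unaffected by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def all_suites_forward_secret(ctx: ssl.SSLContext) -> bool:
    """True if every suite the context can negotiate is ECDHE (TLS 1.2)
    or a TLS 1.3 suite (named TLS_*), i.e. no static RSA key exchange."""
    return all(c["name"].startswith(("ECDHE", "TLS_")) for c in ctx.get_ciphers())


def hsts_header(max_age: int = MIN_HSTS_AGE, include_subdomains: bool = True) -> tuple:
    """Header a web app should send so browsers refuse plain HTTP afterwards."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


def hsts_enforced(headers: dict) -> bool:
    """Check a response's headers (constructed dict, case-insensitive names)
    for an HSTS policy of at least one year that covers subdomains."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    m = _HSTS_MAX_AGE.search(value)
    return (bool(m) and int(m.group(1)) >= MIN_HSTS_AGE
            and "includesubdomains" in value.lower())
```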

Page 12: Mobile Security for the Enterprise

Application Security

• For BYOD, use a container app as a sandbox to protect company data

• Easy to install and very secure

• Limitations when using non-containerized apps; also requires tie-in to a specific vendor

• Use app wrapping feature from EMM providers

• Features:

• Encryption for data at rest and in transit

• Data loss prevention

• Geo-fencing

• Requires the unsigned app binaries

• Provides better UX and security

• Digitally sign and pen test all custom apps

Page 13: Mobile Security for the Enterprise

Managing Devices

• Again, decide on whether you want to support COD or BYOD

• Avoid rooted or jailbroken devices at all costs!

• MDM vendors provide the best security

• Enables control of device features

• Allows wiping the device remotely

• Manages the deployment of apps and certificates

• Deploys profiles for email, WiFi, VPN, etc.

• Can use Exchange ActiveSync if not using MDM, but there are limitations

Page 14: Mobile Security for the Enterprise

Enterprise Mobility Management

• Includes Mobile Device Management (MDM), Mobile Application Management (MAM), Mobile Email Management (MEM), profiles, app wrapping, etc.

• Exchange ActiveSync can provide bare-bones MDM but doesn’t manage the entire device. The best security solution for complete device management is to partner with a third-party vendor.

• Vendors include Good Technologies, AirWatch and MobileIron

• Can get some level of MDM via the mobile OS

• iOS has configuration profiles which can be managed with the iPhone Configuration Utility. This gives the same device-level functionality available to MDM providers

• Android MDM is administered as a standalone app via the Device Admin API

Page 15: Mobile Security for the Enterprise

Enterprise Mobility Management

• EMM vendors provide a number of advantages over other methods:

• SaaS or on-premise deployments for central management

• Use of services like Appthority to verify the reputation of third-party apps

• Provisioning of corporate settings, credentials and apps

• Compliance with legal requirements

• The typical user and device enrollment process:

• Creating a new user in the administration console including name and email address

• Generating an email invitation to the user created in the prior step with temporary access credentials and instructions to install the MDM provider’s host application

• Installing the MDM provider’s host application on the device then following the steps to register the device with the vendor

• In the administrative console, verifying the user’s device was registered

Page 16: Mobile Security for the Enterprise

And Don’t Forget…

• Users and organizational policies also help with security

• Establish policies to protect against theft, loss, etc.

• Educate users about the risks

Page 17: Mobile Security for the Enterprise

Demo

• Using Microsoft Intune

Page 18: Mobile Security for the Enterprise

Resources

• Books

• The Mobile Application Hacker’s Handbook by Dominic Chell, et al.

http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html

• Mobile Device Security for Dummies by Rich Campagna, et al.

http://www.dummies.com/store/product/Mobile-Device-Security-For-Dummies.productCd-0470927534,navId-322496.html

• Enterprise Mobility Management by Jack Madden

http://www.amazon.com/Enterprise-Mobility-Management-Everything-Edition-ebook/dp/B00DK2GHHA

• Mobile Strategy: How Your Company Can Win by Embracing Mobile Technologies by Dirk Nicol

http://www.ibmpressbooks.com/store/mobile-strategy-how-your-company-can-win-by-embracing-9780133094961

Page 19: Mobile Security for the Enterprise

Resources

• PluralSight Course

• Enterprise Strength Mobile Device Security - https://app.pluralsight.com/library/courses/enterprise-strength-mobile-device-security/table-of-contents

• Websites

• Mobile Security Wiki - https://mobilesecuritywiki.com/

• OWASP Mobile Security Project - https://www.owasp.org/index.php/OWASP_Mobile_Security_Project