Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
5 Steps to Mobile Risk Management
1. MOBILE SECURITY:
5 STEPS TO MOBILE
RISK MANAGEMENT
Nearly 80 percent of American investors say they aren’t likely to invest in companies that have
suffered multiple cyber attacks1. Analysts estimate that data breaches cost large enterprises an
average of $5.4 million per breach2 and can erode brand value by hundreds of millions of dollars3.
As data breaches have damaged business performance and company valuations, data security
concerns have broken out of the CIO’s office and into the boardroom, where CEOs are being
challenged to explain what they’re doing to ensure that vital revenue streams and shareholder
value are being safeguarded.
As the business stakes have been raised, the explosive growth in mobile devices has multiplied the
threat. Nearly 40% of organizations in another recent study had data breaches resulting from lost
or stolen mobile devices, including tablet computers, smartphones and USB drives that contained
confidential or sensitive data4.
So what does a company need to do to manage the risk of data loss through mobile devices? This
white paper outlines a rational, risk-based approach to data protection that’s designed particularly
for the new world of mobile devices.
1
Zogby Analytics/HBGary Feb 25, 2013
Ponemon Institute 2013 Cost of Data Breach Study
3
Ponemon Institute October 2011
4
Ponemon Institute 2011 Cost of Data Breach Study
2
DMI WHITE PAPER
1
2. Mobile Security: 5 Steps to Mobile Risk Management
Historically, when new business process-changing technologies become available, e.g. Email, Web
Services, Laptops, Wifi, Cloud Services, and now ubiquitous and heterogeneous Mobile Devices,
the focus is on figuring out how to use and manage the technology. Worrying about securing
it comes later. Then a familiar pattern is often repeated: a period of time is spent admiring the
security problem; eventually a myriad of disparate “bolt on” point security solutions are developed;
then finally security is integrated into the technology.
Right now, Mobile technologies are somewhere between admiring the problem, and bolting on
solutions. Mobile security vendors are in a rush to launch new products. Dozens of new point
solutions are flooding the market, and enterprises are challenged to determine what they need,
and how to integrate them into their infrastructure.
The problem is that there is little discussion of what the business requirements for security actually
are. Mobile Security is not just one thing. There are multifaceted threats and risks that need to
be managed. These include secure identity and access control; data protection and content
management; application management and security; malware protection; digital forensics, secure
transport, monitoring and reporting, policy enforcement and device management. Each of these
plays a critical part in managing risk, because no organization has the same risk profile. Balancing
which to prioritize, and how much to implement takes expertise.
Mobile Security Landscape
Secure Identity
Users
Access Control
Privacy Controls
Data & Content
Data Protection
Content Management
Application Management
Apps
Application Security
Malware Protection
Networks
Digital Forensics
Secure Transport
Monitoring/Reporting
Devices
Policy Enforcement
Device Management
DMI WHITE PAPER
2
3. Mobile Security: 5 Steps to Mobile Risk Management
A Risk-Based Approach
The key to real security is taking a risk-based approach. This means developing a set of practical
business and security requirements that point the way to the technologies and policies that
eliminate the most risk without unduly impacting usability and needed business functionality. This
avoids the common backwards approach: buying a technology based on feature set, then figuring
out how to integrate it into the business process.
Establishing business security requirements involves answering the question, “secure from what?”
Almost every organization will have a different answer. There will certainly be standard risk-based
approaches and security features that apply across the board. But the priority of controls, the way
they are implemented, and the way they are managed will be unique to each organization.
The Twenty Critical Security Controls, developed by the SANS Institute, have helped many large
enterprises and government agencies begin to transform security by focusing their spending on the
key controls that block attacks that have the greatest overall impact on security. Several of these
Critical Security Controls apply just as well to mobile devices as to traditional computers:
Asset and configuration management
Strong authentication and identity management
Protection of sensitive data at rest and in transit
Protection against Lost/stolen/decommissioned devices
Protection from malware from email or web
Device-specific Operating System vulnerabilities
Connecting to insecure/rogue wifi
Protection and management of web and email traffic
The organization’s unique business requirements will determine where to start and how to build.
For companies with intellectual property to protect, encryption will be a high priority; organizations
that field many mobile apps might need to focus on application security; companies where users
need to access internal applications might require strong identity management. Many tools are
available for each area. Selecting the right one depends on an organization’s unique environment
and requirements. To help define requirements and determine the best approach, DMI
recommends a Five Step Mobile Risk Management Process.
DMI WHITE PAPER
3
4. Mobile Security: 5 Steps to Mobile Risk Management
5 Step Process for Mobile Risk Management:
1
Understand how employees want to use Mobile Devices and Applications
2
Identify potential threats
3
Define the impact to the business based on probable threat scenarios
4
Develop policies and procedures to protect the business to an acceptable level
Implement manageable procedural and technical controls, and monitor their effectiveness
5
Step 1: Understand User Requirements
This may vary by industry, business needs or organizational culture, but a typical list of user
requirements for a personal mobile device is likely to include:
Access to enterprise applications (email, calendar, contacts, business applications,
Sharepoint servers, etc)
Ability to make both personal and professional calls
Privacy for personal employee activities, data, photos, emails, texts, and applications
(i.e., no corporate collecting, monitoring, or tracking)
Prohibition of organizational backup or wipe of personal data
Step 2: Identify Potential Threats
Some common threats introduced or exacerbated by mobile devices are listed below. Like user
requirements, threats that are relevant to any given organization will vary depending on industry,
corporate culture, and current security program and architecture implementation.
Corporate loss of control of data on device (lost/stolen/decommissioned/employment
separation)
Compromise of user credentials (malicious applications, insecure applications or operating
systems, credentials passed in clear over public networks, phishing web sites)
Unauthorized access to sensitive data (data passed over network in clear, data stored
unencrypted on device, data backed up to uncontrolled system)
Devices (intentionally or unintentionally) used as recording devices (phone, or camera on
during meetings, pictures or video of sensitive information)
DMI WHITE PAPER
4
5. Mobile Security: 5 Steps to Mobile Risk Management
Step 3: Define the impact to the business based on probable
threat scenarios
Business risk is about loss of Confidentiality, Integrity, or Availability (CIA). Each kind of loss is
associated with a different level of business impact. And the approaches to monitoring and
protecting against each type of loss are different. An adversary might use a spear phishing email
to compromise an endpoint to steal user credentials to access a database to exfiltrate data (loss of
Confidentiality). Or, they could corrupt (loss of Integrity) or delete (loss of Availability) that data.
One problem with traditional risk modeling is that it often sets a “value” for an asset based
on a simple measurement, such as the cost of a lost device. But business impact value is more
complicated--value of data, of business process, of loss of future revenue, etc. must all be
considered. And the impact of a loss may even vary depending on how the asset is lost. For a given
set of data, loss of Confidentiality (trade secrets fall into the hands of a competitor) might have a
greater business impact than loss of Availability, or Integrity (the same data is deleted or corrupted).
Standards need to be created that call out different levels of impact and different controls for each
of these three (CIA) risks. More important, the likelihood and impact of a security event need to be
factored in to achieve better prioritization. A whole paper could be written about vulnerabilities in
mobile operating systems, applications, or ActiveSync. But risk management is about playing to the
rule and not the exception. A rational approach addresses the more likely and costly threats before
getting to the more esoteric.
Loss of a device is very common—for most organizations, it’s likely to be a high priority for risk
management. What about a hacker in a coffee shop sniffing WiFi traffic and pulling data or
credentials off the air? This is where it’s necessary to think about unique business characteristics
and how they influence risk: does your company manage a lot of intellectual property? Are there
significant regulatory requirements for how to protect and control data? Do you have a diverse
workforce distributed around the country, or around the globe with different privacy laws? Do
your users only access email, or do you have critical business applications running on your mobile
devices, or do you collect critical business data on them? These are the kinds of questions that
need to be answered, and risks factored for each.
A security program built around the threats that get the most “press” is likely to be both costly and
ineffective. Successful programs address the risks that carry the greatest business impact and that
are most likely to occur--like expecting that users will lose mobile devices.
DMI WHITE PAPER
5
6. Mobile Security: 5 Steps to Mobile Risk Management
Step 4: Develop policies and procedures to protect the business to an
acceptable level
Mobile security can be complicated. If the organization owns the mobile endpoints, the same
security controls and policy processes can be applied as are being used to protect laptops:
Require good passwords
Encrypt the data
Antivirus (only effective on Android)
Educate users about phishing emails that ask for credentials
Educate users about application risks, don’t allow apps over public wifi
Keep phones out of meetings when talking about proprietary information
But BYOD introduces significant privacy issues. Employees might need to sign off on a policy that
authorizes forensics testing on their device. Implementation becomes more complex because it
may require separation for work email, calendar, contacts, phone, and documents from personal
data. A policy should include:
Maintenance and management of a list of devices (linked to users) that are authorized to
access company resources
Tracking of devices and users accessing company resources at any given time
Restricted access from devices with insufficient protection against compromise to data or
user credentials
Controlled access to data, applications, and resources based policies such as data
classification, user, device, network, or location
Secured company data, at rest (at server and locally), and in transit (across mobile network
or wifi)
Protection of devices from unauthorized access or malicious code
Maintenance of user privacy (email, texts, contacts, voicemails, applications, etc)
Regular security evaluation of all business applications to identify data leakage or unnecessary
access to device resources (e.g., camera, contacts list, call history, etc)
Removal of corporate data from personal devices in case of loss, theft, or separation
from employment
An additional item that might require discussion with HR or legal: Geo-location (do you need to
know where your employees are?) This might have privacy implications whether company owned
or BYOD.
DMI WHITE PAPER
6
7. Mobile Security: 5 Steps to Mobile Risk Management
Step 5: Implement manageable procedural and technical controls, and
monitor their effectiveness
Once requirements have been established to mitigate the potential risks to the business it’s
possible to estimate the size, scale, complexity, and budget for implementation. It might be that
having better visibility of what devices are connected and insuring that they are encrypted is
enough. A lot can be done with ActiveSync, which doesn’t cost anything. An MDM platform offers
more control. Container, wrapper, or secure virtualization might be necessary to meet some security
requirements. Requirements drive a progression from simple and inexpensive to more complex and
costly as illustrated below.
Where risk management comes in is identifying what sequence these would be implemented,
based on needs of the business, and priorities for protection.
The bottom line is that it takes a rational plan, and an understanding of available technologies.
The number of mobile security technology tool companies is growing weekly. First MDMs,
then containers, then application wrappers to give more granular control; then encryption tools,
and strong authentication tools; application management tools, and even handsets with secure
virtualization. Today, many enterprises struggle to to achieve application security – this is true
both of commercial apps and custom apps. How to manage secure connectivity to mobile devices;
how to secure the data contained in the apps; how to maintain app security by seamlessly pushing
DMI WHITE PAPER
7
8. Mobile Security: 5 Steps to Mobile Risk Management
updates and patches to user devices… these have all become major concerns. And each layer of
concern brings more cost and complexity. As enterprises are challenged to determine what tools
are needed and how to integrate them, the key is to keep coming back to the question of which
risks are the most impactful to the business. These are the areas that must be secured first.
Deciding what level to achieve is the first step. Then research or assistance may be needed to
understand all these tools and how they work together, how they integrate, and what benefits
they bring. Finally, it’s necessary to set up a monitoring and management structure to maintain
this posture going forward. Some organizations may choose to handle mobile security internally,
others may outsource to specialists. Either way, it’s important to set the balance, applying the
security that’s necessary without over spending on trying to cover everything. It takes a risk-based
approach to prioritize organizational needs and develop a security architecture and process
to match.
The DMI Security Services Approach
DMI has developed a comprehensive security service that effectively manages the risks that mobile
devices bring to the Enterprise. We take a Risk-Based Approach--putting priority on the risks that
carry the greatest business impact; and combine it with a unique security foundation, tailored to
meet each client’s specific needs.
Then we address the whole life cycle by repeatedly applying our 5-Step Process.
Through the entire process, our focus is on defining and matching customer requirements to
protect from the threats that are most relevant to each individual organization today, while
engaging in ongoing monitoring to identify and eliminate the threats of tomorrow.
DMI WHITE PAPER
8