An overview of the security and privacy implications and risks resulting from the wider adoption of mobile devices, apps, cloud and the resultant changes to customer interaction and business processes
2. Introductions

01/05/2013

Piers Wilson
Head of Product Management
Director of IISP
Previously senior manager in Cyber Security practice at PricewaterhouseCoopers

Tier-3 Huntsman® at Infosec
• SIEM / Event correlation / “Big data” analytics
• Behaviour Anomaly Detection (BAD 2.0)
• Governance, Risk, Compliance
• Cloud/multi-tenancy support
Stand K31
3. Agenda and scope

• What this talk is about…
  – Identifying the information on users/activity that has relevance for security and anti-fraud purposes
  – Security and fraud consequences of the wider business adoption of mobile applications
  – Privacy and security versus business interest and usefulness
• What this talk is not about…
  – Mobile device management
  – Mobile application security
• 79% of the UK population use the internet anywhere, on any device (Ofcom, 2012)
• 11% of businesses report all marketing activities are truly integrated across online and offline channels (Affilinet, 2011)
• Four out of five US smartphone owners use the phone to help with shopping (Google/Ipsos, 2011)
• Demand for security information and event management tools will grow to more than $1 billion worldwide by 2015 (Frost & Sullivan, 2011)
• "There is no substitute for knowledge.” W. Edwards Deming
• “Before undertaking monitoring, identify clearly the purpose(s) behind the monitoring and the specific benefits it is likely to bring” ICO BYOD Guidance, 2013
4. Background

• App “ecosystems”, consumerisation and "bring your own device" are here
• Users / Customers increasingly expect to access systems via apps / personal devices
• Imminent explosion in mobile payments
• Opportunity to collect, process and understand considerably more data
  – Internal logs, external sources, user transactions, staff movements, habits, locations, activities, wider contexts, proximity
5. However…

Two big questions
1. Can organisations identify, collect and effectively analyse the data available to them?
2. What are the privacy and security implications of collecting data and using it in this way?
6. Business intelligence origins

• Most businesses are comfortable with:
  – Collecting security log and event information from systems (traditional SIEM technologies)
  – Monitoring staff use, system activity and network traffic for threat identification
  – Gathering payment and transaction information for fraud detection and risk management (FMS)
  – Profiling customer activity through online accounts and loyalty schemes
  – Credit checking and the concept of risk scoring
7. What does mobility mean for security and fraud?

Richer Data
• Location and activity information for employees/contractors/customers becomes more available and more useful
• Monitoring of browsing and buying habits can be device and location aware
  – Richer than just web-site analytics for tracking customers
  – Location, proximity to outlets and real-world marketing, and locations of neighbours/competitors
• Loyalty systems expand beyond what I buy (or what I might like) or where I shop (special offers) to being more focussed
• We’ll see interest in greater security and fraud insights, coupled with customer profiling and new flavours of data – “big data”

Financial Drivers
• Interfaces between systems to detect security incidents, events and fraud will become more prevalent in the mobile space
• Some intelligence will move from the back-end to nearer the client end
  – What you can’t do in a web page you may be able to do within an app
• Mobile payments will mean real money flowing between real devices and/or terminals
• Real-world financial activity, coupled with online logging and monitoring and the ability to track location, becomes real time
  – Who gets the mobile payment?
  – Where are the logs?
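One concrete form of the “real-world financial activity coupled with location becomes real time” point is a velocity (impossible-travel) check: if two payments from the same device imply a speed no physical device can reach, the second one deserves a challenge. The following is an added example, not code from the talk or from the Huntsman product; the CSV log layout, the field names, the 900 km/h threshold and the sample events are all constructed for illustration.

```python
"""Impossible-travel check over mobile payment events.

Added example, not from the original talk: the log layout, field names
and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Iterator

# Faster than any airliner: the same physical device cannot have moved this fast.
MAX_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class PaymentEvent:
    ts: datetime      # when the payment was authorised (UTC)
    device_id: str    # the mobile device that presented the payment
    user: str
    lat: float        # device-reported location at payment time
    lon: float
    amount: float
    merchant: str


# Constructed sample log (CSV): time,device,user,lat,lon,amount,merchant.
# The third line is a payment in New York 25 minutes after one in London.
SAMPLE_LOG = """\
2013-05-01T09:00:00Z,dev-a1,alice,51.5074,-0.1278,12.50,coffee-london
2013-05-01T09:40:00Z,dev-a1,alice,51.5155,-0.1419,38.00,books-london
2013-05-01T10:05:00Z,dev-a1,alice,40.7128,-74.0060,640.00,electronics-nyc
2013-05-01T11:00:00Z,dev-b7,bob,53.4808,-2.2426,5.20,bus-manchester
"""


def parse_log(text: str) -> Iterator[PaymentEvent]:
    """Parse the constructed CSV format; one PaymentEvent per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, user, lat, lon, amount, merchant = line.split(",")
        yield PaymentEvent(
            datetime.fromisoformat(ts.replace("Z", "+00:00")),
            dev, user, float(lat), float(lon), float(amount), merchant,
        )


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh: float = MAX_SPEED_KMH) -> list[dict]:
    """Flag consecutive payments from one device that imply a speed above the limit.

    Events are processed in time order per device; each alert records the
    pair of merchants, the distance and the implied speed.
    """
    last: dict[str, PaymentEvent] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.device_id)
        if prev is not None:
            dist_km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Two payments at the same instant from one device are only suspicious
            # if they are far apart; otherwise use the implied speed.
            speed = dist_km / hours if hours > 0 else (float("inf") if dist_km > 1.0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "device_id": ev.device_id, "user": ev.user,
                    "from": prev.merchant, "to": ev.merchant,
                    "distance_km": round(dist_km), "speed_kmh": round(speed),
                })
        last[ev.device_id] = ev
    return alerts


def scan_log(text: str) -> list[dict]:
    """Parse a log and return the impossible-travel alerts it contains."""
    return impossible_travel(parse_log(text))


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The check keys on the device rather than the user account on purpose: a legitimate user can hold two devices in two cities, but one device cannot be in both. On the sample log only the London-to-New-York pair is flagged; the two London payments 40 minutes apart imply walking pace. A production version would also answer the slide’s “where are the logs?” question, since the location field here is self-reported by the app and a compromised client can lie about it.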
8. What else does mobility mean for security and fraud?

New Applications
• Sector-specific applications with the ability to gather and analyse logs and data sets which “mean something”
  – Searching for meaning in security log data
  – Some uses will have business/customer benefits
  – Could become intrusive
• If we create data with more value, the business criticality and the impact of loss/theft/exposure will also increase
  – Driving security requirements
• Some obvious examples:
  – Motor insurance applications to derive risk information or to make post-claim decisions – to log accidents and/or track movement/speed/location/risk factors prior to a crash or robbery
  – Applications that turn on the heating when you are close to home

Personal / Lifestyle
• Personal and social aspects of mobility, security and data analysis
• In many cases there is (or will be) a social and a business interpretation of the gathered data
• Whose data is this?
  – Work/life balance (hours at office)
  – Health (exercise/food consumption)
  – Social interactions (associations/photos/“near me”)
  – Security systems based on proximity between users/devices/controls
  – Emergency situations/unrest and location/exposure
9. Don’t collect more than you need and then struggle to protect it

• Increasing contextual data being available to apps installed locally or to back-end systems
• Collection and analysis may be overt or could become part of the routine handling of activity and transactions
  – Hence less visible
  – What is a security log and what is a customer activity log?
• The collection and use “purposes” could get blurred … with implications for privacy and security
  – Data collected for fraud purposes could become useful for customer profiling and marketing
  – If you know “where I am”, you also know “where I am not” (at home, at work, at the gym); and maybe “who I’m with” or “what I’m doing”
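The practical answer to blurred purposes is to decide, at collection time, what each purpose is allowed to keep and to make the stored records unlinkable across purposes. The following is an added example, not code from the talk or from any product it mentions: it binds a collected location event to a purpose by deriving a per-purpose keyed pseudonym for the device, reducing location and time precision to what that purpose needs, and stamping a deletion date. The purpose names, the policy table, the keys and the raw event are constructed for illustration.

```python
"""Purpose-bound minimisation of mobile location events.

Added example, not from the original talk. The event layout, purpose
policies, keys and sample data are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# One secret per collection purpose, held only by that purpose's system
# (constructed values; in practice generated and kept in a KMS/HSM).
PURPOSE_KEYS = {
    "fraud": b"constructed-fraud-purpose-key-0001",
    "marketing": b"constructed-marketing-purpose-key-1",
}

# What each purpose may keep: location precision in decimal places of a degree
# (2 dp is roughly a 1 km cell; None means no coordinates at all), how far
# the timestamp is rounded, how long the record lives, and which other fields survive.
POLICY = {
    "fraud":     {"lat_lon_dp": 2, "time_round": "minute", "retain_days": 90,
                  "keep": {"amount", "merchant"}},
    "marketing": {"lat_lon_dp": None, "time_round": "day", "retain_days": 30,
                  "keep": {"merchant"}},
}


def pseudonym(purpose: str, device_id: str) -> str:
    """Keyed per-purpose pseudonym: stable within one purpose, unlinkable across purposes."""
    mac = hmac.new(PURPOSE_KEYS[purpose], device_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def coarsen_time(ts: datetime, unit: str) -> datetime:
    """Truncate a timestamp to the granularity a purpose is allowed."""
    if unit == "minute":
        return ts.replace(second=0, microsecond=0)
    if unit == "day":
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unknown time granularity: {unit}")


def minimise(event: dict, purpose: str) -> dict:
    """Produce the record a given purpose is allowed to store from a raw event."""
    pol = POLICY[purpose]
    ts = coarsen_time(event["ts"], pol["time_round"])
    rec = {
        "purpose": purpose,
        "subject": pseudonym(purpose, event["device_id"]),
        "ts": ts,
        "delete_after": ts + timedelta(days=pol["retain_days"]),
    }
    if pol["lat_lon_dp"] is not None:
        rec["lat"] = round(event["lat"], pol["lat_lon_dp"])
        rec["lon"] = round(event["lon"], pol["lat_lon_dp"])
    for field in pol["keep"]:
        rec[field] = event[field]
    return rec


def linkable(a: dict, b: dict) -> bool:
    """Can two stored records be joined on their subject identifier?"""
    return a["subject"] == b["subject"]


# Constructed raw event as an app back-end might receive it.
RAW_EVENT = {
    "ts": datetime(2013, 5, 1, 9, 41, 37, tzinfo=timezone.utc),
    "device_id": "IMEI-356938035643809",
    "lat": 51.515512, "lon": -0.141903,
    "amount": 38.00, "merchant": "books-london",
}


if __name__ == "__main__":
    for purpose in POLICY:
        print(minimise(RAW_EVENT, purpose))
```

The fraud store keeps a 1 km cell and a minute-level time, which is enough for the velocity checks fraud teams run, while the marketing store gets the merchant and the day but no coordinates and no amount. Because the pseudonym is an HMAC under a key the other purpose does not hold, a marketing analyst cannot join their records to the fraud log to recover “where I am not”, and a breach of one store does not expose the other’s view of the same device.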
10. Deciding what information to collect and why…

Security teams are used to drawing a balance between benefit and risk
• what data we collect and its value

Industry (more widely) is starting to invest in, and discover, the value of data analytics

In security the wider benefits of “big data” involve different parameters … more data means:
• Improved fraud detection capability
• Better customer profiling
• More context
• Richer user experience
AND
• Greater visibility around security threats, risks, attacks

[Diagram: Smarter data analytics / More useful data sources / More uses / Bigger audience]
11. … and then making sure we can protect it

Growth of security/customer/fraud/business data from the emerging mobile computing environment can:
• Challenge privacy obligations
• Exceed expectations from users/regulators
• Give security teams another (and higher impact) data set to protect

Organisations need to evolve their security stance - even simple “big data” examples could raise the risk levels much higher

Need consideration of:
• Balancing security, fraud, privacy and functionality within the mobile apps/facilities used by customers and staff
• Protecting the data that we collect – where privacy implications (to customers) or raw value (to us) are heightened

Organisations must ensure they have the right tools and approaches to gain the maximum value from the security, fraud, activity and location data
12. So what?

• The value of (all) data is increasing, partly driven by a more mobile and app-oriented environment
  … security logs, behaviour anomaly detection, cyber threat detection
  … businesses increasingly using data to drive efficiencies and customer intimacy through mobile channels
• We have to acknowledge these trends and ensure that we adequately protect business information where the privacy risk, exposure and value become more critical
• Clever security technologies can really help, especially where past controls become less applicable or effective in a more interconnected space