2. Cloud, mobile and social media synergies increasingly exploited
Case study 1: Construction safety
Case study 2: The board room
PwC 2
3. About this talk
• Context and Emerging Trends
• Pain Points/Imperatives
• Response Framework
4. Context and Emerging Trends
What insights can we glean from emerging trends?
5. The Context
Mobile Device
Local/Proximity Context:
• Install/Access/Use Application
• Access/Store Data locally
• Exchange Information
• Use Location Based Services
Remote Context:
• Cloud (Applications, Data and Services): Access/Use Applications; Download/Upload Content; Conduct Mobile Commerce
• Social Media: Community Interactions
6. Japan’s social networking trends show importance of mobile – mobile page views = 85% vs. 14% 4.5 years ago
One of Japan’s leading social networks, monthly page views (MM), mobile vs. PC, CQ2:06–CQ4:10
[Chart: monthly page views, 0 to 30,000 MM, quarterly from 2Q06 to 4Q10, split into Mobile Page Views and Desktop Page Views; the mobile share rises from 14% to 85% over the period. Callout at CQ3:09: platform opened to 3rd-party developers.]
Source: Morgan Stanley Research
7. Strong mobile trends for leading social companies
Facebook: 200MM mobile active users vs. 50M in 9/09; mobile users are 2x more active than desktop-only users
Second company (logo not captured in the transcript): mobile = 50% of total active users vs. 25% Y/Y; mobile = 40% of all tweets
Introduction of a mobile product drove a 2x conversion ratio from free to paying subscribers; mobile users = 25–30% of total users in mature markets
Shazam: 100MM mobile users vs. 50MM Y/Y
Pandora: adding 3MM users per month; 50% of all users subscribe on mobile
Source: Kleiner Perkins: 2011 Top 10 Mobile Trends-Feb-2011
8. Convenience and ubiquity are driving mobility
Computing growth drivers over time, 1960–2020E
[Chart: log-scale axis of units (1 to 1,000,000) against years 1960–2020. Successive waves: Mainframe (1MM+ units), Minicomputer (10MM+ units), PC (100MM+ units), Desktop Internet (1B+ units/users), Mobile Internet (10B+ units???). The mobile wave is labelled “More than just phones”: iPad, smartphone, Kindle, tablet, MP3, cell phone/PDA, car electronics (GPS, ABS, A/V), mobile video, home entertainment, games, wireless home appliances.]
Note: PC installed base reached 100MM in 1993, cellphone/Internet users reached 1B in 2002/2005 respectively;
Source: ITU, Mark Lipacis, Morgan Stanley Research.
9. Mobile is shaping new behaviors
Average Time Spent on Various Mobile Functions, 1/11
[Pie chart of daily time per function: Web/Web Apps 40 minutes (47%); All Other (Maps, Games, Social Networking, Utilities, More) 27 minutes (32%); the remaining two slices, Telephony (Phone, Skype, Messages) and Mail App, are labelled 10 minutes (12%) and 7 minutes (9%). A callout marks the “All Other” group as New Activity.]
Source: AppsFire 1/11
11. Cloud computing: Many want better enforcement of provider security policies.
Four out of ten (41%) respondents say their organization uses cloud services – and 54% of those that do say the cloud has improved their information security. The greatest risks associated with cloud computing? An uncertain ability to enforce provider security policies and inadequate training and IT auditing are top concerns.
[Bar chart, axis 0%–40%, greatest security risk to the cloud computing strategy, in slide order: uncertain ability to enforce provider security policies; inadequate training and IT auditing; questionable privileged access control at provider site; proximity of data to someone else's; uncertain ability to recover data. Bar values shown: 32%, 19%, 15%, 11%, 9%.]
Question 41: “Does your organization currently use cloud services such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS)?”
Question 41c: “What impact has cloud computing had on your company’s information security?”
Question 41b: “What is the greatest security risk to your cloud computing strategy?” (Not all factors shown. Total does not add up to 100%.)
12. 88 percent of mobile professionals use social networks
14 percent have used cloud computing in the past year
Source: The Business Journals reveals the business habits of the rising number of SMB mobile professionals, 2011
13. In a cloud services environment, providers and consumers must address familiar security and risk challenges
Access control: control access to sensitive data; provision and deprovision user access; audit and report user access and data use
Business continuity: ensure the viability of the provider and contingency of the consumer’s services; provide business continuity and disaster recovery
Compliance: document and audit processes and procedures for data protection; maintain compliance with regulatory access
Data protection and segregation: implement a data classification scheme and processes for handling sensitive data; prevent unauthorized data exposure, loss or corruption; maintain data segregation in a multi-tenant environment; securely dispose of data no longer required
Events – incident response and investigation: detect and correct security events; cooperate during investigations and incident responses
14. Recap: Key trends at the Intersection
Business drivers
1. Mobile devices with advanced capabilities and fast network connectivity
2. User driven change
- Board room and senior executives driving usage
- Users demanding enhanced collaboration and productivity
3. Greater convenience
- Applications moving beyond email/contacts/calendars
- Rich content enables quick decisioning
Key trends
1. BYOD/approved corporate mobile devices
2. Compelling mobile applications
3. Identity as a Service, strong authentication
4. Cloud applications, data and services
5. Social networking for marketing and customer interaction
6. Social media monitoring/analytics
16. “Nearly 30% of companies experienced a breach due to unauthorized mobile device use.”
Source: Q1 Enterprise and SMB Survey, 2009 - Forrester Research
17. Malware by mobile OS
[Chart: New Mobile Malware Q2 2011 by platform: Android, Java ME, Symbian, BlackBerry, MSIL, Python, VBS. Callout: Growth in Mobile Malware – complete device control, serious attacks emerge.]
“The MM revolution started principally in 2004 with the release of the Cabir.A worm, SymbianOS. Some MM were released before this date, but it was Cabir and the release of its source code that caused an explosion of new MM to emerge.” – Ken Dunham, Mobile Malware Attacks and Defense
Source: McAfee Threats Report: Second Quarter 2011
18. Complicating factors for security
Device Diversity/Complexity
Application Explosion
Data Explosion
Advanced Persistent Threats
Data Transference and Inference
20. Mobile devices and social media: New rules and new risks
[Bar chart, axis 10%–50%: 43% have a security strategy for employee use of personal devices; 37% have a security strategy for mobile devices; 32% have a security strategy for social media.]
Source: PwC/CXO media 2012 Global State of Information Security Survey
Question 17: “What process information security safeguards does your organization currently have in place?” (Not all factors shown. Total does not add up to 100%.)
25. Key questions remain
• Which policies are enforceable?
• How will we educate our customers, employers and partners?
• Which process and tools to evolve? How to address gaps?
• How to balance productivity, opportunity and risks?
• What is the right approach to changing culture – grass roots, leadership, hybrid?
• Others?
Two case studies: The first involves a construction project manager using mobile applications to perform safety checks, upload content and archive it to the cloud, and using social media so the team can update each other. The second involves a board member who downloaded a board application and, while making notes, saved them in a cloud-based notes application and used Twitter to post a question. Senior executives also demand remote desktop access to applications from their tablets.
Please note that this slide has changed to clarify the usage of services. It is important to understand the local and remote usage contexts in order to understand where to expect risks. It becomes clear that the potential for data leakage remains high.
Mobile usage goes hand in hand with social media. This network: registration requires a valid Japanese cellphone number; it heavily uses open source (Linux, Apache, MySQL and Perl) and runs several hundred MySQL servers; it has more than 21.6 million members. Key point: social media and mobile usage are correlated and serve as attack vectors.
- Like the major Japanese company, the US has also seen a very strong correlation between mobile and social media usage.
- Social networking sites are meant to get as many users as possible in one place on one platform, and for attackers there is a lot of return on investment in going after them.
- Trust is exploited when hacked accounts are used to send malicious messages.
- Mobile indicators are sometimes shown on social networks.
- Password sloth is prevalent across social networks, as is intentional and unintentional leakage of data because of a lack of separation between personal and professional communications.

A major U.S. operator of ambulance services and provider of emergency room doctors was sued after firing an employee for criticizing her supervisor on Facebook. The case was brought by the U.S. National Labor Relations Board. It was determined that employees have the right to discuss their working conditions even if the union is not involved. It was found that the employee was "illegally fired and denied union representation." "Among the issues in the case was whether a worker has the right to criticize a boss on a site such as Facebook if co-workers add comments. The case was the first by the NLRB to assert that employers break the law by disciplining workers who post criticisms on social-networking websites." The company promised not to deny union representation in the future and that employees won't be threatened with discipline for requesting union representation. In addition, the company is updating its overly broad social media policies and guidelines.

A major auto manufacturer considered ending its relationship with the social media agency that was behind an obscene tweet posted to the brand's official Twitter account. Shortly after, the tweet was removed from the company's Twitter feed.
The auto manufacturer said in a follow-up post that the tweet "obviously" was meant to appear on the employee's personal Twitter account rather than the company's, and that the automaker did not demand that the person be fired.

Other scenarios to consider:
- A software developer posts to a forum or blog about his work on a revolutionary new customer application from the company. The developer reveals too much about his product development, enabling a competitor to steal the idea and get to market sooner with a similar application.
- A marketing manager tips off Facebook friends about several successes in winning new business and mentions the new clients joining the firm. Such information violates client confidentiality and puts the company at great reputational risk (especially among clients and prospective clients), which ultimately could impede the accomplishment of business goals.
More mobile devices means more mobile data: 10B+ units at 100GB each is a lot of data. When thinking about mobile devices, security practitioners should not limit their thinking to smartphones or tablets. For example, diabetes meters too are being connected to the cloud, and there have been incidents where such devices could be attacked for malicious purposes with potentially fatal consequences. Tablets will become even more sophisticated and will replace other traditional computing devices. More mobile data will eventually reside in the cloud for ubiquitous access, and the lines between public and private cloud will blur because devices are being used for both personal and work purposes. Greater amounts of data will stress enterprise data protection mechanisms.
Mobile behaviors present risks both in terms of activities that we know about and activities that are as yet unimagined. New apps are designed with the cloud and social media in mind (e.g. sending photos to social networks, social media in the car).
- Mobile and social media will both drive higher cloud usage; the risks stem from intermingling of data, loss of corporate control across geographies, and employees/partners continuing to access data long after separation.
- Limited on-device storage, convenience of access and ubiquitous connectivity are driving increasing cloud usage.
The study also reveals that 88 percent of mobile professionals use social networks, with 60 percent of them leveraging social media platforms to market their businesses. Many mobile professionals, 80 percent of them, feel it is critical to have access to information while outside of the office. Devices and services that help them stay connected while away from their desk include WiFi, text messages, smartphones, apps, notebooks/netbooks, the iPad and cloud computing. In addition, 43 percent of mobile professionals polled in the study are familiar with cloud computing, and 14 percent have used cloud computing in the past year. 64 percent of SMB owners who are considered mobile professionals spend more than 8 hours connected to their businesses via computer, smartphone or iPad; 38 percent spend 11 hours or more on their devices.
So let's review what changes we are seeing and can expect to see as a result of the intersection.
Key concerns are a) unauthorized devices, b) loss of sensitive data due to lost or stolen devices, and c) loss of sensitive data to malware/trojans. Real stories from the field:
1. In 2010, a major bank’s mobile application accidentally saved account numbers, bill payments and security access codes.
2. The Korean Financial Intelligence Unit has recorded cases of cyber gaming, cross-border remittance and swindling using mobile FS channels.
3. In Brazil, poor people were targeted and paid by criminals to open bank accounts equipped with remote access channels (internet or mobile). After the accounts were opened, the authorized users would hand over their passwords to the criminals.
4. In India, a duplicate SIM card was issued to an impostor presenting a fake driver's license in the victim's name, resulting in a loss of roughly $5,000.
5. A recent Trojan captures all text messages from the phone.
Initially J2ME and Symbian, but more attacks are emerging for Android OS. According to the McAfee mobile threat report: One significant change in the first quarter of 2011 was Android’s becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition) coming in second while suffering only a third as many malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth. We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones.
Device diversity/complexity – The explosion in device types will create a management nightmare. Short device lifespans will increase management costs. Employee/partner desire to bring their own device will challenge IT organizations. IT organizations will need to govern device proliferation.
Application explosion – The diverse range of applications required by knowledge workers today makes it impractical to “lock down” a device to a list of blessed applications. IT organizations will need to govern application proliferation, and the process and technology to protect applications.
Data explosion – Expect more data to transcend mobility, cloud and social networks. This means greater effort and reliance on automated mechanisms and analytics. IT organizations will need to govern corporate data, and the process and technology to protect it.
Advanced persistent threats – Lost/stolen devices and malware will have greater privacy implications than ever before. Expect to see more cases of advanced persistent threats and corresponding processes and technologies to protect against APT. There are greater opportunities to launch social media attacks using the mobile and social media vectors.
Data transference and inference – Location-based services will reveal additional personal information, allowing for greater data transference and inference. IT organizations will need to govern the usage of location-based services and improve awareness of the risks arising from cloud/mobility/social media usage.
Organizations are beginning to implement strategies to keep pace with employee adoption of mobile devices and social networking, as well as use of personal technology within the enterprise. Yet much remains to be done: In the recent PwC/CSO survey, we found that less than half of respondents have implemented safeguards to protect the enterprise from the security hazards that mobile devices and social media can introduce.
• Design solutions for global and local operations from the outset, rather than global or local
• Separate enterprise data from personal/other data; identify appropriate measures when data is commingled
• Assign highly granular, least-privilege-based user access to applications, data and services from all technology assets
• Deny rogue devices access to the enterprise network
• Controls and standards shall be extensible to all applications, data and services provided by social networks, the cloud and mobile devices
• Wipe/archive enterprise data from the device and the cloud service provider upon separation
• Security measures should enable agility in responding to changing business requirements
• Require cloud application, data and service providers to meet information security compliance requirements
• Applications/services shall be reviewed for cyber risks and approved prior to usage
My firm PwC recently conducted a survey regarding the privacy and security implications of using social media and mobile devices within the healthcare space. We found that “fewer than 50% of organizations surveyed noted that they have included the approved uses of social media and mobile devices in company privacy training.”

Update your policy to address these:
• Authentication: how often a password must be changed; how many invalid tries are allowed before the device is disabled; strong authentication using two-factor or certificates.
• Loss/theft: lost or stolen devices are remotely wiped, and the device is disabled after a defined period of time.
• Device support: define what devices are supported by the institution/organization, i.e. BlackBerry, iPhones.
• Encryption: sensitive data must be encrypted, or the device is encrypted with whole-disk encryption.
• Backup/restore: since a device could be lost or stolen, there should be a defined procedure for backing up and restoring the data to another device.
• Storage cards: storage cards are a convenient way to expand memory, but they're also portable and thus a security risk. Do you ban them, or encrypt them?
• Acceptable use: a good security policy needs to set limits on what users can install on their devices and what is acceptable use.
• Enforcement: consequences if the policy is violated.

Develop standards and guidelines in support of the policy:
• Not having a standard will result in the organization developing the standards for you
• Developing a standard without the appropriate involvement will cause you to revisit it
• Expect to update standards with the evolving risk landscape

Oversight:
• Federated vs. central – large geographic entities will do better with regional autonomy, but in collaboration
• Start a cross-functional dialog with business users, IT, finance, legal, HR and security people
• Cost vs. functionality – currently cost is a key driver, but competitors are also leveraging it for business benefit; security has to be an enabler
• Large oversight bodies don’t work
• Keep an eye on parallel IT – risks loom
• Champion grass-roots efforts without waiting too long; involve security
• Accommodate hobbies in a lab setting; involve security
• Involve marketing, e.g. patients expect to interact with healthcare providers and payors, but engaging with social media may raise privacy issues.

Awareness training:
• People generally try to do the right thing; they may not know that what they are doing is wrong and how it may impact the company/institution
• The risks associated with using, transmitting and storing electronic information
• Risk of posting information on social networks – vignettes, case studies
• Consequences of violating policy
• What to do when a device is lost/stolen
• The roles and responsibilities of each community member in protecting corporate data and systems
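The policy items above (authentication, loss/theft, device support, encryption, storage cards) and the earlier principle of denying rogue devices network access, expressed as a machine-checkable posture evaluation of the kind an MDM or network admission control would run. This is an added example, not material from the PwC deck: the MobilePolicy and DevicePosture names, the threshold values and the two device records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MobilePolicy:
    """Policy thresholds; constructed sample settings, not PwC's."""
    supported_platforms: Tuple[str, ...] = ("ios", "android", "blackberry")
    max_password_age_days: int = 90       # how often a password must be changed
    max_failed_unlocks: int = 10          # invalid tries before the device is disabled
    min_passcode_length: int = 6
    require_two_factor: bool = True       # strong authentication: 2FA or certificates
    require_encryption: bool = True       # whole-disk or file-level encryption
    require_remote_wipe: bool = True      # lost/stolen devices can be wiped remotely
    allow_storage_cards: bool = False     # removable cards banned unless encrypted


@dataclass(frozen=True)
class DevicePosture:
    """What an endpoint/MDM agent would report for one device (constructed)."""
    device_id: str
    platform: str
    password_age_days: int
    failed_unlock_limit: Optional[int]    # None = device never locks out
    passcode_length: int
    two_factor_enrolled: bool
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    storage_card_present: bool
    storage_card_encrypted: bool = False


def evaluate(device: DevicePosture, policy: MobilePolicy) -> List[str]:
    """Return the policy items the device violates; an empty list means compliant."""
    violations = []
    if device.platform not in policy.supported_platforms:
        violations.append("device support: platform not on the supported list")
    if device.password_age_days > policy.max_password_age_days:
        violations.append("authentication: password older than the rotation period")
    if (device.failed_unlock_limit is None
            or device.failed_unlock_limit > policy.max_failed_unlocks):
        violations.append("authentication: no or too-lenient lockout on failed unlocks")
    if device.passcode_length < policy.min_passcode_length:
        violations.append("authentication: passcode shorter than minimum")
    if policy.require_two_factor and not device.two_factor_enrolled:
        violations.append("authentication: strong (two-factor) auth not enrolled")
    if policy.require_encryption and not device.storage_encrypted:
        violations.append("encryption: device storage not encrypted")
    if policy.require_remote_wipe and not device.remote_wipe_enrolled:
        violations.append("loss/theft: remote wipe not enrolled")
    if device.storage_card_present and not (
            policy.allow_storage_cards or device.storage_card_encrypted):
        violations.append("storage cards: unencrypted removable card present")
    return violations


def admit_to_network(device: DevicePosture, policy: MobilePolicy) -> bool:
    """Network admission decision: deny rogue / non-compliant devices."""
    return not evaluate(device, policy)


# Constructed sample postures: a personally owned tablet as it arrives (weak)
# and the same class of device after enrolment in the programme (hardened).
WEAK = DevicePosture("tab-01", "android", 200, None, 4, False, False, False, True)
HARDENED = DevicePosture("tab-02", "ios", 30, 10, 6, True, True, True, False)

if __name__ == "__main__":
    for dev in (WEAK, HARDENED):
        verdict = "admit" if admit_to_network(dev, MobilePolicy()) else "deny"
        print(dev.device_id, verdict)
        for finding in evaluate(dev, MobilePolicy()):
            print("  -", finding)
```

The violation strings are prefixed with the policy item they belong to, so the output maps directly back to the policy checklist when deciding what to fix or which exception to record.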
1. Involve security at the architecture stage. Expect more processes to change than originally imaginable. MIT CISR says: “One useful perspective is to group the processes to be mobilized into distinct categories based on process requirements, as the architecture for each will be different. Those internal processes for which employees require data and computing power on a device—along with interaction with workflows, data, and applications on the server—will need a platform for building enterprise mobile applications aimed at hundreds or thousands of users.”
2. Establish/update the process for managing exceptions to the policies and standards. Monitor to ensure that exceptions don’t become the rule.
3. Ensure that processes exist for evaluating and approving new cloud services – mostly in conjunction with the innovation center.
4. If pursuing identity federation in conjunction with cloud/mobility/social media, anticipate major changes in the processes for identity and access management, log management, forensics and incident management.
5. Evaluate the risks of manual processes as compared to automated ones, especially during transition, e.g. manual MAC address approval of iPads on the corporate wireless network.
• Strong authentication for mobile device access
• Centralized security policy management process and tools
• Whole-disk encryption or file-level encryption
• Endpoint security tools
• Device lockdown and remote wipe capabilities
• Access logging and file integrity monitoring with a centralized log repository
• Data leakage controls and logging

Three ways to go about isolating corporate data from personal data on mobile devices:
1. Sandboxing it in a secure container – Good Technology, Sybase (Afaria), Mobile Active Defense (SaaS), Touchdown, Whisper Systems (Android encryption)
2. Managing the native environment through a trusted approach that checks for policy compliance – AirWatch, Juniper (SMobile), McAfee (Trust Digital), MobileIron, Zenprise
3. Hosting it in a data center or public cloud and making it accessible via a desktop virtualization client – Citrix, VMware, Wine (open source), VirtualBox (open source)

Open questions:
• Which technologies control access to cloud services on mobile devices?
• How to control data leakage to social media sites on mobile devices?
• What are the supporting technologies?
• Which cloud storage provides strong encryption and support for strong authentication?