Mobile-Device Trends, BYOD Guidelines
and Security-Recommendations for CxO’s
Patrick Angel, Asst CISO / Enterprise IT Security – CISSP® CRISC® CISM® CISA®
BYOD / Mobile-Devices at Work - topics
(productivity gains possible – but what about the Risk…?)
• Brief History of Mobile-Devices and Smart-Phones
• What are the RISKS to the Company (data) with BYOD?
• Do you know WHO your BYOD Users are?
• What Services do you Provide via BYOD-Access ?
• What are the Challenges to ensuring Mobile-Device Security ?
• Many Vendors – likely Merging / Buyouts (e.g. Boxtone/Good)…
• Must-have BYOD-Management platform features
• Minimum Standards and Mobile-Vendors’ Market-Share,
• Is your Org’s Security-Leader given enough Authority …?
• Key Considerations for Preventing problems relating to Mobile-Devices
• How do you Measure / Demonstrate BYOD / Mobility (security) ROI…?
• How do you Enforce BYOD equipment Rules (and org data) ?
• Are Automated methods to Control BYOD (and company data) enough..?
• Mobile-Device / BYOD Trends and Future-Direction
• Rate your own Company’s BYOD Maturity (ability to secure)
• SPECIFIC RECOMMENDATIONS for allowing BYOD at workplace
For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
History of Mobile-Devices (1/2)
End-user ease-of-use quickly dominated over Device-Management
• Gen 1 – Direct-Connect (circa 2004) – required direct (e.g. cable) connectivity to a host system for application install, feature configuration, etc. Little memory / storage available.
• Gen 2 – (2009) Local-Appl direct Install (by hand), restrictive,
• Gen 3 – (today) Wireless devices, App-Store download, Remote-Mgmt / Config, Implement and Enforce Policy, high Memory / large Storage, expandable (via MicroSD card, etc.),
• Gen 4 – (the Future…)
– ‘Geo-Fencing’ – enabling security policies / features based on the actual Device-location (GPS), other features to-be-developed.
– ‘Mobile-Payment’ – like Apple Pay® to allow customers to use their smart-phone as a financial tool
History of Smart-Phones (2/2)
(early Leaders did not end up Dominating…)
• Blackberry – first to deliver a “smart-phone” with SMS-text / data-transfer, failed to keep-up / meet consumer needs,
• Palm – early copycat hardware gained significant market-share, but lack of innovation led to its demise,
• iPhone – quickly innovated, listened to customers, planned-out the future of smart-phone design, offered / integrated much-desired phone / data features with other end-user ‘apps’ (e.g. music),
• Android – built by Android Inc. (acquired by Google in 2005); Google launched it as an open O/S licensed to many handset makers, and it was then able to challenge the market-leader,
• Windows – new player, leader in the desktop platform, little experience in phones, but large desktop market-share and high capitalization facilitate quick market-growth,
• 3G vs 4G – phone networks upgraded both hardware and software for faster data-speed (and throughput) to facilitate more features, data, and video,
• Applications – booming # of end-user applications from many Int’l Vendors. New apps are now integrating with some (back-office) Business-functionality.
Major Risks due to BYOD
• Data-Leaks – Sales staff loading volumes of data onto device(s)…
• Malware introduced / Lack of control over Patching, updates,
• Fraudulent Transactions from unknown (un-trackable) devices,
• Possible exposure of sensitive Emails (like the 2014 Sony Pictures hack around ‘The Interview’ movie)
• Inability to Track Users / maintain an Inventory of Devices,
• Exposure of Internal Security-Specifics (e.g. Passwords, security-standards)
• CLOUD-Based (auto) Storage (data-transfer) – e.g. iCloud®, DropBox®,
• Lost / Stolen-Devices – unable to locate, or even identify,
• Rogue, unidentified users on the Company-network, or Jail-Broken devices,
• Theft of Highly-Sensitive Information (e.g. Contracts, sales schedules)
• Other – Risk from Not Supporting BYOD in your Company:
– appearing ‘outdated’ to Customers / Partners, unable to ‘keep up’
– Giving up a possible ‘competitive edge’ from leveraging staff’s devices
– Losing Key-Talent (younger staff) with innovative ideas and skills
Can you control the Risks to create positive value / Benefits ?
BYOD Users – Who are They..?
(Do you know Who has Access to Company-data, on their own Device…?)
• CxO Management – needing access to highly-sensitive data across Multiple Platforms, possibly out-of-office…,
• Partners (Business) – with different needs / levels of Access,
• Sales / Road-Warriors – Pros working remotely,
• 3rd Party / Consultants – needing minimal, but consistent and secure access,
• Support-Staff – internal, trusted, technical employees that provide support off-site, off-hours.
What level of Risk will your data be exposed to…?
What Services / Data do you Provide via BYOD ?
 Company Email, and attachments,
 Productivity Software – Word-Processing, Spreadsheet, Shared-documents, etc.
 Company-specific Applications (Sales / Marketing info, Business-Intelligence, etc.),
 Collaboration / SharePoint / File-Sharing,
 HR Applications (Benefits, Investments, personal Vacation-schedule, etc.).
Maturity of Mobile-Device Security is Low
What’s (current) Biggest Challenge to
Ensuring Mobile-Device/BYOD Security ?
As of 2013 - 30% of Companies forbid BYOD – 60% have No BYOD Program
 Inventory of (internal and external) Users,
 Regulatory Compliance (HIPAA / PCI, etc),
 Data-Privacy / Application-Security,
 Device-Management / Lack of Platform / Support,
 Identification of Groups and Key Users’ Needs,
 Lack of Identity-Management (IDM) / Role-Based Access Control (RBAC) technology,
 Monitor / Police Rogue Users / Devices,
 Awareness / Security Training,
Major Players in MDM Market
(sampling of current Vendors, no particular order)
Implement ‘most-needed’ / Common Functions 1st – biggest ‘bang’
• Airwatch
• Good Technology (acquired BoxTone in 2014)
• Centrify
• CITRIX
• FancyFon
• IBM
• ..many others…
Must-have BYOD Features and Criteria
(what are the most important functions for my org?)
 "Containerization" – securely separating corporate and personal data and apps. Also known as "workspaces" or "sandboxing," containers provide a cleaner separation on a mobile device between work and play. So even if the device itself has no unlock passcode, the secure container of business apps on the phone cannot be accessed unless a passcode is entered. Inside the container the user can share data between business apps (e.g. copy / paste from email into a CRM record), while container policy blocks copying it out to personal apps.
 Platforms supported – iOS and Android (and …?) – see Minimum (O/S) Standards slide,
 MDM / EMM – Mobile-Device Mgt / Enterprise Mobility-Mgmt – 3rd Party Appl that monitors / controls the device and data, and implements security-policies / standards,
 Remote ‘Wipe’ – able to control the ‘life’ of company data on the device with the ability to remotely ‘Wipe’ all enterprise-data completely off the device in case of loss / theft,
 Scalability / Admin-console / Profile Mgmt – important when rolling out at Enterprise-Level, remote / Global locations,
 Device-Support – password-reset, device-location (if lost / stolen), etc.
 LDAP (and A/D) Connectivity / Integration / On-Demand features – validate users’ access through the company-directory already available, upgrade access ‘on-the-fly’,
 (Mass) Enrollment / Maintenance / Mobile-Configuration – minimize admin costs,
 Licensing / Cost – initial cost will be high and ongoing cost must be re-validated,
 Data-Export (and protection) – need to protect Company-data,
 Other Key Controls – prevent USB-storage copying, printing, screen-print images, etc.
MINIMUM Standards & Market-Share (platform)
• Must support Apple’s® iOS® Operating System (market-leader) and should also,
• Support ANDROID® Operating System (close 2nd in market-share), and …
• Support for Windows® is optional (for now..?), but seriously consider it w/ their growing market-share (& Desktops)
• Recommend considering support for the Blackberry® O/S as well (market much smaller, < 25%, but many CxO’s still carry them).
Security-Leader – How much authority (confidence) has your Org given them..?
 Is there a VP-Level / CISO Officer for the company?
 Does the Security-leader have (bottom-line) authority over the Security-Budget..? Or….
 Is the Security-Leader a Major Stakeholder over Budget / Program ?
 Does the Security-Leader have some Influence over Budget / Program ?
 Security-Leader is available to consult / advise on Budget / Program ?
 Security-Leader exists in Title, but has No Real Authority / Influence (we don’t take Security seriously)…
Key Considerations for Preventing problems relating to Mobile-Devices
Provide ‘Guidance’ to Users, before Security becomes a Problem…
• Need a Company Policy regarding Mobile-Devices (minimum security-config, ownership, etc.),
• Need documented Procedures on how to Administer device(s) and Provision (grant) and Remove Access,
• Awareness-Training for End-Users regarding general Usage and handling of Security-Incidents (e.g. loss / theft / sharing with Family),
• Require (complex) Passwords on Devices,
Between 26-40% of BYOD / Corporate Devices do not use Passwords
Only 53% of Users report that a 4-5 digit PIN is needed to access corp-data
(How) Do you Measure / Demonstrate the
ROI of Mobility (and Security) Investments ?
Visible Benefits make supporting the Technology easier…
• Show Efficiencies gained from enabling Mobile-Access (and Security),
• Cost-Savings from Staff using their own Devices (and Data-Plans / Warranty) for Meetings, Sales-Calls, etc.
• Measure / Demonstrate Business-Gains related to BYOD (and Security) via Metrics – (e.g. New Contracts, Sales-calls, Shared Demo’s),
• Show Effectiveness of (Security) Controls at preventing / detecting Incidents & Breaches,
• Measure / Report increased employee Job-Satisfaction and/or increased Job-Engagement,
How do you ‘Enforce’ security on BYOD Equipment (Mobile-Devices) ?
Controls without enforcement are almost useless
• Reporting activity to company-management..?
• Disciplining ‘repeat-offenders’.. (documented guidelines -
up to Termination / Criminal-Prosecution…?)
• Regular Audits on devices and usage?
• Does a Company Policy exist…?
• Lack of Enforcement can be (legally) equal to ‘Approval’ of security-violations and Acceptance of the risk / consequences… (data-breaches, leak of Internal-Use-Only (IUO) info, etc.)
• Can you afford Not Enforcing Security on Mobile-Devices?
ESI – (electronically-stored information, the legal / e-discovery term)
Are Automated Methods to Control Mobile Devices enough..?
The mobile device market is the “hottest place for malware & every kind of access risk.”
• Standard (basic) Mobile-Device Management…?
• Individual Mobile-Application Wrapper..
• Ongoing Scan / Detect Jail-Broken (rooted) Devices…
• Secure File-Share / File-Sync area…?
• Virtualization of Desktops / Applications,
• Secure Mobile-Browser…
• VPN and/or a Multi-Factor Authentication option (with SSO)
• Mobile-Appl Vulnerability-Scanning… or
• Full Enterprise-Level Mobility-Mgt Solution ?
Mobile-Device Trends / Future-Direction
(what’s the future…? where is the Market going…?)
• Many Players – likely Merging / Buyouts (e.g. Boxtone/Good)…
• 100+ Vendors – features converging in key areas
• Corp-Data Lock-down and End-User Privacy becoming a major Focus
• ‘Hot-Spots’ – Internet / Network access-points provided via an Employee’s Device, allowing others to connect via a single device,
• ‘GEO-Fencing’ – combining Policy-Standards with the User’s Location (e.g. disable Cameras in High-Risk areas within the Company, or LOCK the device if reported Lost / Stolen),
• Payment-Integration – use the smart-phone as a Payment Method (e.g. Apple Pay®), already common in Europe, Latin-America, India,
• Corporate Must-Haves for Managed-BYOD (full list on slide 21)
– Policies and Procedures relating to BYOD and Social-Media
– Security-Awareness (and responsibility) Training Program
– Effective and proven MDM Software installed and running on the device
– Technical ‘Controls’ over the device, despite individual ownership
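The ‘GEO-Fencing’ item above (and the “Consider ‘GEO-Fencing’” recommendation on the final slide) only name the idea. The following is an added example, not code from the deck or from any MDM product, of how a policy server could turn a device’s reported location into the two actions the slide describes: disable features inside a high-risk zone, and lock a device reported lost. The zone name, coordinates, report attributes and action names are assumptions made for illustration; the point-in-polygon test is the standard ray-casting algorithm.

```python
"""Geo-fence evaluation for a managed (BYOD) device.

Added example, not code from the slide deck or any MDM product. It assumes
the MDM agent reports a GPS fix plus a lost/stolen flag, and that the server
holds restricted zones as lat/lon polygons. Zone names, coordinates and
action names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Point = Tuple[float, float]  # (latitude, longitude), decimal degrees


@dataclass
class Zone:
    name: str
    polygon: List[Point]      # vertices in order; first vertex is not repeated
    restrictions: List[str]   # device features to disable while inside


@dataclass
class DeviceReport:
    device_id: str
    location: Point
    fix_age_s: int = 0        # seconds since the GPS fix was taken
    reported_lost: bool = False


def point_in_polygon(pt: Point, polygon: List[Point]) -> bool:
    """Ray-casting test: cast a ray due east from pt and count edge crossings.

    An odd number of crossings means the point is inside. Longitude is the x
    axis and latitude the y axis, which is fine for the small, flat zones an
    office geo-fence uses (no great-circle handling).
    """
    y, x = pt
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        yi, xi = polygon[i]
        yj, xj = polygon[j]
        # Edge straddles the ray's latitude, and the crossing lies east of pt?
        if (yi > y) != (yj > y) and x < (xj - xi) * (y - yi) / (yj - yi) + xi:
            inside = not inside
        j = i
    return inside


def evaluate_geofence(report: DeviceReport, zones: List[Zone],
                      max_fix_age_s: int = 300) -> Dict[str, object]:
    """Map a device report to the policy actions the MDM server should push.

    Fails closed: a stale fix is treated as 'could be in any zone', so every
    zone's restrictions apply until a fresh fix arrives. A rooted or
    jailbroken device can spoof its location, so this check complements, and
    never replaces, jailbreak detection and the passcode/encryption policy.
    """
    actions: List[str] = []
    matched: List[str] = []

    if report.reported_lost:
        actions.append("lock_device")   # slide: LOCK device if reported lost/stolen

    location_trusted = report.fix_age_s <= max_fix_age_s
    for zone in zones:
        if not location_trusted or point_in_polygon(report.location, zone.polygon):
            matched.append(zone.name)
            actions.extend(f"disable_{feature}" for feature in zone.restrictions)

    return {
        "device_id": report.device_id,
        "location_trusted": location_trusted,
        "zones": matched,
        "actions": sorted(set(actions)),
    }


# Constructed sample data: a square around a fictional R&D lab.
RD_LAB = Zone(
    name="rd-lab",
    polygon=[(32.780, -96.802), (32.780, -96.798), (32.784, -96.798), (32.784, -96.802)],
    restrictions=["camera", "screenshot"],
)
ZONES = [RD_LAB]

if __name__ == "__main__":
    for rep in (
        DeviceReport("phone-01", (32.782, -96.800)),                  # inside the lab
        DeviceReport("phone-02", (32.790, -96.800)),                  # across the street
        DeviceReport("phone-03", (32.790, -96.800), fix_age_s=3600),  # stale fix
        DeviceReport("phone-04", (32.790, -96.800), reported_lost=True),
    ):
        print(evaluate_geofence(rep, ZONES))
```

The fail-closed default on a stale fix is the part worth copying: a device whose agent has stopped reporting location is exactly the device that may have walked into a restricted area, or out of the building.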
Rate your Company’s ability (maturity) to
Secure & Monitor Mobile-Devices
Does your company have the Tools / Skills / Staff to Monitor & Secure…?
 Superior (no problem at all….)
 Above Average (mostly confident, can improve)
 Average (hmm – probably.., but not sure)
 Below Average (probably not…. incomplete)
 Incomplete (no game plan yet, just starting..?)
 Unable to Monitor / Measure (rolling the dice)
Specific Recommendations / Best Practices to implement BYOD at the Company Level
Take the initiative and provide guidance / rules before things get out of hand…
 Company Policy – create one, which ID’s both allowed and prohibited behavior,
– Specify the Terms of usage – allowed / prohibited usage per the primary Company-Policy
– List specific Consequences of Violations (discipline, warning(s), termination, prosecution),
– Device-Configuration must meet / exceed the Company’s security-standard (A/V, Patching…)
– Make it clear that although the Device belongs to the employee, the DATA belongs to the Company,
– Employee SIGN-OFF PAGE, acknowledging Policy, Usage, Standards, Consequences, etc.
 Require MDM Software Install and Remote-Wipe of Device / Co. Data (if needed),
 Require Anti-Virus software, Patching enabled, Encryption, to match the Co. standard,
 Create End-User Awareness Training to help guide inexperienced users,
 Inventory Device(s) – raise Accountability, easier to track Lost Devices (and Data),
 Disable USB Connectivity while *any* Company data is stored on the Device,
 Require Auto-Lock and a 2nd-Level, complex Password for accessing Company-Data,
 Consider ‘GEO-Fencing’ – combining Policy-Standards with the User’s Location,
 Consider requiring connection via VPN (2-factor) for greater security,
 Prohibit CLOUD-Based (automatic) Storage – like iCloud®, DropBox®,
 Prohibit Rogue, unidentified users or Jail-Broken devices,
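The recommendations above (and the “Controls without enforcement are almost useless” slide) describe a policy; the enforcement step is turning each rule into a check the MDM can run against every enrolled device and a graded action when it fails. The following is an added example, not code from the deck or from any MDM vendor, of such a compliance evaluator. The device attribute names, the minimum OS versions, the thresholds and the sample inventory are all assumptions constructed for illustration; a real deployment would read the inventory from the MDM’s API instead.

```python
"""BYOD compliance check against a minimum-standards policy.

Added example, not code from the slide deck or any MDM vendor. It assumes the
MDM agent returns one inventory record per device with the attribute names
used below; those names, the minimum OS versions, the thresholds and the
sample devices are constructed for illustration. Each control maps to one
recommendation on the slide: enrolled agent, no jailbreak, passcode plus
auto-lock, encryption, patch level, no USB storage, no cloud backup of work data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum OS versions (the deck names the platforms, not the versions).
MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (8, 0), "android": (5, 0)}
MAX_CHECKIN_HOURS = 72      # agent silent longer than this: device may be lost
MAX_AUTO_LOCK_S = 300       # auto-lock must trigger within 5 minutes

Finding = Tuple[str, str]   # (control, severity) with severity in warn|block|wipe


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str                  # "ios" | "android"
    os_version: str                # dotted, e.g. "8.1.2"
    passcode_set: bool
    passcode_min_length: int       # 0 when no passcode
    passcode_alphanumeric: bool
    auto_lock_s: int               # 0 = never locks
    storage_encrypted: bool
    jailbroken: bool               # jailbroken (iOS) or rooted (Android)
    usb_storage_enabled: bool
    cloud_backup_of_work_data: bool
    mdm_enrolled: bool
    last_checkin_h: int            # hours since the agent last reported


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.1.2' -> (8, 1, 2); tuples compare element-wise, so (8, 1, 2) >= (8, 0)."""
    return tuple(int(part) for part in version.split("."))


def evaluate(dev: Device) -> Dict[str, object]:
    """Return the findings for one device and the enforcement action they imply."""
    findings: List[Finding] = []

    if not dev.mdm_enrolled:
        findings.append(("mdm_agent_missing", "block"))
    elif dev.last_checkin_h > MAX_CHECKIN_HOURS:
        findings.append(("stale_checkin", "block"))
    if dev.jailbroken:
        findings.append(("jailbroken_or_rooted", "wipe"))
    if not dev.passcode_set:
        findings.append(("no_passcode", "block"))
    elif dev.passcode_min_length < 6 or not dev.passcode_alphanumeric:
        findings.append(("weak_passcode", "warn"))
    if dev.auto_lock_s == 0 or dev.auto_lock_s > MAX_AUTO_LOCK_S:
        findings.append(("auto_lock", "warn"))
    if not dev.storage_encrypted:
        findings.append(("unencrypted_storage", "block"))
    minimum = MIN_OS.get(dev.platform)
    if minimum is None:
        findings.append(("unsupported_platform", "block"))
    elif parse_version(dev.os_version) < minimum:
        findings.append(("os_below_minimum", "block"))
    if dev.usb_storage_enabled:
        findings.append(("usb_storage", "warn"))
    if dev.cloud_backup_of_work_data:
        findings.append(("cloud_backup_of_work_data", "block"))

    # Enforcement ladder: the single worst finding decides the action.
    rank = {"warn": 1, "block": 2, "wipe": 3}
    action_for = {0: "allow", 1: "notify_user_and_manager",
                  2: "quarantine_corporate_access", 3: "wipe_corporate_container"}
    worst = max((rank[sev] for _, sev in findings), default=0)
    return {"device_id": dev.device_id, "owner": dev.owner,
            "action": action_for[worst], "findings": findings}


def fleet_summary(devices: List[Device]) -> Dict[str, object]:
    """Metrics for the CxO report: devices per action and the no-passcode rate."""
    by_action: Dict[str, int] = {}
    for dev in devices:
        action = str(evaluate(dev)["action"])
        by_action[action] = by_action.get(action, 0) + 1
    no_passcode = sum(1 for d in devices if not d.passcode_set)
    return {"by_action": by_action,
            "pct_without_passcode": round(100.0 * no_passcode / len(devices), 1)}


# Constructed sample inventory (fictional devices and owners), field order as in Device.
SAMPLE_DEVICES = [
    Device("ios-cxo-01", "cfo", "ios", "8.1.2", True, 6, True, 120, True, False, False, False, True, 2),
    Device("android-sales-07", "sales-rep", "android", "4.4.2", True, 4, False, 600, True, False, True, True, True, 5),
    Device("ios-contractor-02", "consultant", "ios", "8.0", False, 0, False, 0, True, True, False, False, True, 1),
    Device("android-unknown", "unknown", "android", "5.0", True, 6, True, 60, True, False, False, False, False, 0),
]
```

Two design points carry over to any real implementation: a jailbroken device gets the corporate container wiped rather than merely blocked, because nothing the agent reports from a rooted device (including the other attributes checked here) can be trusted; and the wipe targets the container, not the employee’s personal data, which keeps the action consistent with the policy statement that the device belongs to the employee and only the data belongs to the company. The `fleet_summary` output is the kind of figure the ROI and “26-40% of devices have no password” slides ask for.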
Patrick Angel
Roles: Asst CISO / Global I/T Security-Architect
IT Director / Sr. Security Program Manager
Areas: Mobile-Appl Testing & Deploy/ ISO-27001
Controls Testing / Enterprise Risk-Evaluation
Education
Bachelors in IT/Software Development (MIS)
Masters in IT Business Administration (MBA)
Years of Experience
20+ years in Information Systems
15+ years of IT Security, Secure-SDLC, Risk and Compliance
Hands-on Software Developer, Application-Testing, I-T Auditing
Note – Certifications shown represent individual achievements / memberships, not endorsements by ISACA, ISC2, or other groups.
Get Started Now…
‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com
(214) 826-3812

Mais conteúdo relacionado

Mais procurados

Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]
Sharpe Smith
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 

Mais procurados (20)

Mobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An IntroductionMobile Apps and Security Attacks: An Introduction
Mobile Apps and Security Attacks: An Introduction
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com -  IoT SecurityRyan Wilson - ryanwilson.com -  IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview2010: Mobile Security - Intense overview
2010: Mobile Security - Intense overview
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Bank security
Bank securityBank security
Bank security
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
The Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereThe Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's Here
 
2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
The sonic wall clean vpn approach for the mobile work force
The sonic wall clean vpn approach for the mobile work forceThe sonic wall clean vpn approach for the mobile work force
The sonic wall clean vpn approach for the mobile work force
 
Identiverse Zero Trust Customer Briefing, Identiverse 2019
Identiverse Zero Trust Customer Briefing, Identiverse 2019Identiverse Zero Trust Customer Briefing, Identiverse 2019
Identiverse Zero Trust Customer Briefing, Identiverse 2019
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint TechnologyQualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
Qualcomm ® Snapdragon Sense ™ ID 3D Fingerprint Technology
 
Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017Security for iot and cloud aug 25b 2017
Security for iot and cloud aug 25b 2017
 
Sophos Wireless Protection Overview
Sophos Wireless Protection OverviewSophos Wireless Protection Overview
Sophos Wireless Protection Overview
 

Semelhante a BYOD / Mobile-Device Security Guidelines for CxO's

Classification-HowToBoostInformationProtection
Classification-HowToBoostInformationProtectionClassification-HowToBoostInformationProtection
Classification-HowToBoostInformationProtection
Gianmarco Ferri
 
Kaspars Petersons - BYOD - more like BYOP
Kaspars Petersons -  BYOD - more like BYOPKaspars Petersons -  BYOD - more like BYOP
Kaspars Petersons - BYOD - more like BYOP
DevConFu
 
Going_Mobile_101_IIMC_v5
Going_Mobile_101_IIMC_v5Going_Mobile_101_IIMC_v5
Going_Mobile_101_IIMC_v5
Steve Markey
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
EnclaveSecurity
 
Securing your esi_piedmont
Securing your esi_piedmontSecuring your esi_piedmont
Securing your esi_piedmont
scm24
 

Semelhante a BYOD / Mobile-Device Security Guidelines for CxO's (20)

Classification-HowToBoostInformationProtection
Classification-HowToBoostInformationProtectionClassification-HowToBoostInformationProtection
Classification-HowToBoostInformationProtection
 
Information protection and compliance
Information protection and complianceInformation protection and compliance
Information protection and compliance
 
Kaspars Petersons - BYOD - more like BYOP
Kaspars Petersons -  BYOD - more like BYOPKaspars Petersons -  BYOD - more like BYOP
Kaspars Petersons - BYOD - more like BYOP
 
Going_Mobile_101_IIMC_v5
Going_Mobile_101_IIMC_v5Going_Mobile_101_IIMC_v5
Going_Mobile_101_IIMC_v5
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Smarter cyber security v8
Smarter cyber security v8Smarter cyber security v8
Smarter cyber security v8
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, West
 
Minder Product Demo
Minder Product DemoMinder Product Demo
Minder Product Demo
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)
 
20170613 iasa architecture - Tim Willoughby presentation
20170613   iasa architecture  - Tim Willoughby presentation20170613   iasa architecture  - Tim Willoughby presentation
20170613 iasa architecture - Tim Willoughby presentation
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big risk
 
iPads on your network? Take Control with Unified Policy and Management
iPads on your network? Take Control with Unified Policy and ManagementiPads on your network? Take Control with Unified Policy and Management
iPads on your network? Take Control with Unified Policy and Management
 
Mobile's influence on IAM
Mobile's influence on IAMMobile's influence on IAM
Mobile's influence on IAM
 
Outside the Office: Mobile Security
Outside the Office: Mobile SecurityOutside the Office: Mobile Security
Outside the Office: Mobile Security
 
Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security Two Peas in a Pod: Cloud Security and Mobile Security
Two Peas in a Pod: Cloud Security and Mobile Security
 
Securing your esi_piedmont
Securing your esi_piedmontSecuring your esi_piedmont
Securing your esi_piedmont
 
Protecting the "Crown Jewels" by Henrik Bodskov, IBM
Protecting the "Crown Jewels" by Henrik Bodskov, IBMProtecting the "Crown Jewels" by Henrik Bodskov, IBM
Protecting the "Crown Jewels" by Henrik Bodskov, IBM
 

BYOD / Mobile-Device Security Guidelines for CxO's

  • 1. Mobile-Device Trends, BYOD Guidelines and Security-Recommendations for CxO’s Patrick Angel, Asst CISO / Enterprise IT Security – CISSP® CRISC® CISM® CISA®
  • 2. BYOD / Mobile-Devices at Work - topics (productivity gains possible – but what about the Risk…?) • Brief History of Mobile-Devices and Smart-Phones • What are the RISKS to the Company (data) with BYOD? • Do you know WHO your BYOD Users are? • What Services do you Provide via BYOD-Access ? • What are the Challenges to ensuring Mobile-Device Security ? • Many Vendors – likely Merging / Buyouts (e.g. Boxtone/Good)… • Must-have BYOD-Management platform features • Minimum Standards and Mobile-Vendors’ Market-Share, • Is your Org’s Security-Leader given enough Authority …? • Key Considerations for Preventing problems relating to Mobile-Devices • How do you Measure / Demonstrate BYOD / Mobility (security) ROI…? • How do you Enforce BYOD equipment Rules (and org data) ? • Are Automated methods to Control BYOD (and company data) enough..? • Mobile-Device / BYOD Trends and Future-Direction • Rate your own Company’s BYOD Maturity (ability to secure) • SPECIFIC RECOMMENDATIONS for allowing BYOD at workplace For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 3. End-user ease-of-use quickly dominated over Device-Management • Gen 1 – Direct-Connect (circa 2004) – required direct (e.g. cable) connectivity to host system for application install, features configuration, etc. Little memory / storage available. • Gen 2 – (2009) Local-Appl direct Install (by hand), restrictive • Gen 3 – (today) Wireless devices, Appl-Store download, Remote-Mgmt / Config, Implement and Enforce Policy, high Memory / large Storage, expandable (via MicroSD card, etc.), • Gen 4 – (the Future…) – ‘Geo-Fencing’ – enabling security policies / features with actual Device- location (GPS), other features to-be-developed. – ‘Mobile-Payment’ – like iPhone Pay® to allow customers to use their smart-phone as financial tool History of Mobile-Devices (1/2) For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 4. History of Smart-Phones (2/2) (early Leaders did not end up Dominating…) • Blackberry – first to deliver “smart-phone” & SMS-text / data-transfer, failed to keep-up / meet consumer needs, • Palm – early copycat hardware gained significant market-share, but lack of innovation led to demise, • iPhone – quickly innovated, listed to customers, planned-out future of smart- phone design, offered / integrated much-desired phone / data features with other end-user ‘apps’ (e.g. music), • Android – primary team (and skills) behind Apple’s iOS software, launched own O/S, then able to challenge the market-leader, • Windows – new player, leader in desktop platform, little experience in phones, but large market-share and high-capitalization facilitate quick market-growth, • 3G vs 4G – phone networks upgraded both hardware and software for faster data-speed (and throughput) to facilitate more features, data, and video, • Applications – booming # of end-user applications from many, Int’l Vendors. New apps are now integrating with some (back-office) Business-functionality. For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 5. • Data-Leaks – Sales staff loading volumes of data onto device(s)… • Malware introduced / Lack of control for Patching, updates, • Fraudulent Transactions from unknown (un-trackable) devices, • Possible exposure of sensitive Emails (like SONY ‘the Interview’ movie hack) • Inability to Track Users / maintain Inventory of Devices, • Exposure of Internal Security-Specifics (e.g. Passwords, security- standards) • CLOUD-Based (auto) Storage (data-transfer) – e.g. iCloud®, DropBox®, • Lost / Stolen-Devices - unable to locate, or even identify, • Rogue, unidentified users on Company-network, or Jail-Broken devices, • Theft of Highly-Sensitive Information (e.g. Contracts, sales schedules) • Other – Risk from Not Supporting BYOD in your Company: – appearing ‘outdated’ to Customers / Partners, unable to ‘keep up’ – Giving up possible ‘competitive edge’ from leveraging staff’s devices – Losing Key-Talent (younger staff) with innovative ideas and skills Major Risks due to BYOD For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA® Can you control the Risks to create positive value / Benefits ?
  • 6. BYOD Users – Who are They..? (Do you know Who has Access to Company-data, on their own Device…?) • CxO Management – needing access to highly- sensitive data across Multiple Platforms, possibly out-of-office…, • Partners (Business) – with different needs / levels of Access, • Sales / Road-Warriors – Pros working remotely, • 3rd Party / Consultants – needing minimal, but consistent and secure access, • Support-Staff – internal, trusted, technical employees that provide support off-site, off-hours. For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 7. What level of Risk will your data be exposed to…? For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA® What Services / Data do you Provide via BYOD ?  Company Email, and attachments,  Productivity Software – Word- Processing, Spreadsheet, - Shared-documents, etc.  Company-specific Applications (Sales / Marketing info, Business-Intelligence, etc.),  Collaboration / SharePoint / File-Sharing,  HR Applications (Benefits, Investments, personal Vacation- schedule, etc.). Maturity of Mobile-Device Security is Low
  • 8. What’s (current) Biggest Challenge to Ensuring Mobile-Device/BYOD Security ? As of 2013 - 30% of Companies forbid BYOD – 60% have No BYOD Program  Inventory of (internal and external) Users.  Regulatory Compliance (HIPAA / PCI, etc),  Data-Privacy / Application-Security,  Device-Management / Lack of Platform / Support,  Identification of Groups and Key Users’ Needs,  Lack of Identity-Management (IDM) / Role-Based Access Control (RBAC) technology,  Monitor / Police Rogue Users / Devices,  Awareness / Security Training, For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 9. Major Players in MDM Market (sampling of current Vendors, no particular order) Implement ‘most-needed’ / Common Functions 1st – biggest ‘bang’ • Airwatch • Good (formerly BoxTone) • Centrify • CITRIX • FancyFon • IBM • ..many others… 9For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
  • 10. Must-have BYOD Features and Criteria (what are most the important functions for my org)  "Containerization" - is about securely separating corporate and business data and apps. Also known as "workspaces" or "sandboxing," containers provide a cleaner separation on a mobile device between work and play. So even in the case that the device itself has no unlock passcode ,etc, the secure container of business apps on the phone cannot be accessed unless a passcode is entered. And inside the container the user can share data btw business apps (e.g. copy / paste from email into CRM record).  Platforms supported – iOS and Android (and …?) – see Minimum (O/S) Standards slide,  MDM / EMM – Mobile-Device Mgt / Enterprise Mobility-Mgmt – 3rd Party Appl that monitors / controls device, data, and implements security-policies / standards,  Remote ‘Wipe’ - able to control the ‘life’ of company data on the device with ability to remotely ‘Wipe’ all enterprise-data completely off the device in case of loss/theft,  Scalability / Admin-console / Profile Mgmt – important when rolling out at Enterprise-Level, remote / Global locations,  Device-Support – password-reset, device-location (if lost / stolen), etc.  LDAP (and A/D) Connectivity / Integration / On-Demand features – validate users’ access through company-directory already available, upgrade access ‘on-the-fly’,  (Mass) Enrollment / Maintenance / Mobile-Configuration – minimize admin costs,  Licensing / Cost – initial-cost will be high and ongoing cost must be re-validated,  Data-Export (and protection) – need to protect Company-data,  Other Key Controls – prevent USB-storage copying, printing, screen-print images, etc. For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®
• 11. MINIMUM Standards & Market-Share (platform)
• Must support Apple’s® iOS® Operating System (market-leader) and should also,
• Support ANDROID® Operating System (close 2nd in market-share), and …
• Support for Windows® is optional (for now..?), but seriously consider it given their growing market-share (& Desktops),
• Recommend considering support for Blackberry® O/S as well (market much smaller, < 25%, but many CxO’s still carry them).
• 12. Security-Leader – How much authority (confidence) has your Org given them..?
• Is there a VP-Level / CISO Officer for the company?
• Does the Security-leader have (bottom-line) authority over the Security-Budget..? Or….
• Is the Security-Leader a Major Stakeholder over Budget / Program?
• Does the Security-Leader have some Influence over Budget / Program?
• Security-Leader is available to consult / advise on Budget / Program?
• Security-Leader exists in Title, but has No Real Authority / Influence (we don’t take Security seriously)…
• 13. Key Considerations for Preventing problems relating to Mobile-Devices
Provide ‘Guidance’ to Users, before Security becomes a Problem…
• Need a Company Policy regarding Mobile-Devices (minimum security-config, ownership, etc.),
• Need documented Procedures on how to Administer device(s) and Provision (grant) and Remove Access,
• Awareness-Training for End-Users regarding general Usage and handling of Security-Incidents (e.g. loss / theft / sharing with Family),
• Require (complex) Passwords on Devices,
Between 26-40% of BYOD / Corporate Devices do not use Passwords
Only 53% of Users report that a 4-5 digit PIN is needed to access corp-data
• 14. (How) Do you Measure / Demonstrate the ROI of Mobility (and Security) Investments?
Visible Benefits make supporting the Technology easier…
• Show Efficiencies gained from enabling Mobile-Access (and Security),
• Cost-Savings from Staff using their own Devices (and Data-Plans / Warranty) for Meetings, Sales-Calls, etc.
• Measure / Demonstrate Business-Gains related to BYOD (and Security) via Metrics (e.g. New Contracts, Sales-calls, Shared Demos),
• Show Effectiveness of (Security) Controls at preventing / detecting Incidents & Breaches,
• Measure / Report increased employee Job-Satisfaction and/or increased Job-Engagement,
• 15. How do you ‘Enforce’ security on BYOD Equipment (Mobile-Devices)?
Controls without enforcement are almost useless
• Reporting activity to company-management..?
• Disciplining ‘repeat-offenders’.. (documented guidelines – up to Termination / Criminal-Prosecution…?)
• Regular Audits on devices and usage?
• Does a Company Policy exist…?
• Lack of Enforcement can be (legally) Equal to ‘Approval’ of security-violations and Acceptance of risk / consequences… (data-breaches, leak of IUO info, etc.)
• Can you afford Not Enforcing Security on Mobile-Devices?
ESI – (electronically-stored info)
• 16. Are Automated Methods to Control Mobile Devices enough..?
The mobile device market is the “hottest place for malware & every kind of access risk,”
• Standard (basic) Mobile-Device Management…?,
• Individual Mobile-Application Wrapper..
• Ongoing Scan / Detect Jail-Broken Devices…
• Secure File-Share / File-Sync area…?
• Virtualization of Desktops / Applications,
• Secure Mobile-Browser…
• VPN or some Multi-Factor option (SSO)
• Mobile-Appl Vulnerability-Scanning… or
• Full Enterprise-Level Mobility-Mgt Solution?
• 17. Mobile-Device Trends / Future-Direction (what’s the future…? where is the Market going…?)
• Many Players – likely Merging / Buyouts (e.g. Boxtone/Good)…
• 100+ Vendors – features becoming concentric in key areas
• Corp-Data Lock-down and End-User Privacy becoming a major Focus
• ‘Hot-Spots’ – Internet / Network access-points provided via an Employee’s Device, allowing others to connect via a single device,
• ‘GEO-Fencing’ – combining Policy-Standards with the User’s Location (e.g. disable Cameras in High-Risk areas within the Company, or LOCK the device if reported Lost / Stolen),
• Payment-Integration – use the smart-phone as a Payment Method (e.g. iPhone Pay®), already common in Europe, Latin-America, India,
• Corporate Must-Haves to Managed-BYOD (full list on slide 19)
– Policies and Procedures relating to BYOD and Social-Media
– Security-Awareness (and responsibility) Training Program
– Effective and proven MDM Software installed and running on the device
– Technical ‘Controls’ over the device, despite individual ownership
• 18. Rate your Company’s ability (maturity) to Secure & Monitor Mobile-Devices
Does your company have the Tools / Skills / Staff to Monitor & Secure…?
• Superior (no problem at all….)
• Above Average (mostly confident, can improve)
• Average (hmm – probably.., but not sure)
• Below Average (probably not…. incomplete)
• Incomplete (no game plan yet, just starting..?)
• Unable to Monitor / Measure (rolling the dice)
• 19. Specific Recommendations / Best Practices to implement BYOD at the Company Level
Take the initiative and provide guidance / rules before things get out of hand…
• Company Policy – create one, which IDs both allowed and prohibited behavior,
– Specify the Terms of usage – allowed / prohibited usage per primary Company-Policy
– List specific Consequences of Violations (discipline, warning(s), termination, prosecution),
– Device-Configuration must meet / exceed the Company’s security-standard (A/V, Patching…)
– Make it clear that although the Device belongs to the employee, the DATA belongs to the Company,
– Employee-SIGNOFF PAGE, acknowledging Policy, Usage, Standards, Consequences, etc.
• Require MDM Software Install and Remote-Wipe of Device / Co. Data (if needed),
• Require Anti-Virus software, Patching enabled, Encryption, to match Co. standard,
• Create End-User Awareness Training to help guide inexperienced users,
• Inventory Device(s) – raise Accountability, easier to track Lost Devices (and Data),
• Disable USB Connectivity while *any* Company data is stored on the Device,
• Require Auto-Lock and a 2nd-Level, complex Password for accessing Company-Data,
• Consider ‘GEO-Fencing’ – combining Policy-Standards with the User’s Location,
• Consider requiring connection via VPN (2-factor) connectivity for greater security,
• Prohibit CLOUD-Based (automatic) Storage – like iTunes®, DropBox®,
• Prohibit Rogue, unidentified users or Jail-Broken devices,
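As an added example (not from the deck or any MDM vendor), a small posture check that applies several of these recommendations the way an MDM policy engine might: jailbroken or un-enrolled devices are denied company data, a lost / stolen device is locked and its company data wiped, and the remaining checks (encryption, auto-lock, 2nd-level complex passcode, geo-fenced camera lock-down) each produce a remediation action. All field names, thresholds and the high-risk zone coordinates are assumptions.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class Posture:
    """Constructed device posture as an MDM agent might report it (assumed fields)."""
    mdm_enrolled: bool
    encrypted: bool
    auto_lock_seconds: int   # 0 = auto-lock disabled
    passcode: str            # 2nd-level (container) passcode, "" if none
    jailbroken: bool
    reported_lost: bool
    lat: float
    lon: float


# Hypothetical high-risk zone: (name, centre lat, centre lon, radius in metres)
HIGH_RISK_ZONES = [("lab-floor", 32.7767, -96.7970, 150.0)]


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres; good enough for geo-fencing."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def complex_passcode(pc):
    """Assumed 'complex' standard: 8+ chars with a letter, a digit and a symbol."""
    return (len(pc) >= 8 and bool(re.search(r"[A-Za-z]", pc))
            and bool(re.search(r"\d", pc)) and bool(re.search(r"[^A-Za-z0-9]", pc)))


def evaluate(p):
    """Return the MDM actions the recommendations imply for this posture."""
    if p.reported_lost:                       # lost / stolen: lock and wipe company data
        return ["lock_device", "wipe_company_data"]
    if p.jailbroken or not p.mdm_enrolled:    # prohibited device state
        return ["deny_company_data"]
    actions = []
    if not p.encrypted:
        actions.append("require_encryption")
    if p.auto_lock_seconds == 0 or p.auto_lock_seconds > 300:
        actions.append("require_auto_lock")
    if not complex_passcode(p.passcode):
        actions.append("require_complex_passcode")
    for name, lat, lon, radius in HIGH_RISK_ZONES:   # geo-fence: camera off inside zone
        if distance_m(p.lat, p.lon, lat, lon) <= radius:
            actions.append(f"disable_camera:{name}")
    return actions or ["compliant"]
```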
• 20. Patrick Angel
Roles: Asst CISO / Global I/T Security-Architect; IT Director / Sr. Security Program Manager
Areas: Mobile-Appl Testing & Deploy / ISO-27001 Controls Testing / Enterprise Risk-Evaluation
Education: Bachelors in IT/Software Development (MIS); Masters in IT Business Administration (MBA)
Years of Experience: 20+ years in Information Systems; 15+ years of IT Security, Secure-SDLC, Risk and Compliance; Hands-on Software Developer, Application-Testing, I-T Auditing
Note – Certifications shown represent individual achievements / memberships, not endorsements by ISACA, ISC2, or other groups.
• 21. Get Started Now… ‘…Chance favors the prepared Mind’
www.RandomAccessTechnology.com (214) 826-3812