3. Three Key Take-Aways
• Mobile access transforms the way we think about work, and it's not going away.
• Unmanaged personal devices at work are the major cause of security risk
• There is no single, unicorn solution
4. Agenda
• The Mobile landscape: consumer vs. enterprise
• Creating a Mobility Program
• The challenges
• The role of EMM
• Final conclusions
10. Enterprise Mobility
• IT spending for iPad® tablets - $16 billion in 2013
• 87% of global smartphone market is Android
• Average US employee carries 3 devices
• 70% of users doing work on personal devices,
regardless of company policy
InformationWeek Jan 2014
Mobile Landscape
11. Remarkably, only 14% of companies have
instituted a mobile device security policy.
13. CIO Mandate
• Increase IT efficiency
• Improve Employee Productivity
• Help Customers Succeed
Measures of Success
“ All employees accessing data they need
to do their job from any mobile device.”
14. Mobility Program Objectives
• Mobilize processes for smartphones/tablets
• Ensure corporate data is protected on any device
• Balance usability and security: “secure-able”
• Make users happy and productive
15. What do employees/users want?
• Not to be a dinosaur! Employees are more productive on
mobile devices they choose.
16. What do employees/users want?
• Increasing productivity without interrupting usability
• Easy access to company data and documents
• Manage both corporate and personal data
• Ambient security - it runs in the background if it needs to
• Privacy is protected
18. What you Don’t Know CAN Hurt You…
• BYOD
• Which Mobile Apps to allow?
• Mobile Security
• Do we need an Enterprise Mobile Management Solution?
• Others?
Ponemon Institute March 2013
19. Are we supposed to go BYOD?
62% of companies will allow BYOD by year’s end; more than
44% of organizations already allow BYOD.
Employee-owned smartphones and tablets used in the
enterprise will exceed 1 billion by 2018 due to BYOD.
ComputerWorld, Aug 2013
20. Are we supposed to go BYOD?
65% of employees said:
- Nothing has been communicated about BYOD
- No official policy guidelines
- Employees are not allowed to use their own
devices at work
ComputerWorld, Aug 2013
25. Risks to Enterprise
• Lost or stolen devices
• Unauthorized access
• Compromised device
• Malware
• Exposure of confidential information
Mobility Security Incidents: Do the Benefits Outweigh the Risk?
• 21% perform data wipes on personal devices when employees leave the company
Ponemon Institute March 2013
27. Mobile Devices are Harvesting your Data
• Adware grew 136% to 410,000 apps between 2013 and 2014,
giving attackers access to personal information such as contacts
InformationWeek Jan 2014
29. Mobile Malware
• 97% of mobile malware comes from third-party Android app stores in Asia and the Middle East
• Apps carrying malware in the Google Play Store: 0.1% (short shelf life if encountered)
Forbes, March 2014
32. Mobile Device Management
• Ease of deployment: thousands of mobile devices can be remotely
provisioned with corporate data and managed
• Selective wipe: removing corporate data, leaving the personal
data on the device
• Enforcing device passcode and hardware encryption
• Device posture: if a device is jailbroken/rooted, unencrypted, or
doesn’t meet the minimum OS version, IT can prevent it from connecting to
the corporate network
• Disallow Screen Capture/Roaming/iCloud
33. Mobile Device Management
• Application Control: requiring apps to be installed/removed, preventing apps
from being backed up to iCloud/Google Cloud
• Securing email and attachments
– ActiveSync is not enough
  • Policies can be circumvented
  • Device posture is not detected and enforced
– Protect email attachments from being shared with personal applications
– Detect + block jailbroken/rooted devices
– Cert-based authentication for email
34. Mobile Application Management
• Per App VPN:
– Apps can be automatically configured to connect to the VPN when they are launched
– The entire device is not exposed to the corporate network
– Improves performance
• Privacy
• “Open In”
35. Mobile Application Management
• Share data between:
– Secure apps (Secure → Secure)
– Whitelisted apps (Secure → Secure & Managed)
– Personal apps (Personal → Secure)
37. • Figuring this out is critical to the success of your business
• Risk has to be balanced with usability
• Approach mobility as any other mission-critical project: process, policy and accountability
40. Are we supposed to go BYOD?
• Should you go BYOD?
– IT Leaders (60%): BYOD does not deliver on higher customer satisfaction
• Assessing the cost/benefit
– IT Leaders (62%): BYOD does not lower IT expenses
– Lowers capital expenditure, but may increase support costs
• BYOD for corporate-issued devices
– Improve access and re-evaluate restrictive security policies
ComputerWorld, Aug 2013
What do we make of conflicting data?
41. Are we supposed to go BYOD?
My Top 11 for a Successful BYOD Program
1. Employees need to choose any mobile device/OS
2. Make sure access is easy for authorized users
42. Are we supposed to go BYOD?
3. Pay attention to mobile use cases and LOB
43. Are we supposed to go BYOD?
4. Communication plan. Be transparent with employees.
5. Manage data and not devices:
• Mobile Application Management policies
• Data and User classification
• Isolate network
• Detect and Contain
• Unsecured networks and multi-factor auth
67% do not have policies in place that address sharing of corporate files in third-party cloud storage services.
Acronis, July 2013
44. Are we supposed to go BYOD?
6. Separate personal data from corporate data
7. Don’t forget the basics: password protection & encryption!
8. Lost/stolen device? Wipe corp data and block
45. Are we supposed to go BYOD?
9. Reduce corporate liability with private data
10. Involve stakeholders
11. Run a BYOD pilot!
46. Mobile Corp Data Leakage
App Reputation – Identifying the Bad Guys
• Identify which mobile apps put corporate data at risk vs. which apps are benign
• Risky app behaviours:
– Transferring contacts
– Cloud-based file storage
– Uses microphone
– Accesses IMEI/UDID
– Single sign-on (social networking)
– Location tracking
– Mobile malware and spyware
Example callout: saves password on device in clear text; links to credit card for auto-load
Editor’s Notes
Enable companies to mobilize their workforce by developing their mobile strategy, mobile architecture, implementation and support.
Mobile needs to transform the way we think about work. Just like Uber and Airbnb have transformed the consumer experience for transportation and hospitality respectively, we need to make similar strides in enterprise.
-We are spending 3 hours per day on our mobile devices vs. 2 hours on our desktops/laptops
-Just 2 years ago, this was inversed where we were spending more time on our desktops/laptops. It is changing quickly!
-87% say their smartphone never leaves their side. (60% believe everything will be done on mobile devices)
-34% prefer to collaborate online than in person vs. 19% for older generations
-45% use personal smartphones for work purposes vs. 18% for older generations
-They are twice as likely to download applications to use for work purposes and use their own money to pay for them vs. older generations
A good place to start is with the mobile landscape as it touches organizations.
IT spending for iPads reached $16 billion in 2013. And the iOS platform continues to lead for corporate-issued devices but this may soon change…
A lot of you have seen this figure that 87% of the global smartphone market is Android. We can bet that if users are allowed to choose their own mobile devices for work, Android is a mobile platform the enterprise must enable and support. We will talk more about how to do that later.
The Average US employee carries 3 devices: smartphone, tablet and a computer or laptop.
How do we protect the integrity of the user’s corporate data across devices? If I make edits to a document or presentation on my tablet, I want to be able to then access that revised document on my smartphone or laptop.
This figure also tells us that there are too many end points to protect and we need to look at more than just device level security.
IDC found that 70% of employees are doing work on personal mobile devices. Interestingly enough, IDC also found that this is much higher than what is actually allowed by organizations.
I see this all the time: personal devices connecting into ActiveSync and uploading corp documents, in the form of email attachments, to cloud storage for later use.
The cost of a mobile breach is high ($5.4 million per data breach, source: Ponemon); however, the risk is even higher since few organizations have instituted a mobile device security policy.
Success for any CIO ties into the above objectives of:
Increase IT efficiency: easy onboarding, IT costs should go down as savings to hardware should offset the IT support costs for personally owned phones
Improve Employee Productivity: when you give them access to use any mobile device and provide the apps and data they need to contribute to the company’s revenue, you have achieved this
Help Customers Succeed: a mobile workforce means that not only are processes more efficient but you understand how your customers are interacting with your mobile sites and apps. And this translates into direct improvements to your customers.
What are the Measures of Success for an organization?
If smartphones/tablets are replacing laptops, how can we simplify the process when we take it from laptop to mobile? Can we turn these processes into mobile apps that can contribute to your company’s revenue? We can take a page out of mobile cloud apps that have simplified processes that we traditionally did on a desktop onto mobile – whether it be editing a document (Box), attending a web conference (Adobe Connect or Webex), approving a new employee (WorkDay), Messaging (Slack) or following up on a sales lead (Salesforce), we are moving beyond email and operating fully from a mobile device.
Ensure corp data is protected on any device – this is tougher than it sounds and may need different approaches for different mobile platforms. We will talk more about that later.
Balancing usability and security: need to deploy a balanced approach from Users who want increased productivity and IT who are looking to achieve security, control and performance. The Balance has never been more important and if it leans heavier in the direction of security vs. user experience, you have failed.
-Increase productivity without interrupting usability: the same experience users are used to for a personal workflow on the mobile device is what they expect when trying to accomplish this for work. For example, being prompted multiple times to enter your password when accessing a single enterprise app is not going to be acceptable. How can we do better here without compromising security?
-Easily access corporate data on their mobile device of choice. Email, documents and apps remotely pushed to the device.
We will talk more about BYOD in a bit but whether it is a corporate issued mobile device, or it is a user’s personal device that they are bringing into the organization, the idea is that users want to manage both corporate and personal data on the same device. So in actuality, we don’t see too much difference in mobile policies between the corporate issued device vs. the employee owned device.
They both have access to same types of data where IT only enforces controls on the corporate data/zone of the device.
Privacy: most important for employees allowing companies to access their personal mobile device is keeping the personal part of a dual-use device private. A common fear is that IT will lock, disable or remotely wipe personal devices without their consent. Another concern is that employers will get access to social media platforms, view website history and location, and record personal conversations. With the existing solutions, some of this is actually not technically possible. But it wasn’t too long ago when, on a different mobile platform, IT could lock down a device and had much more control…however, that was also when the majority of employees’ mobile devices were corporate issued. If IT is to be trusted again, there needs to be transparency.
A good approach to start with is a Mobile Agreement, which is fully transparent to address what types of data, how often and when an employer can get access.
Lock/disable/remotely wipe
Social media platforms
Website history
Location
Record personal conversations/view SMS
-BYOD is happening
-No good solutions so we won’t implement anything
-We are not a financial institution, we don’t care too much about security
-Should we be concerned about Malware? Corp data leakage is more of an issue than malware
Are We Supposed to go BYOD? Before I give you an answer here, let’s look at the data.
62% of companies will allow BYOD (and employee owned smartphones) by year’s end and more than 44% of organizations already allow for BYOD. These numbers are definitely reflected by the organizations I work with today. And that is because BYOD promotes productivity and has the potential to save on hardware costs and data plans.
However, the numbers also confirm something else that I know to be true, we have some work to do if we are going to allow for employee-owned devices in organizations.
In a separate ComputerWorld survey, 65% of employees said either nothing has been communicated about BYOD, there are no official policy guidelines or employees are not allowed to use their own devices at work. Given the threat of a data leak, any employee who does not understand the organization’s stance on BYOD poses a risk.
-Organizations have 730 cloud apps in use on average, 90.8 percent of which aren’t enterprise-ready
-72% of people admit to using unsanctioned cloud apps
-5 of top 10 data breaches involved cloud
-Cloud Storage and Social apps dominate the top 20 and represent 32.0 percent of total usage
-Instead of blocking these apps, it is really about Allowing them safely – and by that, I mean controlling which apps company data is shared with and being able to remove any company data that is cached on the mobile device
-6 of the top 10 apps used globally are Messaging apps. Think about what are the mobile messaging apps you are enabling for your employees
-Slack has become increasingly popular in enterprise but it has also become part of Shadow IT
So what is the risk to enterprise of having a charter that allows for any mobile device in the organization?
The risk really boils down to corporate data loss.
Over half of IT reported experiencing one of these data loss incidents in the past 12 months.
Lost or stolen devices are at the top of the incident list: the potential is for a non-employee to gain unauthorized access to both the data at rest on the mobile device and potentially your corporate network. Unauthorized access can lead to jailbreaking or rooting the device, which makes it easy for unauthorized users to install malware on the mobile device.
Mobile Malware: What is it? Well, it can be used to gain remote access into a device without the user being aware. Hackers can then access financial records, passwords, social media accounts and personal as well as business files and folders. Files can be stolen in seconds if your mobile device is connected to the internet. Public WiFi makes it easy for data to be intercepted, risking the security of both personal and business information.
There are definitely ways to mitigate if not eliminate the malware risk and we will be discussing this further.
The most astounding is that ONLY 21% of personal devices are wiped when an employee leaves the company. We spend quite a bit of time obsessing about how foreign governments can intercept our data when data loss is often at the hands of employees…this is data loss we can control for. And perhaps the number points to the fact that IT may not have had the option of a selective wipe and a full wipe on a personal device would be out of the question given the loss of personal data.
These risks are inevitable but we will be looking at how we can mitigate these risks with the approaches and mobile solutions that we choose to deploy.
-Target and Sony are both examples of compromised credentials
-If we look at Target, compromised network credentials were linked to a third party vendor who had network access to upgrade refrigeration software
How are Contacts compromised on mobile devices?
Contacts can subsequently be used in phishing attacks: an email can be sent to the user, who then clicks on a link that installs malware on their desktop, which can in turn give the attacker access to your network and key databases (example: the Sony attacks).
The average employee has 50-250 apps on their mobile device and 70% of these apps can access corporate data (AppThority)
This data is from AppThority’s Winter 2014 App Reputation report. And it compares risky behaviours on iOS vs. Android.
Something important to take note of is that there is a greater percentage of Risky App Behaviours on iOS than on Android for the top 200 mobile apps. And typically free apps are riskier than paid apps.
One of the main risky behaviours that is not on this list is mobile malware and when we look at that, the findings are reversed if you will.
App Reputation is a way to identify which mobile apps put corp data at risk vs. which apps are benign.
Let’s look at some of the Risky App Behaviours that allow for this.
Transferring contacts: developers, especially of social networking apps, transfer the contacts or address book from the device without permission. Usually they are trying to increase the viral or network effects of the app. The problem is that these contacts have likely synced with the user’s corporate email and contacts and thus are considered enterprise data, data that is sitting on a consumer-managed device with other apps that can affect the security of that data.
Cloud-based file storage: many apps can sync documents to, for example, Box, Dropbox, SugarSync, SkyDrive, Google Drive, and the list is endless. You want, at the very least, to be able to track which apps are syncing data to the cloud, so that you can then put controls in place for protecting your corporate data. If the proper controls are not in place, even when IT does a selective wipe, the corporate data that is now stored in personal cloud storage applications is not removed.
Uses microphone: scarily enough, there are apps that have access to turn the user’s microphone on their mobile device ON and without even the user’s permission or the user being aware. Malicious users can then record work conversations if they choose.
Accesses IMEI/UDID: there are apps that can access the user’s unique device ID. Even though Apple cracked down on this a few years ago, there are still several apps that can access this information. In this way, developers and ad networks can track and identify users based on behaviours and location.
Single sign-on: there are many apps out there that leverage your Facebook and/or Twitter login information in order to sign into their mobile application. While this does make for a better user experience, it is also riskier: if a user’s social login is hacked, all of the apps that the user has logged into using the same password might be compromised as well.
Privacy violations: Location Tracking: Everyone understands the implication here of knowing one’s location at all times and if the user agrees to this, that is their business. However, there are apps that bypass the permission model to track users without their permission. On Android, there are apps that bypass the GeoIP API provided by Google and implement their own clients. Essentially, location can be tracked without the user’s permission.
Mobile apps that enable users to purchase goods or services within the app may not raise a red flag in your organization, as many apps allow for this functionality. However, something to watch for is applications that retain an employee’s credit card information unencrypted. An example is Starbucks, one of the most popular apps and often cited as the most successful mobile payment app. It saves the user’s password on the device in cleartext and contains links to the user’s credit card information, none of which is encrypted within the app, and the data at rest within this application is not protected.
We can use App Reputation solutions to report on all of these violations and behaviours. We can also automate and execute actions based on devices that have applications reporting these behaviours. For example, if we detect a high risk mobile app, whether it has malware, spyware or has access to employee contacts, we can remove corporate data off the device until the offending app is uninstalled. Or we can send a message to the user if we detect risky app behaviours.
-With 87% of Android now making up the global market share of smartphone shipments, this also has meant that 97% of all mobile malware is Android.
-We now have a record number of devices gaining access, especially with BYOD, to sensitive and sometimes highly classified corporate data, which increases the risks for threats such as data theft and device hacking
-What jumps out at me here is that Android malware jumped from 65% to 97% of all the mobile malware
-Something important to note is that malware is on third-party Android app stores, and these tend to be in Asia and the Middle East, where there may not necessarily be access to the Google Play Store.
-The Google Play Store only accounts for 0.1% of malware and even that is removed as soon as it is discovered
Mobile Malware: isn’t much different than malware on the desktop. Malware-ridden spam emails and phishing scams have moved from desktop to the mobile world. Cybercriminals see mobile as a market opportunity since endpoints are often less protected than corporate desktops.
-Again, in this situation, we can use App Reputation solutions to give us a list of blacklisted apps that we can then import into our EMM Solution in order to enforce action. That action can be sending a message to the user to remove the offending application or blocking their access to their corporate data until they uninstall the malicious app.
-A greater threat than malware is actually high risk apps whereby corporate data is leaked to
We still need an EMM/MDM solution if we are:
- Protecting data at rest on the device: for example, we need to do a selective wipe of corporate data because these are personally owned phones
- Looking at email security on mobile
- Looking at the convenience of distributing email, apps and documents to the device
We can start with basic device management and then move into Application and Content management best practices.
The Device blueprint is a good place to start. And this slide really summarizes the device security policies you should have in place.
We are going to get into each of these in more detail.
Being able to manage devices: since mobile devices are not tied to the domain, a key thing a mobile device management solution does for you is tie an authorized user or employee to an authorized mobile device, validating identity across all mobile platforms.
Device Protection is essentially being able to enforce minimum OS version, passcode and encryption, and to ensure the device is not compromised, i.e. jailbroken or rooted, while accessing your corp network.
App Management: and we will get into this in more detail when we discuss app management best practices but it refers to being able to deploy apps, whether in-house or app store apps to an enterprise app store that sits on the device, checking the safety of apps already installed on the device, and also protecting corporate documents and data from being shared outside of the corporate area of the device.
Corp integration with LDAP makes it easy to push out corporate email, intranet and in-house apps, that require authentication, already pre-configured.
Remote wipe is really a selective wipe that removes corporate data but does not touch any of the user’s personal apps, text messages, personal email, pictures or other media.
Secure configurations: we will discuss this in more detail, but it is pushing out configurations for email, apps, wifi and VPN, with the option of doing this in a secure corporate workspace.
Security management is being able to mitigate the risk incidents we discussed earlier by detecting device posture (is the device jailbroken/rooted, unencrypted, or does it have a malicious app installed?) and then enforcing an action to remove access from the corporate network and potentially even deleting corporate data off the device.
Privacy protection: we went into this in detail earlier, it is especially important with BYOD.
So let’s get started…
Very advantageous for IT is zero-touch on the devices: they can remotely set up a device with corporate data (email, wifi and enterprise apps) and then remotely enforce security policies.
Selective wipe: removing the corporate data…Good to note is that you want the option of a selective wipe occurring automatically if a mobile device is compromised, not encrypted, or has malware installed.
Enforcing device passcode and hardware encryption is important. There are mobile platforms that come out of the box with encryption enabled if the device passcode is set.
Device posture:
Disallow: There are many features you can block however, I would say that disabling screen capture and iCloud or Google cloud for enterprise apps when looking to prevent corporate data loss, are the most important. And of course blocking voice and data roaming if you are concerned about data charges from the carrier.
Application Control: Although whitelisting and blacklisting are good practices, they don’t completely safeguard the organization. A whitelist is not realistic, especially for BYOD users as they have access to thousands of apps and they are likely to ignore the whitelist. It is tricky to enforce. On the other hand, a Blacklist is very difficult to maintain as there are so many malicious apps to include here – the best approach is to leave this to a solution that can evaluate risky apps across mobile platforms for you.
-Securing email attachments: this is often overlooked but you want to be able to prevent employees from opening email attachments in personal applications. Instead you can whitelist which enterprise applications are safe for attachments to be viewed in. Safe are the applications that you retain control over and are able to remove data as well as network access from the app if you need to.
-This is an important piece of any solution. Although mobile device passcode and encryption can be enforced via ActiveSync policies, they can easily be circumvented – and a device that does not have a passcode can present and report itself as compliant. Your mobile data at rest may be compromised.
-Another big reason ActiveSync is not enough is that it does not detect device posture and allows jailbroken and rooted devices to receive email. Devices store the ActiveSync credentials locally, and Android devices that are rooted and unencrypted store the ActiveSync password in cleartext. If your user’s ActiveSync password is also their domain credential, an unauthorized user now has access to your corporate network…and depending on who the user is, can now access RDP, databases or even code repositories.
-We can’t prevent employees from jailbreaking or rooting their mobile device but we can ensure they don’t have corporate email access and furthermore network access if the device is compromised.
The other recommendation is to look into solutions that support full cert-based email as opposed to using your network password to access email on your mobile device. There are mobile device management solutions who can implement cert-based authentication for email and also deliver the device and user certificates to the smartphone.
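As an added example (not code from the presentation), the following Python sketch shows how the device-posture checks and app-reputation findings described in this section turn into the enforcement actions the deck lists: block email, block network access, selective wipe of corporate data, and a message to the user. The minimum OS versions, device records, app names and behaviour labels are constructed assumptions, not values from the deck.

```python
# Added example, not from the presentation: a minimal compliance-policy
# engine of the kind an EMM/MDM solution runs. It evaluates the device
# posture attributes the deck lists (jailbroken/rooted, unencrypted,
# below minimum OS version, no passcode) together with app-reputation
# findings (malware, contact harvesting, other risky behaviours) and
# returns the enforcement actions the deck describes. All device records,
# app names and policy thresholds below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed policy: minimum OS versions are placeholders, not the deck's.
MIN_OS_VERSION = {"ios": "8.0", "android": "4.4"}

# Behaviours that the deck says justify removing corporate data until the
# app is gone (access to employee contacts), versus ones that warrant a
# message to the user and tracking.
CRITICAL_BEHAVIOURS = frozenset({"transfers_contacts"})
RISKY_BEHAVIOURS = frozenset({
    "cloud_file_storage", "uses_microphone", "accesses_imei_udid",
    "social_single_sign_on", "location_without_permission",
    "cleartext_password",
})


@dataclass(frozen=True)
class App:
    name: str
    behaviours: FrozenSet[str] = frozenset()
    malware: bool = False


@dataclass
class Device:
    device_id: str
    platform: str               # "ios" or "android"
    os_version: str
    jailbroken_or_rooted: bool
    encrypted: bool
    passcode_set: bool
    apps: List[App] = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'4.4.2' -> (4, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device) -> Dict[str, object]:
    """Return compliance state, human-readable findings and enforcement actions."""
    findings: List[str] = []
    actions = set()

    # Compromised device: no email, no network, and corporate data comes off.
    if device.jailbroken_or_rooted:
        findings.append("device is jailbroken/rooted")
        actions.update({"block_email", "block_network", "selective_wipe"})
    # Data at rest unprotected: treat like a compromised device.
    if not device.encrypted:
        findings.append("device storage is not encrypted")
        actions.update({"block_network", "selective_wipe"})
    if not device.passcode_set:
        findings.append("no device passcode set")
        actions.update({"block_network", "notify_user"})
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum and parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"OS {device.os_version} below minimum {minimum}")
        actions.add("block_network")

    # App-reputation findings: malware or contact harvesting -> remove corporate
    # data until the app is uninstalled; other risky behaviours -> tell the user.
    for app in device.apps:
        if app.malware:
            findings.append(f"{app.name}: malware")
            actions.update({"block_network", "selective_wipe", "notify_user"})
        critical = app.behaviours & CRITICAL_BEHAVIOURS
        if critical:
            findings.append(f"{app.name}: {', '.join(sorted(critical))}")
            actions.update({"selective_wipe", "notify_user"})
        risky = app.behaviours & RISKY_BEHAVIOURS
        if risky:
            findings.append(f"{app.name}: {', '.join(sorted(risky))}")
            actions.add("notify_user")

    return {"device_id": device.device_id, "compliant": not findings,
            "findings": findings, "actions": sorted(actions)}


# Constructed sample fleet: one compliant device, one rooted/outdated device
# with a malicious third-party-store app, one clean device with a risky app.
SAMPLE_DEVICES = [
    Device("ios-001", "ios", "9.3", False, True, True,
           [App("corp-mail")]),
    Device("android-002", "android", "4.1", True, False, True,
           [App("sideloaded-game", malware=True),
            App("social-app", frozenset({"transfers_contacts", "cloud_file_storage"}))]),
    Device("ios-003", "ios", "8.4", False, True, True,
           [App("coffee-payments", frozenset({"cleartext_password"}))]),
]


def evaluate_fleet(devices: List[Device]) -> Dict[str, Dict[str, object]]:
    """Evaluate every device and key the results by device id."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, result in evaluate_fleet(SAMPLE_DEVICES).items():
        state = "compliant" if result["compliant"] else "NON-COMPLIANT"
        print(f"{device_id}: {state}; actions={result['actions']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```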
-Moving away from “On Demand VPN” and Device Level VPN to Per-App VPN
Stakeholders
Project management
Timelines
Key Performance Indicators – IT cost, employee productivity and satisfaction, reduced security incidents
But if BYOD is supposed to enhance productivity, why are we seeing the opposite results, where in a recent survey 60% of IT leaders reported that BYOD does not deliver on higher customer satisfaction?
I, too, have seen situations where BYOD has frustrated employees more than it has enhanced productivity on mobile. We are going to dig deeper into that and offer solutions on how to make your BYOD implementation successful.
Looking at the cost vs. benefit: Although it brings down capital expenditure because companies are able to leverage devices that employees have already purchased and employees also take better care of devices they buy themselves, it may actually increase IT support costs – BYOD sometimes does result in Bring Your Own Problems! IT helpdesks need to ensure that they can provide support across all mobile platforms. There are also great self-service tools and integrations of self-service tools into mobile device management solutions that can be leveraged to bring down these costs.
…where any mobile device can be reimbursed and supported. And if we are applying more restrictive policies and enabling a less than satisfactory user experience on mobile for these corporate issued devices, this will also impact employee satisfaction.
…make it simple to access corporate resources. If you have to enter multiple passwords on a mobile device just to access the intranet, this is cumbersome. There are authentication solutions that are tailored to mobile that leverage fingerprint, geolocation and even behavioural biometrics to authenticate users to internal resources. They are worth exploring. We can’t use the same authentication mechanisms we have on the desktop for mobile, like a hard token, it just doesn’t offer a good mobile user experience.
…I can’t emphasize this enough. Just providing a bunch of corp data on mobile is not going to cut it if you haven’t thought through what tasks users, from various departments, need to accomplish on their mobile device, what mobile apps are they using to accomplish these tasks and how do they interact with the apps and data on their mobile device? It can be as simple as taking user surveys and polling managers.
-Communication plan: you introduced BYOD to offer employees what they most want but you are seeing that employees would stop using their personal devices for business if they are required to install a specific security app on their mobile device – does this sound familiar? It turns out that a lot of this can be solved with good communication to your user base. Training matters: don’t take the hands off approach with your employees, but provide guidance on what is and is not acceptable.
-Manage data and not devices: you are going to have your work cut out for you if you focus only on the endpoints; there are too many mobile endpoints that are constantly changing, and one layer of defense is not enough.
Mobile Application Management policies, in particular data loss prevention policies. Data shows that the majority of organizations (67%) do not have policies in place that address sharing of corporate files in third-party cloud storage services. (Acronis July 2013)
Data and user classification: an important exercise that many organizations have already gone through, and we can leverage this information for mobile. When we do this, we can ensure employees have access to the Internal corp data they need to get their job done on a mobile device. But Confidential data in most situations, and Restricted data in all situations (an example of Restricted is PCI data), is not likely a necessity on the mobile device. This can help us determine a) what users can access on mobile and b) who those users are that may have varying levels of access dependent on job function.
Isolate network: So that systems with Restricted data are not comingled with Internal or corporate data. Should the average employee accessing the intranet to book a meeting room also have access to confidential and restricted corp data? Remember that employees will always find a way around a BYOD policy and companies should prepare for the inevitable.
Detect and contain (Malware poses a big threat and makes it easy for attackers to access your network from a jailbroken/rooted mobile device. Once malware is detected on the device, remove access to network (ie not allowing users to run enterprise apps) and you can take it a step further and tie this in with wiping corp data from the device and tie that in with disabling their network/AD account)
Are you looking at open connections to unsecured networks and investigating multi factor authentication (which on mobile is tricky to achieve seamless authentication that does not look like a hard token but it can be done and there are many companies doing interesting things in this space that are worth exploring).
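Putting the classification, network isolation and detect-and-contain points together as one decision rule, here is an added Python example (not from the talk or from any EMM product) of how an access broker might decide whether a mobile request for data of a given classification is served, and onto which network segment it may be routed. The three classification labels are the talk's own; the role names, posture fields, thresholds and segment names are assumptions made for the illustration.

```python
"""Mobile access decision by data classification and device posture.

Added example for this talk, not from it or from any EMM product.
Classification labels (Internal, Confidential, Restricted such as PCI data)
follow the talk; the role names, posture fields and network segment names
are assumptions made for the illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Classification(IntEnum):
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Highest classification each job function is cleared for (assumed mapping).
ROLE_CLEARANCE = {
    "employee": Classification.INTERNAL,
    "finance": Classification.CONFIDENTIAL,
    "payments-ops": Classification.RESTRICTED,
}

# Network segment hosting each class of data (assumed names). Restricted
# systems sit on their own segment so they are never commingled with Internal.
SEGMENT = {
    Classification.INTERNAL: "corp-intranet",
    Classification.CONFIDENTIAL: "corp-confidential",
    Classification.RESTRICTED: "pci-isolated",
}


@dataclass(frozen=True)
class DevicePosture:
    managed: bool           # enrolled in EMM with passcode/encryption enforced
    jailbroken: bool        # jailbroken or rooted
    malware_detected: bool
    encrypted: bool         # data at rest on the device is encrypted


@dataclass(frozen=True)
class Decision:
    allowed: bool
    segment: Optional[str]  # segment the request may be routed to, if allowed
    reason: str


def decide(role: str, data: Classification, posture: DevicePosture) -> Decision:
    """Decide whether a mobile request for `data` is served.

    Checks run from most to least severe: a compromised device gets nothing;
    Restricted data never goes to mobile regardless of who asks; then job
    function clearance; then at-rest protection; then Confidential requires a
    managed rather than an unmanaged BYOD device.
    """
    if posture.jailbroken or posture.malware_detected:
        return Decision(False, None, "device compromised: all corporate access blocked")
    if data is Classification.RESTRICTED:
        return Decision(False, None, "Restricted data is never served to mobile devices")
    clearance = ROLE_CLEARANCE.get(role, Classification.INTERNAL)
    if data > clearance:
        return Decision(False, None, f"role {role!r} is not cleared for {data.name}")
    if not posture.encrypted:
        return Decision(False, None, "corporate data at rest must be encrypted")
    if data is Classification.CONFIDENTIAL and not posture.managed:
        return Decision(False, None, "Confidential data requires a managed device")
    return Decision(True, SEGMENT[data], f"{data.name} permitted for {role!r}")


if __name__ == "__main__":
    byod = DevicePosture(managed=False, jailbroken=False, malware_detected=False, encrypted=True)
    managed = DevicePosture(managed=True, jailbroken=False, malware_detected=False, encrypted=True)
    for role, cls, posture in [
        ("employee", Classification.INTERNAL, byod),           # intranet: allowed
        ("finance", Classification.CONFIDENTIAL, byod),        # denied: unmanaged device
        ("finance", Classification.CONFIDENTIAL, managed),     # allowed on corp-confidential
        ("payments-ops", Classification.RESTRICTED, managed),  # denied: never on mobile
    ]:
        d = decide(role, cls, posture)
        print(f"{role:13} {cls.name:13} allowed={d.allowed!s:5} {d.segment or '-':18} {d.reason}")
```

The order of the checks is the point: device integrity is evaluated before anything else, the "never on mobile" rule for Restricted data does not depend on who is asking, and the BYOD-versus-managed distinction only matters once the user is already cleared for the data.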
-Separate personal data from corporate data: keeping the personal part of a dual-use device private is the single most important factor in employees agreeing to let the company onto their personal smartphone or tablet.
-Protect corporate data at rest on the device: passcode protection and encryption.
-Lost/stolen device: remove corporate data from the device and block its mobile apps from accessing your network.
-Reduce corporate liability: think about the personal data you may have access to and how you can reduce the corporate visibility and control over it. Do you need to locate employees, or to see every personal application they have installed? Think of the repercussions of a full wipe on a personally owned device versus a selective wipe: is there a way to eliminate that risk by only allowing IT to issue a selective wipe?
Involve stakeholders: we have discussed the technical side, but BYOD goes beyond the technical. Finance, legal, HR and operations need to be involved, with special emphasis on Legal, as just discussed.
Run a BYOD pilot: a pilot tells you whether your security policies are too draconian, or whether users are frustrated and not getting the access they need on mobile. Don't overlook this step. You can also use it as an opportunity to get your IT helpdesk process ironed out and helpdesk resources ramped up to support BYOD.
App reputation is a way to identify which mobile apps put corporate data at risk and which apps are benign. The average employee has 50-250 apps on their mobile device, and 70% of these apps can access corporate data (AppThority).
Let's look at some of the risky app behaviours that allow for this.
Transferring contacts: developers, especially of social networking apps, transfer the contacts or address book from the device without permission, usually to increase the viral or network effects of the app. The problem is that these contacts have likely synced with the user's corporate email and contacts and so are enterprise data, now sitting on a consumer-managed device alongside other apps that can affect the security of that data.
Cloud-based file storage: many apps can sync documents to Box, Dropbox, SugarSync, SkyDrive, Google Drive, and the list is endless. At the very least you want to be able to track which apps are syncing data to the cloud, so that you can put controls in place to protect your corporate data. If the proper controls are not in place, corporate data that has been copied into personal cloud storage is not removed when IT does a selective wipe: the wipe only reaches the device.
Uses microphone: scarily enough, there are apps that can turn the microphone on the user's mobile device ON without the user's permission or awareness. A malicious party can then record work conversations.
Accesses IMEI/UDID: there are apps that read the device's unique identifier. Even though Apple cracked down on this a few years ago, several apps still obtain this information, and developers and ad networks use it to track and identify users based on behaviour and location.
Single sign-on: many apps let users sign in with their Facebook and/or Twitter accounts. This makes for a better user experience, but it is also riskier: if a user's social login is compromised, every app the user has signed into with that identity may be compromised as well.
Privacy violations, location tracking: everyone understands the implication of knowing someone's location at all times, and if the user agrees to it, that is their business. However, there are apps that bypass the permission model to track users without their consent. On Android, for example, there are apps that bypass the location API provided by Google and implement their own geolocation clients, so that location can be tracked without the user granting location permission.
In-app purchases: mobile apps that let users buy goods or services within the app may not raise a red flag in your organization, as many apps offer this. What to watch for, however, are applications that retain an employee's credit card information unencrypted. One example is one of the most popular apps, often cited as the most successful mobile payment app: Starbucks. It saves the user's password on the device in cleartext along with links to the user's credit card information; none of it is encrypted within the app, and the data at rest in the application is not protected.
Mobile malware isn't much different from malware on the desktop. Malware-ridden spam emails and phishing scams have moved from the desktop to the mobile world. Cybercriminals see mobile as a market opportunity since the endpoints are often less protected than corporate desktops.
-Once attackers have access to a jailbroken/rooted device, they can grab any sensitive corporate data on the victim's personal phone or tablet. There is even malware that, once installed, roots the device.
-The risk of malware increases with applications obtained through unofficial outlets such as third-party app stores.
-IT is often tempted to combat this by publishing lists of approved apps and blacklisting the rest, but this is unrealistic: a blacklist is difficult for IT to keep current. This is where an app reputation service can help, dynamically rating applications so that only those deemed safe are installed, and monitoring applications already installed to determine the risk they pose of exposing corporate data.
We can report on all of these violations and behaviours. We can also automate actions based on the behaviours reported by the applications on a device. For example, if malware or spyware is detected on the device, we can issue a selective wipe so the corporate data is removed from the device, or we can send a message to the user when we detect risky app behaviours.
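As an added example (not from the talk or from any app-reputation vendor), the following Python sketches the reporting and automated response described here and under "Detect and contain": it scores a device's app inventory against the risky behaviours listed above, derives the ordered containment actions (block enterprise apps, selective wipe, disable the directory account), and separately lists the apps that sync to consumer cloud storage, since data copied there is not reached by a selective wipe. The behaviour names, weights, thresholds and action names are assumptions, and the sample inventory is constructed.

```python
"""Score a device's app inventory for risky behaviours and derive a response.

Added example for this talk, not from it or from any app-reputation vendor.
The behaviour names, weights, thresholds and action names are assumptions;
the SAMPLE inventory is constructed, not real telemetry.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Behaviour flags an app-reputation feed might report, with assumed weights.
RISKY_BEHAVIOURS: Dict[str, int] = {
    "transfers_contacts": 3,            # address book (incl. synced corp contacts) leaves device
    "cloud_file_sync": 2,               # documents synced to consumer cloud storage
    "microphone_no_prompt": 4,          # can record without the user being aware
    "reads_device_id": 1,               # IMEI/UDID used for cross-app tracking
    "location_bypass": 2,               # tracks location outside the permission model
    "stores_credentials_cleartext": 3,  # passwords / card links unencrypted at rest
    "social_sso": 1,                    # signs in with a Facebook/Twitter identity
}
THIRD_PARTY_STORE_PENALTY = 2           # unofficial outlets carry more malware risk


@dataclass
class App:
    name: str
    source: str                         # "official" or "third_party"
    behaviours: List[str] = field(default_factory=list)
    malware: bool = False               # flagged as malware/spyware by the feed


@dataclass
class DeviceReport:
    device_id: str
    jailbroken: bool
    apps: List[App]


@dataclass
class Response:
    actions: List[str]                  # ordered containment/notification steps
    risk_score: int
    cloud_sync_apps: List[str]          # corp data copied here survives a selective wipe
    findings: List[str]


def score_app(app: App) -> int:
    score = sum(RISKY_BEHAVIOURS.get(b, 0) for b in app.behaviours)
    if app.source == "third_party":
        score += THIRD_PARTY_STORE_PENALTY
    return score


def evaluate(report: DeviceReport, notify_at: int = 3, block_at: int = 6) -> Response:
    findings: List[str] = []
    cloud: List[str] = []
    total = 0
    for app in report.apps:
        s = score_app(app)
        total += s
        if s:
            why = ", ".join(app.behaviours) or "third-party source"
            findings.append(f"{app.name}: {why} (score {s})")
        if "cloud_file_sync" in app.behaviours:
            cloud.append(app.name)

    # Compromised device: cut network access, remove corp data, disable the
    # account, in that order, before anyone investigates.
    if report.jailbroken or any(a.malware for a in report.apps):
        findings.append("device compromised (jailbroken/rooted or malware present)")
        return Response(
            ["block_enterprise_apps", "selective_wipe", "disable_directory_account"],
            total, cloud, findings)
    if total >= block_at:
        return Response(["block_enterprise_apps", "notify_user"], total, cloud, findings)
    if total >= notify_at:
        return Response(["notify_user"], total, cloud, findings)
    return Response([], total, cloud, findings)


# Constructed sample inventory for the example.
SAMPLE = DeviceReport("dev-001", jailbroken=False, apps=[
    App("Mail", "official"),
    App("SocialChat", "official", ["transfers_contacts", "social_sso"]),
    App("FileSync", "official", ["cloud_file_sync"]),
    App("FreeFlashlight", "third_party", ["reads_device_id", "location_bypass"]),
])

if __name__ == "__main__":
    r = evaluate(SAMPLE)
    print("risk score:", r.risk_score, "actions:", r.actions)
    print("apps syncing corp data to the cloud:", r.cloud_sync_apps)
    for f in r.findings:
        print(" -", f)
```

Two design choices worth noting: a jailbroken device or a malware hit short-circuits the scoring entirely, because containment should not wait on a risk total, and the cloud-sync list is reported regardless of the action taken, because a selective wipe leaves any corporate documents already synced to personal cloud storage in place and someone has to follow up on those separately.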