Mobile Security for the
Enterprise
Considerations For A Robust Strategy
Will Adams
Software Architect
Fiserv, Inc.
@RemoteArchitect
Agenda
• Questions that need to be asked
• Defining a security strategy
• Risks and threats
• Authentication & Authorization
• Protecting data
• Securing communications
• Application security
• Managing devices
• Enterprise Mobility Management
• Demo
• Resources
Questions that need to be asked
• What problems are we trying to solve?
• How do we identify users?
• How do we manage what users can do?
• How do we protect our data?
• How do we enforce secure communications?
• How do we secure our apps?
• How do we manage devices?
• What are the risks and threats?
• How do we solve these problems and deliver a mobile solution
to our enterprise while mitigating the risks and threats?
Defining a security strategy
• Determine usage scenario(s) – corporate-owned devices (COD) and/or bring your
own device (BYOD)
• Least control of hardware, OS and software with BYOD
• Don’t let users do both since it’s harder to support
• Create policies to manage mobile security in the enterprise. For example:
• Set mandatory passcodes
• No rooted or jailbroken devices
• Disable copy-and-paste of business data
• Don’t store sensitive data on the device
• Always require VPN
• Wrap custom apps in a secure container
Elements of a mobile security and management strategy
(Slide 5 is a diagram; its text is grouped here by column.)

At the Device – Mobile Device Management and Security
• Enroll – Register owner and services
• Configure – Set appropriate security policies
• Monitor – Ensure device compliance
• Reconfigure – Add new policies over-the-air
• De-provision – Remove services and wipe

On the Network – Mobile Network Management and Security
• Authenticate – Properly identify mobile users
• Encrypt – Secure network connectivity
• Monitor – Log network access and events
• Control – Allow or deny access to apps
• Block – Identify and stop mobile threats

For the mobile app – Mobile Application Management and Security
• Develop – Utilize secure coding practices
• Test – Identify application vulnerabilities
• Monitor – Correlate unauthorized activity
• Protect – Defend against app attacks
• Update – Patch old or vulnerable apps

Capability areas shown in the diagram:
• Mobile Device Management – device wipe and lockdown, password management, configuration policy, compliance
• Mobile Network Protection – secure communications (VPN)
• Mobile Identity & Access Management – identity management, authorize and authenticate, certificate management, multi-factor
• Mobile Threat Management – antimalware, antispyware, antispam, firewall/IPS, web filtering, web reputation
• Mobile Information Protection – data encryption (device, file and app), mobile data loss prevention
• Mobile App Development & Management – scanning, authenticity testing, update enforcement, remote disable
Risks & Threats
• OWASP¹ sums it up pretty well in their top 10 list:
• M1 – Improper Platform Usage
• M2 – Insecure Data Storage
• M3 – Insecure Communication
• M4 – Insecure Authentication
• M5 – Insufficient Cryptography
• M6 – Insecure Authorization
• M7 – Client Code Quality
• M8 – Code Tampering
• M9 – Reverse Engineering
• M10 – Extraneous Functionality
¹ Top 10 Release Candidate for 2016
Authentication
• Two-factor authentication (TFA)
• What you know – e.g. user name, password
• What you have – e.g. physical device
• Multi-factor authentication (MFA) – Includes TFA plus:
• What you are – i.e. physical characteristics like thumbprint, face, voice
• Use claims or certificate-based authentication
• Enforce a strong password policy
• Lockout after several invalid attempts
• Delay between unsuccessful attempts
• Password strength
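The three password-policy bullets above (lockout after several invalid attempts, a delay between unsuccessful attempts, and password strength) as an added Python example. This is illustrative code written for this page, not the presenter's or Fiserv's; the thresholds (5 failures, 15-minute lockout, delay doubling from 1 s up to 30 s, 12-character minimum) are assumed values that a real policy would set.

```python
import re

# Policy values are constructed for this example; they are not taken from the slides.
MAX_FAILURES = 5           # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60  # how long a locked account stays locked
BASE_DELAY_SECONDS = 1.0   # delay after the first failure; doubles on each further failure
MAX_DELAY_SECONDS = 30.0   # cap on the per-attempt delay
MIN_PASSWORD_LENGTH = 12


class AccountState:
    """Per-account throttling state (in memory here; a real service would persist it)."""

    def __init__(self):
        self.failures = 0        # consecutive failed attempts
        self.locked_until = 0.0  # unix time until which the account is locked
        self.next_allowed = 0.0  # unix time before which attempts are rejected


class LoginThrottle:
    """Lockout after several invalid attempts plus a growing delay between attempts."""

    def __init__(self):
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def check(self, user, now):
        """Return (allowed, reason). Call this before verifying the credential."""
        s = self._state(user)
        if now < s.locked_until:
            return False, "locked"
        if now < s.next_allowed:
            return False, "delayed"
        return True, "ok"

    def record_failure(self, user, now):
        """Update state after a failed credential check."""
        s = self._state(user)
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS
            s.next_allowed = s.locked_until
        else:
            delay = min(BASE_DELAY_SECONDS * 2 ** (s.failures - 1), MAX_DELAY_SECONDS)
            s.next_allowed = now + delay

    def record_success(self, user):
        """A successful login clears the counters for that account."""
        self._accounts.pop(user, None)


def password_strength_errors(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    classes = (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
               ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"))
    for label, pattern in classes:
        if not re.search(pattern, password):
            errors.append("no " + label)
    if re.search(r"(.)\1\1", password):
        errors.append("three identical characters in a row")
    return errors
```

The throttle keys on the account, so it slows down guessing against one user; a deployment would also throttle per source address, and the delay is enforced server-side rather than by asking the client to wait.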
Authentication
• Consider Single Sign On
• Most MDM vendors offer this capability, or…
• You can roll your own using OAuth – take a look at Ping Identity’s SSO dev guide:
https://developer.pingidentity.com/en/resources/napps-native-app-sso.html
Authorization
• Should be part of a company-wide strategy
• Should combine security features with content
• Look at Digital Rights Management (DRM) systems like
• Azure Rights Management - https://technet.microsoft.com/en-us/library/jj585026.aspx
• Can sync with AD on premise
• Adobe LiveCycle Policy Server
Protecting Data
• At rest
• iOS – small amounts of data in the Keychain; larger amounts of data can leverage
Apple’s File Protection mechanism or a third party container like SQLCipher
• Android – internal storage (per app) or custom content provider (app to app)
• Encrypt your data but strike a balance between key management and a good user
experience
• In transit
• Use Perfect Forward Secrecy (PFS) cipher suites for the SSL/TLS traffic
• Use VPN
• Ex: Microsoft Intune can deploy VPN profiles to specific mobile OSes
• App wrappers provide encryption for data at rest and in transit
• EMM vendors provide app wrapping capability
Securing Communications
• At a solution level – use TLS 1.2 to encrypt and protect the data stream
• Example: for web-based apps we can leverage the Strict Transport Security header to
enforce HTTPS
• At an OS level – encrypt traffic using VPN
• Best of both worlds – per app VPN
• Included with iOS 7+ for specific managed apps
• Third party apps like VyprVPN for Android
• Turn off non-securable networks like Bluetooth and WiFi
• Require a firewall app on the device
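The two solution-level controls in this section, as an added Python example that is not from the slides or from any product named on them: a client TLS context that refuses anything older than TLS 1.2 and verifies the server certificate, and building and validating a Strict-Transport-Security header. The one-year minimum max-age in hsts_is_acceptable is an assumed policy value.

```python
import ssl


def make_tls_context():
    """Client-side TLS context: refuses anything older than TLS 1.2 and verifies the
    server certificate against the platform trust store, including the hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hsts_header(max_age, include_subdomains=True, preload=False):
    """Build the Strict-Transport-Security value a server sends on HTTPS responses."""
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    Returns None when the header is malformed (no max-age, duplicate or non-numeric max-age)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive (RFC 6797)
        arg = arg.strip().strip('"')         # max-age may be a quoted string
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


def hsts_is_acceptable(value, min_age=365 * 24 * 3600):
    """True if the header is well formed and commits clients to HTTPS for at least
    min_age seconds (assumed policy: one year)."""
    parsed = parse_hsts(value)
    return parsed is not None and parsed[0] >= min_age
```

HSTS only takes effect after a client has seen the header over a valid HTTPS connection, so the first request to a host is still unprotected unless the domain is on the browsers' preload list; the header must never be sent over plain HTTP, where clients ignore it.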
Application Security
• For BYOD, use a container app as a sandbox to protect company data
• Easy to install and very secure
• Limitations using non-containerized apps. Also requires tie-in to specific vendor
• Use app wrapping feature from EMM providers
• Features:
• Encryption for data at rest and in transit
• Data loss prevention
• Geo-fencing
• Requires the unsigned app binaries
• Provides better UX and security
• Digitally sign and pen test all custom apps
Managing Devices
• Again, decide on whether you want to support COD or BYOD
• Avoid rooted or jailbroken devices at all costs!
• MDM vendors provide the best security
• Enables control of device features
• Allows wiping the device remotely
• Manages the deployment of apps and certificates
• Deploys profiles for email, WiFi, VPN, etc.
• Can use Exchange ActiveSync if not using MDM but there are limitations
Enterprise Mobility Management
• Includes Mobile Device Management (MDM), Mobile Application Management
(MAM), Mobile Email Management (MEM), profiles, app wrapping, etc.
• Exchange ActiveSync can provide bare-bones MDM but doesn’t manage the
entire device. Best security solution for complete device management is to
partner with a third-party vendor.
• Vendors include Good Technologies, AirWatch and MobileIron
• Can get some level of MDM via the mobile OS
• iOS has configuration profiles which can be managed with the iPhone Configuration
Utility. This gives the same device-level functionality available to MDM providers
• Android MDM is administered as a standalone app via the Device Admin API
Enterprise Mobility Management
• EMM vendors provide a number of advantages over other methods:
• Provide SaaS or on-premise deployments for central management
• Vendors use services like Appthority for verifying the reputation of third-party apps
• Provisioning corporate settings, credentials and apps
• Complying with legal requirements
• The typical user and device enrollment process:
• Creating a new user in the administration console including name and email address
• Generating an email invitation to the user created in the prior step with temporary
access credentials and instructions to install the MDM provider’s host application
• Installing the MDM provider’s host application on the device then following the steps
to register the device with the vendor
• In the administrative console, verifying the user’s device was registered
And Don’t Forget…
• Users and organizational policies also help with security
• Establish policies to protect against theft, loss, etc.
• Educate users about the risks
Demo
• Using Microsoft Intune
Resources
• Books
• The Mobile Application Hacker’s Handbook by Dominic Chell, et al
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html
• Mobile Device Security for Dummies by Rich Campagna, et al
http://www.dummies.com/store/product/Mobile-Device-Security-For-Dummies.productCd-
0470927534,navId-322496.html
• Enterprise Mobility Management by Jack Madden
http://www.amazon.com/Enterprise-Mobility-Management-Everything-Edition-
ebook/dp/B00DK2GHHA
• Mobile Strategy How Your Company Can Win by Embracing Mobile Technologies by Dirk
Nicol
http://www.ibmpressbooks.com/store/mobile-strategy-how-your-company-can-win-by-
embracing-9780133094961
Resources
• PluralSight Course
• Enterprise Strength Mobile Device Security -
https://app.pluralsight.com/library/courses/enterprise-strength-mobile-device-
security/table-of-contents
• Websites
• Mobile Security Wiki - https://mobilesecuritywiki.com/
• OWASP Mobile Security Project -
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project


Editor's Notes

  1. Elements of mobile security and management strategy from the book Mobile Strategy How Your Company Can Win by Embracing Mobile Technologies by Dirk Nicol.
  2. https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
  3. Can also supplement authentication with time-based one-time password (TOTP) or one-time password (OTP). For example, with VPN access. TOTP/OTP can be used with TFA. Refer to: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm.
  4. Remember that insecure data storage is an OWASP top 10 mobile security risk. https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet http://developer.android.com/training/articles/security-tips.html https://en.wikipedia.org/wiki/Forward_secrecy
  5. Non-containerized apps – ex: apps that open attachments.
  6. Jailbroken devices circumvent all OS security mechanisms. MDM vendors also provide device enrollment, complete or enterprise wipe, etc. http://searchmobilecomputing.techtarget.com/tip/Using-Microsoft-Exchange-ActiveSync-for-MDM-What-you-can-and-cant-do
  7. Establish hotline, support ticket system, email address for incidents, etc.
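Note 3 above mentions supplementing authentication with a time-based one-time password (TOTP) as the "what you have" factor from the Authentication slide. The following is an added Python implementation of RFC 4226 HOTP and RFC 6238 TOTP with a server-side verifier; it was written for this page and is not code from the slides. The drift window of one time step and the in-memory replay table are design assumptions, and the test secret is the one published in the RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian 64-bit counter, dynamic truncation,
    then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def secret_from_base32(text):
    """Decode the base32 secret that authenticator apps are usually provisioned with."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that QR codes often omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check: accepts codes from adjacent time steps (clock drift) and rejects
    re-use of a code whose step has already been accepted for that user (replay)."""

    def __init__(self, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.step, self.digits, self.window, self.algo = step, digits, window, algo
        self._last_counter = {}   # user -> last accepted counter (assumed in-memory store)

    def verify(self, user, secret, code, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        counter = int(now) // self.step
        matched = None
        # Compare every candidate with a constant-time comparison; do not stop early.
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c, self.digits, self.algo), code):
                matched = c
        if matched is None:
            return False
        if matched <= self._last_counter.get(user, -1):
            return False   # this step (or an older one) was already used: reject replay
        self._last_counter[user] = matched
        return True
```

The verifier should sit behind the same lockout and delay controls as the password check, since a 6-digit code is guessable by brute force if attempts are unlimited, and the replay table must be shared across server instances or the protection is lost behind a load balancer.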