Security Considerations for Mobile Devices Trent Henry Research
Security Considerations for Mobile Devices Trent Henry Research VP Security & Risk Management This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2012 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.
“Small” Incidents are Common
Agenda • What’s really new about risks for mobile devices? • Controls you may put on your list of requirements • What about user experience? • How do mobile security architectures compare? • Why and when would you improve on existing platform security controls?
What’s really new about risks for mobile devices? Gartner for Technical Professionals
Threat Agents Malware Thief Evil maid Threat type: logical Threat type: physical Coexists with user Exclusive access Coexists with user Examples: • Redsn 0 w Jailbreak • Plenty in the room • Stealing a file system • Android Foncy. Dropper • Zit. Mo 5
Old risks, in new context Expanding use cases and storage capacity Malware Impact Thief Increased popularity Likelihood It is only a matter of time before the first large data breach concerning a mobile device receives media attention 6
Impact on Security Architecture • The security risks to information have not changed: - Malicious software - Theft/loss of the device - Eavesdropping • But there are new twists: - Endpoint ownership - No dominant operating system or paradigm - Very short device life cycle - Immature management and security tools - Usability and network connectivity
Impact on Security Architecture Risk Management No data on device None Controls in the Apps Limited (manage container only) (Container) Manage the device (required Controls on the for certificates) i. e. MDM device Example 1 – No Data on the Device Native Apps VDI/Web app/App w/ remote data Resident App (dev/COTS) w/security Resident App (dev/COTS) w/o security Application/ User Experience On-line only Offline Connectivity Required
Impact on Security Architecture Risk Management No data on device None Controls in the Apps Limited (manage container only) (Container) Manage the device (required Controls on the for certificates) i. e. MDM device Example 2 – Data within a Container Only Native Apps VDI/Web app/App w/ remote data Resident App (dev/COTS) w/security Resident App (dev/COTS) w/o security Application/ User Experience On-line only Offline Connectivity Required
Impact on Security Architecture Risk Management No data on device None Controls in the Apps Limited (manage container only) (Container) Manage the device (required Controls on the for certificates) i. e. MDM device Example 3 – Data on the Device Native Apps VDI/Web app/App w/ remote data Resident App (dev/COTS) w/security On-line only Offline Resident App (dev/COTS) w/o security Application/ User Experience Connectivity Required
Controls you may put on your list of requirements Gartner for Technical Professionals
Access Control • Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to device • Consider - Methods: PIN, password, swipe, face unlock, hardware token, other biometrics - Policies to enforce: password complexity/history/delay/lock, inactivity timer - Risks of keyloggers and other spyware - Limitations facing laboratory attacks that circumvent authentication 12
Encryption • Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information • Consider • Encryption and keys in hardware/software • Keys derived from device and/or passcode? • What information is encrypted? • Cache management • Known weaknesses and third party validations 13 01 10 10 01 00 01
Application Controls • Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data • Consider • Application and data isolation App Data • Signatures • Key management and encryption APIs • Management hooks • Application store controls • Kill switch: remotely kill an application on all devices 14
Remote and Local Wipe • Aims to reduce the risk of Thieves by remotely or locally wiping applications and data • Consider - Full/partial wipe - Local/remote wipe - What information and apps are wiped - The wiping method - How to confirm completion 15
What about user experience? Gartner for Technical Professionals
An example: Client Virtualization Let’s keep sensitive information off the device entirely! Connection secured with encryption No controls needed on the device …But malware, keyloggers, and jailbroken devices may be a problem User authenticated prior to access 17
You gotta be kidding me! Access to Information Secure Time-to-market Manageability Rich and Immersive UX Offline Native Capabilities Portability
Comparison Assessment * *You are responsible for building your own security controls! 19
Broader Impact: Network Architecture • Increasing radio spectrum consumption - An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans) - S L O W networks are not user-friendly - Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks • Solutions include - Selective site survey, mission-critical network design - Capacity planning, 802. 11 n APs - Intrusion detection systems, spectrum monitoring Same goes for WAN and WWAN
How do mobile security architectures compare? (AKA “Know your platforms before adding more stuff”) Gartner for Technical Professionals
Android Security • Type: End-user control • Key elements - Linux process and file isolation - Permissions based • Concerns: - Fragmentation of the platform over OEMs - Encryption support dependent on OEM - Content providers accessible by default - Many OSS components and uncurated appstores may lead to malware - Permissions rely on people’s judgment 22
i. OS Security • Type: Walled garden • Key elements: - Curated Appstore - Sandboxing - Hardware encryption, always on - OTA updates • Concerns: - Vulnerabilities in OS that lead to jailbreak - Few mechanisms that limit the access of an app - Data protection not used by all applications and not validated 23
Black. Berry Security • Type: Guardian • Key elements - Best in class mobile management and security - Data protection capabilities - No jailbreaks for BB smartphones • Concerns - App. World is vetted but its use not mandated, leading to potential for malware - Apps may have extensive access, without jailbreak - Management is critical, e. g. encryption is optional 24
Application Controls for Various Platform Application testing Centralized signing Application control on the device Third-party anti-malware products Black. Berry Yes, but applications can be offered outside of App World Yes, but the requirement to check the signature is configurable Yes i. Phone Yes Limited to major applications No Windows Phone 6. x Yes, but the requirement to check the signature is configurable Available through third-party products or System Center Yes Windows Phone 7 Yes, but the requirement to check the signature is configurable No No Symbian Yes Available through third-party products Yes Android Limited – some app stores perform testing but apps available outside of app stores No No Yes
Recommendations Gartner for Technical Professionals
Recommendations ü Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated ü Limit support to handhelds that satisfy minimal security requirements ü Balance UX with security and connectivity üUsers will go around security if you don’t have a good UX ü Conduct data analysis to determine what is acceptable on the device and what is not ü Deal with related infrastructure issues: network, authentication, provisioning, …
Recommended Gartner Research è Comparing Security Controls for Handheld Devices Mario de Boer, Eric Maiwald, 22 January 2012 è Decision Point for Mobile Endpoint Security Eric Maiwald è Client Virtualization: Reducing Malware and Information Sprawl Mario de Boer, Dan Blum è Solution Path: How to Create a Mobile Architecture Paul Debeasi è Field Research Summary: Mobility and Security Eric Maiwald, 26 January 2012
- Slides: 29