The Workplace of the Future and Mobile Device Risk

ISACA Pittsburgh May 20th, 2013

[2] | ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk

Companies are leveraging mobile computing today

Three major consumption models:

1. Improving productivity: improving employee productivity by extending the reach of existing apps. Ex. mobile timesheets.

2. Enabling employees: enabling employees via new or more efficient business processes. Ex. mobile field support, mobile CRM.

3. Enabling new business: targeting new markets or offering clients new products/services. Ex. mobile commerce apps.

Transform infrastructure by changing the application delivery method.

Arm your people with the best tools to increase productivity.

Deliver a new service, or an existing service to a new market.

[3]

The future mobile workplace will be driven by an empowered employee

► Work will be done by open, interconnected, global communities where knowledge is collective and accessible

► The workforce will be more mobile, flexible, agile, and adaptable to the changing business needs

► The tools of work will be easy to use, seamless and always available

The Old World: corporate-owned device

The New World: employee-owned device; anytime, anywhere, any connection, any trusted device

[4]

Mobile nirvana? Make getting work done easier by empowering the employee

Diagram: access to the information they need, from any trusted device, anytime, anywhere, over any connection, via enablement platforms (IT apps; public and private cloud)

[5]

The big picture – the mobile security risk surface

Diagram of the risk surface, spanning external and internal components: private cloud / services, enterprise mobile applications, mobile device management, cloud services, devices, apps and third parties.

Risks shown on the diagram:

► Third-party data leakage

► Application vulnerabilities

► Insecure service configuration

► Jailbreak or rooting

► Insecure MDM configuration

► Insecure services

► Theft and data extraction

► Malware

► Unencrypted data in transit

► Data leakage

► Social engineering

► NFC/Bluetooth exploits

► Unencrypted local storage

► Privacy legislation

► Industry regulations

[6]

How can your organization strike a balance between risk and reward?

Employee view:

► Corporate devices are old-fashioned

► Many employees already own one as their personal device and bring it to work

► Some C-level executives may already be using one for business as a “special request”

► Arguments for increased innovation, flexibility and productivity

► “I want one for work too!”

Enterprise view:

► Devices built for the consumer market

► Concern regarding device management, security, scalability and data protection

► Impact on meeting regulatory compliance obligations

► What happens if we don’t support?

► “Is it secure and reliable enough for handling corporate information?”

[7]

There is no “one size fits all” solution; instead, organizations should focus on addressing risk within four core areas

Area: goal

1. Securing mobile devices: ensure that lost and stolen devices are handled securely, and that access to data is protected

2. Addressing application risk: minimize the risk of malware and insecure mobile apps affecting the organization’s data

3. Managing the mobile environment: address risk tied to enrollment, deprovisioning, patching and monitoring

4. Addressing governance and compliance: proactively handle regulatory risk tied to industry regulations and in-country privacy legislation

[8]

Securing mobile devices

[9]

The greatest mobile risk is still device loss/theft, but the risks are shifting as a function of new usage scenarios

Chart: mobile device loss, lost device recovery rate, finder voyeurism, employee data access

More data/access + more devices + more theft/loss = Increased risk

[10]

The evolution of threats

Device security controls should be tailored based on mobile use cases and threats

[11]

8 steps to secure your devices

1. Evaluate current and future usage scenarios

2. Invest in an MDM solution

3. Enforce the “Big 4” security policies as a minimum

4. Set a device security baseline

5. Layer the infrastructure

6. Consider more stringent access controls to critical business apps

7. Monitor usage and access

8. Amend the organization’s awareness program

The Big 4:

► Device encryption

► PIN

► Wipe after 10 failed PIN attempts

► Remote wipe

[12]

Addressing application risk

[13]

Mobile banking malware in the wild: sophisticated malware modus operandi

Malware sample: “Eurograbber”

1. The bank implements two-factor authentication. To complete a transaction, a transaction authorization number (TAN) is needed. The TAN is sent to end users via SMS.

2. Victim clicks on a link sent via spam or available on a malicious website.

3. Victim downloads malware to the desktop. The malware waits until the user begins a banking session.

4. Malware creates fake pages during the session requesting the user to install a “security upgrade”. The link to this “upgrade” is sent via SMS.

5. Victim clicks on the “upgrade” link and installs mobile malware. This malware now waits for the user to receive a TAN.

6. Malware intercepts the TAN and processes transactions.

[14]

5 steps to counter application risk

1. Protect malware-prone mobile operating systems with anti-virus

2. Ensure your secure development lifecycle contains security processes to cover mobile application development

3. Manage applications through an in-house app store, and monitor external apps

4. Proactively bring in or develop services that enable data sharing between devices

5. Continually assess the need for apps to increase productivity and security

[15]

Managing the mobile environment

[16]

Failing to handle the management issue will ensure ballooning risk

Chart: mobile operating system distribution … (iOS, Android) across 3000 devices

[17]

Mobile Device Management (MDM) is a first step for risk mitigation in diverse mobile deployments

Without MDM:

► Limited security controls

- Inability to securely wipe devices

- No application management

- No way to restrict devices based on security settings

- Hard to control enrollment / deprovisioning

► Limited manageability

- Difficult to manage devices

- Little or no control over device status

- Doesn’t scale

With MDM:

► Consistent controls

- Secure, confirmed remote wipe

- Compartmentalization and app management

- Restrict based on policy

- Control enrollment and deprovisioning

► Better manageability

- Easier to manage and support diverse devices

- Better control over device status

- Scales to many types of devices

[18]

6 Steps to securely manage mobile devices

1. Create a cross-functional mobile working group and a mobile strategy

2. Create a BYOD policy (if applicable) and invest in an MDM

3. Re-vamp existing support processes

4. Create a patch education process to encourage users to update their mobile devices

5. Monitor deviations from security baseline

6. Implement a wiki/knowledge base employee self-service support solution
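Step 5 above, monitoring deviations from the security baseline, can be automated against an MDM inventory export, using the “Big 4” policies from the device-security steps as the baseline. The Python below is an added example, not code from the presenters or from any MDM product; the record layout, field names and sample devices are constructed assumptions.

```python
"""Check MDM inventory records against the deck's "Big 4" device baseline.
Added example, not code from the ISACA deck or any MDM vendor: the record
layout, field names and the sample inventory are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Big 4: encryption, PIN, wipe after 10 failed PIN attempts, remote wipe.
# The jailbreak/root check comes from the deck's risk-surface slide.
MAX_FAILED_PIN_ATTEMPTS = 10


@dataclass
class DeviceRecord:
    device_id: str
    encrypted: bool
    pin_set: bool
    wipe_after_failed_attempts: Optional[int]  # None = auto-wipe disabled
    remote_wipe_enabled: bool
    jailbroken: bool = False  # as reported by the (assumed) MDM agent


def baseline_deviations(dev: DeviceRecord) -> List[str]:
    """Return the controls this device fails; an empty list means compliant."""
    failures = []
    if not dev.encrypted:
        failures.append("device encryption disabled")
    if not dev.pin_set:
        failures.append("no PIN configured")
    # The wipe threshold must be set and no more permissive than the baseline.
    if (dev.wipe_after_failed_attempts is None
            or dev.wipe_after_failed_attempts > MAX_FAILED_PIN_ATTEMPTS):
        failures.append(f"failed-PIN wipe threshold not <= {MAX_FAILED_PIN_ATTEMPTS}")
    if not dev.remote_wipe_enabled:
        failures.append("remote wipe not enabled")
    if dev.jailbroken:
        failures.append("device is jailbroken/rooted")
    return failures


def audit_inventory(inventory: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant device_id to its deviations (compliant ones omitted)."""
    report = {}
    for dev in inventory:
        failures = baseline_deviations(dev)
        if failures:
            report[dev.device_id] = failures
    return report


SAMPLE_INVENTORY = [  # constructed sample, not real devices
    DeviceRecord("ios-001", True, True, 10, True),
    DeviceRecord("and-002", False, True, None, True),
    DeviceRecord("and-003", True, True, 15, False, jailbroken=True),
]
```

Feeding the real export through `audit_inventory` on a schedule gives the deviation list that step 5 asks for; devices that appear in it are candidates for the policy-based restriction the MDM slide describes.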

[19]

Addressing governance and compliance

[20]

Mobile deployments must account for global privacy regulation (and surveillance) risks

Relevant U.S. / international regulations:

► PCI-DSS – recently published on BYOD

► HIPAA HITECH – refers to NIST standards, but will likely change

► FINRA

► SOX

Core EU privacy concepts:

► Privacy governance

► Data protection

► Monitoring (privacy at work)

► Breach investigation and notification

► Right to be forgotten and erasure

► Data ownership and recovery

The trend is for more specific regulation around mobile data protection to be released

[21]

5 steps to handle regulatory/compliance risk

1. Engage legal and HR in the respective countries where devices are to be supported

2. Create tiered policies per geographical segment

3. Ensure that local management has the right processes in place to support the policy

4. Monitor and revise policies regularly

5. Segment business environments and data from personal employee data as much as possible

[22]

Using these four areas to scope your audit will help you focus on the right risks

Mobile audit scope:

1. Securing mobile devices

2. Addressing application risk

3. Managing the mobile environment

4. Addressing governance and compliance

[23]

Questions?

[24]

Ernst & Young contacts

Paul Chabot Senior Manager IT Transformation

San Francisco, CA

[email protected] +1 415 601 7466

Michael Janosko Senior Manager, Advanced Security Center

New York, NY

[email protected] +1 212 773 1646

Carsten Maartmann-Moe Manager, Advanced Security Center

New York, NY

carsten.[email protected] +1 212 773 0133

[25]

BYOD pitfalls and leading practices

[26]

BYOD Strategy

Pitfalls and leading practices when developing your BYOD strategy

Scope: User segments

Pitfall: One size fits all strategy

Leading practices:

• Analyze the requirements of different user types and define user segments

• Keep the number of segments manageable to reduce the complexity of your BYOD strategy

• Consider long-term plans to use mobile enterprise applications as part of your usage scenarios

Scope: Device certification

Pitfall: Considering only currently available devices

Leading practices:

• New devices are introduced into the market every 3-6 months

• The certification process must be ongoing and continually evolving

• IT must become an expert on device and operating system evolution

[27]

BYOD Strategy (continued): Mobile TCO

Scope: Cost savings

Pitfall: Ignoring TCO and expected benefits can result in a very costly BYOD solution.

Leading practices:

• Develop a business case

• Quantify the expected BYOD benefits.

- Don’t focus only on cost savings, as costs will likely increase by 7-10%

- Focus on increased employee productivity and satisfaction

Scope: Usage variation

Pitfall: Ignoring regional or international diversity

Leading practices:

• Multi-national firms should consider the impact of device availability, usage habits and provider capabilities on use cases for different user types

[28]

BYOD Design

Pitfalls and leading practices when developing your BYOD solution

Scope: Policy

Pitfall: Describing technical standards that users do not understand, or focusing on “what is not allowed”

Leading practices:

• Create a BYOD policy that is easy to understand

• Augment the policy with education and communications so users understand their options and can better select devices to meet their needs

• This will improve adoption, increase satisfaction and decrease support calls

Scope: BYOD program

Pitfall: Treating BYOD as a one-time project and not considering ongoing operations

Leading practices:

• Define processes and allocate sufficient resources to support ongoing operations and mature the BYOD program

• Support continuous improvement of policies and solutions to maintain a positive end-to-end experience and continue to realize BYOD benefits

• Establish a team that can monitor and evaluate new technology

• Maintain relationships with device and technology providers

[29]

BYOD Design (continued): Mobile risk and cost

Scope: Regulatory risk

Pitfall: BYOD exposes the company to security and regulatory risks

Leading practices:

• Design the BYOD strategy with both security and regulatory compliance in mind

• Plan for security monitoring and regular testing of devices and infrastructure

• Consider in-country data requirements

Scope: Policy design

Pitfall: Trying to design a policy that covers all possible scenarios

Leading practices:

• Establish a governing body and processes for ruling on the inevitable exceptions to the policy

• Devise a policy with a dimension of “Ownership” where personal and corporate data each have different sets of policies for security, privacy, and apps

[30]

BYOD Deployment

Pitfalls and leading practices when deploying BYOD in your organization

Scope: Employee communication

Pitfall: Creating a negative perception that BYOD is designed “to shift the cost burden to the employee”

Leading practices:

• Don’t underestimate the required communication and change management; validate that communications are working and adjust your plans as necessary

• Be ultimately accountable for providing a positive end-to-end user experience

• Educate employees on mobile data security, scams, phishing schemes, etc.

Scope: Resistance to change

Pitfall: Not involving key stakeholders early

Leading practices:

• By engaging key stakeholders early, you will ultimately overcome resistance to change

• Have representation from executives, HR, support, finance, legal and user groups/segments to ensure concerns are addressed during design

Scope: Big bang deployment

Pitfall: Neglecting to test the waters with a pilot before doing a more extensive roll-out

Leading practices:

• Perform a pilot before doing a more extensive roll-out

• Capture lessons learned and adjust your BYOD solution and deployment plans to increase adoption and user satisfaction

• Identify early adopters that can become champions for the greater deployment

[31]

BYOD Deployment (continued): Mobile support

Scope: Measured benefit

Pitfall: Not monitoring adoption and usage

Leading practices:

• Establish success metrics and targets as part of the deployment plan:

- Adoption metrics (#devices, #users, data usage)

- Benefit realization metrics (user satisfaction, employee productivity, cost/user)

Scope: Support costs

Pitfall: Ballooning support costs

Leading practices:

• Make sure your support model makes extensive use of:

- Self help – web help, FAQs, support workflow automation

- Community support – use social technology to enable peer support, leverage early adopter champions