[2] | ISACA Pittsburgh - The Workplace of the Future and Mobile Device Risk
Three major consumption models:
1. Improving productivity: improving employee productivity by extending the reach of existing apps. Ex. mobile timesheets.
2. Enabling employees: enabling employees via new or more efficient business processes. Ex. mobile field support, mobile CRM.
3. Enabling new business: targeting new markets or offering clients new products/services. Ex. mobile commerce apps.
Transform infrastructure by changing the application delivery method.
Arm your people with the best tools to increase productivity.
Deliver a new service, or an existing service to a new market.
Companies are leveraging mobile computing today.
[3]
The future mobile workplace will be driven by an empowered employee
► Work will be done by open, interconnected, global communities where knowledge is collective and accessible
► The workforce will be more mobile, flexible, agile, and adaptable to the changing business needs
► The tools of work will be easy to use, seamless and always available
The Old World: corporate-owned device
The New World: employee-owned device; anytime, anywhere, any connection, any trusted device
[4]
Mobile nirvana? Make getting work done easier by empowering the employee
Figure: employees get access to the information they need from any trusted device, anytime, anywhere, over any connection; enablement platforms span IT apps and public/private cloud services.
[5]
The big picture – the mobile security risk surface
Figure: the diagram divides the risk surface into external and internal zones covering cloud services, private cloud / services, enterprise mobile applications, mobile device management, devices and apps. Risks shown on the diagram:
► Third-party data leakage
► Application vulnerabilities
► Insecure service configuration
► Jailbreak or rooting
► Unsecure MDM configuration
► Insecure services
► Theft and data extraction
► Malware
► Unencrypted data in transit
► Data leakage
► Social engineering
► NFC/Bluetooth exploits
► Unencrypted local storage
► Privacy legislation
► Industry regulations
[6]
How can your organization strike a balance between risk and reward?
Employee view:
► Corporate devices are old-fashioned
► Many employees already own one as their personal device and bring it to work
► Some C-level executives may already be using one for business as a “special request”
► Arguments for increased innovation, flexibility and productivity
► “I want one for work too!”
Enterprise view:
► Devices built for the consumer market
► Concern regarding device management, security, scalability and data protection
► Impact on meeting regulatory compliance obligations
► What happens if we don’t support them?
► “Is it secure and reliable enough for handling corporate information?”
[7]
There is no “one size fits all” solution; instead, organizations should focus on addressing risk within four core areas
Area / Goal:
1. Securing mobile devices: ensure that lost and stolen devices are handled securely, and that access to data is protected
2. Addressing application risk: minimize the risk of malware and insecure mobile apps affecting the organization’s data
3. Managing the mobile environment: address risk tied to enrollment, deprovisioning, patching and monitoring
4. Addressing governance and compliance: proactively handle regulatory risk tied to industry regulations and in-country privacy legislation
[9]
The greatest mobile risk is still device loss/theft but the risks are shifting as a function of new usage scenarios
Figure panels: mobile device loss; lost device recovery rate; finder voyeurism; employee data access.
More data/access + more devices + more theft/loss = Increased risk
[10]
The evolution of threats
Device security controls should be tailored based on mobile use cases and threats
[11]
8 steps to secure your devices
1. Evaluate current and future usage scenarios
2. Invest in an MDM solution
3. Enforce the “Big 4” security policies as a minimum
4. Set a device security baseline
5. Layer the infrastructure
6. Consider more stringent access controls to critical business apps
7. Monitor usage and access
8. Amend the organization’s awareness program
The Big 4:
► Device encryption
► PIN
► Wipe after 10 failed PIN attempts
► Remote wipe
[12]
Addressing application risk
[13]
Mobile banking malware in the wild: sophisticated malware modus operandi
Malware sample: “Eurograbber”
► The bank implements two-factor authentication. To complete a transaction, a transaction authorization number (TAN) is needed. The TAN is sent to end users via SMS.
► Victim downloads malware to desktop. Malware waits until the user begins a banking session.
► Victim clicks on a link sent via spam or available on a malicious website.
► Malware creates fake pages during the session requesting the user to install a security upgrade. The link to this “upgrade” is sent via SMS.
► Victim clicks on the “upgrade” link and installs mobile malware. This malware now waits for the user to receive a TAN number.
► Malware intercepts the TAN number and processes transactions.
[14]
5 steps to counter application risk
1. Protect malware-prone mobile operating systems with anti-virus
2. Ensure your secure development lifecycle contains security processes to cover mobile application development
3. Manage applications through an in-house app store, and monitor external apps
4. Proactively bring in or develop services that enable data sharing between devices
5. Continually assess the need for apps to increase productivity and security
[15]
Managing the mobile environment
[16]
Failing to handle the management issue will ensure ballooning risk
Figure: mobile operating system distribution (iOS, Android, …) across 3000 devices.
[17]
Mobile Device Management (MDM) is a first step for risk mitigation in diverse mobile deployments
Without MDM:
► Limited security controls
- Inability to securely wipe devices
- No application management
- No way to restrict devices based on security settings
- Hard to control enrollment / deprovisioning
► Limited manageability
- Difficult to manage devices
- Little or no control over device status
- Doesn’t scale
With MDM:
► Consistent controls
- Secure, confirmed remote wipe
- Compartmentalization and app management
- Restrict based on policy
- Control enrollment and deprovisioning
► Better manageability
- Easier to manage and support diverse devices
- Better control over device status
- Scales to many types of devices
[18]
6 Steps to securely manage mobile devices
1. Create a cross-functional mobile working group and a mobile strategy
2. Create a BYOD policy (if applicable) and invest in an MDM
3. Re-vamp existing support processes
4. Create a patch education process to encourage users to update their mobile devices
5. Monitor deviations from security baseline
6. Implement a wiki/knowledge base employee self-service support solution
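Step 5 above ("monitor deviations from security baseline") and the "Big 4" baseline from the device-security slide, as an added example that is not code from the deck or from EY: a small Python check over a constructed MDM inventory export that reports which devices fall outside the baseline. The Device fields and the sample records are assumptions; a real MDM export will use its own schema.

```python
# Added example, not from the deck: check an MDM inventory export against the
# "Big 4" device baseline (encryption, PIN, wipe after 10 failed PIN attempts,
# remote wipe) plus the jailbreak/rooting risk from the risk-surface slide.
# Field names and sample records are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILED_PIN_ATTEMPTS = 10  # "Wipe after 10 failed PIN attempts"

@dataclass
class Device:
    device_id: str
    platform: str                     # e.g. "iOS", "Android"
    encrypted: bool                   # storage encryption enforced
    pin_set: bool                     # device PIN/passcode required
    wipe_after_failed: Optional[int]  # None = auto-wipe not configured
    remote_wipe_enrolled: bool        # MDM can issue a confirmed remote wipe
    jailbroken: bool = False          # MDM jailbreak/root detection flag

def baseline_deviations(dev: Device) -> List[str]:
    """Return the baseline controls this device fails (empty = compliant)."""
    problems: List[str] = []
    if not dev.encrypted:
        problems.append("device encryption off")
    if not dev.pin_set:
        problems.append("no PIN")
    if dev.wipe_after_failed is None or dev.wipe_after_failed > MAX_FAILED_PIN_ATTEMPTS:
        problems.append("no wipe within 10 failed PIN attempts")
    if not dev.remote_wipe_enrolled:
        problems.append("remote wipe unavailable")
    if dev.jailbroken:
        problems.append("jailbroken or rooted")
    return problems

def monitor(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map device_id -> deviations, listing only non-compliant devices."""
    return {d.device_id: p for d in inventory if (p := baseline_deviations(d))}

# Constructed sample export: one compliant device, two with deviations.
SAMPLE_INVENTORY = [
    Device("dev-001", "iOS", True, True, 10, True),
    Device("dev-002", "Android", False, True, None, True),
    Device("dev-003", "iOS", True, False, 10, False, jailbroken=True),
]

if __name__ == "__main__":
    for device_id, problems in monitor(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {'; '.join(problems)}")
```

Run against a periodic MDM export, the non-empty entries are the deviations that step 5 asks you to monitor and that feed the deprovisioning or remediation process.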
[19]
Addressing governance and compliance
[20]
Mobile deployments must account for global privacy regulation (and surveillance) risks
Relevant U.S. / international regulations:
► PCI-DSS – recently published on BYOD
► HIPAA HITECH – refers to NIST standards, but will likely change
► FINRA
► SOX
Core EU privacy concepts:
► Privacy governance
► Data protection
► Monitoring (privacy at work)
► Breach investigation and notification
► Right to be forgotten and erasure
► Data ownership and recovery
The trend is for more specific regulation around mobile data protection to be released
[21]
5 steps to handle regulatory/compliance risk
1. Engage legal and HR in the respective countries where devices are to be supported
2. Create tiered policies per geographical segment
3. Ensure that local management has the right processes in place to support the policy
4. Monitor and revise policies regularly
5. Segment business environments and data from personal employee data as much as possible
[22]
Using these four areas to scope your audit will help you focus on the right risks
Mobile audit scope:
1. Securing mobile devices
2. Addressing application risk
3. Managing the mobile environment
4. Addressing governance and compliance
[24]
Ernst & Young contacts
Paul Chabot Senior Manager IT Transformation
San Francisco, CA
[email protected] +1 415 601 7466
Michael Janosko Senior Manager, Advanced Security Center
New York, NY
[email protected] +1 212 773 1646
Carsten Maartmann-Moe Manager, Advanced Security Center
New York, NY
carsten. [email protected] +1 212 773 0133
[25]
BYOD pitfalls and leading practices
[26]
BYOD Strategy
Pitfalls and leading practices when developing your BYOD strategy
Scope: User segments
Pitfall: One-size-fits-all strategy
Leading practices:
• Analyze the requirements of different user types and define user segments
• Keep the number of segments manageable to reduce the complexity of your BYOD strategy
• Consider long-term plans to use mobile enterprise applications as part of your usage scenarios
Scope: Device certification
Pitfall: Considering only currently available devices
Leading practices:
• New devices are introduced into the market every 3-6 months
• The certification process must be ongoing and continually evolving
• IT must become an expert on device and operating system evolution
[27]
BYOD Strategy – Mobile TCO
Scope: Cost savings
Pitfall: Ignoring TCO and expected benefits can result in a very costly BYOD solution
Leading practices:
• Develop a business case
• Quantify the expected BYOD benefits
- Don’t focus only on cost savings, as costs will likely increase by 7-10%
- Focus on increased employee productivity and satisfaction
Scope: Usage variation
Pitfall: Ignoring regional or international diversity
Leading practices:
• Multi-national firms should consider the impact of device availability, usage habits and provider capabilities on use cases for different user types
[28]
BYOD Design
Pitfalls and leading practices when developing your BYOD solution
Scope: Policy
Pitfall: Describing technical standards that users do not understand, or focusing on “what is not allowed”
Leading practices:
• Create a BYOD policy that is easy to understand
• Augment the policy with education and communications so users understand their options and can better select devices to meet their needs
• This will improve adoption, increase satisfaction, and decrease support calls
Scope: BYOD program
Pitfall: Treating BYOD as a one-time project and not considering ongoing operations
Leading practices:
• Define processes and allocate sufficient resources to support ongoing operations and mature the BYOD program
• Support continuous improvement of policies and solutions to maintain a positive end-to-end experience and continue to realize BYOD benefits
• Establish a team that can monitor and evaluate new technology
• Maintain relationships with device and technology providers
[29]
BYOD Design – Mobile risk and cost
Scope: Regulatory risk
Pitfall: BYOD exposes the company to security and regulatory risks
Leading practices:
• Design the BYOD strategy with both security and regulatory compliance in mind
• Plan for security monitoring and regular testing of devices and infrastructure
• Consider in-country data requirements
Scope: Policy design
Pitfall: Trying to design a policy that covers all possible scenarios
Leading practices:
• Establish a governing body and processes for ruling on the inevitable exceptions to the policy
• Devise a policy with a dimension of “Ownership” where personal and corporate data each have different sets of policies for security, privacy, and apps
[30]
BYOD Deployment
Pitfalls and leading practices when deploying BYOD in your organization
Scope: Employee communication
Pitfall: Creating a negative perception that BYOD is designed “to shift the cost burden to the employee”
Leading practices:
• Don’t underestimate the required communication and change management: validate that communications are working and adjust your plans as necessary
• Be ultimately accountable for providing a positive end-to-end user experience
• Educate employees on mobile data security, scams, phishing schemes, etc.
Scope: Resistance to change
Pitfall: Not involving key stakeholders early
Leading practices:
• By engaging key stakeholders early, you will ultimately overcome resistance to change
• Have representation from executives, HR, support, finance, legal and user groups/segments to ensure concerns are addressed during design
Scope: Big bang deployment
Pitfall: Neglecting to test the waters with a pilot before doing a more extensive roll-out
Leading practices:
• Perform a pilot before doing a more extensive roll-out
• Capture lessons learned and adjust your BYOD solution and deployment plans to increase adoption and user satisfaction
• Identify early adopters who can become champions for the greater deployment
[31]
BYOD Deployment – Mobile support
Scope: Measured benefit
Pitfall: Not monitoring adoption and usage
Leading practices:
• Establish success metrics and targets as part of the deployment plan:
- Adoption metrics (# devices, # users, data usage)
- Benefit realization metrics (user satisfaction, employee productivity, cost/user)
Scope: Support costs
Pitfall: Ballooning support costs
Leading practices:
• Make sure your support model makes extensive use of:
- Self help: web help, FAQs, support workflow automation
- Community support: use social technology to enable peer support, leverage early adopter champions