SLIDE 1
Questions
1) How many people have at least one smart mobile device that you use for business?
2) How many people have Android?
3) How many iOS devices?
4) How many people have jailbroken devices?

1. The Smart Mobile Device Environment
SLIDE 2
SLIDE 3
SLIDE 4
They are everywhere
- At the end of 2011, there were 6 billion mobile subscriptions worldwide
- That is equivalent to 80 percent of the world population
- In the US, mobile cellular subscriptions equal 100% of the population
- In Europe, around 120%
- Other areas range from 74% to over 150%
SLIDE 5
- In terms of geographic distribution, smart mobile devices are everywhere
- Developing nations might currently be lagging behind in total numbers and per capita use
- However, developing nations are also among the fastest growing smart mobile user bases
- Partly because there is very little terrestrial infrastructure for other forms of connectivity like fixed wire-line telephone or broadband service
- It's cheaper and easier to build a cellular infrastructure than a wired one
- And that infrastructure is less likely to be washed out by a flood or damaged by an earthquake
SLIDE 6
When it comes to Internet connectivity, mobile broadband usage eclipses fixed wire-line broadband services
- Vastly more people have a mobile broadband connection than a fixed broadband connection
- This is true even in the United States, where there are almost double the number of mobile broadband vs. fixed broadband connections
SLIDE 7
1. Smart mobile devices have had a phenomenal adoption rate
- The iPad has the fastest adoption rate of any technology, ever, possibly eclipsing even the wheel, or fire if you believe Apple
- 2011 numbers are a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009 – up over 50% in some areas
- Market growth is being driven by demand in the developing world, led by rapid mobile adoption in China, Africa and India
- Mobile subscriptions outnumber fixed lines 5:1 (more so in developing nations)
- Mobile broadband outnumbers fixed broadband 2:1
- Total smartphone sales in 2011 were almost 500 million units, up over 60 percent from 2010. This makes smartphones about 32 percent of all handsets shipped.
SLIDE 8
- Looking at smartphone growth, in terms of the major players in the market, I don’t think there is a lot of surprise here
- When it comes to hardware sales, the top five smartphone vendors worldwide in 2011 were Samsung, Apple, Nokia, RIM, and HTC
- Of those, Nokia's sales declined 23% and RIM’s sales were almost stagnant at 5% growth
- Samsung, Apple, and HTC had 310%, 96%, and 100% growth rates respectively
- Growth by operating system reflects the hardware sales
- Android had almost 250% year-on-year growth, 2011 vs 2010
- iOS had almost 100% growth in the same period
- Interesting newcomer: Bada from Samsung – aimed at being a low-end smartphone OS for not-so-smart hardware platforms – small market share but huge growth – worth keeping an eye on
- Nobody else in the market even comes close – Symbian and Windows Phone had negative growth
SLIDE 9
- What are the driving factors for integrating smart mobile devices into the enterprise?
- One that is often talked about is cost reduction
- That is, offsetting the cost of corporate-provided or corporate-subsidized handsets by allowing employees to use their own devices
- Quite frankly, I have never seen any numbers to support the cost reduction argument; MDM vendors are also backing away from it
- Another factor that is often discussed in the media is increased productivity
- Again, I have yet to see any numbers supporting this claim
- I do believe there is significant potential value, as new and imaginative ways of leveraging smart mobile devices arrive
- There may be some other arguments to support enterprise mobile device integration
- And as we will see, there are some significant concerns that need to be considered
SLIDE 10
Considerations
What are the goals for allowing mobile devices into your enterprise?
How can you measure how well you achieve these goals?
What data will and will not be allowed on mobile devices?
Which employees and contractors will be allowed to connect?
SLIDE 11
SLIDE 12
- Based on some recent surveys, there is at least C-level recognition of the risks associated with mobile devices in the enterprise
- Given this level of concern, and in light of the amount of customer data stored on mobile devices, it is definitely worth taking a hard look at the risks and potential mitigating factors when considering mobile devices in the enterprise
SLIDE 13
- So what are the security concerns with smart mobile devices?
- Well, obviously, given that there is customer data stored on half of the devices used for business, physical security of the device is a huge concern
- Stored data, including access credentials, is at risk any time a device is lost, stolen, recycled, or sold on eBay, or an employee leaves the company
- How can the enterprise be sure that sensitive data, or network access, does not fall into the wrong hands?
- Encryption of locally stored data has been available in iOS since about iOS 4.3, as long as a passcode is configured
- iPad 2 and iPhone 4 and later have hardware-based encryption
- Android is a different story: no device encryption until 4.0, aka Ice Cream Sandwich, and then it depends on vendor support
- Even more troubling, however, is the official stance by both Android and Apple that ultimately the security of the device rests with the end user
- Obviously a disturbing position for those with responsibility for securing corporate data
SLIDE 14
- Second to the physical security issue, but rapidly gaining ground, is the mobile malware risk
- Mobile malware is becoming more and more sophisticated
- Mirroring malware in the desktop world, but evolving at a much greater pace
- 2011 saw incredible growth in mobile malware
- Over 1,500% as compared to 2009, almost 370% over 2010
- Almost a 2,000% increase in December vs January
- 2012 is on track to be the year of mobile malware
- Mobile malware is borrowing technology from the desktop world
- Adapting not only to the mobile technology, but to mobile usage patterns
- In particular, leveraging social networking and social engineering approaches
- By far the greatest growth in malware is on Android
- Last week the first Android bootkit – DKFBootKit – was discovered, raising the ante again
- DKFBootKit piggybacks on legitimate applications to infect the device, then replaces key daemons to compromise the device at boot time, before the Android framework is fully loaded
SLIDE 15
- Mobile malware exhibits all the same types of behavior we’re used to in other environments
- In addition, mobile malware can monetize the infection directly by sending SMS messages to premium rate numbers
- Further, device features like cameras, microphones, and GPS receivers can all be controlled and accessed remotely
- This is a real concern when executives are traveling with devices, bringing them into sensitive meetings, etc.
- There is some evidence of malware authors leveraging this information to gain advantage in stock trades
SLIDE 16
- The Android mobile platform is considered to introduce the greatest security risks from mobile malware
- Almost 11 million infected Android devices worldwide
- 472% increase in Android malware July through November last year
- China leads the infection rate
- India, Russia, and the US are roughly equal, with a little over 10% of total infections each
SLIDE 17
- Several reasons exist for this; one of the most significant is simply market share
- Malware written for Android has the potential to infect many more devices than any other mobile OS
- 49% of smartphones run some version of Android
- 19% run Apple iOS
- 16% run Nokia’s Symbian – however, Nokia is ceasing support for Symbian and moving to Windows Mobile
- Symbian malware’s decline mirrors the growth of Android malware; perhaps the malware authors are switching platforms
- Only 10% of devices run RIM’s BlackBerry OS – RIM is rapidly losing ground to the others
- Windows Mobile OS only accounts for 1.4% – and is expected to grow slowly
SLIDE 18
1. However, market share is not the whole story – to really understand the issue we need to take a closer look at the almost 50% of the market that Android owns
1. While iOS is only available from Apple, and only on Apple devices
2. The Android market is split between Samsung (35%), HTC (24%), LG (11%), Motorola (9%), Sanyo, Sony, and a myriad of smaller players (21%)
3. Each device, and each carrier’s version of that device, has its own slightly different version of Android
4. Each one is tweaked to support different hardware, different software bundles, and other offerings and carrier requirements
5. This presents some significant concerns with respect to platform security, and security of carrier-bundled software
SLIDE 19
- It's when we start looking at the relative update history of the devices that the real story comes out – and it's not a pretty one for Android
- Just like in the desktop and server world
- Keeping operating systems updated and properly patched is a central tenet of maintaining information systems security
- The next three slides show the update history of every smart mobile phone released in the US between 2009 and 2011
- Green indicates that updates were available to keep the device on the current major version
- Yellow: 1 major version behind; orange: two versions behind; red: three versions behind
- The X’s indicate when the device was being actively sold
- Updates and patches were available for all iOS-based phones sold since day one
- Apple updates iOS regularly and the updates are published by Apple directly to device owners
- Since iOS 5, updates are pushed OTA, and don’t require computer connectivity
SLIDE 20
- Android updates, on the other hand, go from Google/Android, to the hardware vendors, to the carriers, and thence to the device users
- Or more often don’t….
- Android updating, or lack thereof, is a major security problem
- Of the 18 Android phones shipped in the US between 2009 and 2011, 7 of them never ran a current version of the OS.
- 12 of 18 only ran a current version of the OS for a matter of weeks or less.
- 10 of 18 were at least two major versions behind well within their two-year contract period.
- 11 of 18 stopped getting any support updates less than a year after release.
SLIDE 21
- 13 of 18 stopped getting any support updates before they even stopped selling the device, or very shortly thereafter.
- 15 of 18 don’t run Gingerbread, v2.3, which shipped in December 2010.
- When 4.0, or Ice Cream Sandwich, came out in November, every device on this list was another major version behind.
- At least 16 of 18 will almost certainly never get Ice Cream Sandwich.
SLIDE 22
- There are three primary ways that malware infects a mobile device
- The most significant is piggybacking off a legitimate application
- Generally the malware author will download a popular legitimate application from an app store, disassemble it, compile in the malware, then re-upload it to the app store as a different version
- Angry Birds, one of the most popular applications, had at least one version infected in this fashion
- Sometimes the malware isn’t included, just some code to download the malware as an in-app upgrade once the program is started
- Malware can also be loaded by tricking users into going to malicious web sites that then attack via browser vulnerabilities – just like in the desktop world
SLIDE 23
- The single biggest source of malware for mobile devices is the various app stores
- Neither Apple nor Google does much to vet software for security issues
- Although Apple seems to do a slightly better job
- Google is starting to make changes – it remains to be seen how well they will do
- In addition to the official Android Market, Android devices can also “side load” applications and download applications from unofficial app stores
- As you might expect, the unofficial Android stores contain significantly more malware
- To make matters worse, with Android in particular, the security model depends on the end user to make a determination regarding the specific permissions granted to the application
- Most users just blindly accept whatever the application asks for
SLIDE 24
- As it stands right now, there are only very limited anti-malware protections available
- There are some tools to scan email attachments, but this is really focused on preventing forwarding of malware rather than preventing local device infection
- Ironically, it’s the architecture of the device operating systems, which keeps each application in its own segregated application space, that also prevents anti-malware software similar to what we see on the desktop
- Desktop-like anti-malware would require a jailbreak
- Jailbreaking devices, popular on both iOS and Android, breaks the security model of each application in its own space
- Jailbroken devices are much, much more likely to be infected with malware
- By the jailbreak itself
- By other malware that takes advantage of the removal of security by the jailbreak
- Best options currently: user training and education, blacklisting known malware, not allowing jailbroken devices
SLIDE 25
Considerations
What devices will be allowed to connect to the enterprise? Apple? Android?
Will devices be required to be up to date/patched? If so, how will this impact Android use?
Will jailbroken devices be allowed?
How will these requirements be monitored and enforced?
How will you detect or prevent malware?
SLIDE 26
SLIDE 27
- Managing Mobile Devices
- APIs built into the mobile operating systems allow management of the devices
- Each OS has its own specifics; there is no standardization
- Currently Apple’s MDM API is by far the most capable and flexible
- Allows restrictions on device passcode length, complexity, expiration, re-use history, and # of failed attempts before wipe
- Deny or allow use of various applications, restrict some application settings to administrator-prescribed settings, allow or deny cloud backups, force various browser and application settings, lock device, and clear passcode
- Apple MDM APIs can provision email accounts including username and password
- Allows either a corporate wipe or a full wipe
SLIDE 28
- Android MDM APIs are much weaker than iOS, though slightly better in 3.0
- Android APIs provide much less control – essentially a limited subset of password controls
- One of the most significant problems with the Android API is the lack of an “enterprise wipe” – it’s a nuke from high orbit only
- Lack of enterprise wipe is a significant problem, especially in BYOD environments – there is no way to avoid deleting personal data
- Additionally, our testing shows that sometimes the device does not even restore to the configuration and software that came from the carrier
SLIDE 29
- Samsung SAFE devices – custom APIs to allow much greater control of security on a limited subset of new Samsung Android devices
- It is possible that LG might also be coming out with additional MDM APIs of their own
SLIDE 30
Considerations
What are the specific security controls that you would like to enforce?
Which devices support those controls?
How will you protect the enterprise from liability of wiping personal data?
What controls (technology or policy) can you put in place around Android devices?
Are you willing to support older/weaker versions of Android that have limited security controls?
SLIDE 31
- Two Primary Architectures for Mobile Device Management
- “API Based” and “VPN and Proxy”
- API based – installs restrictive profiles on the device, generally using some additional agent
- Once the profiles are installed, all communication between the device and network services is direct – the MDM plays no part in the communication
- The agent does on-device monitoring and compliance checking, and reports back to the MDM service periodically
- Can verify compliance with required security settings as well as detect jailbreaks and installation of blacklisted software
- There is another component, eliminated from this drawing for simplicity
- Both Google and Apple have a mechanism for store-and-forward asynchronous messaging between the MDM provider and the device
- These allow the MDM to send a message to the device, and for that message to be held until the phone is online
- When it comes online it can then respond to the message by checking in with the MDM service
- Apple’s is called the Apple Push Notification Service, or APNS
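As an added example (not part of the original presentation or any MDM product), here is a minimal compliance evaluator of the kind an API-based agent's periodic check-in would feed: it applies the green/yellow/orange/red version-lag scale from the update-history slides together with the jailbreak, passcode, encryption and blacklisted-software checks the slide lists. The policy thresholds, the current-version table and the device reports are constructed assumptions.

```python
"""Constructed MDM compliance evaluator (illustration, not vendor code)."""
from dataclasses import dataclass, field

# Assumption: current major OS version per platform at evaluation time.
# A real MDM service would maintain this from vendor release data.
CURRENT_MAJOR = {"ios": 5, "android": 4}


@dataclass
class Policy:
    allowed_platforms: set = field(default_factory=lambda: {"ios", "android"})
    max_versions_behind: int = 1          # tolerate "yellow", reject orange/red
    allow_jailbroken: bool = False
    require_passcode: bool = True
    require_encryption: bool = True
    blacklisted_apps: set = field(default_factory=set)


@dataclass
class DeviceReport:
    """What the on-device agent reports at check-in (constructed fields)."""
    device_id: str
    platform: str
    os_version: str            # e.g. "5.1" or "2.3.6"
    jailbroken: bool           # jailbroken (iOS) or rooted (Android)
    passcode_set: bool
    storage_encrypted: bool
    installed_apps: list


def versions_behind(platform, os_version):
    """Major versions behind the current release; None if platform unknown."""
    current = CURRENT_MAJOR.get(platform)
    if current is None:
        return None
    return max(0, current - int(os_version.split(".")[0]))


def update_colour(behind):
    """Colour scale used on the update-history slides."""
    return ["green", "yellow", "orange"][behind] if behind < 3 else "red"


def evaluate(report, policy):
    """Return (compliant, violations) for one agent check-in."""
    violations = []
    if report.platform not in policy.allowed_platforms:
        return False, [f"platform {report.platform} not allowed"]
    behind = versions_behind(report.platform, report.os_version)
    if behind is not None and behind > policy.max_versions_behind:
        violations.append(f"OS {report.os_version} is {behind} major "
                          f"versions behind ({update_colour(behind)})")
    if report.jailbroken and not policy.allow_jailbroken:
        violations.append("device is jailbroken/rooted")
    if policy.require_passcode and not report.passcode_set:
        violations.append("no passcode configured")
    if policy.require_encryption and not report.storage_encrypted:
        violations.append("local storage not encrypted")
    bad = sorted(set(report.installed_apps) & policy.blacklisted_apps)
    if bad:
        violations.append("blacklisted software installed: " + ", ".join(bad))
    return not violations, violations


if __name__ == "__main__":
    # Constructed sample check-ins: one current iPhone, one stale rooted Android.
    policy = Policy(blacklisted_apps={"com.example.badapp"})
    reports = [
        DeviceReport("d1", "ios", "5.1", False, True, True, ["com.example.mail"]),
        DeviceReport("d2", "android", "2.3.6", True, False, False,
                     ["com.example.mail", "com.example.badapp"]),
    ]
    for r in reports:
        ok, why = evaluate(r, policy)
        print(r.device_id, "compliant" if ok else "NON-COMPLIANT", why)
```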
SLIDE 32
- The other primary architecture is the VPN and Proxy method
- VPN and Proxy – forces all traffic back to an enterprise proxy via IPsec VPN
- The proxy may be in the enterprise data center, the cloud, or vendor site(s)
- Again, there is usually an agent that does on-device monitoring and compliance checking
- May allow browser content filtering and URL blacklisting
- May provide email filtering on cloud email/personal email
- Architecture could allow for network-based DLP
- Architecture could allow for IDS/IPS and other network-based malware detection/protection
- On iOS, forces an automatic VPN configuration
SLIDE 33
- In general, the VPN-based architecture will provide a higher level of control and security
- However, as always, it comes at a price
- Requires all traffic to come back to the proxy – eliminates many of the advantages of cloud-based enterprise services, e.g. email
- Depending on enterprise architecture, may increase bandwidth requirements and costs – particularly if the proxy is in the cloud, could double or quadruple bandwidth costs
- Possible reduction in fault tolerance – issues with the data center may take all mobile devices offline
- For global companies, and/or those with a highly distributed mobile work force, VPN and Proxy might require building out a global infrastructure to support them
- However, one of the biggest issues with VPN and proxy is that there is no IPsec VPN possible on Android 2.x devices
- Android 2.x is by a long way the majority of Android devices in the field today
- The only way to support it on Android 2.x is a custom ROM – essentially your own jailbreak
- This raises huge device management issues for a remote work force and help desk
SLIDE 34
Considerations
Is the potential for increased security in the VPN and Proxy model worth the costs, complexities, and reduced flexibility?
If so, and if Android will be supported, will you use a custom ROM/custom jailbreak?
How will you manage devices in the field?
How does this impact your BYOD stance?
SLIDE 35
SLIDE 36
- There are other, non-technical issues that any enterprise considering smart mobile device integration should consider
- Especially if the enterprise will be providing help desk service for mobile devices
- Consider that the current crop of devices are consumer devices
- Also, if the enterprise is using, or intends to use, cloud services for email/contacts/calendars such as Google Apps – which we see a lot, and which is often associated with a mobile initiative
- Realize that many of these services are consumer-focused services as well
- Additionally, the mobile device vendors and the cloud service providers aren’t talking as often as they should
- Also, Mobile Device Management software is still early stage technology
- Take a look at the Gartner Magic Quadrant for MDM; they are almost all in the lower left Niche Player/Start-up quadrant
- When you try to combine two consumer items, the mobile device and the cloud service, and manage it with an early stage technology, you will not get enterprise grade service levels
- It's simply not possible
SLIDE 37
- Also, especially in large enterprises, properly integrating mobile devices into the enterprise is likely to require some organizational reshuffling
- We all know how smoothly that is likely to go
- It is imperative to realize the latest crop of smart mobile devices are not just phones
- They are generally as powerful as a 3-4 year old laptop
- They should not be considered a telephone; they should not be managed like a telephone
- When coupled with always-online technology, and some of the other concerns I've discussed,
- It should be clear that smart mobile devices should be managed through IT/technology channels
- And that security policies and procedures must be reviewed and properly applied to the devices and the business processes
- In particular, HR processes around separation are critical for enterprise data protection
- Timely recovery and/or erasure of enterprise data
SLIDE 38
- Integrating smart mobile devices into the enterprise also brings additional liability risks
- This is particularly true if you are allowing BYOD
- There is a potential for wiping an employee's personal data from their device if the enterprise is managing it
- Either accidentally, or deliberately – particularly at separation
- What happens if this is the employee’s only picture of his dead Granny? – Actual case!
- What happens if the employee then goes to work for another company, and your HR processes don’t get around to wiping his or her device until a few days later?
- Now you are wiping some other company's data off their employee’s device
- Remember – there is no such thing as a selective wipe in Android – it’s a nuke from high orbit
SLIDE 39
- Also, consider that smart mobile devices aren’t for everyone
- Consider making only certain job functions or payroll bands eligible
- Also, consider the costs/impacts of rising help desk calls with these devices
- It might also be worth reviewing employment terms for non-exempt employees and hourly contractors.
- If they are receiving enterprise email on their phone at night, is there an expectation that they respond, and has that been communicated clearly?
- If so, how does that impact hours worked or billing? Can they bill for that time? What about the intervening time between the end of the day and the 2am email?
- What if the employee is on vacation? Can he or she now claim that is not a vacation day?
- Another critical issue to consider, for enterprises that utilize cloud services for email or customer management, for example
- If you do not integrate provisioning of these services and mobile devices with some sort of central Identity Management mechanism, and mobile device users have a password rather than using SAML or OAuth, the enterprise has very little visibility into and control over the data
- It is impossible to ensure that data is erased, as it could have been synched anywhere
SLIDE 40
- A final consideration must be given to enterprises' statutory and regulatory obligations when it comes to data on mobile devices
- Consider PCI, GLBA, HIPAA, FTC Red Flags
- If a device is lost, and there is a possibility of regulated data on it, it may trigger obligations for reporting and breach notification
- For global companies, it is likely that EU Data Protection laws may impact the monitoring and management of devices in those regions
- In which case your US-based data center must comply with the Safe Harbor principles
- Also consider the use of these devices by your executives and board members
- It is worth determining if they need additional protections
- And what the legal and other implications of a potential breach of security on one of their mobile devices would be
SLIDE 41
How will HR policies and processes change to support secure use of smart mobile devices throughout an employee’s tenure, especially at separation?
Are there any local or national employment laws or collective bargaining agreements that should be considered?
Will only corporate liable devices be allowed, or will you allow BYOD?
If BYOD is considered, what are the constraints?
SLIDE 42
- Mobile devices are ubiquitous
- The power and connectedness of mobile devices is increasing rapidly
- IT departments are under increasing pressure to integrate them into the environment
- There are significant technical and non-technical risks to using mobile devices in the enterprise
- Particularly if BYOD is considered
- IT, InfoSec, HR, and Legal at a minimum need to be involved in the decision making process
SLIDE 43