2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]

Developing a Mobile Security
Strategy

Webinar for the institutions in the University
of Texas System

Kieran Norton
Principal, Deloitte & Touche LLP
April 2012

Webinar Essentials

 Session is currently being recorded, and will be available on our website
at http://www.utsystem.edu/compliance/SWCAcademy.html.
 If you wish to ask questions:
• Click on the “Raise Hand” button . The webinar administrator will
un-mute you at the appropriate time. Note: Remember to turn down
your speaker volume to avoid feedback.
• Questions may also be typed in the GoToWebinar Question panel.
 CPE credit is available for this webinar for attendees who attend the live
webinar. Please request credit by sending an email to the UT
Systemwide Compliance Office at systemwidecomp@utsystem.edu.
 Please provide your feedback in the post-session survey.

1 Copyright © 2012 Deloitte Development LLC. All rights reserved.

Table of Contents

Problem Statement 2

Background 3-5

Mobile Ecosystem and Risk Landscape 6-12

Strategic Approach 13-16

Bring Your Own Device (BYOD) 17-19

Technology and Vendor Considerations 20-22

Key Takeaways 23-24

Appendix 25-29


Problem statement

Summary observations from the security assessments related to mobile
devices:

• Lack of appropriate policies/guidance and procedures related to the use of
mobile devices; e.g., PDAs, tablets, etc.

• Proliferation of mobile devices with access to networks and applications, and
no capability to track or inventory.

• Increased risk of unauthorized exposure of sensitive information through
mobile devices (e.g., patient information, proprietary research data, etc.)
resulting in adverse impacts to UTS and the institutions, such as financial
penalties, legal implications and damaged public image.


The mobility landscape

Mobile computing has been growing at a staggering rate across all age groups,
income groups, industries, geographies and cultures and is widely expected to
continue its exponential growth rate over the next five years.
Current mobile landscape1 Expected growth1
 Mobile cellular subscriptions  Approximately 470M smartphones
surpassed 5B in 2010 (Gartner) will be sold globally in 2011 (IDC)
 83% of US population owns  Approximately 980M smartphones
cellphones; 35% of these are will be sold globally in 2016 (IMS)
smartphones (Pew Research)  By 2015, global mobile data traffic
 More than 410M smartphone devices volume will be approximately 25
have been sold globally so far times 2010 volume (FCC)
(Forrester)  Tablets will reach one-third of US
 Nearly 18M tablets were sold in 2010 adults by 2015 (Forrester)
(IDC)  Tablet unit sales to total around
54.8M in 2011 and top 208M in 2014
(Gartner)
Mobility and mobility services are not only gaining ground among consumers but
also among enterprises
1Note: Please refer Appendix for statistic references

Adoption of mobility trends

At a high level, entities go through three stages of adoption for mobility.
Mobility-Centric Innovation:
• Develop completely new apps
Business Impact/Number of Mobile Apps

Mobilize Existing that leverage mobility benefits
Applications: • Result: User-centered UX and
• Develop new graphical user new productivity, CRM and
interfaces (GUIs) on top of revenue opportunities
existing business logic
• Result: Acceptable UX and
Mobile Veneer: noticeable productivity, CRM
& revenue gains
• Mobile access to existing
apps
• No mobile app development
• Result: Poor user experience
(UX) and negligible
productivity, customer
satisfaction or revenue gains

Stage 1 Stage 2 Stage 3

Though mobility offers wide range of products and services, it has its own set of
security vulnerabilities due to the changing threat landscape

Mobile ecosystem and risk
landscape

Mobile security: Threat overlay on mobility ecosystem


Mobility risk categories

Enabling mobility is a balance of technology, return on investment and risk. These
need to be aligned with business needs and strategies. When considering
developing mobile solutions, or fine tuning an existing solution, it is necessary to
gain an understanding of the risks associated with mobility. These risks fall into four
main categories:
Mobility risk categories

What makes mobile devices valuable
4. Infrastructure & 1. Operational from a business perspective –
Device portability, usability and connectivity to
the internet and corporate infrastructure
– also presents significant risk.
New risks have been introduced at the
3. Legal & 2. Technology & device, application and infrastructure
Regulatory Data Protection
levels requiring changes in corporate
security policy and strategy.


4. Infrastructure & 1. Operational
Device

1. Operational
3. Legal & 2. Technology &

Mobility poses unique risks and existing security and IT support resources and
infrastructure cannot be extended to cover mobile devices and applications without
significant investment - in developing new skills, technical capabilities, operational
processes and deployment of a ‘mobility infrastructure’.
A. Executives, users and customers are driving mobility decisions;
operational risk considerations are not driving mobile security strategy
B. Security controls can negatively impact usability, causing friction with
employees and slowing adoption
C. Increasing support demands may in turn outpace resource skill sets and
technical capabilities
D. Varied mobile OS implementations make it difficult to deploy a singular
security solution
E. Existing operational processes may not be efficiently designed or
“mobile-ready” which can hinder expected productivity
In one Deloitte case study, implementation of significant security controls led to 20% of
the company’s mobile device users voluntarily opting out of the corporate program ...
however it is unlikely users stopped using a mobile device

Device

2. Technology and data protection

Mobile devices are valuable from a business perspective due to internet
connectivity, access to corporate infrastructure as well as mobile/cloud based
applications. These benefits also result in greater potential exposure for the
enterprise – with risks introduced at the device, application and infrastructure levels.
A. End users may have the ability to modify device security parameters thus
weakening the security controls
B. Devices and memory cards are not encrypted by default or configured
appropriately thus leading to potential data leakage/loss
C. With use of cloud based applications, data protection becomes
increasingly complex
D. Many organizations are not able to enforce mobile OS patching and
updating which may result in vulnerable devices
E. Users often install unapproved applications or applications containing
malware which poses information security risks

As an example, 58 malicious apps were uploaded to an app store and then
downloaded to around 260,000 devices before the app store pulled the apps

Device

3. Legal and regulatory

Security requirements may be complex, particularly if the organization operates in
regulated industries. Employment labor laws, HIPAA requirements, privacy
requirements, e-discovery requirements, etc., may impact the overall mobile
strategy.
A. Employees using use corporate devices for personal purposes and vice
versa may give rise to significant data privacy issues
B. The “bring your own device” trend raises ethical and legal questions
around monitoring, device wiping, etc., upon employee termination
C. Corporate usage of mobile devices by hourly employees can/will raise
concerns around overtime labor law considerations
D. Regulatory requirements to address e-discovery, monitoring, data
archiving etc., can be complex and difficult to implement
E. Data ownership and liability for corporate and employee owned devices
used for business purposes is yet to determined

In the Massachusetts data protection law (MA 201), responsibilities for
protecting information on employee-owned devices used to access company
resources may apply equally to the enterprise and the individual

Device

4. Infrastructure and device

The diversity of device options and underlying operating system/application
platforms introduces a myriad of security risks and challenges.

A. Mobile device attacks and varying attack vectors increases the overall risk
exposure (extending the enterprise risk profile)
B. Multiple choices in the devices, OS platforms, apps, etc., requires
companies to employ diverse technologies expanding the attack surface
C. Third party apps installed on corporate devices may contain
vulnerabilities caused by developer mistakes or re-packaged malware
D. Securing of mobile transmissions and channels is complex given a varied
protocol landscape & the newer communication channels
E. Mobile devices are easily lost or stolen in comparison with other IT assets
(e.g., laptops) and remote wipe efforts frequently fail

According to a recent survey, 36% of consumers in the US have either lost their
mobile phone or had it stolen

Strategies for tackling mobile risks
Defining a Mobile Security Approach
After gaining an understanding of the key risks that affect your business, the next step is
determining and defining your approach to a mobile security solution deployment. When
determining the right approach, it is important to understand your specific use cases and
incorporate your key business drivers and objectives.

Device centric Data centric Application centric

Mobile device Minimal device data
Developer training
management (MDM) footprint
Example controls

Strict device policy Communications System development life
enforcement encryption cycle

Primary or multi-platform
Local data encryption Virtualization
IDE

Secure Application distribution &
containers/partitions Data integrity maintenance


Deployment decisions
Key decision points that drive strategy and the resulting architecture

Bring-Your-Own vs. Corporate Provided

Manage Security In-House vs. Outsource Security

3rd Party Tools vs. Native Platform Tools

Application Management vs. Application Guidance

Full Data Access vs. Restricted Data Access


Mobility reference architecture
Strategy Development Applications Development (Design, Implement, Test)

Business Analysis Creative/UX/UI Design Enterprise Mobility App concept to
(Opportunity ID, Infrastructure development
Business Case)
Cross-Platform Dev Native Development

Mobile Enablement Sybase SUP, Objective C (iOS),
Strategy/Roadmap HTML5, Adobe Java
Business
Mobile Solution Enterprise Systems Integration Strategy
Architecture
ERP, Web/Ecommerce Reporting/BI/DW
End-to-end Network and Legacy Systems Enablement
Design
Mobile Middleware
Mobility Readiness Enterprise
Assessment Integration Data Mgmt Integration Security
Industry
Mobile Analytics
Regulatory/Compliance/ Cloud and Social
Feedback
Security Analysis

Security
Business Strategy
Mobile application Mobile security policy Mobile security strategy Mobile device and
security and governance and architecture operations security App Concept to Development

Mobility Infrastructure
Deployment, Distribution, Management, Operations
Mobile Device Operational / Organizational
Management Enterprise Integration Strategy
Readiness
Product Mgmt
IT Governance Security, Privacy & Compliance
Enterprise App Store Enablement Support Readiness

Note: Products listed for the above technology product vendors are their respective property.


BYOD considerations
Employees increasingly want to use their favorite mobile device for personal and
business use. They want to store personal data and install games on devices they are
also using to access enterprise applications and data.

If employees purchase their own device and plan, this can reduce telecom costs,
however it creates several business challenges and security risks.

Key Considerations
• Bearing of device costs and associated usage fees
• Support considerations associated with highly differentiated OS’s, platforms,
hardware/devices, apps, etc.
• Employee usage monitoring and device oversight
• Legal, regulatory and privacy risk mitigation associated with corporate data made
available on mobile devices
• IT staffing and skill set requirements to support corporate issued and/or employee
owned devices


Bring-Your-Own vs. Corporate Provided
Bring Your Own
 Device and possibly line costs incurred by employee
PROS

 Meets user desire to choose the device they like most, have a single phone number, etc.
 Addresses increased demand by employees to connect personal devices to corporate networks

 Limited device oversight and control
 Increased challenges with enforcing legal and regulatory requirements
CONS

 Device and data ownership questions
 Requires support for diverse platforms, OSes, devices; may negatively impact app strategy
 Varied device service fees, lack of purchasing leverage (when chargeback/subsidies allowed)
Corporate Provided
 Tighter device oversight and control, more heterogeneous device environment (app strategy)
 Streamlining devices, platforms and OSes simplifies IT support
PROS

 Direct relationship with carrier may be advantageous from a monitoring and security perspective
 Device costs and service fees negotiated with service providers; increased purchasing power

 Cost of providing devices and service fees
 High employee demand for broader diversity in devices can lead to lower satisfaction and
CONS

adoption
 May require potential increase in IT support staffing and skill set requirements
 Privacy considerations with monitoring of employee usage and activity, etc.


Technology and vendor
considerations

Mobile device and app management
Technology Key Features Example Vendors
Microsoft • Over-the-air sync on mobile • EAS is a native tool included with
Exchange devices to existing Exchange Microsoft Exchange Server. If an
ActiveSync (EAS) Server infrastructure for email, organization has an existing
contacts, calendar data, and more Exchange infrastructure they have
• Basic device management access to EAS and its capabilities
capabilities including
allowing/blocking devices, and
enforcing password requirements
Mobile Device • Secure enrollment of mobile • Good Technology
Management devices to be managed • MobileIron
(MDM) • Wireless configuration and • AirWatch
updating of device settings • Zenprise
• Monitoring and enforcing • Many others
compliance with corporate policies
Mobile • Secure mobile application • Apperian
Application distribution • Appcelerator
Management • Monitoring and enforcing • App47
(MAM) compliance with app policies • Nukona
• Reporting on approved/rogue • Mocana
apps • MobileIron*
• AirWatch*
• Zenprise*
* MAM functionality included with primary MDM offering
Copyright © 2012 Deloitte Development LLC. All rights reserved.

Secure containers and mobile virtualization
Technology Key Features Example Vendors
Secure Container • Secure area on device for housing • Good Technology
Solutions enterprise data and applications • Sky Technology
• Container content is encrypted
and separated from rest of device
• Allows more granular control of
enterprise data (e.g., remote wipe
container only)

Mobile • Allows multiple mobile operating • VMWare
Virtualization systems to run simultaneously on • Open Kernel Labs
a single device • Red Bend Software
• Personal and corporate content is
separated with each running in its
own virtual device



What are early adopters doing?
Taking an organization and user-centric approach

1. Understand the specific mobility use
cases
2. Understand key mobility risks that
affect the organization and its
constituents
3. Incorporate key business drivers and
objectives
4. Implement security controls through
both policy and technology
5. Enable, not disable adoption of new
innovations (it’s not stopping here…)

Define Mobile Technology
Architect &
Security Acquisition &
Design
Requirements Deployment


Appendix A: References
Current mobile landscape Expected growth
 Mobile cellular subscriptions surpassed 5B in  Approximately 470M smartphones will be sold
2010 (Gartner) globally in 2011 (IDC)
http://my.gartner.com/resources/213800/213866/m http://www.idc.com/getdoc.jsp?containerId=prUS
obile_and_contextaware_bran_213866.pdf?li=1 22871611
 83% of US population owns cellphones; 35% of  Approximately 980M smartphones will be sold
these are smartphones (Pew Research) globally in 2016 (IMS)
http://pewresearch.org/pubs/2054/smartphone- http://news.softpedia.com/news/One-Billion-
ownership-demographics-iphone-blackberry- Smartphones-a-Year-by-2016-IMS-Research-
android Says-213740.shtml
 More than 275 million iPhones and BlackBerrys  By 2015, global mobile data traffic volume will be
and 135 million Android devices have been sold approximately 25 times 2010 volume (FCC)
globally (Forrester) http://www.cisco.com/en/US/solutions/collateral/n
http://www.forrester.com/rb/Research/global_main s341/ns525/ns537/ns705/ns827/VNI_Hyperconn
streaming_of_smartphones/q/id/60762/t/2 ectivity_WP.html
 Nearly 18 Million Tablets were sold in 2010 (IDC)  Tablets will reach one-third of US adults by 2015
http://www.engadget.com/2011/03/10/idc-18- (Gartner)
million-tablets-12-million-e-readers-shipped-in- http://www.forrester.com/rb/Research/why_tablet
2010/ _commerce_may_soon_trump_mobile/q/id/5909
6/t/2
Other  Tablet unit sales to total around 54.8 million next
year and top 208 million in 2014 (Gartner)
 MA 201 http://my.gartner.com/portal/server.pt?open=512
http://www.mass.gov/ocabr/docs/idtheft/201cmr17 &objID=260&mode=2&PageID=3460702&resId=
00reg.pdf 1451714&ref=QuickSearch&sthkw=milanesi
 Lost phone survey
http://www.symantec.com/about/news/release/arti
cle.jsp?prid=20110208_01


Deloitte mobile security services
Deloitte can assist you in creating a secure delivery framework for your mobility
initiatives from inception to ongoing operation. We can help you set the proper risk
balance between control, efficiency and user experience. Our security and privacy
specific services include:
Deloitte’s mobility security services
Mobile security strategy & architecture Mobile security risk assessment

Mobile infrastructure security Mobile device & operations security

Mobile application security testing Secure SDLC for mobile applications

Mobile security policy management Mobile security training & awareness

Incident investigation & response Mobile device forensics

We also leverage the resources of the Deloitte Center for Security & Privacy
Solutions that conduct original research and develop substantive points of view to
help executives make sense of and profit from emerging opportunities on the edge
of business and technology.


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business,
financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or
services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Member of Deloitte Touche Tohmatsu Limited

2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]

More Related Content

What's hot

Viewers also liked

Similar to 2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]

Recently uploaded

2012 04-27%20%20 mobile%20security%20ppt%20presentation[1]