Security Considerations for Mobile Devices


Page 1: Security Considerations for Mobile Devices

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2012 Gartner, Inc. and/or its affiliates. All rights reserved.

Trent Henry, Research VP

Security & Risk Management

Security Considerations for Mobile Devices

Page 2

Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.

Page 3

“Small” Incidents are Common

Page 4

Agenda

• What’s really new about risks for mobile devices?
• Controls you may put on your list of requirements
• What about user experience?
• How do mobile security architectures compare?
• Why and when would you improve on existing platform security controls?

Page 5

Gartner for Technical Professionals

What’s really new about risks for mobile devices?

Page 6

Threat Agents

Malware
Threat type: logical
Coexists with user
Examples:
• Redsn0w Jailbreak
• Android FoncyDropper
• ZitMo

Thief
Threat type: physical
Exclusive access
Example:
• Plenty in the room

Evil maid
Threat type: physical
Coexists with user
Examples:
• Stealing a file system

Page 7

Old risks, in new context

(Chart: risk matrix with axes Impact and Likelihood, plotting Thief and Malware; annotations “Expanding use cases and storage capacity” and “Increased popularity”)

It is only a matter of time before the first large data breach concerning a mobile device receives media attention.

Page 8

Impact on Security Architecture

• The security risks to information have not changed:
  - Malicious software
  - Theft/loss of the device
  - Eavesdropping
• But there are new twists:
  - Endpoint ownership
  - No dominant operating system or paradigm
  - Very short device life cycle
  - Immature management and security tools
  - Usability and network connectivity

Page 9

Impact on Security Architecture

| Risk Management | No data on device | Controls in the Apps (Container) | Controls on the device |
|---|---|---|---|
| Management | None | Limited (manage container only) | Manage the device (required for certificates), i.e. MDM |
| Connectivity Required | On-line only | Offline | Offline |
| Application/User Experience | VDI/Web app/App w/ remote data | Resident App (dev/COTS) w/ security | Resident App (dev/COTS) w/o security; Native Apps |

Example 1 – No Data on the Device

Page 10

Impact on Security Architecture (same matrix as Page 9)

Example 2 – Data within a Container Only

Page 11

Impact on Security Architecture (same matrix as Page 9)

Example 3 – Data on the Device

Page 12

Gartner for Technical Professionals

Controls you may put on your list of requirements

Page 13

Access Control

• Aims to reduce the risk of Thieves and Evil Maids by preventing direct logical access to the device
• Consider
  - Methods: PIN, password, swipe, face unlock, hardware token, other biometrics
  - Policies to enforce: password complexity/history/delay/lock, inactivity timer
  - Risks of keyloggers and other spyware
  - Limitations facing laboratory attacks that circumvent authentication

Page 14

Encryption

• Aims to reduce the risk of Thieves and Evil Maids by preventing logical access to extracted information
• Consider
  - Encryption and keys in hardware/software
  - Keys derived from device and/or passcode?
  - What information is encrypted?
  - Cache management
  - Known weaknesses and third-party validations
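As an added illustration of the “keys derived from device and/or passcode?” question (example code, not from the Gartner deck), the block below contrasts a data key derived from the passcode alone with one entangled with a device-bound secret: in the entangled design a copied file system, the Evil Maid case from the threat-agent slide, is useless away from the device. The PBKDF2/HMAC construction, the function names and the stand-in device secret are this example’s assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not from the deck: a data key derived from the passcode alone versus one
# entangled with a device-bound secret. All names and values are constructed for illustration.

PBKDF2_ITERATIONS = 100_000  # work factor when only the passcode stands between a copy and the data


def passcode_key(passcode: str, salt: bytes) -> bytes:
    """Stretch the user's passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def file_key(pc_key: bytes, device_secret: Optional[bytes]) -> bytes:
    """Key protecting stored data: passcode-only, or entangled via HMAC with a secret
    that never leaves the device hardware (a plain bytes value stands in for it here)."""
    if device_secret is None:
        return pc_key
    return hmac.new(device_secret, pc_key, "sha256").digest()


def enrol(passcode: str, device_secret: Optional[bytes]) -> dict:
    """What the device stores alongside the ciphertext: a salt and a key check value (KCV)."""
    salt = secrets.token_bytes(16)
    key = file_key(passcode_key(passcode, salt), device_secret)
    return {"salt": salt, "kcv": hmac.new(key, b"key-check", "sha256").digest()}


def unlock(passcode: str, stored: dict, device_secret: Optional[bytes]) -> bool:
    """True when the passcode (plus the device secret, if the design uses one) reproduces the KCV."""
    key = file_key(passcode_key(passcode, stored["salt"]), device_secret)
    kcv = hmac.new(key, b"key-check", "sha256").digest()
    return hmac.compare_digest(kcv, stored["kcv"])


def compare_designs(passcode: str = "2580") -> dict:
    """Run both designs through the evil-maid case from the threat slide: the file system is copied."""
    device_secret = secrets.token_bytes(32)  # constructed stand-in for a hardware-held key
    entangled = enrol(passcode, device_secret)
    passcode_only = enrol(passcode, None)
    return {
        "entangled_on_device": unlock(passcode, entangled, device_secret),  # legitimate user
        "entangled_off_device": unlock(passcode, entangled, None),          # copy, no device: fails
        "passcode_only_off_device": unlock(passcode, passcode_only, None),  # copy yields to the passcode alone
        "wrong_passcode": unlock("0000", entangled, device_secret),
    }
```

A real implementation would feed the derived key to a cipher; the key check value stands in for the ciphertext so the comparison runs with the standard library only.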

Page 15

Application Controls

• Aim to reduce the risk of Malware and Evil Maids by preventing direct logical access to applications and their data
• Consider
  - Application and data isolation
  - Signatures
  - Key management and encryption APIs
  - Management hooks
  - Application store controls
  - Kill switch: remotely kill an application on all devices

(Figure: two isolated apps, each with its own data)

Page 16

Remote and Local Wipe

• Aims to reduce the risk of Thieves by remotely or locally wiping applications and data
• Consider
  - Full/partial wipe
  - Local/remote wipe
  - What information and apps are wiped
  - The wiping method
  - How to confirm completion

Page 17

Gartner for Technical Professionals

What about user experience?

Page 18

Let’s keep sensitive information off the device entirely!

An example: Client Virtualization

No controls needed on the device

Connection secured with encryption

User authenticated prior to access

…But malware, keyloggers, and jailbroken devices may be a problem

Page 19

You gotta be kidding me!

Requirements shown on the slide: Access to Information, Secure, Time-to-market, Manageability, Rich and Immersive UX, Offline, Native Capabilities, Portability

Page 20

Comparison Assessment

* You are responsible for building your own security controls!

Page 21

Broader Impact: Network Architecture

• Increasing radio spectrum consumption
  - An increasing number of Wi-Fi devices will consume more of your spectrum (Wi-Fi devices > humans)
  - S L O W networks are not user-friendly
  - Even unauthorized Wi-Fi devices consume spectrum as they scan for Wi-Fi networks
• Solutions include
  - Selective site survey, mission-critical network design
  - Capacity planning, 802.11n APs
  - Intrusion detection systems, spectrum monitoring

Same goes for WAN and WWAN

Page 22

Gartner for Technical Professionals

(AKA “Know your platforms before adding more stuff”)

How do mobile security architectures compare?

Page 23

Android Security

• Type: End-user control
• Key elements
  - Linux process and file isolation
  - Permissions based
• Concerns:
  - Fragmentation of the platform over OEMs
  - Encryption support dependent on OEM
  - Content providers accessible by default
  - Many OSS components and uncurated app stores may lead to malware
  - Permissions rely on people’s judgment

Page 24

iOS Security

• Type: Walled garden
• Key elements:
  - Curated Appstore
  - Sandboxing
  - Hardware encryption, always on
  - OTA updates
• Concerns:
  - Vulnerabilities in OS that lead to jailbreak
  - Few mechanisms that limit the access of an app
  - Data protection not used by all applications and not validated

Page 25

BlackBerry Security

• Type: Guardian
• Key elements
  - Best in class mobile management and security
  - Data protection capabilities
  - No jailbreaks for BB smartphones
• Concerns
  - AppWorld is vetted but its use not mandated, leading to potential for malware
  - Apps may have extensive access, without jailbreak
  - Management is critical, e.g. encryption is optional

Page 26

Application Controls for Various Platforms

| Platform | Application testing | Centralized signing | Application control on the device | Third-party anti-malware products |
|---|---|---|---|---|
| BlackBerry | Yes, but applications can be offered outside of App World | Yes, but the requirement to check the signature is configurable | Yes | Yes |
| iPhone | Yes | Yes | Limited to major applications | No |
| Windows Phone 6.x | Yes | Yes, but the requirement to check the signature is configurable | Available through third-party products or System Center | Yes |
| Windows Phone 7 | Yes | Yes, but the requirement to check the signature is configurable | No | No |
| Symbian | Yes | Yes | Available through third-party products | Yes |
| Android | Limited – some app stores perform testing but apps available outside of app stores | No | No | Yes |

Page 27

Gartner for Technical Professionals

Recommendations

Page 28

Recommendations

Understand the risks and the threats you are trying to protect against and accept that some risks cannot be mitigated

Limit support to handhelds that satisfy minimal security requirements

Balance UX with security and connectivity

Users will go around security if you don’t have a good UX

Conduct data analysis to determine what is acceptable on the device and what is not

Deal with related infrastructure issues: network, authentication, provisioning, …

Page 29

Recommended Gartner Research

• Comparing Security Controls for Handheld Devices – Mario de Boer, Eric Maiwald, 22 January 2012
• Decision Point for Mobile Endpoint Security – Eric Maiwald
• Client Virtualization: Reducing Malware and Information Sprawl – Mario de Boer, Dan Blum
• Solution Path: How to Create a Mobile Architecture – Paul Debeasi
• Field Research Summary: Mobility and Security – Eric Maiwald, 26 January 2012