www.cloudsecurityalliance.org copyright © 2011 cloud security alliance mobile working group session


Upload: clare-whitacre

Post on 31-Mar-2015


Page 1:

Mobile Working Group Session

Page 2:

Thank You

Initiative Leads/Contributors: Dan Hubbard, Guido Sanchidrian, Mark Cunningham, Nadeem Bhukari, Alice Decker, Satheesh Sudarsan, Matt Broda, Randy Bunnell, Megan Bell, Jim Hunter, Pam Fusco, Tyler Shields, Jeff Shaffer, Govind Tatachari, Ken Huang, Mats Näslund, Giles Hogben, Eric Fisher, Sam Wilke, Steven Michalove, Allen Lum, Girish Bhat, Warren Tsai, Jay Munsterman

Co-chairs: David Lingenfelter, Cesare Garlati, Freddy Kasprzykowski

CSA Staff: Luciano Santos, John Yeoh, Aaron Alva, Evan Scoboria, Kendall Scoboria

Page 3:

Mobile Guidance v1.0

Security Guidance for Critical Areas of Mobile Computing

Published Nov. 2012

Mobile Computing Definition

Threats to Mobile Computing

Maturity of the Mobile Landscape

BYOD Policies

Mobile Authentication

App Stores

Mobile Device Management

Page 4:

Authentication Apps

MDM

BYOD

Mobile Guidance Defined

Page 5:

THREATS AND MATURITY

Page 6:

Top Mobile Threats – Evil 8

1. Data loss from lost, stolen or decommissioned devices.

2. Information-stealing mobile malware.

3. Data loss and data leakage through poorly written third-party apps.

4. Vulnerabilities within devices, OS, design and third-party applications.

5. Unsecured Wi-Fi, network access and rogue access points.

6. Unsecured or rogue marketplaces.

7. Insufficient management tools, capabilities and access to APIs (includes personas).

8. NFC and proximity-based hacking.

Page 7:

Maturity

…there’s room for improvement

78% Have Mobile Policy

86% Allow BYOD

47% Utilize MDM

36% Have App Restriction

41% Have Security Controls

Page 8:

BYOD

Jay Munsterman

Page 9:

BYOD Charter

Analyze new challenges of:

• Policy
• Privacy
• Device and Data Segmentation

Delivered Policy Guidance for v1 Guidance

Page 10:

Next Steps for BYOD

• Need more team members!! Help us out!
• Conference call late March
• Decide on next steps, consider:
  • Policy Templates
  • Policy Examples
  • Evaluation of emerging containerization options

Page 11:

MDM

David Lingenfelter

Page 12:

MDM Opportunities

Increase security and compliance enforcement

Reduce the cost of supporting mobile assets

Enhance application and performance management

Ensure better business continuity

Increase productivity and employee satisfaction

Beyond Simple MDM

Page 13:

MOBILE AUTHENTICATION

Mark Cunningham

Page 14:

Mobile Authentication Guidance

Page 15:

Mobile Authentication Guidance

Page 16:

Mobile Authentication Guidance

Page 17:

Mobile Authentication Guidance

Page 18:

Mobile Authentication Guidance

• Ease of Use

• Future Authentication Technologies

Page 19:

APP STORES SECURITY

What you download may be compromised!

James Hunter

Page 20:

State of the App Market

• Apple and Google control 80% of the App Market
• By the end of 2013 an estimated 50 Billion downloads
• There are over 1 million different Apps

The summary doesn't consider Amazon and Samsung, corporate sites offering downloads of their own flavor of Apps, Developers of all sizes, or Apps Distributors.

We have a chaotic marketplace that depends on the participants' "best efforts" to ensure the end user's privacy and security, as well as that of others (companies that employ them, and even ones they visit and whose WiFi service they use).

Page 21:

What are the areas of concern?

• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, malware, etc.?
• Will this be an issue with BYOD?

Page 22:

The status of the working group?

• Initial draft of the policy guideline submitted in late October-early November 2012, for Orlando.
• November 2012 decision made to develop a stand-alone document.
• December 2012 received updated peer review info from J. Yeoh.
• January 2013 started efforts to recruit more volunteers for App Store Security working group.
• February 2013 re-started efforts to make contact with App Store Management at Microsoft.

Page 23:

The status of the working group?

• March 2013 start update of draft guideline to a stand-alone document.
• March 2013 continue efforts to recruit several volunteers to work on the stand-alone document.
• March 2013 request CSA Global support for contacts with Apple, Google, Amazon, Samsung Appstore contacts.
• April-June 2013 pursue App Store management contacts, involvement and support.

Page 24:

App Store Security Initiative

Thanks to the following individuals:

John Yeoh, Research Analyst, Global CSA

Authors/Contributors: Group Lead James Hunter, Net Effects Inc.

Peer Reviewers: Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact

Co-Chair, Mobile Security: Cesare Garlati, Trend Micro

Page 25:

MOBILE 2013

Moving at the speed of mobile!

Page 26:

Where do we go from here?

Charter review

Cooperation Between Working Groups

New Mobile Controls In CCM

Maturity questionnaire v2.0

Top Threats Review

Stand Alone App Store Document

Stand Alone Authentication Document

New Section On Data Protection

Page 27:

Mobile Working Group Charter

Securing public and private application stores

Analysis of mobile security features of key mobile operating systems

Mobile device management, provisioning, policy, and data management

Guidelines for the mobile device security framework

Scalable authentication for mobile

Best practices for secure mobile application

Identification of primary risks related to BYOD – Bring Your Own Device

Solutions for resolving multiple usage roles related to BYOD

Page 28:

Chapter Cooperation

Information sharing across working groups

Already working with CCM

More guidance and input from Corporate, GRC and SME

Timeframes/Deadlines/Review Periods

Page 29:

Reference Materials

Create more material people will want to use to develop their mobile business plans

Baseline Controls

Policy Templates

App Security Guidelines

Threats and Risks

Page 30:

CSA 2013 Events

BlackHat (July 27-Aug 1)

EMEA Congress (September)

ASIAPAC Events (Congress, May 14-17)

CSA Congress Orlando (November)

https://cloudsecurityalliance.org/events/

Page 31:

THANK YOU

Chapter meetings every other Thursday @ 9:00am PST

LinkedIn: Cloud Security Alliance: Mobile Working Group

Basecamp