Transcript - Cloud Security Alliance

Mobile Working Group Session
Copyright © 2011 Cloud Security Alliance
www.cloudsecurityalliance.org
Co-chairs
David Lingenfelter
Cesare Garlati
Freddy Kasprzykowski
CSA Staff
Luciano Santos
John Yeoh
Aaron Alva
Evan Scoboria
Kendall Scoboria
Initiative Leads/Contributors
Dan Hubbard
Guido Sanchidrian
Mark Cunningham
Nadeem Bhukari
Alice Decker
Satheesh Sudarsan
Matt Broda
Randy Bunnell
Megan Bell
Jim Hunter
Pam Fusco
Tyler Shields
Jeff Shaffer
Govind Tatachari
Ken Huang
Mats Näslund
Giles Hogben
Eric Fisher
Sam Wilke
Steven Michalove
Allen Lum
Girish Bhat
Warren Tsai
Jay Munsterman
Security Guidance for
Critical Areas of Mobile Computing
Published Nov. 2012
• Mobile Computing Definition
• Threats to Mobile Computing
• Maturity of the Mobile Landscape
• BYOD Policies
• Mobile Authentication
• App Stores
• Mobile Device Management
Authentication
Apps
BYOD
MDM
1. Data loss from lost, stolen or decommissioned devices.
2. Information-stealing mobile malware.
3. Data loss and data leakage through poorly written third-party apps.
4. Vulnerabilities within devices, OS, design and third-party applications.
5. Unsecured Wi-Fi, network access and rogue access points.
6. Unsecured or rogue marketplaces.
7. Insufficient management tools, capabilities and access to APIs (includes personas).
8. NFC and proximity-based hacking.
78% have a mobile policy
86% allow BYOD
36% have app restrictions
47% utilize MDM
41% have security controls
…there’s room for improvement
Jay Munsterman
Analyze new challenges of:
• Policy
• Privacy
• Device and Data Segmentation
Delivered Policy Guidance for v1 Guidance
• Need more team members!! Help us out!
• Conference call late March
• Decide on next steps, consider:
• Policy Templates
• Policy Examples
• Evaluation of emerging containerization options
David Lingenfelter
Increase security and compliance
enforcement
Reduce the cost of supporting
mobile assets
Enhance application and
performance management
Ensure better business continuity
Increase productivity
and employee satisfaction
Beyond Simple MDM
Mark Cunningham
• Ease of Use
• Future Authentication Technologies
What you download may be compromised!
James Hunter
• Apple and Google control 80% of the app market
• By the end of 2013 an estimated 50 billion downloads
• There are over 1 million different apps
The summary doesn't include Amazon and Samsung, corporate sites offering downloads of their own flavor of apps, developers of all sizes, and app distributors.
We have a chaotic marketplace that depends on the participants' "best efforts" to ensure the privacy and security of the end user, as well as that of others (the companies that employ them, and even those they visit and whose Wi-Fi service they use).
• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, anti-malware, etc.?
• Will this be an issue with BYOD?
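Two of the questions above (does the app request more permissions than it needs, and does it talk to the Internet) can be answered from the app's manifest before the app is ever installed. The following is an added example, not material from the CSA deck or any CSA tool: it reviews a decoded Android manifest for requested permissions and exported components. It assumes the binary AndroidManifest.xml inside the APK has already been decoded to plain XML (for example with apktool); the sample manifest, the "flashlight" package name and the list of sensitive permissions are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every Android manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth a second look in an app-store / BYOD review.
# Assumption for this example: a reviewer's own watch list, not a CSA-defined set.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
}

# Constructed sample: a decoded manifest for a hypothetical flashlight app
# that asks for far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity" android:exported="true"/>
        <receiver android:name=".BootReceiver" android:exported="true"/>
    </application>
</manifest>
"""


def _attr(el, name):
    # Manifest attributes are namespaced: {http://schemas.android.com/apk/res/android}name
    return el.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Every permission the app declares in <uses-permission>, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        _attr(el, "name")
        for el in root.iter("uses-permission")
        if _attr(el, "name")
    )


def exported_components(manifest_xml):
    """Components explicitly marked android:exported="true" (reachable by other apps)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            if _attr(el, "exported") == "true":
                found.append((tag, _attr(el, "name")))
    return found


def review(manifest_xml, expected):
    """Compare requested permissions with the set the app's stated purpose justifies."""
    perms = set(requested_permissions(manifest_xml))
    return {
        "talks_to_internet": "android.permission.INTERNET" in perms,
        "sensitive": sorted(perms & SENSITIVE),
        "beyond_expected": sorted(perms - set(expected)),
        "exported": exported_components(manifest_xml),
    }


if __name__ == "__main__":
    # A flashlight only needs CAMERA (to drive the flash LED); everything else is suspect.
    result = review(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    for key, value in result.items():
        print("%-18s %s" % (key + ":", value))
```

Run against the sample, the review reports that the app reaches the Internet, requests contacts and fine location that a flashlight cannot justify, and exposes an exported boot receiver. The same three checks (network capability, sensitive permissions, exported surface) are what a reviewer would want documented per app before it is cleared for a BYOD fleet.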
• Initial draft of the policy guideline submitted in late October-early November 2012, for Orlando.
• November 2012: decision made to develop a standalone document.
• December 2012: received updated peer review info from J. Yeoh.
• January 2013: started efforts to recruit more volunteers for the App Store Security working group.
• February 2013: re-started efforts to make contact with App Store Management at Microsoft.
• March 2013: start updating the draft guideline into a standalone document.
• March 2013: continue efforts to recruit several volunteers to work on the standalone document.
• March 2013: request CSA Global support in making contact with the Apple, Google, Amazon and Samsung app stores.
• April-June 2013: pursue App Store management contacts, involvement and support.
Thanks to the following individuals:
John Yeoh, Research Analyst, Global CSA
Authors/Contributors
Group Lead: James Hunter, Net Effects Inc.
Peer Reviewers
Tom Jones; Ionnis Kounelis; Sandeep Mahajan; Henry St. Andre, InContact
Co-Chair, Mobile Security: Cesare Garlati, Trend Micro
Moving at the speed of mobile!
Charter review
Cooperation Between Working Groups
New Mobile Controls In CCM
Maturity questionnaire v2.0
Top Threats Review
Stand Alone App Store Document
Stand Alone Authentication Document
New Section On Data Protection
Securing public and private application stores
Analysis of mobile security features of key mobile operating systems
Mobile device management, provisioning, policy, and data management
Guidelines for the mobile device security framework
Scalable authentication for mobile
Best practices for secure mobile applications
Identification of primary risks related to BYOD (Bring Your Own Device)
Solutions for resolving multiple usage roles related to BYOD
Information sharing across working groups
Already working with CCM
More guidance and input from Corporate, GRC and SME
Timeframes/Deadlines/Review Periods
Create more material people will want to use to develop their mobile business plans
Baseline Controls
Policy Templates
App Security Guidelines
Threats and Risks
BlackHat (July 27-Aug1)
EMEA Congress (September)
ASIAPAC Events (Congress, May 14-17)
CSA Congress Orlando (November)
https://cloudsecurityalliance.org/events/
Chapter meetings every other Thursday @ 9:00am PST
LinkedIn: Cloud Security Alliance: Mobile Working Group
Basecamp