Reference Security Architecture for Mobility - Insurance
- 2. Agenda
• Introduction
• Business drivers
• Generic Mobility Models
• Sample Risk Assessment
• Mobility Threats
• Challenges
• Introduction to Security Framework
• Mobility Security Architecture Governance framework
• User specific solution
Annexure
• Generic Deployment Architecture
• Regulatory perspective
• Sample Implementation
• EMM Solutions
- 3. Introduction
Mobile device security requires a shift from traditional control methods to provide
robust security while simultaneously ensuring ease of use and adoption.
This document provides an overview of the current aspects of mobility, use cases, the control
measures available, and the architecture components needed to maintain
Confidentiality, Integrity and Availability.
It also briefly touches on people- and process-level issues.
A few sample implementations are also mentioned.
A risk assessment of the secure usage of mobile devices, data and applications in a constantly
changing and evolving technology landscape is a must, so that the controls chosen
fit the environment.
- 4. Generic Mobility Models
• Company provided, corporate use only – MDM enforces a complete lockdown,
including camera, app download, USB features etc.
• Company provided, personal use allowed – all trusted apps run
within a container, and MDM ensures risky apps are blacklisted.
• BYOD (corporate app, corporate use) – personal devices where container
applications secure enterprise content.
• BYOD (personal app, corporate use) – personal devices where the user's
existing applications are used for work as well as personal use (e.g. Android for Work).
- 5. Business drivers for Mobility
1. Scalability of resources
2. Increase Productivity
3. Enhanced end User experience
4. Process Simplification
5. Digitization
- 6. Sample Risk Assessment
Option 1 – Full native browser (no enforcement of security measures; manual and voluntary only)
• Residual risks: access to the sensitive data with
  • No controls against file upload via Dropbox, Evernote, etc.
  • No email controls
  • No enforced password lock nor remote wipe
  • No traceability (logs)
• Recommendation: NOT recommended

Option 2 – Browser + MDM* (MDM adds screen lock and remote wipe)
• Residual risks: almost the same as Option 1, although remote wipe can work
• Recommendation: NOT recommended

*MDM: Mobile Device Management (to lock down device configuration).
- 7. Sample Risk Assessment (cont.)
Option 3 – MDM + App Tunnel (VPN*) + Browser
• Residual risks:
  • Can print out via Bluetooth
  • Can cut & paste text
  • Can print-screen (technically impossible to prevent on any smart device)
• Recommendation: Recommended

Option 4 – MDM + Secure Browser
• Residual risks: almost the same as Option 3
• Note from the diagram: 3rd-party apps on the device remain out of MDM control
• Recommendation: Recommended (most secure). However, the challenges are:
  • Tests of all the applications needed
  • Decreased user experience on mobile

*VPN: Virtual Private Network to limit internet access when using the business app.
- 8. Threats
• Loss and theft
• Compromised devices: malware-infected and jailbroken devices
1. 96% increase in mobile malware infections
2. 55% increase in spear-phishing campaigns
• Malicious and risky apps – stealing information and exfiltrating content
• Wireless network intrusion, juice jacking
• Data loss due to copying, mail forwarding, screenshots etc.
- 10. Introduction to Security Framework
Secure Devices
• Enroll, authorize, manage security policies
• Remote wipe
• Secure access controls including 2FA
• Malware protection

Secure Data
• Encrypt local data
• Separate work & personal data
• Digital rights management
• DLP (web filtering, email filtering)

Secure Application
• Secure application throughout the SDLC
• Secure publishing
• Security for existing APK files

Secure Transaction & Collaboration
• Encrypted communication
• Secure sharing of documents with SSO enabled for document repositories

Cross-cutting: log management, vulnerability management, anomaly detection
- 11. Information Security Framework
Governance
• Context and Leadership / Evaluation and Directions:
  • Security Risk Management
  • Security Policies
  • Security Strategy and Communication
  • Information Security Organizational Structure
  • Information Security Charter
  • Culture and Awareness
  • Brand Protection
• Compliance, Audit and Review:
  • Security Compliance Management
  • External Security Audit
  • Internal Security Audit
  • Management Review of Security

Management
• Protection and operational controls:
  • Identity and Access Management
  • Strong Authentication
  • Configuration and Change Management
  • HR Security / HR Policies
  • Vendor Management
  • Device Management
  • Threat Intel & Protection
  • Security Architecture Review
  • DLP
  • Secure Browser
  • Configuration Management
  • Application Security (Secure Dev and Wrapper)
  • Device & Software Control
  • Security Threat Detection and Management
  • Log and Event Management
  • DRM / Content Management
  • Container Solution
• Response and Recovery:
  • Security Incident Management
  • Information Security in BCM
  • Security eDiscovery & Forensics
  • Backup and Recovery
• Measurement:
  • Metrics Program
  • Continuous Improvement
- 12. Maturity Model
Optimized
• Brand Protection
• DRM / Content Management
• Metrics Program
• Continual Improvement
• Security Threat Detection and Management

Advanced
• Application Security (Secure Development & App Wrapping)
• Threat Intelligence & Protection
• Log and Event Management
• Security Architecture Review
• DLP
• Content Management

Minimum
• Container Solution
• Device Management
• Device & Software Control
• Secure Browser
• IDAM
• Strong Authentication
• Configuration and Change Management

Foundation (all levels)
Policy, Culture and Awareness, Security Audit, Compliance Management, Management Review of
Security, Incident Management, Backup & Recovery, Vendor Management, Security Charter
- 14. User Specific Solutions
Security functions mapped against user types (Employee / Third Party Users / External User):
1. Mobile Device Management (includes Android for Work etc.)
2. Mobile Application Management – container for mail, chat, applications
3. Mobile Content Management
4. Mobile Threat Management
5. Mobile Identity Management
6. Secure Browser
7. Secure Collaboration (Box, Sharepoint etc.)
8. Custom and Enterprise App Security
- 15. Sample Implementations
• Secure email access
• Secure document repository access
• Securing business applications that collect end-user data
• Secure enterprise resource access
- 19. EMM features:
1. Mobile Application Management (MAM)
Management of devices at the application level, for example putting a wrapper around an app or
configuring how applications access information, both from the business network and
from other apps on the device.
2. Mobile Identity Management (MIM)
Functions such as role-based access that apply context such as geo-fencing to determine
not only who is using the device, but also where they are using it from.
3. Mobile Content Management (MCM)
Oversight and control at the content level, which can include copy-and-paste restrictions
and access to business content repositories such as Sharepoint.
- 20. How to Choose From All Those Features
The EMM solution that is right for your business will satisfy your immediate criteria while
leaving room for expansion via integration.
At its core, every enterprise mobility solution should: manage devices (even if the information
is the priority, remote wipe is still important for security); manage applications; blacklist apps
based on certain characteristics (high data usage, for example); allow for application and
authentication controls; and manage content, both what employees access through the
device and what admins push to the employee.
- 21. Must-Haves for an EMM Solution
1. Device management (MDM)
Offer remote device reset; over-the-air hardware, software and network
inventory capabilities; and mobile software management, including app
delivery. Select an EMM solution that has broad platform coverage.
2. App management (or App Policies and App Store)
App management is about applying policies to individual apps so that you do not
have to control the whole device. Approaches include a Software Development Kit (SDK)
that lets developers pre-integrate features such as user authentication,
compromised-device detection, data loss prevention policies, certificates, branding,
over-the-air app configuration and app tunneling. Policies might include
authentication requirements, copy/paste restrictions and content sharing restrictions.
App wrapping is another way to give existing internal applications an extra level of
security and management capabilities.
- 22. 5 Must-Haves for an EMM Solution (cont.)
3. Threat protection
An EMM solution should allow IT to centrally manage mobile threat protection and
leverage app risk data by implementing policies, for example the ability to blacklist
apps based on certain risk characteristics, such as high data usage.
Central management includes things such as distributing a mobile security app to
devices, running remote scans of the device, viewing threats and setting
compliance policies based on the device's security posture.
4. Access and authentication controls
EMM suites allow IT to group users, by department for example, and grant
access only to the resources a specific group needs. An EMM solution should also
offer authentication with time-saving features such as single sign-on, whereby
employees can use the same credentials to log into a laptop and other corporate
systems. Single sign-on also makes it easy for a user to move from app to app
without re-authenticating every time an app is opened.
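The controls described on the Threats, Security Framework and EMM must-have slides (compromised-device detection, screen lock and local encryption, app blacklisting by risk characteristic, group-scoped resource access, and geo-fenced access) are normally combined into one access decision by the EMM. The following is an added example, not part of the original deck and not the code of any EMM product: a small Python policy engine that evaluates a constructed device-posture record together with the user's group and location. The package names, group and resource names, minimum OS version and office coordinates are all constructed assumptions for illustration.

```python
"""Added example: an EMM-style access decision combining device posture,
app blacklist, group entitlement and a geofence. All policy data below is
constructed for the example and is not taken from any product or the deck."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Device:
    device_id: str
    enrolled: bool        # enrolled in MDM
    jailbroken: bool      # result of the agent's compromised-device check
    screen_lock: bool     # passcode/screen lock enforced
    encrypted: bool       # local storage encryption enabled
    os_version: tuple     # (major, minor)
    apps: tuple           # installed package identifiers


@dataclass
class Request:
    user: str
    group: str
    resource: str
    device: Device
    lat: float
    lon: float


# --- Policy data (constructed assumptions) ---
MIN_OS = (12, 0)
APP_BLACKLIST = {                      # risk characteristic per blacklisted package
    "com.example.freevpn": "unvetted VPN/proxy app",
    "com.example.cloudsync": "uncontrolled file upload",
}
GROUP_RESOURCES = {                    # group -> resources the group is entitled to
    "claims": {"mail", "claims-portal"},
    "agents": {"mail", "policy-app"},
}
GEOFENCED = {"claims-portal"}          # resources usable only near the office
OFFICE = (19.0760, 72.8777)            # constructed office coordinates (lat, lon)
GEOFENCE_KM = 25.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def posture_violations(d):
    """Return every device-posture rule the device fails (empty list = compliant)."""
    v = []
    if not d.enrolled:
        v.append("device not enrolled in MDM")
    if d.jailbroken:
        v.append("compromised (jailbroken/rooted) device")
    if not d.screen_lock:
        v.append("no enforced screen lock")
    if not d.encrypted:
        v.append("local storage not encrypted")
    if d.os_version < MIN_OS:
        v.append(f"OS {d.os_version[0]}.{d.os_version[1]} below minimum {MIN_OS[0]}.{MIN_OS[1]}")
    for pkg in d.apps:
        if pkg in APP_BLACKLIST:
            v.append(f"blacklisted app {pkg}: {APP_BLACKLIST[pkg]}")
    return v


def evaluate(req):
    """Return (allowed, reasons). Every failed rule is reported, not just the first."""
    reasons = posture_violations(req.device)
    if req.resource not in GROUP_RESOURCES.get(req.group, set()):
        reasons.append(f"group '{req.group}' not entitled to '{req.resource}'")
    if req.resource in GEOFENCED:
        dist = haversine_km(req.lat, req.lon, *OFFICE)
        if dist > GEOFENCE_KM:
            reasons.append(f"outside geofence ({dist:.0f} km from office)")
    return (not reasons, reasons)


def demo():
    """Three constructed requests: compliant, compromised device, and off-site."""
    good = Device("d1", True, False, True, True, (13, 1), ("com.example.mail",))
    rooted = Device("d2", True, True, True, True, (13, 1), ("com.example.freevpn",))
    requests = [
        Request("asha", "claims", "claims-portal", good, 19.0760, 72.8777),
        Request("asha", "claims", "claims-portal", rooted, 19.0760, 72.8777),
        Request("asha", "claims", "claims-portal", good, 28.6139, 77.2090),
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("ALLOW" if allowed else "DENY", reasons)
```

In a real deployment the posture fields come from the EMM agent, and a jailbreak check is one signal that a determined user can defeat, so it should be combined with platform attestation where available rather than trusted on its own.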
- 23. 5 Must-Haves for an EMM Solution (cont.)
5. Content management
MCM allows users to access content from mobile devices in a secure and managed
way. An EMM solution should give employees a secure way to access files, view
mobile documents and collaborate on corporate content. Content management
also includes data loss prevention. It should offer encrypted on-device data
storage, authentication options, policy-defined cut-and-paste controls and/or
open-in controls to prevent content from being opened or accessed by
non-approved apps.