Lock Down Mobile and Cloud Data Leaks. Presenter: Reza Nabavi, Director, Mobile Product Marketing Accellion, Inc. Presented at SC Magazine Virtual Trade Show.
7. Dual Persona Mobility Model: Risk and Challenges
Enable mobile user productivity without jeopardizing content security.
8. Key Risks and Challenges
Risks
• Lost devices
• Personal use (BYOD problem)
• The “Dropbox” problem
• Jail-broken, rooted devices
• Consistency and legal risks
Challenges
• Enabling social collaboration
• Privileged access and protection of enterprise content
• Compliance
11. EMM = MDM + MAM + MCM
• Mobile Device Management
• Mobile Application Management
• Mobile Content Delivery, Control & Management
Editor's notes
At work, we are both a consumer and a business user, all in the same body. We take the same device that we use to text, to check in where we eat dinner, the same device we use to post our kid's soccer tournament pics to FB, and bring it to the office, use it on the corporate network and access corporate content.
That desire to bring our own devices to work was morphed first by the rapid ascension of smartphones and then by the introduction of tablets, led by the iPad, and it was driven by efficiency, higher productivity and perceived cost savings, including device costs, data costs, IT management costs and inefficiencies.
MOBILE
Corporate demand for smartphones Q212 – planned purchases: 39%
Corporate demand for tablets Q212 – planned purchases – 18% o 31%
"Today, 27% of companies support the iPad, and another 31% report plans to support or interest in supporting the iPad, not to mention the additional 23% that report employee interest despite a lack of IT interest. A recent Gartner press release forecasts 118.1 million tablets will be sold this year worldwide. iPad = 61.4%. 54.8M will be in the US.
Not sure if it's Apple that is causing the continued growth of the overall BYOD trend, or the overall BYOD trend among business users that is causing the proactive enterprise deployment of iPads and tablets. We'll leave that debate for another time. What is clear is that the BYOD trend is growing significantly, with a spectrum of devices used in the enterprise that has never been broader.
Gartner's Stats on Tablets
Read more here: http://www.kansascity.com/2012/08/15/3763368/worldwide-market-share-for-tablet.html#storylink=copy
2012 Forecast = 73+37.9+4.9+1.3+0.510 = 118.9M tablets sold
As consumers we use hundreds of apps (some of which you are familiar with) to connect with friends, listen to music, check our balances, play games, etc. And guess what: as business users, we also use the same set of apps, plus a few more that are for content manipulation purposes.
CLOUD
Another phenomenon happening in enterprises is the introduction of consumer-grade cloud storage and file sharing services. Today, 450M people have Dropbox accounts, several million have Box or YouSendIt accounts, and it's a market that big brand names have also entered with their cloud file sharing offerings: Google with Google Drive, MSFT with SkyDrive, Apple with iCloud, not including the smaller players. No one disputes the legitimate need for consumer cloud file sharing and storage services. It's just that consumer clouds have no place being mingled with private enterprise content. They are a source of corporate data leaks. The BYOD business user who has access to these services puts corporate content there for later access, which could then be subject to leak. Once that happens, the files are out of control. Corporate content can begin to leak outside this way.
As you may have heard, Dropbox admitted yesterday that it was breached. With this development, many data security conversations are going to focus on the cloud and external threats; however, when it comes to file storage and sharing, the story is broader than that, and it's important for enterprises to consider the multiple facets needed for secure file sharing. When evaluating vendors, buyers need to consider multiple security factors, including deployment options (private, public, hybrid cloud), AV capabilities, file transfer tracking and reporting tools (especially important in regulated industries), as well as a vendor's ability to integrate with data loss prevention (DLP) platforms. This last piece gives organizations the ability to inspect all data before it leaves an organization: scanning for confidential data (social security numbers, credit card numbers, product information, etc.) and blocking and/or quarantining file transfers that violate established policies.
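The DLP inspection step described above, as an added example that is not Accellion's or any DLP product's code: a scanner that looks for Social Security and card numbers in an outbound file's text, validates card candidates with the Luhn checksum to cut false positives, and returns allow, quarantine or block. The function names, the threshold of three findings and the sample strings are assumptions constructed for illustration.

```python
import re

# Candidate patterns. Real DLP policies are broader; these two match the
# identifier types named in the notes above.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")

def inspect(text):
    """Return masked findings so the audit log never stores the full identifier."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def decide(text, block_at=3):
    """Policy (assumed): 0 findings allow, 1-2 quarantine for review, 3+ block."""
    findings = inspect(text)
    if not findings:
        return "allow", findings
    return ("block" if len(findings) >= block_at else "quarantine"), findings

# Constructed sample transfers (not real data; 4111... is a common test number).
SAMPLE_CLEAN = "Q3 roadmap draft attached. Ref 1234 5678 9012 3456."
SAMPLE_ONE = "Please refund card 4111 1111 1111 1111 today."
SAMPLE_BULK = "Payroll: 123-45-6789, 234-56-7890, card 4111-1111-1111-1111"

if __name__ == "__main__":
    for doc in (SAMPLE_CLEAN, SAMPLE_ONE, SAMPLE_BULK):
        print(decide(doc))
```

The reference number in the first sample has the shape of a card number but fails the Luhn check, so the transfer is allowed rather than quarantined.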
Accellion, provider of enterprise-class secure file sharing solutions, would be happy to speak with you in more detail about what organizations need to do to make sure they are getting the security they need with their file sharing service.
Top Articles
• Dropbox: Yes, we were hacked. GigaOm, Barb Darrow, August 1, 2012. http://gigaom.com/cloud/dropbox-yes-we-were-hacked/
• Dropbox Admits To User Data Theft, Bolsters Security. Fast Company, Kit Eaton, August 1, 2012. http://www.fastcompany.com/1844342/dropbox-admits-to-user-data-theft-bolsters-security?partner=rss
• Dropbox spam explained – new security features added. Infosecurity Magazine, August 1, 2012. http://www.infosecurity-magazine.com/view/27337/dropbox-spam-explained-new-security-features-added/
• Dropbox gets hacked ... again. ZDNet, Ed Bott, August 1, 2012. http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/
• Dropbox Reports User Accounts Were Hijacked, Adds New Security Features. TechCrunch, Rip Empson, July 31, 2012. http://techcrunch.com/2012/07/31/dropbox-admits-user-accounts-were-hijacked-adds-new-security-features/
• Dropbox hack confirmed while company assures renewed security. SlashGear, Chris Burns, July 31, 2012. http://www.slashgear.com/dropbox-hack-confirmed-while-company-assures-renewed-security-31241139/
• Dropbox confirms user info was stolen, adds new security measures. http://www.engadget.com/2012/08/01/dropbox-confirms-security-breach-new-measures/
Why Social: At the center of all businesses are people. Social collaboration has shown that wisdom can be gained from crowds and from virtual teams, which can lead to ideation for new products and strategies. So there is no question that businesses are trending toward social, mobile and the cloud with a tremendous velocity that cannot be stopped, because of its promises of higher agility, efficiency and productivity, and that the nexus of these three forces of social, mobile and cloud is having game-changing impacts on IT and on how it has implemented security, leaving it out of sync with the trends! http://www.zdnet.com/blog/hinchcliffe/cloud-computing-a-new-era-of-it-opportunity-and-challenges/261
The challenge is how to embrace this new dual persona mobile enterprise model without the risk of jeopardizing security. The challenge is how to regain control and provide management and delivery of content for everybody in the enterprise while ensuring security.
What's top of mind for many CISOs, CIOs and IT decision makers is how to:
• Manage BYOD users' rights and privileges for access to corporate data using their own devices
• Avoid the creation of a shadow IT and losing control of corporate content through business users' use of consumer cloud services
• Enable social and mobile content delivery and collaboration
• Ensure compliance with regulatory requirements of SOX, HIPAA and others
• Avoid the dreaded Xmas eve call from the IT personnel that there's been a leak, and that all YouSendIt accounts are now compromised
• Protect confidential content by locking down mobile users and cloud data leaks
Let's look at how these goals can be attained.
The report studied 230 top apps -- including the Top 100 Paid apps on Android and iOS -- and found that 92% of iOS apps have been hacked, with this rising to an incredible 100% on the Android platform. Free apps weren't immune from attacks either, as Arxan found that 40% of popular free iOS apps had been hacked, with this rising to 80% for apps running Google's operating system.
Researchers found hacking to be prevalent across all mobile apps irrespective of category (including business and productivity), and indicated that hacking presides in a number of forms, from disabling security to unlocking and modifying app features. Hackers also resort to code/IP theft and pushing illegal malware-infested versions.
To counter this, Arxan Technologies says that developers should harden the code against reverse engineering (reproducing the app based on how it is built) and make their apps tamper-proof and self-defending.
"We envision a thriving App Economy with freedom and confidence to innovate and distribute new apps," said Jukka Alanen, vice president at Arxan and the lead author of the new study. "However, this potential is being threatened by hackers, and most enterprises, security teams, and app developers are not prepared for these attacks."
The most common remedy IT departments employ is to:
• Restrict the device, i.e. prohibit BYOD: no personal devices allowed in the corporate environment, and you know how that turned out when he was asked to stop using WWF on his phone.
• Limit BYOD (limited employees, limited data, connectivity and devices).
• If BYOD is allowed and malware or a jail-broken app is detected, wipe the whole device.
• Make everyone go through a secure transport layer like VPN.
Application data not protected
Wiping personal data
Expose corporate network
Embracing the Dual Persona enterprise mobility model and addressing all of the challenges we enumerated in previous slides is accomplished by deploying an Enterprise Mobility Management solution. An EMM has three components: Mobile Device Management, which is concerned with restricting and controlling devices; Mobile Application Management, which focuses on application data protection; and Mobile Content Management, which is concerned solely with control and delivery of content. Hence the formula that I am showing here: EMM = MDM + MAM + MCM.
Many of the MDM vendors today offer some level of app security in addition to their fundamental MDM offering. They do it through a walled garden of ISV apps that they have wrapped with a secure layer, or by creating an enterprise app store. So an MDM vendor today is likely able to address application management for you as well. A content delivery and control solution, however, has to be a solution of its own, which almost none of the MDM and MAM players in the market today offer. And that is exactly what Accellion offers with its cloud-based mobile file sharing solution. We are kind of a best-kept secret, which is why I have a couple of slides to tell you who we are toward the end.
For now, what I'd like to do is share with you the best practices, or some of the key criteria that you ought to employ, whether you're looking at Accellion or another provider, as you look for a Content Mobility Solution to lock down mobile and cloud data leaks.