Mobile Security Models
Every organization today needs to have a mobile security road map. According to the 2016 Mobile Security & Business Transformation Study from ISMG, 99 percent of enterprise workers currently use mobile devices to perform their work tasks. Securing all of those devices requires that organizations take a formal approach to mobile security models — an ad hoc approach is not sufficient to manage enterprise risk from mobile threats.
To enable businesses to embrace mobility in a secure manner, Samsung has forged a partnership with Booz Allen Hamilton to provide organizations with a comprehensive mobile security risk assessment. The risk assessment process is divided into seven domains, based around common themes and incorporating standards such as ISO 27001 and FedRAMP.
1. Business Management and Governance
The first two domains concern policy, and are centered around the business goals and the overall business strategy driving the company. The first covers business management and governance, looking to substantiate the threats that organizations face and tying them back to business needs, such as what devices are in use, where they come from, and designating trusted sources and locations. With this knowledge, your organization can better manage business risk, establish the right mobile policies and refine investment for effective and secure use of mobile services and tools.
2. Legal Policies and Regulatory Requirements
The second area looked at is legal policies and regulatory requirements in order to ensure compliance and the right management practices, policies and standards for the industry in which you operate. It looks at what controls are in place for dealing with requirements that are specific to your industry or location, such as data management, privacy, mobile-specific regulations and employee working time requirements, which vary by region.
3. Mobility Infrastructure
How does the mobility infrastructure interface with the core infrastructure, including data centers, servers, applications, and wired and wireless networks? How do you manage your mobile fleet, including enterprise mobility management (EMM) and mobile device management (MDM) tools? The aim here is to help you understand how best to onboard devices, ensure they’re used properly throughout their life cycles and manage the risks associated with the infrastructure they’re connected to. How do you manage the risk of public access points, such as at airports or other locations offering free Wi-Fi? Is the mobile network managed and monitored for abuse and other problems? This domain seeks to implement a unified mobile communications and usage strategy, looking at the physical and logical security components that prevent malicious activities in addition to providing accountability and access control.
4. Mobility Applications
The fourth domain centers on mobility applications, including apps for tablets and wearables. This is an essential component, since two in five enterprises are affected by dangerous mobile apps from rogue marketplaces. How do you develop apps for particular devices and how do you understand the threat model that applies to each? This understanding must underpin how apps are developed and managed in order to ensure their integrity. Should you build your own app store or use someone else’s? How do you assess the security of the applications you develop, as well as the ones you use from third parties, and how do they connect to back-end systems and services? While this ties back to infrastructure, the focus here is on data movement and application integrity.
5. Data Protection
Data protection is a core component of mobile security models. This domain helps you understand the life cycle management of data in the mobile environment, such as what data is in use and how are you managing it? How is data being protected and how are you validating its integrity, especially when in transit? Are you performing access control checks and using tools such as data loss prevention (DLP) to detect malicious activity? How are you destroying data at the end of its useful life or when it’s no longer needed or required? This domain will enable you to understand what data is being moved on and off of devices, what mechanisms are being used to protect data at rest or in transit, and who or what has access to the data. Is it being managed as intended? How do you validate that data is destroyed in line with specific regulations and requirements? Data destruction is one area in which many companies perform poorly. In industries such as financial services and healthcare and government agencies, there’s a life cycle associated with data, which mandates that it must be destroyed after a certain amount of time or when it’s no longer needed, reducing the opportunity for abuse. The Data Protection domain will help you to understand the risks to your data and what actions should be taken to protect it to meet your requirements and needs.
6. Mobility ENDPOINTS
Understanding the capabilities of mobile devices and tying these capabilities back to the business–based security requirements is key to success. This domain helps you understand what devices are appropriate for what purposes within your business. Does the use case require device-level encryption at rest and in transit? Are the access controls adequate to meet your needs? Do you have a life cycle management policy that ensures devices are configured correctly when initially deployed and throughout their life cycle? Do you have a decommissioning process that takes into account the need to remove evidence of the applications and data that may have been stored on the device?
7. Risk and Threat Management
Finally, the mobile security assessments consider risk and threat management, looking at incident management and threat response for mobility environments. How does this fit with the overall risk management program and legacy infrastructure? What should you be doing? There’s a lot involved, including vulnerability assessments, paper exercises and pen testing, all of which are mainly focused around legacy infrastructure, not mobility. Do you have a mobile threat program or are you leveraging one from a partner? Do you have a device loss prevention strategy? Can you locate and erase data, or even brick a device? What are the threat requirements?