SANS Survey on Mobility/BYOD Security Policies and Practices
Sponsored by
Box, F5 Networks, McAfee, MobileIron, Oracle and RSA
October 2012
A SANS Whitepaper
Written by: Kevin Johnson and Tony DeLaGrange
Advisor: Barbara Filkins
Survey Participants PAGE 2
Policies and BYOD PAGE 4
Mobility/BYOD Practices PAGE 7
Confidence in Their Programs PAGE 10
Protecting Access and Information PAGE 13
Introduction
Based on our first SANS mobile device survey (released in March of this year),[1] it is obvious that mobile devices have become commonplace in organizations. That survey also revealed that organizations are nowhere near ready for this user-driven evolution. Of its more than 650 respondents, 61% allowed personal devices to connect to protected network resources, yet only 9% were “fully aware” of what those devices were and what they were accessing. Furthermore, 50% either didn’t have policies or depended on the user to comply with corporate policies for securing personally owned devices.
This lack of awareness and policy around mobile access to company resources has all the makings of what IT professionals commonly refer to as a “perfect storm.” The threat to mobile devices is already real: text-, web-, application-, media- and e-mail-based attacks proliferate against Google Android, Windows Mobile, iPhone and tablet platforms. Without security policies, allowing employee-owned devices to access company resources makes our protected IT networks sitting ducks.
For this reason, SANS decided to conduct a second mobility survey to determine the level of policy and controls around these emerging threats. Of those responding, 60% indicated they have some form of risk management policies around their mobile/BYOD use; but what are those policies? How well are they working? And how do they map to controls within organizations?
In this new survey on BYOD policy and controls, more than 95% of the 650-plus respondents said that policy is a critical protection that needs to be integrated into overall risk management policy. Yet 38% do not have the policies they feel are necessary. This is an improvement over our original survey released in March, in which only 14% felt fully confident in the comprehensiveness of their security policies and 58% had no policy at all. And while they may not have policy yet, many respondents indicated that BYOD policy adoption is currently under way. This is great; however, the concern is that building the policy after devices are already allowed to connect means organizations are fighting a losing battle.
As to practices and controls, this new survey shows that those who do have policies are predominantly using proven tools such as authentication and access controls, firewalls and VPNs. Interestingly, mobile-specific solutions, such as mobile device management (MDM), are not as high on the list as many would have thought. This is not surprising considering some of the confusion around agent, agentless and best-of-breed issues in a constantly changing market. Also, as our first survey showed, employers are reluctant to add controls directly onto employee-owned devices because the devices don’t belong to the organization. At this stage, many organizations seem to be relying heavily on employee agreements and education.
[1] www.sans.org/reading_room/analysts_program/mobility-sec-survey.pdf
SANS Analyst Program 1 SANS Survey on Mobility/BYOD Security Policies and Practices
Survey Participants
Approximately 650 people responded to this survey. Fewer government employees took this survey than took the first, resulting in a more representative split between government and private organizations. The next largest group, at 14%, came from the financial sector. The banking industry has been a front-runner in adopting online and mobile computing for end users, and its involvement in this survey bodes well for securing BYOD in this highly sensitive industry. Figure 1 shows the industries represented in this survey.
Figure 1. Industries Participating in the Survey
While our first survey showed that 61% of respondents said their organizations allowed BYOD, that survey didn’t ask how many devices employees were using. So in this survey, when asked about the size of their mobile workforce, almost 58% answered that their mobile workforce is fewer than 1,001 people, even though 65% worked for organizations with more than 1,000 people (see Figure 2).
Figure 2. Size of the Mobile Workforce
This indicates that fewer devices are being allowed into organizations than we expected. Of those using mobile devices, respondents estimated that only 10% of their workforce is using personally owned devices.
Respondents came from a wide spectrum of roles and were able to select several different roles. Their responses (see Figure 3) show a group well versed in security, business and operational needs.
Figure 3. Roles of Respondents
Policies and BYOD
The goal of this survey was to determine how well organizations are protecting themselves with BYOD policies and where they need to focus their efforts. The results point to vulnerabilities that need to be addressed, but also provide examples of organizations that have taken the appropriate steps. The information gathered can help other organizations moving into the BYOD model prepare their security policies and controls before jumping in. Far too many, unfortunately, have addressed security around BYOD and mobile devices after the fact.
From this survey, it is obvious how vitally important organizations consider mobile/BYOD policy. An overwhelming 97% thought incorporating mobile access and security policy into their overall security and compliance framework is important, with 37% rating it critical and 40% rating it extremely important (see Figure 4).
Figure 4. The Criticality of Mobile Security Policy
Given the almost unanimous agreement that mobile policies are important, it is surprising that almost 38% of respondents don’t have any formal policy around BYOD, and that fewer organizations are forbidding the use of personally owned devices. According to respondents to this policy survey, 25% forbid the use of personal devices for network access and resources today, whereas at the beginning of the year 37% didn’t allow BYOD. The change may reflect that more organizations are implementing policy now than at the beginning of the year: 38% without policy is an improvement over the first survey, in which 58% had no policy.
Protecting sensitive information is the main driver for the majority of organizations implementing security controls in their BYOD environments, with compliance a close second. Interestingly, fewer than 50% of respondents said that supporting new innovations or changes was a reason for implementing policy, indicating that IT organizations still don’t understand or work within the language of business. Given the availability and power of smartphones, along with the shift to mobile applications, the change in the typical IT infrastructure is already occurring, so this attitude was surprising. Figure 5 summarizes the reasons for their policy control points.
Figure 5. Reasons for Implementing Mobile Policies
With respect to control points included in their policy, only 27% rely on the controls they have instituted without concern for who owns the device (see Figure 6).
Figure 6. Mobility Policies, Current Survey
The change in results between our March survey and now is also evident in respondents’ basic policy points. Although we asked the question differently in our first survey, some of the answers align and some diverge. For example, employee education and usage agreements were the number one policy points in both surveys. Yet the use of mobile device management as a control point seems to have gone down, from nearly 40% of those with policy using it as a control in the first survey to just over 20% in this survey.
Expect the BYOD security landscape to continue to change like this. Many respondents to our current survey on policy and controls commented that their organizations are in the process of developing BYOD policies, and some are “forming” or “thinking” about policies. The question is, how strong will those policies turn out to be? For now, the common BYOD security practice is to require employees to sign use agreements. But how do you monitor a terms-of-use agreement on an employee-owned device? Are such policies just bandaging gaping wounds? These responses raise questions about the effectiveness of current policies and how to implement them in the mobile arena.
These are the kinds of questions that need to be considered for each point in your overall policy. You should also include means for reporting violations, the chain of command, and what to do with an employee-owned device implicated in an investigation. See our previous survey for advice on getting started on policy.[2]
The next sections of this document cover what respondents are doing to enforce policy and how confident organizations are in their policies today.
[2] www.sans.org/reading_room/analysts_program/mobility-sec-survey.pdf, Page 7, sidebar, “Mobile Policy Best Practices”
Mobility/BYOD Practices
A number of practices can be put in place to secure mobile devices. Some involve touching the mobile endpoints: installing agents on them and scanning them before allowing entry to the network. Others focus on controlling access to applications based on device type or state, or on creating segmented access through Network Access Control (NAC) and guest networking. Protecting data from potentially hostile devices and protecting devices from malicious applications are further practices that organizations can incorporate.
What They’re Doing
In this survey, just as in our March survey, it’s apparent that organizations are reaching for a number of these control types. Figure 7 illustrates the importance respondents currently place on a variety of different types of controls.
Figure 7. Critical Mobile Security Practices
According to survey respondents, the most critical practices to implement include the following:
browsing (38%)
Surprisingly, although approximately 50% considered registration of devices to be important, almost 32% of those with policy haven’t implemented this control, which is a prerequisite for mobile device management. It is not surprising that more than 50% think it critical to know about and secure access to resources and to encrypt the data on the device; yet 40% don’t track the devices, and 21% think it only somewhat important to have centralized management of the devices (also known as mobile device management, or MDM for short).
Protecting mobile devices from malicious applications that can be used to hijack the device and gain access to the secured enterprise is one of the areas organizations must manage carefully. We asked what organizations were doing to protect against malicious applications on employee-owned devices, giving respondents the following options:
Just as with our original survey, the highest-ranking answer about practices deployed was user education, with more than 50% of respondents relying on users to protect their devices from potentially hostile applications. This is something we know doesn’t work in the PC world, so how do we suppose it will work in the smaller-device world? Whitelisting and blacklisting of applications (primarily agent-based) was reported by 22%. Application stores (the secure distribution of applications that employees obtain through their companies or through approved secure marketplaces) were reported by 27%, tying with inventorying applications on a device requesting access. No protections at all was the answer from 28%, as illustrated in Figure 8.
Figure 8. Protection against Hostile Applications
As time moves forward, protections against user-installed malicious applications will become more critical. But just try telling your employees they cannot install Angry Birds or the latest flashlight application on their personal phone because they use it to access internal systems!
Confidence in Their Programs
Most respondents indicate that their organizations aren’t deploying centralized management of devices and control of applications. So it’s logical to assume that this lack of controls maps to respondents’ lack of confidence in the protections deployed so far. Of the four areas we asked about (securing applications and e-mail, protecting against evolving threats, provisioning devices, and scaling the infrastructure and controls to manage mobile security and devices), the only area in which a majority of people were confident was protecting e-mail (see Figure 9).
Figure 9. Mobile Security Confidence Levels
This makes sense, because e-mail is a relatively well-secured application that can be leveraged on mobile endpoints. Indeed, access to e-mail has been a major reason for using mobile phones in organizations, second only to making phone calls.
From this data, it can be inferred that most respondents are not sure they are prepared to handle the security needs of their growing mobile workforces. This is even more troubling when you see that 70% of respondents were not confident, or only somewhat confident, that the controls they do have in place are able to scale to support a mobile workforce.
The same is true for their ability to control applications. In the survey, we asked respondents to check off which applications they are granting mobile access to and their level of confidence in the security of that access. These include:
A majority of respondents were confident that e-mail was a securely accessed application. This makes sense, given that the application-based controls around e-mail are mature and solid. For other application types, respondents highlighted two areas of concern: intranet access and remote access systems. Considering how important these access points are, the lack of confidence is both surprising and concerning. Confidence levels are illustrated in Figure 10.
Figure 10. Confidence Levels in Securing Mobile Applications and Data
They were also not confident in the use of social media. The majority of people were either not confident of the security or were not allowing access to social media and cloud services. And 56% don’t deal with custom applications.
A total of 41% of respondents said their organization had allowed mobile access to native applications in the previous year, and 47% plan on doing so in the next year. The number of applications made available ranged from none to more than 10, with two to four applications being the most common response (14% currently and 21% in the next year).
The rules are different for managing access to custom applications. Creating access controls may or may not be easier, for example, and adding rules onto old applications is always problematic. Our hope is that if organizations adopt secure development and business processes at the application’s onset, there will be lower levels of security risk when those applications are accessed by mobile devices.
Protecting Access and Information
In addition to, or in lieu of, MDM protections, organizations are also looking at security from an access and data control point of view.
Along with e-mail security, VPN (virtual private networking) technology is another tried and tested methodology that security practitioners and security appliance vendors are translating well to the mobile world. In this survey, almost two-thirds of respondents either use or will use a full VPN client for access to resources.
Network Access Control (NAC) is another mature technology finding a renaissance in the mobile world. Approximately 58% of respondents currently limit or segregate mobile devices onto a separate network space (or plan to). This is often achieved through NAC and guest networking. Figure 11 details the various access controls in place today or planned in the next year.
Figure 11. Remote Access Controls
Of importance to cloud-based vendors is that 67% of respondents expect to implement cloud-based provisioning within the next 12 months. This increased reliance on the cloud will present additional challenges to the security of data going back and forth between mobile devices. For example, who owns the data if both personal and business data are synced in a cloud service such as iCloud?
Access Control Methods
Access and data protection go hand in hand. To this end, respondents are making use of multiple systems and controls. As seen earlier, VPN access is quite popular, with 61% of respondents using it as a data protection mechanism. We also see an expected high dependence on traditional controls such as firewalls and authentication. Interestingly, 38% use a proxy server to allow and control access to the internal network and the information within it, demonstrating a focus on providing access to internal web-based applications (see Figure 12).
Figure 12. Means of Controlling Access
Authenticati<strong>on</strong><br />
Protecting Access <strong>and</strong> Informati<strong>on</strong> (CONTINUED)<br />
For any device with access to a network, authentication becomes a concern. How we ensure that the right person is using the device to reach approved assets is one of the most important steps in allowing access and protecting our systems and data. The second least secure method of authentication—password-only access—is used for the majority (62%) of the mobile authentication being done today. However, certificates and one-time passwords are also being used by many organizations to authenticate the devices, as illustrated in Figure 13.
Figure 13. Authentication Controls
Over the next 12 months, respondents also expect less reliance on the insecure method (password-only access) as more secure forms of authentication (such as multifactor, one-time passwords and tokens) become ubiquitous. Respondents expect to be using more of the same technologies for their mobile application users, while also increasing the use of multifactor authentication, device fingerprinting and ID capabilities.
Data Protections
Data within services and applications commonly used on mobile devices raises additional concerns when downloaded to those devices. There are many methods to protect this data: view only, segmentation, encryption and good user behavior. In this survey, respondents chose VPN tunneling as their top means of protecting data from mobile device risk. Figure 14 illustrates the different levels of control for sensitive data on BYOD devices.
Figure 14. Protection of Sensitive Data on BYOD
We should be concerned that 24% of respondents do not have protections regarding sensitive data on mobile devices, and that there is a low percentage of respondents actually deploying VPN, encryption and segmentation. Fewer still (less than 10%) are taking any comprehensive approach to fingerprint, classify, monitor and encrypt data. Data protection is one area in which the market really needs to mature.
Most surprisingly, 32% of the organizations count on the user to protect the device and remove data when they are finished with it. Such an approach has failed in almost every other technology operated by end users. Devices are routinely lost, and data can linger on devices simply because the user doesn’t know if or when he or she will need that data again. A lost device, then, can result in sensitive data being compromised—something the 2011 Ponemon Institute study says is responsible for 39% of mobile-device-related breaches! 3 At the very least, encryption of the device at the boot level is critical and most easily deployed among the user population.
3 www.infolawgroup.com/2012/03/articles/breach-notification/new-ponemon-data-breach-study-finds-breach-costs-have-fallen
Conclusion
While many people believe that we need to control mobile devices and that policy is crucial, we have not met the security needs of the mobile workforce of today and tomorrow. Practices rely heavily on traditional controls such as VPN, authentication and network firewalls. More alarmingly, most organizations fall back on user awareness and user agreements to provide security. While users are the ones demanding mobile access, depending on them to do the right thing is a path to failure.
Data protection is one of the key requirements for mobile security and a large area of improvement for respondents and data protection vendors. For example, less than 10% of the respondents fingerprint sensitive data or roll out device-level encryption. That means these technologies are either not important enough—or not convenient enough—for them to use with their employee-owned devices. This lack of asset inventory spills over to the larger issue: no central control around the devices. Based on responses to both our surveys, MDM has yet to take a dominant position in the mobile security market, mainly because organizations are hesitant to install technology on devices they do not own (based on our March survey).
Fortunately, respondents are implementing stronger policy and mobile-focused controls, such as MDM. So next year’s survey should show much improvement in the adoption of policies and controls. While some are already down that path, we need to accelerate this process if we hope to protect our organizations and our data from malware, intellectual property theft or compliance violations.
About the Authors
Kevin Johnson
including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and

of three classes: SEC542: Web Application Penetration Testing, Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. In addition, he is an instructor and author for the SANS Institute, a faculty member at IANS and a contributing blogger at TheMobilityHub.
Tony DeLaGrange is a senior security analyst with Secure Ideas, bringing over 25 years of information technology experience in the healthcare and financial services industries. For over the past decade, Tony has focused on information security within a leading Fortune 50 financial institution, providing the design of security reference architecture, development of information security policies, standards, and baselines, as well as the assessment and testing of emerging technologies. For many years, Tony has had a keen interest in mobile security, specifically with mobile devices within a corporate environment, and is currently focused on the development of open source mobile testing tools.
SANS would like to thank its sponsors: