Mobility is a game changer in many ways, and in some ways it is another manifestation of the same security problems plaguing enterprises. The client, or last tactical mile as we like to put it, is often a common target of a malicious attack. The client is where all of the security controls, decryption, and authorization decisions have run their course: an end customer is viewing data in the clear.

A web browser is the most notoriously unstable and vulnerable client since it effectively is running remote code locally. Many cross-site scripting attacks have leveraged weak clients (i.e., web browsers) to steal privileged information.

In the enterprise, mobility presents an added layer of security concern: most users prefer to operate on their personal mobile device instead of a separate corporate issued phone. This adds an unknown to the mix since IT security professionals won’t necessarily know what a user has running on their device. In addition, it might not always be possible to have the ability and permission to perform important emergency security functions such as remote wiping. Finally, data on mobile devices literally travels and can be lost, stolen, or seized.

Fortunately, both iOS and Android operating systems provide sophisticated security frameworks that if understood and followed can dramatically reduce the risk posed to your data operating on a mobile device. Furthermore, restrictions can be placed on the device based on its network connection, physical proximity, and other controls that can manage decryption functions and ensure the device is fully within the security perimeter before it is able to present data in the clear.

The Shattuck Group is helping clients understand the implications of incorporating mobility into the security landscape. In some ways, mobility adds many security enhancing features such as Google’s authenticator application that be used as a multi-factor authentication device without having to purchase key cards for every employee. Sophisticated security models in iOS and Android also enforce many industry best practices such as code signing. Leveraging some of these enhancements allow employees to use their personal device while improving security, saving time and money, and enhancing morale.

Most people are familiar with the need to authenticate a person. Equally important is the need to authenticate software and systems in conjunction with the person using them. In other words, you should authenticate both the person and the manner in which he or she is accessing data. This forms the beginning of establishing trust principals throughout your enterprise.

In some cases, it is necessary to include end customers as participants in the security process by prompting them to validate or approve the system they are operating. In other cases, management should only allow approved systems to access certain data, and have means for enforcing these policy decisions and security verifications.

Identity management plays a critical role in providing enterprise controls with non-repudiation of people and workloads. Successful identity management implementations often improve organizational efficiencies. Through the use of single sign-on and additional authentication factors, our customers can eliminate the need for overkill password policies and a host of other quasi security controls that do not enhance security or mission effectiveness.

These principals form the foundation for an automated authorization and access framework that becomes the start of an organization’s authorization fabric. By moving in this direction, CIO, CISOs and other cyber executives can stipulate workload policies for accessing data as a combination of the following components:

• A user (human or system) as having membership in a role
• A role performing an action
• An action as part of a workload
• A policy authorizing a role to perform a specific action in a specific workload

The Shattuck Group has helped organizations establish robust policies and in building tools to enforce those policies through a strong authorization fabric. With this approach to identity management they gain control and visibility into the who, what, when, why, and how data is being accessed and in accordance with (or violation of) deliberate policy decisions. Furthermore, organizations are able to better understand the ramifications of data security policy changes, measure a shrinking (or growing) attack surface, and safeguard data from systems and people that do not possess a valid business case for accessing the data.

How do you build a security apparatus that has to defend against an insider who has perfect knowledge of your IT infrastructure, elevated administrator privileges, and resides within your security perimeter? A growing number of organizations are beginning to ask this question, but many do not know where to begin.

For most potential customers, the prospect of their system administrators doing evil is preposterous. What isn’t preposterous is the credentials and access they have, and potential for a nefarious actor or cyber criminal to exploit their compromised credentials.

Generally speaking, it is difficult to differentiate between an administrator with evil intent, a cyber criminal operating with an administrator’s compromised credentials, or someone simply making a mistake. Therefore, these and other use cases fall within the purview of insider threat management.

Implementing insider threat management can seem daunting; however, there are some basic actions that can initially be taken to dramatically reduce risk in this area. Here are a few basic examples of how the Shattuck Group is helping customers manage this problem space:

• Encrypt all data, only de-crypt for trusted workloads and end-users. Minimize or eliminate clear text compute.
• Automate everything, especially production configuration and deployments. Remove human logical access to servers.
• Employ role separation with policy based access to privileged data, functions, and servers. Explicitly grant access based on role, action, system, and policy.

With these simple steps you remove an insider’s ability to directly access sensitive data; when necessary, the data is accessible but the encryption keys to decrypt it are not; and by removing direct access to production servers, it minimizes the risk of malware installation or accidental misconfiguration of production workloads.

These basic steps are helpful forcing mechanisms that will drive architectural decisions that you must be prepared to make. For instance, removing direct human access to production servers will require establishing a continuous integration and deployment environment with tools such as Puppet or Chef, Hudson and Bamboo. Encrypting data will require establishing a key management and authorization approach with KMS or other solution. Role separation will require you to identify and validate organizational responsibilities and privileges.

With a basic approach to insider threat management, you can dramatically reduce risk of customer or sensitive data compromise. Coupled with enhanced audit and security alarms, you can stay informed in the event of a security incident, but sleep well knowing at worst an adversary will only walk away with cipher text.