Thursday Jan 03, 2013

Partner Blog Series: Deloitte Talks Part 1: Mobile Security - An Enterprise View

Deloitte is excited to introduce the first post in a series of four that will examine different aspects of mobile security. Future posts will go deeper into mobile security topics including: a) Bring Your Own Device (BYOD), b) Securing Mobile Applications, and c) Building a Secure Mobile Environment. Throughout this series, readers are encouraged to submit questions or comments, which will feed into a roundtable-style Q&A post responding to selected comments and questions received.

It should come as no surprise how much mobile technology touches our lives today. So much so that the traditional model of a workplace is being challenged, with employees not only questioning the need for traditional laptops or desktops, but opting for and demanding easier-to-use tablets and business applications delivered on mobile devices.

Smart devices today are used not only for voice communication but as productivity enablers: the usual tools for scheduling, planning and email, and also business applications and reporting dashboards.

This growth, while in line with expectations, continues with no immediate sign of a slowdown.


Concerns around mobile security continue to rise with the number of devices. Security is one of the main blockers to enterprise-wide acceptance of mobile technology, and it is also why many CIOs may be hesitant to adopt concepts like Bring Your Own Device (BYOD) or to move towards mobile app development for customers and employees. BYOD has become a smart business decision because it allows employees to connect to corporate applications without a significant increase in overhead and management costs. At the same time, devices today collect, collate and store sensitive information in increasing amounts, which may include corporate intellectual property in addition to personal data.

Any mobile device can be targeted by attacks that may lead to a data breach. With mobile hardware the attack surface is also considerably larger, simply because of the ease of access, the sheer number of devices, and vendors competing to offer more features and experiences to consumers. Attacks look to exploit weaknesses in the hardware, the software, the network and even the people that use the devices.

Many vendors, software providers, carriers and standards play in the mobile space. That is why the mobile ecosystem consists of so many components and touch points, and why security needs to be addressed at each layer.

A key differentiator between mobile devices and traditional computing hardware is the number of interfaces a device exposes to communicate with networks, other devices and complementary hardware. With BYOD, the risk is multiplied greatly simply because of the number and variety of devices, operating systems, browsers, applications and, especially, communication interfaces. Examples of evolving threats to mobile devices include malicious QR codes, "SMiShing" (phishing over SMS), pirated apps, Wi-Fi attacks (including man-in-the-middle attacks), and Bluetooth attacks such as "Bluesnarfing".

[Figure: Mobile device attack surface]

What would a corresponding "mobile security threat response" strategy look like? Would it be perceived as difficult to implement, or even complicated? The short answer is "It should not be", provided it is incorporated into the overall enterprise security model. While mobile devices and their associated threats are newer and still evolving, mobile should be treated as one more channel through which corporate data and applications are accessed.

If policies around data protection and application access are sound, then mobile security and its associated risks can be broken down into hardware, software, network components and the people that use the devices. Once this is done, appropriate security measures can be developed and applied at each layer, from security within the different layers of software to how and what information is exposed to end users.



For each component of the mobile ecosystem, examples of risk and mitigation options:

Devices: the hardware that accesses data over networks, hosts applications and has local storage
  Examples of risk: firmware manipulation; other hardwired and connected devices
  Mitigation options: firmware and OS signature validation; continuous threat monitoring and updates; device model exclusion; application integrity checks and scanning; device provisioning

The application layer
  Examples of risk: operating system (OS) backdoors; malware; installed applications such as web browsers
  Mitigation options: digital certificates; OS signature validation; remote wiping

Communication channels: the channels over which data is transmitted from or received by the device
  Examples of risk: network spoofing; protocol vulnerabilities; Short Message Service/Multimedia Message Service (SMS/MMS) attacks; attacks against Global System for Mobile Communications (GSM); Wi-Fi honeypots; Bluetooth and even Global Positioning System (GPS) attacks
  Mitigation options: network security for Wi-Fi; encryption

Operators of the devices: the people who use them
  Examples of risk: impersonation; incorrect access levels
  Mitigation options: user verification and identity management; access protection; device registration; device authentication

The focus of security should be on the protection of corporate data and how it is accessed and/or stored.
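The last row of the table (impersonation and incorrect access levels, mitigated by device registration, device authentication and access protection) and the "follow the data" guideline below can be made concrete in a small model. The following is an added example, not code from the original post, Deloitte or Oracle. It assumes a hypothetical enrollment flow in which each registered device is bound to a user and a role and provisioned with its own secret; every request is then authenticated with an HMAC over the request fields (with a timestamp and nonce against replay), and the user's clearance is checked against the classification of the data requested. All names, resources and clearance levels are constructed for illustration; a real deployment would typically use per-device certificates or hardware-backed keys and an enrollment step gated by user verification.

```python
"""Device registration, device authentication and access protection (model).

Added example, not Deloitte's or Oracle's code. Hypothetical names throughout.
"""
import hashlib
import hmac
import secrets
import time

# Constructed data classifications and role clearances (hypothetical):
# the higher the number, the more sensitive the data / the higher the clearance.
RESOURCE_CLASS = {"/calendar": 1, "/sales-dashboard": 2, "/ip-vault": 3}
ROLE_CLEARANCE = {"staff": 1, "manager": 2, "executive": 3}

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too far from "now"


class DeviceRegistry:
    def __init__(self):
        self._devices = {}         # device_id -> {"secret": bytes, "user": str, "role": str}
        self._seen_nonces = set()  # replay protection (would be bounded/expired in production)

    def register(self, device_id, user, role):
        """Enrollment: bind a device to a user and role and provision a fresh secret.
        In practice this step runs only after the user has been verified (e.g. MFA)."""
        if role not in ROLE_CLEARANCE:
            raise ValueError("unknown role")
        secret = secrets.token_bytes(32)
        self._devices[device_id] = {"secret": secret, "user": user, "role": role}
        return secret  # delivered to the device over the provisioning channel

    def revoke(self, device_id):
        """Lost or stolen device: drop the binding so its secret no longer works."""
        self._devices.pop(device_id, None)

    @staticmethod
    def canonical(device_id, user, ts, nonce, resource):
        # Fixed field order and separator so client and server authenticate the same bytes.
        return "|".join([device_id, user, str(ts), nonce, resource]).encode()

    def sign(self, secret, device_id, user, ts, nonce, resource):
        """What the mobile client computes for each request."""
        msg = self.canonical(device_id, user, ts, nonce, resource)
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def authorize(self, device_id, user, ts, nonce, resource, tag, now=None):
        """Server-side check. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        entry = self._devices.get(device_id)
        if entry is None:
            return False, "unregistered device"
        if entry["user"] != user:
            return False, "device not bound to this user"  # impersonation attempt
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        expected = self.sign(entry["secret"], device_id, user, ts, nonce, resource)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False, "bad signature"
        self._seen_nonces.add(nonce)
        needed = RESOURCE_CLASS.get(resource)
        if needed is None:
            return False, "unknown resource"
        if ROLE_CLEARANCE[entry["role"]] < needed:
            return False, "insufficient access level"
        return True, "ok"


def run_scenarios():
    """Constructed scenarios; returns {scenario: reason} for each access attempt."""
    reg = DeviceRegistry()
    now = 1_700_000_000.0
    secret = reg.register("tablet-0042", "alice", "manager")
    out = {}

    def attempt(device_id, user, sec, resource, ts=now, nonce=None):
        nonce = nonce or secrets.token_hex(8)
        tag = reg.sign(sec, device_id, user, ts, nonce, resource)
        return reg.authorize(device_id, user, ts, nonce, resource, tag, now=now)[1]

    out["manager reads dashboard"] = attempt("tablet-0042", "alice", secret, "/sales-dashboard")
    out["manager reads ip vault"] = attempt("tablet-0042", "alice", secret, "/ip-vault")
    out["unregistered device"] = attempt("phone-0099", "alice", secret, "/calendar")
    out["wrong user on device"] = attempt("tablet-0042", "mallory", secret, "/calendar")
    out["guessed secret"] = attempt("tablet-0042", "alice", b"x" * 32, "/calendar")
    out["stale request"] = attempt("tablet-0042", "alice", secret, "/calendar", ts=now - 3600)
    fixed = "fixed-nonce"
    attempt("tablet-0042", "alice", secret, "/calendar", nonce=fixed)
    out["replayed request"] = attempt("tablet-0042", "alice", secret, "/calendar", nonce=fixed)
    reg.revoke("tablet-0042")
    out["revoked device"] = attempt("tablet-0042", "alice", secret, "/calendar")
    return out


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:28s} -> {reason}")
```

The point of the model is the ordering of checks: the device must be registered and bound to the claimed user before any data decision is made, the request must be fresh and unreplayed, and only then is the user's clearance compared with the classification of the data requested, so that protecting the data, not the device, is what the final decision turns on.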

Mobile computing is here to stay and brings with it its own baggage of risks, vulnerabilities and threats. With the growth of cloud-based services, mobile technology is ideally positioned not only to allow a productive workforce regardless of location, but also to blur the traditional corporate intranet/extranet/internet/VPN model even further.

So how are companies acting to address security concerns around this mobility trend? If not already defined, every company today should consider, at the very least, having a base mobile security strategy in place. Some guidelines towards this are:

  • Follow the data: As with any other type of access, identify the data that will be presented to or stored by the device, and then work to secure it, both when processes are being defined and when technologies are being implemented to protect and control access. Securing and protecting data should remain a higher priority than protecting the device itself. This includes residual data on the device, data being accessed via the device (pull) and data being transmitted to the device (push).

  • Do not focus on the device: When addressing mobile security, consider the overall mobile ecosystem, not just its most visible component, the device itself. Analyzing each layer for defense in depth and assessing the overall attack surface may help in developing a more efficient, wide-ranging risk mitigation strategy. Measures could include device and user registration/provisioning tools, disabling non-secure access, leveraging technologies to harden and protect devices, and establishing corporate policy before allowing access to the network, applications or data.

  • The People Factor: Not all threats can be addressed by tools, technologies and policies alone. Educating the end user and establishing simple but effective policies may go a long way in mobile device security. One decision that may shape the direction security must take is whether to use standard corporate-approved (or corporate-provided) devices or to implement a BYOD program. Hardware provisioning and secure authentication and access control mechanisms thus become important in verifying credentials and attesting to the actual identity of the person managing the device.

  • Simplify. Simplify. Simplify: This is often overlooked but cannot be stressed enough. Given the concept of "mobility", it is important to maintain a balance between ease of access, data availability and enterprise risk. There are tools and technologies available today that provide depth and strength in security with minimal overhead and a short learning curve. When you think about it, one of the main reasons for the speed of adoption of mobile devices has been the simplicity of the applications and the convenience of access. Why should a strategy around mobile security be presented any differently?

In conclusion, developing an overall enterprise strategy for mobility will typically be more effective if security is incorporated into the process at every stage rather than added as a bolt-on afterthought.

Mobility and productivity moving together is the status quo for the modern workforce and will be for some time to come. As such, there will always be challenges around mobile security and continuously evolving threats. Staying ahead of the curve and keeping it simple may help information security act as an enabler rather than a crutch to mobile adoption within the enterprise.

We welcome your thoughts and feedback on this blog. What is the current adoption level of mobile technologies within your enterprise? What risks/threats have you seen around mobile security and how were they addressed? Do you feel security has been an enabler or a crutch in quickly enabling a mobile workforce?

Look for our next post on Mobile Security coming next Thursday.

Gilson Wilson is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management. He has co-authored a paper titled “Unified Security Framework” published at the International Symposium on Information and Communication Technologies. He has also been a part of Oracle’s Deputy CTO program and has received an honorable mention Titan Award at Oracle Open World for Identity Management.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

