Monthly Archives: September 2014

Risk Management in a Mobile World

Introduction

Mobile devices are rapidly becoming the primary end-user computing platform at area companies. The broad user experience, computing capabilities, and always-on connectivity combine to make mobile devices very compelling PC replacements. However, this shift to mobile computing challenges existing secure IT environments. IT management must consider new approaches to securing corporate data and minimizing risk when so many new variables are introduced. “How do these mobile devices expose our company?” is a common question. Organizations that take a mobile-first approach are already seeing benefits for employees and managers, including efficiency, competitive differentiation and heightened innovation. Every new approach, though, needs to be evaluated for new risks as well as benefits, so let’s take a minute to survey this new risk/benefit landscape.

Going Mobile

Consider the two key reasons why IT needs to adopt new strategies for securing corporate data on mobile, as compared to PCs, when pursuing a strategy to heighten user productivity.

Reduced IT control over mobile devices: The mobile era is all about the end user. They get to pick a mobile platform that best meets their personal preferences, with the expectation that the device should also work in a business context for the full range of apps and content needed to stay productive. This is in stark contrast to the PC era, where IT offered end-users an approved PC with a set of pre-selected apps. End-users had very limited say in what the PC was able to access, and IT had the ability to control every aspect of the corporate-owned device, from physical ports to software and application versions. For mobile, end-users make the decision on many of these variables and IT can only recommend devices and applications. IT has no way to enforce a standard OS, device or app across the organization. In fact, the more IT tries to lock down devices, the more end-users will try to bypass policies, increasing risk to the organization.

Old security models must adapt to stay relevant: On PC operating systems, the agent-based security method worked well. This involved a piece of software residing on the PC that controlled the processes and data belonging to other applications. Unfortunately, this agent-based security model cannot be used to secure mobile devices because of differences in the way their operating systems are designed. Mobile operating systems use a sandboxed architecture that isolates each app and its data, so apps can only interact and share data through very well-defined mechanisms. This allows for greater security than the open file system used by PC operating systems, but it requires new tools that leverage the specific security capabilities made available by the device vendor itself.

Threats to Mobility

As trends such as the use of mobile devices to enhance enterprise productivity take hold, organizations are being exposed to a variety of information security risks and threats. Threats introduced by mobile can be grouped into three categories:

Device based threat vectors

Mobile devices enable end-users to perform a variety of business-related tasks such as receiving email and accessing, editing and sharing corporate content via a variety of productivity apps. As a result, mobile devices store a significant amount of sensitive data. This data can be compromised in a variety of ways due to:

  • Always-on connectivity which could allow unauthorized parties to access business data.
  • Software that allows “jailbreak” or “rooting” of devices, compromising data security.
  • Portability making the devices susceptible to theft and misplacement.

Network based threat vectors

The always-on model requires mobile devices to be constantly connected to the internet. As a result, end-users might rely on untrusted public networks enabling malicious parties to access and intercept transmitted data using

  • Rogue access points
  • Wi-Fi sniffing tools
  • Sophisticated Man-in-the-Middle attacks

User based threat vectors

Mobile empowers end-users. While this is great for user-choice, well-meaning end-users often indulge in risky behaviors that could compromise business data. Examples of risky behaviors include:

  • Using un-approved cloud-based apps to share and sync data
  • Using un-approved productivity apps that maintain copies of corporate data
  • Jailbreaking/rooting devices to bypass security controls
  • Using malicious apps from un-approved app-stores
  • Exposing business data with malicious intent

While one may argue that the list of threat vectors introduced by mobile devices is similar to those introduced by laptops and similar portable PC-based devices, the fundamental differences between mobile and PC operating systems require IT to adopt purpose-built Enterprise Mobility Platforms to mitigate the risks introduced by mobile.

Countermeasures for New Risks

Implementing data loss prevention on mobile devices requires a layered security approach. This layered security approach can be implemented using the controls listed below:

1) Secure operating system

2) Strong Authentication

3) Remote wipe

4) Device Encryption

5) Data sharing

6) Network security

7) Application lifecycle management

8) Secure browsing

Below are descriptions of the data loss prevention requirements and specific controls.  Each class of controls can include basic controls, which directly address the requirements, supplemental controls, which strengthen the basic controls, and compensating controls, which apply when no basic control is available. These layered security controls, together, establish a data loss prevention model for Mobile.

Secure operating system

Secure applications to prevent malware from accessing application data – Configure apps to access data only when essential.

Provide a safe application ecosystem – Stores such as Google Play and the Apple App Store are tightly curated to minimize the likelihood of malware in posted apps. Apple prohibits certain backdoors, such as downloading new executable code into an already approved app. Apps can also be immediately revoked from app stores if they are later found to violate policies. Add additional tools to ensure malware is minimized.

Patch OS vulnerabilities quickly – Ensure devices are configured to automatically update as patches are released.

Strong Authentication

Remotely configure password policy

Auto-wipe device after a certain number of failed authentication attempts

Enforce identity for enterprise services

Remote wipe

For company-owned devices, remotely wipe all the data on the device

For employee-owned devices, remotely wipe ONLY the enterprise data on the device

Encryption

Encrypt all enterprise data-at-rest on the device

Encrypt all enterprise data-in-motion to and from the device

Encrypt all enterprise data in secure apps

Data sharing

For corporate email in the native email app:

  • Do not allow attachments to be opened in an unauthorized app
  • Do not allow forwarding through a personal email account
  • Do not allow copy/paste, printing, or screenshots of email text
  • Do not allow backup of email outside IT control

For corporate apps:

  • Do not allow app data to be accessed by unauthorized apps
  • Do not allow copy/paste, printing, or screenshots of app data
  • Do not allow backup of app data outside IT control

Network security

Prevent data loss as enterprise data traffic travels through public cellular and Wi-Fi networks outside IT control.  VPN: For companies that have standardized on device-wide VPN technology from vendors like Cisco and Juniper, the VPN service should be configured to provide a secure channel for data.

Application lifecycle management

Prevent rogue apps from being downloaded to device

Blacklist unauthorized apps

Whitelist authorized apps

Publish and distribute enterprise apps

Update enterprise apps

Secure browsing

Allow secure access to enterprise web apps located behind the firewall

Prevent data loss of downloaded documents and cached web content

Protect against “drive by” malware browser attacks
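The layered controls above can be expressed as a single compliance check that an enterprise mobility platform runs against each device before granting access to corporate data. The following is an added illustration written for this post, not code from any vendor’s EMM product: it evaluates a device inventory record against the secure-OS, strong-authentication, encryption and application-lifecycle controls, then applies the remote-wipe rule from the post (full wipe for company-owned devices, enterprise data only for employee-owned ones). The minimum OS versions, failed-unlock threshold, approved stores, bundle identifiers and sample devices are all assumed values constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical policy values (assumptions for this illustration, not taken from the post).
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {"iOS": (8, 0), "Android": (4, 4)}
MAX_FAILED_UNLOCKS = 10                                   # auto-wipe threshold
APPROVED_STORES = {"Apple App Store", "Google Play", "Enterprise catalog"}
BLOCKLISTED_APPS = {"com.example.cloudsync"}              # hypothetical un-approved sync app


@dataclass
class Device:
    """One inventory record as an EMM agent would report it (constructed schema)."""
    device_id: str
    platform: str
    os_version: Tuple[int, int]
    corporate_owned: bool
    jailbroken: bool
    storage_encrypted: bool
    passcode_set: bool
    failed_unlocks: int
    apps: List[Tuple[str, str]] = field(default_factory=list)  # (bundle id, source store)


def evaluate(device: Device) -> List[Tuple[str, str]]:
    """Return (control, finding) pairs for every layered control the device fails."""
    findings: List[Tuple[str, str]] = []

    # Control 1: secure operating system (no jailbreak/root, patched to the minimum version)
    if device.jailbroken:
        findings.append(("secure_os", "device is jailbroken/rooted"))
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        findings.append(("secure_os", f"unsupported platform {device.platform}"))
    elif device.os_version < minimum:
        findings.append(("secure_os", f"OS {device.os_version} below minimum {minimum}"))

    # Control 2: strong authentication (passcode enforced, failed-attempt limit)
    if not device.passcode_set:
        findings.append(("strong_auth", "no passcode configured"))
    if device.failed_unlocks >= MAX_FAILED_UNLOCKS:
        findings.append(("strong_auth", f"{device.failed_unlocks} failed unlock attempts"))

    # Control 4: device encryption for enterprise data-at-rest
    if not device.storage_encrypted:
        findings.append(("encryption", "storage encryption disabled"))

    # Control 7: application lifecycle management (blocklist, approved stores only)
    for bundle_id, store in device.apps:
        if bundle_id in BLOCKLISTED_APPS:
            findings.append(("app_lifecycle", f"blocklisted app {bundle_id}"))
        elif store not in APPROVED_STORES:
            findings.append(("app_lifecycle", f"{bundle_id} installed from unapproved store {store}"))
    return findings


def decide_action(device: Device, findings: List[Tuple[str, str]]) -> str:
    """Map findings to the response the post describes for control 3 (remote wipe)."""
    wipe_trigger = device.jailbroken or device.failed_unlocks >= MAX_FAILED_UNLOCKS
    if wipe_trigger:
        # Company-owned: wipe everything. Employee-owned: wipe only the enterprise data.
        return "full_wipe" if device.corporate_owned else "selective_wipe"
    if findings:
        return "block_enterprise_access"   # quarantine until the device is brought into compliance
    return "allow"


def compliance_report(devices: List[Device]) -> Dict[str, str]:
    """Evaluate a fleet and return device_id -> action."""
    return {d.device_id: decide_action(d, evaluate(d)) for d in devices}


# Constructed sample inventory: one compliant corporate device, one BYOD device with a
# blocklisted sync app, and one rooted BYOD device that has exceeded the unlock limit.
SAMPLE_DEVICES = [
    Device("corp-001", "iOS", (8, 1), True, False, True, True, 0,
           [("com.example.mail", "Apple App Store")]),
    Device("byod-002", "Android", (4, 4), False, False, True, True, 2,
           [("com.example.cloudsync", "Google Play")]),
    Device("byod-003", "Android", (4, 1), False, True, False, True, 12,
           [("com.example.game", "third-party-market")]),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        for control, finding in evaluate(dev):
            print(f"{dev.device_id}: [{control}] {finding}")
    print(compliance_report(SAMPLE_DEVICES))
```

The ownership flag is what separates the two wipe outcomes: the same jailbreak finding leads to a full wipe on a corporate device but only a selective wipe on an employee-owned one, which is the distinction the remote-wipe control above draws.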

Conclusion

The pressure to support new mobile operating systems will be a constant challenge for IT departments because operating system and device choice are now determined by the consumer, not by the enterprise, and can change frequently. Mobile operating systems such as Android and iOS, together with enterprise mobility management (EMM) platforms, have matured to provide the layered security controls the enterprise requires to mitigate the risk of data loss on both corporate-owned and personally-owned devices. As a result of these controls, organizations can now support the new generation of mobile operating systems and devices that their user communities demand.

Feel free to contact Jeff Sheets or Bill Long with your questions about mobile device security.

jsheets@packerthomas.com

wlong@packerthomas.com

(800) 943-4278
(330) 533-9777

My 2%’s Worth

Any time I review an estate or trust income tax return, Form 1041, I pause on Line 15.  That’s the spot where a decision must be made to subject “Other deductions” to the 2% of income floor or to take full advantage of those deductions.

When I arrive at Line 15 I have already fully deducted, legitimately, several items that individuals would not be able to fully deduct on their personal returns.  For example, fiduciary fees, attorney fees, accounting fees, and return preparation fees are all fully deductible on Form 1041, but not on Form 1040.  On Form 1040, they would be subject to a 2% of adjusted gross income floor.

It is not surprising that I pause on Line 15.  This has been an unsettled area of the tax law for the past 28 years.  A lot of court cases have looked at the expenses being deducted there and compared them to the expenses incurred by individuals for the same services.  The cases have concluded that the fees are fully deductible if they were only incurred because the property is held in a trust or estate. If the fees could have been incurred by individuals owning the same type of property, the expenses are subject to the 2% floor.

This is illogical and inconsistent.  Welcome to the world of tax law.  It is just like the world of parenting, where we were often told, “You will do it that way because I said so.”

The vast majority of the expenses under scrutiny are normally labeled investment fees.  Well, we finally have final regulations about what to do with those fees, effective for tax years beginning on or after May 9, 2014.  That would include a decedent whose date of death is on or after that date.  On calendar 2015 returns, we will handle the five types of costs discussed in the regulations as follows:

1.  Ownership costs. Any costs incurred simply by owning the property will be subject to the 2% floor.   For example, these include: condominium fees, insurance premiums, maintenance and lawn service, and miscellaneous itemized deductions from passthrough entities.

2.  Tax preparation fees. Continuing to be fully deductible are the preparation of estate and GST tax returns, fiduciary income tax returns (the Form 1041), and the decedent’s final individual income tax return.

Bizarrely omitted from full deductibility is any other type of tax return, including the decedent’s final gift tax returns and final Form 114, Report of Foreign Bank and Financial Accounts.  In other words, all other return preparation costs are subject to the 2% floor.

3.  Appraisal fees. These are fully deductible by an estate or trust if incurred for determining the value of assets of a decedent’s estate; determining distributions, such as a unitrust payment; or preparing tax returns. All other appraisals are subject to the 2% floor.

4.  Fiduciary expenses. These costs to administer an estate, such as probate court costs, surety bond premiums, publishing legal notices, cost of death certificates, etc., are fully deductible.

5.  Investment advisory fees. This is usually the largest expense on Form 1041. It is now officially limited by the 2% floor. Banks and trust companies are allowed to break out the portion of their fees that relate to fiduciary, legal, and accounting fees. If broken out for you, you can fully deduct fiduciary, legal, and accounting fees.

In the years leading up to the final regulations, we were at various times told we could fully deduct investment fees and could not fully deduct investment fees.  As we tend to be consistent from year to year on tax returns, we will have to be vigilant to adopt the final regulations when preparing Form 1041.

The final regulations are fairly consistent with the proposed regulations that were issued for this in 2011.  So, for 2013 and 2014 returns and beyond, we should be limiting pure investment fees to the 2% floor.

Karen S. Cohen, CPA
Principal – Packer Thomas
Feel free to contact Karen with your questions: kcohen@packerthomas.com
(800) 943-4278
(330) 533-9777