Applied Mobile Chaos Theory
Description: A 12-step plan for ending the madness.
Transcript:
Applied ‘Mobile Chaos Theory’
…and NCA’s 12-step plan
to end the madness
© 2011 Network Computing Architects, all rights reserved
Presented by Brad Bemis
Our Modern Mobile Workforce
The term ‘mobile’ has changed.
It’s not just about phone calls
and web surfing though…
• ‘Always on’ availability
• Location-based services
• Credit card transactions
• Patient medical records
• Supply chain management
• Customer and partner collaboration
• Social media and social marketing
• Predictive analysis and unique targeting
The technology is getting smaller, faster, and smarter…
The Mobile Challenges We Face
While keeping up with the rapid pace
of innovation is our biggest challenge,
it’s only one of many…
• Our data is on the move
• The network perimeter is gone
• The edge is now driving the core
• IT services are now a commodity
• Cloud and social challenge tie ins
• Blurring of personal and business
• Balancing emerging risks vs. benefits
We must find ways to incorporate security controls
that address the four dimensions of mobility above…
Applied Mobile Chaos Theory
Chaos theory is more complicated
than what’s presented here, but:
• Chaos underlies complex systems
• Patterns can emerge from chaos
• Initial conditions play a big part
• Indicators of possible outcomes
• Equilibrium based on attractors
Mobile chaos theory is based on the idea that:
• Mobility is a complex system challenge
• Success is determined by initial conditions
• To achieve equilibrium takes real effort
Ending the Madness
We can’t just solve part of the problem. In order to fully
enable a modern mobile workforce, we should be looking
at things from a more holistic perspective:
• Needs
• Risks
• Policy
• Ecosystem
• Virtualization
• Device Management
• Identity Management
• End-Point Protection
• Remote Access
• Data Protection
• Training and Awareness
• Loss and Incident Handling
This approach is consistent with our long-standing
principles of ‘defense-in-depth’.
Needs
The needs of the many
The needs of the few
The needs of the one
What are your business needs?
What needs do various groups have?
What needs do specific individuals have?
• Identify the key stakeholders
• Gather formal requirements
• Define group/user profiles
Don’t forget about your compliance needs!
• Legal, regulatory, contractual…
Risks
What is your current risk posture?
What are your risk tolerance thresholds?
What are you doing to measure/manage risk?
• Understand the threat landscape
• Establish well-defined decision-making criteria
• Build an overall mobile strategy covering all bases
Include a risk assessment/analysis to help with planning!
• Use FAIR in a contextual manner…
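As an added illustration of the FAIR-based risk analysis the slide points to (example code written for this transcript, not NCA’s own material or anything published by the FAIR body of knowledge), a small Monte Carlo model of one constructed lost-device scenario; the control names, the vulnerability probabilities and the dollar ranges are made-up placeholders to be replaced with calibrated estimates:

```python
"""FAIR-style Monte Carlo for one constructed mobile risk scenario (added example).

A managed smartphone holding customer data is lost or stolen. FAIR factors
risk as Loss Event Frequency x Loss Magnitude, with LEF = Threat Event
Frequency x Vulnerability. All inputs are made-up (min, most likely, max)
calibration estimates, not measurements.
"""
import random
import statistics
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    tef: tuple             # lost/stolen devices per year (min, most_likely, max)
    vulnerability: float   # P(a lost device becomes a data-exposure event)
    loss_magnitude: tuple  # USD per exposure event (min, most_likely, max)

def triangular_mean(lo, mode, hi):
    return (lo + mode + hi) / 3

def expected_ale(s):
    """Closed-form expected annualized loss: E[TEF] * Vuln * E[LM]."""
    return triangular_mean(*s.tef) * s.vulnerability * triangular_mean(*s.loss_magnitude)

def simulate(s, runs=20000, seed=2011):
    """Sample one year per run; return mean and 90th-percentile annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lo, mode, hi = s.tef
        lef = rng.triangular(lo, hi, mode) * s.vulnerability  # stdlib order: low, high, mode
        lo, mode, hi = s.loss_magnitude
        losses.append(lef * rng.triangular(lo, hi, mode))
    losses.sort()
    return {"mean": statistics.fmean(losses), "p90": losses[int(0.9 * runs)]}

def risk_reduction(before, after):
    """Fraction of expected annual loss removed by the controls in `after`."""
    return 1 - expected_ale(after) / expected_ale(before)

# Same device population and per-event cost; only the control state differs.
BASELINE = Scenario("no PIN, no encryption, no remote wipe", (5, 15, 40), 0.60, (2_000, 10_000, 50_000))
HARDENED = Scenario("PIN + disk encryption + MDM remote wipe", (5, 15, 40), 0.05, (2_000, 10_000, 50_000))

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        r = simulate(s)
        print(f"{s.name}: expected ${expected_ale(s):,.0f}  simulated mean ${r['mean']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"expected loss removed by controls: {risk_reduction(BASELINE, HARDENED):.0%}")
```

Comparing the two scenarios turns the slide’s “risk tolerance thresholds” into a number that can be argued over, and the same structure carries over to the lost-device case in the incident-handling step.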
Policy
What does your policy framework cover?
What other security policies might apply?
What are your data classification policies?
• Define acceptable use
• Clarify and explain all expectations
• Get formal sign-off and acceptance
Mobile devices are just another end-point!
• Leverage what you already have…
Ecosystem
What platforms and models?
What carrier service provider(s)?
What kind of back-end infrastructure?
• Decide on purchased, BYOD, or mixed
• Research what carriers can offer you
• Consider virtualizing the back-end
These are some of the most critical decision points!
• Be sure to plan for the future (3 to 5 years)…
Virtualization
What are you doing about data mixing?
What are you doing to fully enable people?
What are you doing to keep the security balance?
• Consider mobile virtual machines
• Keep the current limitations in mind
• Understand how it’s different from sandboxing
Virtualization really is the answer to many challenges!
• Watch this technology closely as it evolves…
Device Management
What are you doing to lock devices down?
What are you doing to manage all of them?
What are you doing to keep track of everything?
• Review scope, capabilities, and limitations
• Build out written configuration standards
• Simplify provisioning and de-provisioning
Probably the single most important investment made!
• Make your decision based on clear requirements…
Identity Management
How are you authenticating to the device?
How are you authenticating to remote assets?
How are you authenticating with third parties?
• Enforce PINs and passphrases
• Look at multi-factor authentication
• Tie in to federated identity management
Identity is everything in a mobile, social, cloud-based world!
• Applies to people and assets…
End-Point Protection
What are you doing about mobile malware?
What are you doing to limit network dangers?
What are you doing to gain visibility into things?
• Use AV on the platforms it’s available for
• Consider available mobile firewall (FW) options
• Look into mobile end-point reporting
There are a lot of platform dependency issues here!
• Stay up to date on how the industry responds…
Remote Access
How are you providing access to resources?
How are you resolving file management issues?
How are you keeping data out of the public cloud?
• Use a reliable SSL client for remote access
• Consider a VDI-based model for mobility
• Build your own file management solution
File management is one of the biggest issues right now!
• Keep your data out of the public cloud…
Data Protection
How are you protecting the local data store?
How are you protecting data on removable cards?
How are you protecting data leaving the device?
• Disk encryption is still a key requirement
• Look into data loss prevention options
• Don’t forget about data classification
Routing data back to the corporate network may be possible!
• Keep an eye on this to use your existing tools…
Training and Awareness
How do people know what the policies say?
How do people know what is/isn’t acceptable?
How do people know where to go with issues?
• Have a formal awareness and training program
• Fold mobility into this larger program
• Keep folks up to date on changes
Security training/awareness is still the absolute best tool!
• Unfortunately it’s still the least used…
Loss and Incident Handling
What happens if a device is lost or stolen?
What happens if something suspicious occurs?
What happens if you experience an actual incident?
• Have a formal incident response plan
• Fold mobility into your existing plan
• Make sure folks know what to do
Everything we do is to avoid incidents – be prepared though!
• It only takes one for everything to change…
Closing the Loop
Everything is happening at such an incredibly fast pace –
it’s hard to keep up. In the future we may see more and
more integration between security options, but as it stands
today a holistic approach is needed, one that includes:
• Needs
• Risks
• Policy
• Ecosystem
• Virtualization
• Device Management
• Identity Management
• End-Point Protection
• Remote Access
• Data Protection
• Training and Awareness
• Loss and Incident Handling
…and, of course, NCA is happy to help!
Questions?
About the Author:
Brad Bemis is the CISO, Security Practice Manager, and Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA.
Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology.
Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between).
Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of on-line security forums, and much, much more.
Additional information can be found on Brad's professional blog at www.secureitexpert.com.
About NCA’s Information Security Practice:
NCA’s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:
• Program Management: Building and managing a holistic information security program.
• Governance: Incorporating security into enterprise or IT governance frameworks.
• Risk Management: Measuring and managing information security and other related risks.
• Compliance: Ensuring that all internal and external requirements are being met.
• Identity & Access Management: Managing identities and permissions for systems and users.
• Perimeter Defense & Firewall Management: Defending the borders between networks.
• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
• Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.
• Event Management & Incident Response: Detecting and responding to security incidents.
• Awareness & Training: Engaging people in the process of security on a daily basis.
Through a number of strategic partnerships we can also deliver additional services in the areas of:
• Managed Services: Managing the day-to-day operational security of information systems.
• Application Security & Penetration Testing: Validating controls for business applications.
Learn more today at http://www.ncanet.com
Or call 877-KNOW NCA (877-566-9622)