secure mobile working 1.0
DESCRIPTION
A presentation on the challenges of secure mobile working and what to do about them, for Infosec 2007. The data may be getting long in the tooth but the points are still valid today.
TRANSCRIPT
- 1 - Best practice security for the mobile enterprise
Jon Collins, Freeform Dynamics, July 2007
Best practice security for the mobile enterprise
A review of the challenges and approaches
Jon Collins, Service Director
Freeform Dynamics
[email protected] 2007
www.freeformdynamics.com

AGENDA
► Business drivers for mobile access
► Challenges of remote access
► Securing the mobile enterprise

Does mobile email create a business advantage?
[Chart: responses by organisation size, scale 0% to 100%]
► Organisation sizes: Enterprise (5000 plus emps); Mid-Market (250 to 500 emps); SMB/SOHO (less than 250 emps)
► Responses: Yes; Unsure - the jury is still out; No; It's not something we've ever looked at

Do you permit employees to access your systems from any of the following?
[Chart: responses per access method, scale 0% to 90%]
► Company laptop or handheld device while mobile
► Workstations other than their own on your premises
► Home PC, Web kiosk, internet café, etc
► Personal mobile device (smartphone, PDA, etc)

How prominent are the following threats to IT security?
[Chart: each threat rated High / Medium / Low (scale 0% to 100%), with a Decreasing / Increasing scale (-40% to 60%)]
► External parties attacking systems indiscriminately via spyware, viruses, etc
► External parties targeting your systems specifically via hacking, denial of service, etc
► Systems security breaches or exposures via employees acting carelessly or deliberately
► Ad hoc exposures from loss or theft of mobile devices, snooping of public networks, etc
A net increase is expected in the level of threat across the board

The issues are exacerbated by a conspiracy of circumstances…
► People are buying their own devices
► Mobile technologies are a work in progress
► Organisations have not thought things out in advance
► Lack of a joined up architecture for mobility
► Broadband and always-on access leave no breathing space

FREQUENTLY OVERLOOKED OR ILL-CONSIDERED RISKS
Inadvertent publishing
► Handheld devices: Careless mobile phone conversations allowing eavesdropping by those within earshot in public places
► Notebook PCs: Displaying confidential data on planes, trains and in other places where people can look over your shoulder
► Public/home terminals: Displaying confidential data in internet cafes and other places where people can look over your shoulder
Electronic snooping/theft
► Handheld devices: Leaving Bluetooth device in discoverable mode, risking hijacking or theft of on-board data
► Notebook PCs: Connecting to unknown or insecure WiFi networks or irresponsible use of ad hoc WiFi networks
► Public/home terminals: Use of insecure connections from public terminals or saving data/login information on home/public PCs
Physical loss or theft
► Handheld devices: Pick pocketing, snatching, burglary, leaving devices on public transport, client sites, in public places
► Notebook PCs: Snatching, theft from car, theft from desk, burglary, leaving PC on public transport, client sites, in public places
► Public/home terminals: Burglary, loss or theft of removable storage devices (USB keys, SD cards) used to move data between PCs

How easy is it to control the security risk arising from the proliferation of confidential data across workgroup servers, PCs, mobile devices, remote sites, etc?
[Chart: share of respondents per answer, scale 0% to 60%]
► Cannot completely control
► Controlling is a challenge
► Easy to control
► Unsure
Just the way in which technology use grows organically in a distributed manner represents a threat to security in itself

How prominent is the risk from security breaches or exposures via employees acting carelessly or deliberately?
[Chart: risk rated High / Medium / Low per respondent group, scale 0% to 100%]
► Tier 1 (5000+ emps)
► Tier 2 (500-5000 emps)
► Public Sector
► Communications
► Financial Services
► General Industry/Commerce
► Oil & Gas
Larger organisations in general are more concerned about the threat from employees, reflecting the “depersonalised” corporate culture.

Have concerns of risk exposure specifically held you back from taking full advantage of any of the following?
[Chart: responses Yes / No / Not relevant to us, scale 0% to 100%]
► IP communications, e.g. IP Telephony, unified comms
► Direct access to systems by partners, suppliers, etc
► Adoption of “software as a service”
► Adoption of home working practices
The opportunity cost associated with risk related concerns is clear

Considering IT security measures, what is the status of your capability in the following areas?
[Chart: status per area, scale 0% to 100%: Fully implemented / More work required / Future activity / No interest / Not answered]
► Secure remote access (VPN, secure web access, etc)
► Content filtering, blocking and cleaning
► HR policies to deal with actual or suspected breaches
► Centralised security management and administration
► Advanced authentication, including Single Sign-on (SSO)
► Encryption of data on live storage devices
► Digital rights management, inc digital signatures
► Intrusion detection and prevention
► Identity management, inc role based access & provisioning
► Forensic tools to investigate security breaches & attempts

KEYS TO SECURE MOBILE WORKING
► RIGHT SUPPLIERS: Try to select vendors who understand your type of business and are willing to provide help and advice
► RIGHT TECHNOLOGY: Ensure that selected technologies are securable as well as functional
► SMART DEPLOYMENT: Implement technology in a controlled and structured manner and strive for consistency wherever possible
► SMART USE: Ensure that users are properly trained, appreciate the risks and know how to deal with them

What does this mean in practice?
► Always remember who is in charge
► Remind users of their obligations
► Spell out the risks very clearly
► Consider all aspects of mobile working
► Make it easy for users to cooperate
► Put the necessary support into place
► Provide the right kind of instruction

How would you rate your employees' attitude towards mobile data security?
[Chart: attitude rated Good / Variable / Poor by training approach, scale 0% to 100%]
► Those providing instruction via formal classroom training
► Those providing individual training when issuing devices
► Those relying on written guidelines
► Those relying on users figuring it out for themselves
There’s no substitute for proactive training when it comes to security

Thank You
Jon Collins, Service Director
Freeform Dynamics
[email protected] 2007
www.freeformdynamics.com