Secure Mobile Working 1.0

Best practice security for the mobile enterprise: A review of the challenges and approaches

Jon Collins, Service Director, Freeform Dynamics Ltd, [email protected], July 2007, www.freeformdynamics.com

Upload: jon-collins

Post on 28-Nov-2014


DESCRIPTION

A presentation on the challenges of secure mobile working and what to do about them, for Infosec 2007. The data may be getting long in the tooth but the points are still valid today.

TRANSCRIPT

Page 1: Secure Mobile Working 1.0

Best practice security for the mobile enterprise
A review of the challenges and approaches

Jon Collins, Service Director
Freeform Dynamics Ltd
[email protected]
July 2007

www.freeformdynamics.com

Page 2: Secure Mobile Working 1.0

AGENDA

► Business drivers for mobile access

► Challenges of remote access

► Securing the mobile enterprise

Page 3: Secure Mobile Working 1.0

Does mobile email create a business advantage?

[Chart, scale 0% to 100%]

► Enterprise (5000 plus emps)
► Mid-Market (250 to 500 emps)
► SMB/SOHO (less than 250 emps)

Legend: Yes / Unsure - the jury is still out / No / It's not something we've ever looked at

Page 4: Secure Mobile Working 1.0

Do you permit employees to access your systems from any of the following?

[Chart, scale 0% to 90%]

► Company laptop or handheld device while mobile
► Workstations other than their own on your premises
► Home PC, Web kiosk, internet café, etc
► Personal mobile device (smartphone, PDA, etc)

Page 5: Secure Mobile Working 1.0

How prominent are the following threats to IT security?

[Chart, two panels: prominence (High / Medium / Low, scale 0% to 100%) and trend (Decreasing / Increasing, scale -40% to 60%)]

► External parties attacking systems indiscriminately via spyware, viruses, etc
► External parties targeting your systems specifically via hacking, denial of service, etc
► Systems security breaches or exposures via employees acting carelessly or deliberately
► Ad hoc exposures from loss or theft of mobile devices, snooping of public networks, etc

A net increase is expected in the level of threat across the board

Page 6: Secure Mobile Working 1.0

The issues are exacerbated by a conspiracy of circumstances…

► People are buying their own devices
► Mobile technologies are a work in progress
► Organisations have not thought things out in advance
► Lack of a joined up architecture for mobility
► Broadband and always-on access leave no breathing space

Page 7: Secure Mobile Working 1.0

FREQUENTLY OVERLOOKED OR ILL-CONSIDERED RISKS

Inadvertent publishing

► Handheld devices: Careless mobile phone conversations allowing eavesdropping by those within earshot in public places
► Notebook PCs: Displaying confidential data on planes, trains and in other places where people can look over your shoulder
► Public/home terminals: Displaying confidential data in internet cafes and other places where people can look over your shoulder

Electronic snooping/theft

► Handheld devices: Leaving Bluetooth device in discoverable mode, risking hijacking or theft of on-board data
► Notebook PCs: Connecting to unknown or insecure WiFi networks or irresponsible use of ad hoc WiFi networks
► Public/home terminals: Use of insecure connections from public terminals or saving data/login information on home/public PCs

Physical loss or theft

► Handheld devices: Pickpocketing, snatching, burglary, leaving devices on public transport, client sites, in public places
► Notebook PCs: Snatching, theft from car, theft from desk, burglary, leaving PC on public transport, client sites, in public places
► Public/home terminals: Burglary, loss or theft of removable storage devices (USB keys, SD cards) used to move data between PCs

Page 8: Secure Mobile Working 1.0

How easy is it to control the security risk arising from the proliferation of confidential data across workgroup servers, PCs, mobile devices, remote sites, etc?

[Chart, scale 0% to 60%]

► Cannot completely control
► Controlling is a challenge
► Easy to control
► Unsure

Just the way in which technology use grows organically in a distributed manner represents a threat to security in itself

Page 9: Secure Mobile Working 1.0

How prominent is the risk from security breaches or exposures via employees acting carelessly or deliberately?

[Chart, scale 0% to 100%]

► Tier 1 (5000+ emps)
► Tier 2 (500-5000 emps)
► Public Sector
► Communications
► Financial Services
► General Industry/Commerce
► Oil & Gas

Legend: High / Medium / Low

Larger organisations in general are more concerned about the threat from employees, reflecting the “depersonalised” corporate culture.

Page 10: Secure Mobile Working 1.0

Have concerns of risk exposure specifically held you back from taking full advantage of any of the following?

[Chart, scale 0% to 100%]

► IP communications, e.g. IP Telephony, unified comms
► Direct access to systems by partners, suppliers, etc
► Adoption of “software as a service”
► Adoption of home working practices

Legend: Yes / No / Not relevant to us

The opportunity cost associated with risk related concerns is clear

Page 11: Secure Mobile Working 1.0

Considering IT security measures, what is the status of your capability in the following areas?

[Chart, scale 0% to 100%]

► Secure remote access (VPN, secure web access, etc)
► Content filtering, blocking and cleaning
► HR policies to deal with actual or suspected breaches
► Centralised security management and administration
► Advanced authentication, including Single Sign-on (SSO)
► Encryption of data on live storage devices
► Digital rights management, inc digital signatures
► Intrusion detection and prevention
► Identity management, inc role based access & provisioning
► Forensic tools to investigate security breaches & attempts

Legend: Fully implemented / More work required / Future activity / No interest / Not answered

Page 12: Secure Mobile Working 1.0

KEYS TO SECURE MOBILE WORKING

► RIGHT SUPPLIERS: Try to select vendors who understand your type of business and are willing to provide help and advice
► RIGHT TECHNOLOGY: Ensure that selected technologies are securable as well as functional
► SMART DEPLOYMENT: Implement technology in a controlled and structured manner and strive for consistency wherever possible
► SMART USE: Ensure that users are properly trained, appreciate the risks and know how to deal with them

Page 13: Secure Mobile Working 1.0

What does this mean in practice?

► Always remember who is in charge
► Remind users of their obligations
► Spell out the risks very clearly
► Consider all aspects of mobile working
► Make it easy for users to cooperate
► Put the necessary support into place
► Provide the right kind of instruction

Page 14: Secure Mobile Working 1.0

How would you rate your employees' attitude towards mobile data security?

[Chart, scale 0% to 100%]

► Those providing instruction via formal classroom training
► Those providing individual training when issuing devices
► Those relying on written guidelines
► Those relying on users figuring it out for themselves

Legend: Good / Variable / Poor

There’s no substitute for proactive training when it comes to security

Page 15: Secure Mobile Working 1.0

Thank You

Jon Collins, Service Director
Freeform Dynamics Ltd
[email protected]
July 2007

www.freeformdynamics.com