Security in a Mobile Age
(Transcript of a PowerPoint presentation)
The IT Manager’s Nightmare...
“Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, … oh, and I decided I couldn’t wait, so here is mine so that you can get me connected today.”
Disruptive Technologies
1980’s: The Microcomputer
1980’s: The Network
1990’s: Personal Email
1990’s: The Web
2000’s: Smart Phones
2010’s: Mobile Computing Devices
Mobile Computing Security Challenges
Whatever happened to the network perimeter?
Is that one of our devices?
Is that really one of our users?
Where is our data?
No, I said it’s our data, not your data.
Yes, I know that it’s a clever app.
Who’s in charge of these !@(*#^)* things anyway?
Security Taxonomy
Physical Security
Storage Security
Perimeter Security
Identity Management
Internal Security
Security Management
Encryption
Mobile Device Security
Mobile Device Policy
Best Practices for Policy
Engage the business
Understand their mobile computing requirements
Survey your workforce
Establish a corporate strategy based on requirement vs risk
Best Practices for Policy
Establish levels of ‘service’
Tier 1
○ Corporate owned devices
○ PIM and business applications
Tier 2
○ Corporate or user owned devices
○ Lightly managed and supported (eg mail/calendar)
Tier 3
○ User owned devices
○ Web based access only
○ Unsupported
Best Practices for Policy
Reserve the right to manage ALL devices with access to corporate resources
Includes connections to internal wireless LANs and connections to PCs.
Require installation of your security profile on all devices as a condition of access.
Best Practices for Policy
Isolate corporate data from private data
Sandboxing
Policy compliance
Application publication (no data at rest)
Best Practices for Policy
Enforce strong security controls
Passwords
Auto lock
Remote wipe
Certificates
Encryption
Enforced device policy
Best Practices for Policy
Consider disabling device functions that conflict with business activities
Camera
App stores
Cloud storage services
YouTube
Explicit content
Best Practices for Policy
Enforce acceptable use policy
Cover current and future devices
“Everywhere” access means wiping a device when the employee leaves the organisation... and that may include their own personal device if it has been used to access corporate systems.
Best Practices for Policy
Determine how users will be provisioned with applications
The use of ‘app’ stores is fine with only a few users but can become unwieldy with many users
Start with basic applications (email, collaboration, productivity)
Layer on advanced applications
Best Practices for Policy
Proactively monitor voice and data usage
Implement ongoing recording of usage
Best Practices for Policy
Require users to back up their own data
If it’s their information, they are responsible for it.
Assert the right to wipe the device if it is lost or stolen
Assert the right to wipe the device when the employee leaves
Best Practices for Policy
Teach users about ‘stranger danger’
No reading of sensitive information in uncontrolled areas...
○ Aircraft
○ Trains
○ Supplier offices
Close/lock the devices when not in use. Beware of theft.
Best Practices for Policy
Require users to understand and agree with policy
Security policies don’t belong in a book
Publish policies for all users to read
Review the policies annually
Best Practices for Policy
Address the ramifications of non-compliance with policy
Usage infractions
Unauthorised application installation
Inappropriate material
Not reporting lost devices
Excessive personal use
OK, So You’ve Got Your New Toys, Now What?
Learn to walk before you can fly!
Implement a mobile device management system
Establish a base device policy
Enforce that policy
Device Policy #1: Enable Password Protection
Require a PIN code after power on
Require a PIN code after auto lock
Minimum of 4 digits, preferably longer if the device supports it
(A 4-digit PIN has only 10,000 combinations, so it protects the device only in combination with the wipe-on-failed-attempts rule in Policy #3.)
Device Policy #2: Lock the Device
Always enable auto-lock on mobile devices
Keep the lock period as short as possible
Device Policy #3: Enable Wiping
Wipe on more than five invalid PIN code entries
Remote wipe in the event of loss or theft; easily implemented in Exchange (ActiveSync mailbox policies), Keriomail and BES
Set up a lost device hotline
Wipe devices prior to disposal
(A remote wipe only takes effect when the device next connects to the server, so a thief who keeps the device offline can defeat it; the local wipe on failed PIN entries and device encryption are the fallback.)
Device Policy #4: Turn on Device Encryption
iOS 4.x, 5.x: all user data is automatically encrypted (file-level Data Protection keys are derived from the passcode, so the PIN policy above is what makes this encryption meaningful)
Android: information on removable media is not encrypted by default (full-device encryption is available from Android 3.0 onward but is not enabled by default)
Windows Phone 7: encryption not supported
○ “It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device”.
Windows 8: expected to be supported when it is released
Device Policy #5: Encrypt Data in Transit
Enable SSL/TLS encryption for mail, sync and web access
Use digital certificates, and have devices validate the server certificate rather than accept any certificate presented
Device Policy #6: Update Frequently
Keep the operating system and applications up to date
Enable auto update if available
Device Policy #7: Control Network Connections
Disable network services if not required
○ Wifi
○ Bluetooth
○ Infrared
Restrict WiFi connections to authorised networks
Device Policy #8: Install AntiVirus Software
Install AntiVirus software wherever practical
Controlled and scrutinised application release minimises the threat
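To make the eight device policies above enforceable rather than aspirational, an MDM (or a home-grown compliance check fed from its inventory export) has to evaluate every enrolled device against them and deny access to the ones that fail. The following Python is an added example, not code from the presentation: it encodes policies #1 to #8 as rules over a device inventory record and reports each violation, including the platform caveats from policy #4 (a Windows Phone 7 device cannot encrypt at all, and Android removable media is unencrypted unless enforced). The record layout, the threshold values (a 5-minute auto-lock ceiling, the authorised SSID name, which platforms anti-virus is "practical" on) and the three sample devices are all assumptions constructed for the example.

```python
"""Evaluate device inventory records against the base device policy (#1-#8).

Added example; not code from the presentation. The record layout, the
threshold values and the sample devices are constructed for illustration.
"""
from dataclasses import dataclass, field

MIN_PIN_DIGITS = 4            # Policy #1: minimum 4 digits, longer if supported
MAX_AUTO_LOCK_SECONDS = 300   # Policy #2: "as short as possible" (assumed 5 min ceiling)
MAX_FAILED_PINS = 6           # Policy #3: wipe on more than five invalid entries
AUTHORISED_SSIDS = {"corp-wlan"}              # Policy #7 (assumed network name)
REQUIRED_RADIOS = {"wifi"}                    # Policy #7: anything else is disabled
NO_ENCRYPTION_PLATFORMS = {"windows_phone_7"}  # Policy #4 (per the slides)
AV_PRACTICAL_PLATFORMS = {"android"}           # Policy #8 (assumption)


@dataclass
class DeviceRecord:
    name: str
    platform: str                  # "ios", "android", "windows_phone_7"
    pin_required: bool
    pin_length: int
    auto_lock_seconds: int         # 0 = auto-lock disabled
    wipe_after_failed_pins: int    # 0 = never wipe locally
    remote_wipe_enrolled: bool     # e.g. enrolled in Exchange/MDM remote wipe
    storage_encrypted: bool
    removable_media_present: bool
    removable_media_encrypted: bool
    tls_only: bool                 # mail/sync traffic forced over TLS
    auto_update: bool
    wifi_networks: list[str] = field(default_factory=list)
    radios_enabled: set[str] = field(default_factory=set)
    antivirus_installed: bool = False


def check_device(d: DeviceRecord) -> list[str]:
    """Return the list of policy violations for one device (empty = compliant)."""
    v: list[str] = []
    # Policy #1: password protection
    if not d.pin_required:
        v.append("P1: no PIN required")
    elif d.pin_length < MIN_PIN_DIGITS:
        v.append(f"P1: PIN has {d.pin_length} digits, minimum is {MIN_PIN_DIGITS}")
    # Policy #2: auto-lock, with a short lock period
    if d.auto_lock_seconds <= 0:
        v.append("P2: auto-lock disabled")
    elif d.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        v.append(f"P2: auto-lock after {d.auto_lock_seconds}s exceeds {MAX_AUTO_LOCK_SECONDS}s")
    # Policy #3: local wipe on failed PINs plus remote wipe capability
    if not 0 < d.wipe_after_failed_pins <= MAX_FAILED_PINS:
        v.append("P3: local wipe on failed PIN entries not enforced")
    if not d.remote_wipe_enrolled:
        v.append("P3: device not enrolled for remote wipe")
    # Policy #4: encryption, with the platform caveats from the slides
    if d.platform in NO_ENCRYPTION_PLATFORMS:
        v.append("P4: platform cannot encrypt storage; restrict to web-only (Tier 3) access")
    elif not d.storage_encrypted:
        v.append("P4: device storage not encrypted")
    if d.removable_media_present and not d.removable_media_encrypted:
        v.append("P4: removable media not encrypted")
    # Policy #5: data in transit
    if not d.tls_only:
        v.append("P5: sync traffic not restricted to TLS")
    # Policy #6: updates
    if not d.auto_update:
        v.append("P6: automatic updates disabled")
    # Policy #7: only required radios on, only authorised Wi-Fi joined
    extra = d.radios_enabled - REQUIRED_RADIOS
    if extra:
        v.append(f"P7: unneeded radios enabled: {sorted(extra)}")
    unauthorised = set(d.wifi_networks) - AUTHORISED_SSIDS
    if unauthorised:
        v.append(f"P7: joins unauthorised Wi-Fi: {sorted(unauthorised)}")
    # Policy #8: anti-virus where practical
    if d.platform in AV_PRACTICAL_PLATFORMS and not d.antivirus_installed:
        v.append("P8: anti-virus not installed")
    return v


def audit(devices: list[DeviceRecord]) -> dict[str, list[str]]:
    """Map each device name to its violations; deny access where the list is non-empty."""
    return {d.name: check_device(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    DeviceRecord("board-ipad-01", "ios", True, 6, 120, 6, True, True, False, False,
                 True, True, ["corp-wlan"], {"wifi"}),
    DeviceRecord("sales-android-07", "android", True, 4, 900, 0, True, True, True, False,
                 True, False, ["corp-wlan", "CafeFreeWiFi"], {"wifi", "bluetooth"}, False),
    DeviceRecord("exec-wp7-02", "windows_phone_7", True, 4, 60, 6, True, False, False, False,
                 True, True, ["corp-wlan"], {"wifi"}),
]

if __name__ == "__main__":
    for name, violations in audit(SAMPLE_DEVICES).items():
        print(name, "COMPLIANT" if not violations else "")
        for item in violations:
            print("   ", item)
```

Running it shows the corporate iPad passing, the Android handset failing on seven counts (lock period, local wipe, unencrypted SD card, updates, Bluetooth, an unauthorised hotspot, no anti-virus) and the WP7 device failing only on encryption, which is the case the slides single out: the device does the rest correctly but the platform itself cannot meet policy #4, so the check recommends dropping it to Tier 3 web-only access rather than treating it as a fixable misconfiguration.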
Strategy Decisions: BYOD (Bring Your Own Device)
Your data, their device, your risk
Firmly establish a data centric security strategy before even considering a BYOD strategy
Strategy Decisions: Application Publication Model
Securely publish applications to mobile devices from your data centre
Removes data at rest risk
Device agnostic approach
Requires good data centre bandwidth
Enabler for BYOD strategy
Going Full Circle?
Conclusion
Mobile devices/tablets are a game changing technology
Successful (and secure) deployment requires an effective policy and an effective strategy