Mobile Device Security
Presented by Terry Daus, CISSP
To the ISSA Las Vegas Chapter, April 13, 2011

Agenda
• Definition
• People
• Technology
• Policy

SmartPhone Definition
A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 player, video viewing and often video calling. In addition to their built-in functions, smartphones can run myriad applications, turning the once single-minded cellphone into a mobile computer.
Source: PC Magazine Encyclopedia

People
What do they want?
• “Only carry one”
• Anywhere access
• Any device supported
• Transparent security

Business
What does management want?
• Lower cost
• Low support overhead
• “Increased Productivity”
• Any device supported
• Transparent security

Business Implications/Questions
• Is the business willing to securely support a mix of personal/business data and smartphones/tablets?
• Remote access - to how much?
• Authority over data?
• Is the value worth the cost?
Policy
Source: Symantec

No Easy Answers
• What are your organization’s compliance requirements?
• Which rewards does management want to balance against risk and cost?
  • Compliance
  • Strategic mobility
  • Employee productivity/creativity/retention
More Management Questions…
• Is confidential data allowed on mobile devices?
• Are personally-owned mobile devices allowed access?
• Who has authority/responsibility for…
  • Who gets company-issued smartphones?
  • Who gets access from smartphones, and to what?
  • Purchasing smartphones
  • Provisioning smartphones
  • Securing/monitoring smartphones?
  • Support of Organization-owned (O)? Personally-owned (P)?
Standards/Operational Notes…
• What are O mobile devices allowed access to? Is it different for P?
• Will you list specific devices supported, or just OS versions?
• Who is going to test all the new devices? How often? What about application maintenance?
• (How) do you wipe a P phone at termination?
• Crawl/Walk/Run or Flash Cut?
Policy Design Suggestions
• Review others’ policies for ideas
• Review your laptop policy
• Involve stakeholders in requirements and design
• Communicate early and often
• Stakeholders
  • IT (they have to make the tech work)
  • Finance (our buddies with the budget)
  • Users (they hate change too – be nice)
Device Scenarios
• Pure Monolithic – typically BES
  • Organization (O) owned only
• Mixed Monolithic
  • O or Personally (P) owned
• Mail System w/Supported Security
  • O, O/P, limited to native OSs
• 3rd Party Mgmt Software (in-house, hosted, managed) – multiple device types
Native Security in the OS
From Most to Least Complete Options
• Blackberry
• Windows Mobile (6.1 and 6.5 only)
• iPhone
• Android
• Windows Mobile 7
• Symbian?
• Nokia?
Mobile Security Basic Requirements
• Passwords, not PINs
• Remote wipe
• Secure Email/Calendar sync
• Device and storage card encryption

Mobile Security Advanced Requirements
• Disable capabilities (removable storage, camera, Bluetooth, IR, etc…)
• Two-factor authentication
• Failed attempts lock/wipe
ActiveSync Client Comparison
• Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-client-comparison-table.aspx#cite_note-3

ActiveSync Client Comparison 2
• Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-client-comparison-table.aspx#cite_note-3
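As an added example (not part of the presentation), this Exchange 2010 Management Shell script maps the basic and advanced requirements above onto an Exchange ActiveSync mailbox policy; the policy name "Corp-Smartphone-Baseline" and the mailbox alias "jdoe" are constructed placeholders.

```powershell
# Added example, not from the presentation. Splatting keeps each setting
# commented without breaking PowerShell line continuation.
$baseline = @{
    Name                               = "Corp-Smartphone-Baseline"  # constructed name
    # Basic requirement: passwords, not PINs
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true       # letters required, not digits only
    AllowSimpleDevicePassword          = $false      # blocks "1234", "abcd" style values
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    MaxInactivityTimeDeviceLock        = "00:05:00"  # auto-lock after 5 idle minutes
    # Advanced requirement: failed attempts lock/wipe (device wipes itself)
    MaxDevicePasswordFailedAttempts    = 10
    # Basic requirement: device and storage card encryption
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    # Advanced requirement: disable capabilities
    AllowStorageCard                   = $false
    AllowCamera                        = $false
    AllowBluetooth                     = "Disable"   # Disable | HandsfreeOnly | Allow
    AllowIrDA                          = $false
    # Refuse any client that cannot enforce every setting above. This is why the
    # client comparison table matters: a device whose EAS client lacks a required
    # feature (e.g. encryption) is denied sync instead of being silently exempted.
    AllowNonProvisionableDevices       = $false
}
New-ActiveSyncMailboxPolicy @baseline

# Two-factor authentication is not an EAS policy setting; it has to come from
# the VPN/MDM layer, which is why it sits on the "advanced" slide.

# Apply the policy to a mailbox (alias is a constructed placeholder).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Corp-Smartphone-Baseline"

# Basic requirement: remote wipe. List the user's partnered devices, then issue
# the wipe against the chosen device identity (confirmation prompt kept on purpose).
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceType, DeviceModel, LastSuccessSync, Identity -AutoSize
Clear-ActiveSyncDevice -Identity "<DeviceIdentity from the list above>"
```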
Interesting Android Factoids
• Android 2.2 supports all the basic security requirements except encryption
• Android 3.0 (Honeycomb) provides encryption, but is currently only on tablets and one phone
• Carriers modify Android, sometimes badly
• NitroDesk Touchdown (Android Market or direct, $20) adds device and storage card encryption (3DES) to 2.2
3rd Party Security Options
• Mobile Device Management (MDM)
• Not just security – can have operations management and deployment capabilities
  • Asset management
  • Application whitelist
  • Deploy in-house apps
  • Deploy patches/upgrades

MDM Deployment Options
Which one fits your organization better?
• In-House
• In-House with external comm center
• Hosted
• Managed Service
Example MDM 1: Good Technology
• Encrypts Android 2.1 and above, and iPhone 3G and above
• Separation of data and apps from OS in encrypted sandbox
• Can control transfer of data to personal side (contacts typically)
• Onsite servers transmit through Good telecomm datacenters – no ActiveSync

Example MDM 2: Mobile Iron
• Suite of applications for security, asset management, and expense
• Self-service portal for apps, communications search/history, and usage
• Encrypts iPhones, Androids (with integrated Touchdown), integrates with BES

Example MDM 3: Air-Watch
• Can be purchased as a cloud service, appliance, or software
• Encrypts iPhones but not Android 2.x

Example MDM 4: Verizon Managed Mobility Service
• 750 employee accounts minimum
• Based on Sybase solutions
• Services include inventory & expense mgmt, provisioning and logistics, and Sybase (policies, security, app store)
• Note: Sybase did not support iOS4 or Android until Oct 2010
CISO Mobility Challenges
• Employee and management requirements often conflict
• Consumer-grade products = security an afterthought or non-existent
• Proprietary OS = complexity, inequality, lack of standards
• Immature market = rapid change

CISO Mobility Recommendations
• Perform constant market research
• Provide non-technical executive management enough information to make informed risk decision(s) regarding mobile devices
  • Immature market = limited choices, constant change
  • Set realistic expectations – no Holy Grail
  • Communicate risks in business terms
• Crawl/Walk/Run
Story Time – Anyone?
• Hi, my name’s Terry and I’m a CISO…
End? Open for Questions and Stories