Security in a Mobile Age


Presentation Transcript


  1. Security in a Mobile Age

  2. The IT Manager’s Nightmare... “Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, … oh, and I decided I couldn’t wait, so here is mine so that you can get me connected today”

  3. Disruptive Technologies • 1980’s The Microcomputer • 1980’s The Network • 1990’s Personal Email • 1990’s The Web • 2000’s Smart Phones • 2010’s Mobile Computing Devices

  4. Mobile Computing Security Challenges • What ever happened to the network perimeter? • Is that one of our devices? • Is that really one of our users? • Where is our data? • No, I said it’s our data, not your data • Yes, I know that it’s a clever app • Who’s in charge of these !@(*#^)* things anyway?

  5. Security Taxonomy • Mobile Device Policy • Mobile Device Security • Encryption • Security Management • Internal Security • Identity Management • Perimeter Security • Storage Security • Physical Security

  6. Best Practices for Policy • Engage the business • Understand their mobile computing requirements • Survey your workforce • Establish a corporate strategy based on requirement vs risk

  7. Best Practices for Policy • Establish levels of ‘service’ • Tier 1 • Corporate owned devices • PIM and business applications • Tier 2 • Corporate or user owned devices • Lightly managed and supported (eg mail/calendar) • Tier 3 • User owned devices • Web based access only • Unsupported

  8. Best Practices for Policy • Reserve the right to manage ALL devices with access to corporate resources • Includes connections to internal wireless LANs and connections to PCs. • Require installation of your security profile on all devices as a condition of access.

  9. Best Practices for Policy • Isolate corporate data from private data • Sandboxing • Policy compliance • Application publication (no data at rest)

  10. Best Practices for Policy • Enforce strong security controls • Passwords • Auto lock • Remote wipe • Certificates • Encryption • Enforced device policy

  11. Best Practices for Policy • Consider disabling device functions that conflict with business activities • Camera • App stores • Cloud storage services • YouTube • Explicit content

  12. Best Practices for Policy • Enforce acceptable use policy • Cover current and future devices • “everywhere” access means wiping a device when the employee leaves the organisation. • .. And that may include their own personal device if it has been used to access corporate systems.

  13. Best Practices for Policy • Determine how users will be provisioned with applications • The use of ‘app’ stores is fine with only a few users but can become unwieldy with many users • Start with basic applications (email, collaboration, productivity) • Layer on advanced applications

  14. Best Practices for Policy • Proactively monitor voice and data usage • Implement ongoing recording of usage

  15. Best Practices for Policy • Require users to backup their own data • If it’s their information, they are responsible for it. • Assert the right to wipe the device if it is lost or stolen • Assert the right to wipe the device when the employee leaves

  16. Best Practices for Policy • Teach Users about ‘Stranger Danger’ • No reading of sensitive information in uncontrolled areas... • Aircraft • Trains • Supplier offices • Close/lock the devices when not in use. • Beware of theft

  17. Best Practices for Policy • Require users to understand and agree with policy • Security policies don’t belong in a book • Publish policies for all users to read • Review the policies annually

  18. Best Practices for Policy • Address the ramifications of non compliance to policy • Usage infractions • Unauthorised application installation • Inappropriate material • Not reporting lost devices • Excessive personal use

  19. OK, So You’ve Got Your New Toys, Now What? • Learn to walk before you can fly! • Implement a mobile device management system • Establish a base device policy • Enforce that policy

  20. Device Policy #1: Enable Password Protection • Require a PIN code after power on • Require a PIN code after auto lock • Minimum of 4 digits • Preferably longer if the device supports it

  21. Device Policy #2: Lock the Device • Always enable auto-lock on mobile devices • Keep the lock period as short as possible

  22. Device Policy #3: Enable Wiping • Wipe on more than five invalid PIN code entries • Remote wipe in the event of loss or theft • Easily implemented in Exchange, Keriomail and BES • Set up a lost device hotline • Wipe devices prior to disposal

  23. Device Policy #4: Turn on Device Encryption • iOS 4.x, 5.x • All user data is automatically encrypted (hardware encryption is always on, but the Data Protection class keys are unlocked by the passcode, so the encryption only protects a lost device if a PIN is enforced) • Android • Information on removable media is not encrypted by default. • Windows Phone 7 • Encryption not supported • “It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device”. • Windows 8 • Expected to be supported when it is released

  24. Device Policy #5: Encrypt Data in Transit • Enable SSL/TLS encryption • Use digital certificates

  25. Device Policy #6: Update Frequently • Keep the operating system and applications up to date • Enable auto update if available

  26. Device Policy #7: Control Network Connections • Disable network services if not required • Wi-Fi • Bluetooth • Infrared • Restrict Wi-Fi connections to authorised networks

  27. Device Policy #8: Install AntiVirus Software • Install AntiVirus software wherever practical • Controlled and scrutinised application release minimises the threat
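Device Policies #1 to #5 above, together with the slide 11 restrictions, expressed as an iOS configuration profile of the kind an MDM system (slide 19) pushes to a device. This is an added example written for this page, not code from the deck or from Kaon Technologies. The organisation name, the reverse-DNS identifier prefix and the mail host are placeholders, and the second, weak profile is constructed purely to exercise the audit function. The payload keys used are the ones Apple's Configuration Profile Reference defines for the passcode, restrictions and Exchange ActiveSync payloads of the iOS 4/5 era the deck describes; the generator also includes an audit that checks any profile against the deck's minimums, which is what you would run against an export from an existing MDM.

```python
# Added example: generate and audit an iOS .mobileconfig for this deck's device
# policies. ORG, ID_PREFIX and the mail host used below are placeholders.
import plistlib
import uuid

ORG = "Example Org"
ID_PREFIX = "org.example.mobile"


def _payload(ptype, ident, name, **keys):
    """Envelope keys every payload inside a profile must carry."""
    p = {"PayloadType": ptype, "PayloadVersion": 1,
         "PayloadIdentifier": f"{ID_PREFIX}.{ident}",
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadDisplayName": name, "PayloadOrganization": ORG}
    p.update(keys)
    return p


def passcode_payload(min_length=6, lock_minutes=2, max_failed=5):
    # Device Policies #1-#4. iOS Data Protection keys are unlocked by the passcode,
    # so forcePIN is what makes the always-on hardware encryption protect a lost device.
    return _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
        forcePIN=True,
        allowSimple=False,              # no 1111 / 1234 style PINs
        minLength=min_length,           # deck: 4 digits minimum, longer if supported
        maxInactivity=lock_minutes,     # idle minutes before auto-lock
        maxGracePeriod=0,               # PIN required immediately on wake
        maxFailedAttempts=max_failed,   # device wipes itself after this many failures
    )


def restrictions_payload(allow_camera=False, allow_app_store=False):
    # Slide 11: device functions that conflict with business use
    return _payload(
        "com.apple.applicationaccess", "restrictions", "Feature restrictions",
        allowCamera=allow_camera,
        allowAppInstallation=allow_app_store,
        allowYouTube=False,             # key exists on iOS 5 and earlier only
        allowExplicitContent=False,
        allowCloudBackup=False,         # corporate data stays off consumer cloud
        forceEncryptedBackup=True,      # local iTunes backups must be encrypted
        allowUntrustedTLSPrompt=False,  # user cannot click through a bad certificate
    )


def exchange_payload(host, days_to_sync=7):
    # Device Policy #5: mail over TLS; a short sync window limits data at rest.
    # The Exchange ActiveSync server layers its own password/wipe policy on top.
    return _payload("com.apple.eas.account", "eas", "Corporate mail",
                    Host=host, SSL=True, MailNumberOfPastDaysToSync=days_to_sync,
                    PreventMove=True)   # no moving corporate mail to personal accounts


def build_profile(mail_host, **passcode_opts):
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORG} mobile baseline",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,   # slide 8: profile is a condition of access
        "PayloadContent": [passcode_payload(**passcode_opts),
                           restrictions_payload(), exchange_payload(mail_host)],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def check_baseline(mobileconfig):
    """Audit any profile (ours or an MDM export) against the deck's minimums."""
    prof = plistlib.loads(mobileconfig)
    by_type = {p["PayloadType"]: p for p in prof.get("PayloadContent", [])}
    findings = []
    pc = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if not pc or not pc.get("forcePIN"):
        findings.append("no passcode enforced")
    else:
        if pc.get("minLength", 0) < 4:
            findings.append("PIN shorter than 4 characters")
        if pc.get("allowSimple", True):
            findings.append("simple PINs allowed")
        if pc.get("maxInactivity", 99) > 5:
            findings.append("auto-lock longer than 5 minutes or unset")
        if pc.get("maxFailedAttempts", 11) > 5:    # iOS default is 11 when unset
            findings.append("wipe threshold above 5 failed PINs")
    eas = by_type.get("com.apple.eas.account")
    if eas and not eas.get("SSL"):
        findings.append("mail configured without TLS")
    if not prof.get("PayloadRemovalDisallowed"):
        findings.append("user can remove the profile")
    return findings


def weak_profile_example():
    """Constructed weak profile for exercising the audit (not a real export)."""
    prof = build_profile("mail.example.org", min_length=4, lock_minutes=10, max_failed=10)
    prof["PayloadRemovalDisallowed"] = False
    prof["PayloadContent"][0]["allowSimple"] = True
    prof["PayloadContent"][2]["SSL"] = False
    return to_mobileconfig(prof)
```

`to_mobileconfig(build_profile("mail.example.org"))` yields a profile that passes `check_baseline` cleanly, while the constructed weak profile reports five findings (simple PINs, slow auto-lock, a wipe threshold above five failures, plaintext mail, and a removable profile). Note that profile installation on its own is only half of Device Policy #3: the remote wipe still has to be triggered from the MDM or Exchange ActiveSync side, and `PayloadRemovalDisallowed` is what stops a user quietly stripping the baseline before handing the device to someone else.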

  28. Strategy Decisions: BYOD • Bring Your Own Device • Your data, their device, your risk • Firmly establish a data centric security strategy before even considering a BYOD strategy

  29. Strategy Decisions: Application Publication Model • Securely publish applications to mobile devices from your data centre • Removes data at rest risk • Device agnostic approach • Requires good data centre bandwidth • Enabler for BYOD strategy

  30. Going Full Circle?

  31. Going Full Circle?

  32. Conclusion • Mobile devices/tablets are a game changing technology • Successful (and secure) deployment requires an effective policy and an effective strategy

  33. Tony Krzyzewski Kaon Technologies Ltd tonyk@kaon.co.nz www.kaon.co.nz www.kaonsecurity.co.nz
