320 likes | 502 Views
Mobile Device Security. Presented by Terry Daus , CISSP. To the ISSA Las Vegas Chapter April 13, 2011. Agenda. Definition People Technology Policy. SmartPhone Definition. A cellular telephone with built-in applications and Internet access.
E N D
Mobile Device Security Presented by Terry Daus, CISSP To the ISSA Las Vegas Chapter April 13, 2011
Agenda • Definition • People • Technology • Policy
SmartPhone Definition A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 player, video viewing and often video calling. In addition to their built-in functions, smartphones can run myriad applications, turning the once single-minded cellphone into a mobile computer. Source: PC Magazine Encyclopedia
People What do they want? • “Only carry one” • Anywhere access • Any device supported • Transparent security
Business What does management want? • Lower cost • Low support overhead • “Increased Productivity” • Any device supported • Transparent security
Business Implications/Questions • Is the business willing to securely support a mix of personal/business data and smartphones/tablets? • Remote access - to how much? • Authority over data? • Is the value worth the cost?
Policy Source: Symantec
No Easy Answers • What are your organization’s compliance requirements? • Which rewards does management want to balance against risk and cost? • Compliance • Strategic mobility • Employee productivity/creativity/retention
More Management Questions… • Is confidential data allowed on mobile devices? • Are personally-owned mobile devices allowed access? • Who has authority/responsibility for… • Who gets company-issued smartphones • Who gets access from smartphones, and to what? • Purchasing smartphones • Provisioning smartphones • Securing/monitoring smartphones? • Support of Organization-owned (O)? Personally-owned (P)?
Standards/Operational Notes… • What are O mobile devices allowed access to? Is it different for P? • Will you list specific devices supported, or just OS versions? • Who is going to test all the new devices? How often? What about application maintenance? • (how) Do you wipe a P phone at term? • Crawl/Walk/Run or Flash Cut?
Policy Design Suggestions • Review other’s policies for ideas • Review your laptop policy • Involve stakeholders in requirements and design • Communicate early and often • Stakeholders • IT (they have to make the tech work) • Finance (our buddies with the budget) • Users (they hate change too – be nice)
Device Scenarios • Pure Monolithic – typically BES • Organization (O) owned only • Mixed Monolithic • O or Personally (P) owned • Mail System w/Supported Security • O, O/P, limited to native OS’s • 3rd Party Mgmt Software (in-house, hosted, managed) – multiple device types
Native Security in the OS • From Most to Least Complete Options • Blackberry • Windows Mobile (6.1 and 6.5 only) • iPhone • Android • Windows Mobile 7 • Symbian? • Nokia?
Mobile Security Basic Req’mts • Passwords not pins • Remote wipe • Secure Email/Calendar sync • Device and storage card encryption
Mobile Security Advanced Req’s • Disable capabilities (removable storage, camera, BlueTooth, IR, etc…) • Two-factor authentication • Failed attempts lock/wipe
ActiveSync Client Comparison • Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-client-comparison-table.aspx#cite_note-3
ActiveSync Client Comparison 2 • Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-client-comparison-table.aspx#cite_note-3
Interesting Android Factoids • Android 2.2 supports all the basic security requirements except encryption • Android 3.0 (Honeycomb) provides encryption, but is currently only on tablets and one phone • Carriers modify Android, sometimes badly • NitroDesk Touchdown (Android Market or direct, $20) adds device and storage card encryption (3DES) to 2.2
3rd Party Security Options • Mobile Device Management (MDM) • Not just security – can have operations management and deployment capabilities • Asset management • Application whitelist • Deploy in-house apps • Deploy patches/upgrades
MDM Deployment Options • Which one fits your organization better? • In-House • In-House with external comm center • Hosted • Managed Service
Example MDM 1 Good Technology • Encrypts Android 2.1 and above, and iPhone 3G and above • Separation of data and apps from OS in encrypted sandbox • Can control transfer of data to personal side (contacts typically) • Onsite servers transmit through Good telecomm datacenters – no ActiveSync
Example MDM 2 Mobile Iron • Suite of applications for security, asset management, and expense • Self-service portal for apps, communications search/history, and usage • Encrypts iPhones, Androids (with integrated Touchdown), integrates with BES
Example MDM 3 Air-Watch • Can be purchased as a cloud service, appliance, or software • Encrypts iPhones but not Android 2.x
Example MDM 4 Verizon Managed Mobility Service • 750 employee accounts minimum • Based on Sybase solutions • Services include inventory & expense mgmt, provisioning and logistics, and Sybase (policies, security, app store) • Note: Sybase did not support iOS4 or Android until Oct 2010
CISO Mobility Challenges • Employee and management requirements often conflict • Consumer-grade products = security an afterthought or non-existent • Proprietary OS = complexity, inequality, lack of standards • Immature market = rapid change
CISO Mobility Recommendations • Perform constant market research • Provide non-technical executive management enough information to make informed risk decision(s) regarding mobile devices • Immature market = limited choices, constant change • Set realistic expectations – no Holy Grail • Communicate risks in business terms • Crawl/Walk/Run
Story Time – Anyone? • Hi, my name’s Terry and I’m a CISO…
End? Open for Questions and Stories