180 likes | 302 Views
Deployment of iPads Lessons from the Trenches. Jim Horwath March 2012 GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC , GSIP. 1. SANS Technology Institute - Candidate for Master of Science Degree. Objective. Overview of the iPad and the effect it will have on business
E N D
Deployment of iPads Lessons from the Trenches Jim Horwath March 2012 GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP 1 SANS Technology Institute - Candidate for Master of Science Degree
Objective • Overview of the iPad and the effect it will have on business • Security risks of bringing a consumer oriented device such as an iPad into a corporate environment • Security and lack of controls on an iPad - what you need to know • Operational costs and headaches associated with deploying iPads to users • The management nightmare of deploying iPad - patching, securing, keeping users safe from themselves • This is NOT an explanation concerning iPad forensics 2 SANS Technology Institute - Candidate for Master of Science Degree
The iPad Storm • Apple’s incredible sales numbers and market penetration • Time magazine gave the iPad one of the 50 best inventions of 2010 • Medical, legal, and sales staff were early adopters of iPads • Apple’s App Store imposes censorship of content causing issues with books and magazines • Closed system – but still more applications available for iOS than Androids • No support for flash SANS Technology Institute - Candidate for Master of Science Degree 3
Consumer Device – Security an Afterthought • Penetration into Fortune 100 companies and other businesses made iPads THE status symbol • Executives see convenience, increased productivity, and freedom • Status symbol cost - This addictive appeal has a cost to it – device + monthly fees • Default configuration has few security controls e.g. No password • Consumers want ease – especially younger users • Closed platform - not too much security information available • No anti-virus or malware controls 4 SANS Technology Institute - Candidate for Master of Science Degree
Policy Is Your Friend • Policy will become your best friend – develop early and involve the right people • Acceptable Use Policy (AUP) • Change Management • Device is meant for employee use only – not spouse, children or relatives • Security Awareness • Make users aware of common problems • Shoulder surfing – gets worse with complex passcodes 5 SANS Technology Institute - Candidate for Master of Science Degree
Security Issues - Strengths • Hardware encryption uses AES 256-bit encryption • APIs with the ability to lock-down access • Controlled environment with non-jailbroken devices • Applications receive a sandbox and are separate from each other • API provides a method for device lock/unlock/password reset/wipe • Implementation and engineering guarded IP secret • Cellular communications harder (but not impossible) to capture • Need to test security controls very thoroughly and keep notes regarding the test results 6 SANS Technology Institute - Candidate for Master of Science Degree
SANS Technology Institute - Candidate for Master of Science Degree
Security Issues - Challenges • Limited number of configurable items • There are items the user can change and there is no GPO-like facility to reinforce settings • No logging or event log like facility • Implementation and engineering guarded IP secret • Bluecoat K9 to use as a WEB proxy – but user can choose not to use it – you have to use a 3rd party product to enforce it • Companies lose control of data – dropbox, Google docs, iCloud • Alphanumeric credentials anywhere on the device echo characters as you type them • No warning or acceptable banner, network connectivity is always on 8 SANS Technology Institute - Candidate for Master of Science Degree
SANS Technology Institute - Candidate for Master of Science Degree
Infrastructure Issues • Where do employees sync devices • Is your corporate infrastructure ready for iTunes (packaging, updates, etc.) • If iPad users sync to corporate assets, is your storage and backup environment ready • Is there a business requirement to access internal resources - example Citrix for applications • Can devices connect internally to wireless infrastructure – how do you control it • Data leaves daily with employees and their iPads 10 SANS Technology Institute - Candidate for Master of Science Degree
Operational Challenges • Keeping iOS current – no mass distribution method • iOS 5.0 does allow software updates outside of iTunes • Apple provides a low-cost configuration utility iPhone Configuration Utility (ICU) • Mobile Device Management (MDM) software is young • Creation of a “Gold Image” is difficult • iTunes and corporate acceptance • Backing up devices onto personal employee assets – who owns the data • On corporate owned assets does your infrastructure allow for the additional overhead of iTunes and backups 11 SANS Technology Institute - Candidate for Master of Science Degree
More Operational Challenges • Blocking pop-ups -- users cannot change it – blocking pop-ups can stop things like SANS OnDemand from working • Very confusing with some terms: “Auto-Lock” and “Grace-Period” • How do you handle provisioning – corporate vs. personal devices • What happens after employee separation, companies cannot verify • License cost of software is unknown (productivity software for example) • Decreases productivity for some workers 12 SANS Technology Institute - Candidate for Master of Science Degree
Hello Help Desk... • Users are scary • Problems range from common to the bizarre • Calling for device setup – most common • Documentation of common problems should be available to users • Added cost to train help desk staff on iPad triage • Younger help desk staff are better than older staff due to familiarity of the technology • Mail stopped and I need it now – the higher up the food chain the more demanding the user 13 SANS Technology Institute - Candidate for Master of Science Degree
Enterprise Management of iPads • Apple provides iPhone Configuration Utility (ICU) – good for just a few devices and proof of concepts • Mobile Device Management (MDM) products are young and lack maturity • Some examples: McAfee, Sybase, Good, AirWatch, BoxTone • Microsoft Active Sync will allow any device with a valid user name and password to connect • Lotus Notes requires granting access to Lotus traveler • How does this integrate into your authentication source LDAP/AD/Domino LDAP/Token • Do your homework! SANS Technology Institute - Candidate for Master of Science Degree 14
Mobile Device Management (MDM) Software • Policy, awareness, education and AUP are critical • Managing a fleet of iPads requires management software • MDM market place is emerging and not mature • Employees – especially executives - quickly become “addicted” to an iPad, stability is a key issue • Apple’s closed platform limits what vendors can do – most vendors do the same thing • Managed service versus in-house, versus hybrid • Managing a fleet of iPads requires management software 15 SANS Technology Institute - Candidate for Master of Science Degree
MDM Lessons • Survey says e-mail and calendaring are the most important applications to an executive • Be careful with demonstrations • Negotiations - be prepared for push-back on policies from executive – they want convenience and not necessarily security • Field communications is critical – leverage company communications and change management process • Implement a test environment that is similar to production • Be careful of firewall rules if using an in-house managed product • Be very careful with destruction capabilities – a mistake can be career ending 16 SANS Technology Institute - Candidate for Master of Science Degree
SANS Technology Institute - Candidate for Master of Science Degree
Summary • Mobile computing is here to stay – learn it, embrace it, and control it the best you can • Mobile computing can give your firm a competitive advantage • Develop policy based on business need and use cases • Continual user education and awareness will go a long way • Invest in MDM software to manage devices • Avoid being an early adopter 18 SANS Technology Institute - Candidate for Master of Science Degree