Security in a Mobile Age
The IT Manager’s Nightmare...
“Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, … oh, and I decided I couldn’t wait, so here is mine so that you can get me connected today”
Disruptive Technologies
1980’s The Microcomputer
1980’s The Network
1990’s Personal Email
1990’s The Web
2000’s Smart Phones
2010’s Mobile Computing Devices
Mobile Computing Security Challenges
What ever happened to the network perimeter?
Is that one of our devices?
Is that really one of our users?
Where is our data?
No, I said it’s our data, not your data
Yes, I know that it’s a clever app
Who’s in charge of these !@(*#^)* things anyway?
Security Taxonomy
Physical Security
Storage Security
Perimeter Security
Identity Management
Internal Security
Security Management
Encryption
Mobile Device Security
Mobile Device Policy
Best Practices for Policy
Engage the business
  ○ Understand their mobile computing requirements
  ○ Survey your workforce
  ○ Establish a corporate strategy based on requirement vs risk
Best Practices for Policy
Establish levels of ‘service’
  ○ Tier 1
    ○ Corporate owned devices
    ○ PIM and business applications
  ○ Tier 2
    ○ Corporate or user owned devices
    ○ Lightly managed and supported (eg mail/calendar)
  ○ Tier 3
    ○ User owned devices
    ○ Web based access only
    ○ Unsupported
Best Practices for Policy
Reserve the right to manage ALL devices with access to corporate resources
  ○ Includes connections to internal wireless LANs and connections to PCs.
  ○ Require installation of your security profile on all devices as a condition of access.
Best Practices for Policy
Isolate corporate data from private data
  ○ Sandboxing
  ○ Policy compliance
  ○ Application publication (no data at rest)
Best Practices for Policy
Enforce strong security controls
  ○ Passwords
  ○ Auto lock
  ○ Remote wipe
  ○ Certificates
  ○ Encryption
  ○ Enforced device policy
Best Practices for Policy
Consider disabling device functions that conflict with business activities
  ○ Camera
  ○ App stores
  ○ Cloud storage services
  ○ YouTube
  ○ Explicit content
Best Practices for Policy
Enforce acceptable use policy
  ○ Cover current and future devices
  ○ “Everywhere” access means wiping a device when the employee leaves the organisation...
  ○ And that may include their own personal device if it has been used to access corporate systems.
Best Practices for Policy
Determine how users will be provisioned with applications
  ○ The use of ‘app’ stores is fine with only a few users but can become unwieldy with many users
  ○ Start with basic applications (email, collaboration, productivity)
  ○ Layer on advanced applications
Best Practices for Policy
Proactively monitor voice and data usage
  ○ Implement ongoing recording of usage
Best Practices for Policy
Require users to back up their own data
  ○ If it’s their information, they are responsible for it.
  ○ Assert the right to wipe the device if it is lost or stolen
  ○ Assert the right to wipe the device when the employee leaves
Best Practices for Policy
Teach Users about ‘Stranger Danger’
  ○ No reading of sensitive information in uncontrolled areas...
    ○ Aircraft
    ○ Trains
    ○ Supplier offices
  ○ Close/lock the devices when not in use.
  ○ Beware of theft
Best Practices for Policy
Require users to understand and agree with policy
  ○ Security policies don’t belong in a book
  ○ Publish policies for all users to read
  ○ Review the policies annually
Best Practices for Policy
Address the ramifications of non-compliance with policy
  ○ Usage infractions
  ○ Unauthorised application installation
  ○ Inappropriate material
  ○ Not reporting lost devices
  ○ Excessive personal use
OK, So You’ve Got Your New Toys, Now What?
Learn to walk before you can fly!
Implement a mobile device management system
Establish a base device policy
Enforce that policy
Device Policy #1: Enable Password Protection
Require a PIN code after power on
Require a PIN code after auto lock
Minimum of 4 digits
  ○ Preferably longer if the device supports it
Device Policy #2: Lock the Device
Always enable auto-lock on mobile devices
Keep the lock period as short as possible
Device Policy #3: Enable Wiping
Wipe on more than five invalid PIN code entries
Remote wipe in the event of loss or theft
  ○ Easily implemented in Exchange, Keriomail and BES
Set up a lost device hotline
Wipe devices prior to disposal
Device Policy #4: Turn on Device Encryption
iOS 4.x, 5.x
  ○ All user data is automatically encrypted
Android
  ○ Information on removable media is not encrypted by default.
Windows Mobile 7
  ○ Encryption not supported
    ○ “It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device”.
Windows 8
  ○ Expected to be supported when it is released
Device Policy #5: Encrypt Data in Transit
Enable SSL encryption
Use digital certificates
Device Policy #6: Update Frequently
Keep the operating system and applications up to date
Enable auto update if available
Device Policy #7: Control Network Connections
Disable network services if not required
  ○ Wifi
  ○ Bluetooth
  ○ Infrared
Restrict WiFi connections to authorised networks
Device Policy #8: Install AntiVirus Software
Install AntiVirus software wherever practical
Controlled and scrutinised application release minimises the threat
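The eight device policies above, expressed as a compliance check that gates access on the base policy. This is an added example, not part of the original slides; the record field names and the 5-minute auto-lock ceiling are assumptions, and the inventory records are constructed.

```python
# Added example: record fields are hypothetical, not any MDM product's schema.
# The slides say only "as short as possible"; 5 minutes is an assumed ceiling.
MAX_LOCK_MINUTES = 5

def _wipe_ok(d):
    # Policy #3: wipe on more than five invalid PINs, plus remote wipe.
    limit = d.get("failed_pins_before_wipe")  # None means the device never wipes
    return limit is not None and limit <= 5 and d.get("remote_wipe", False)

def _encryption_ok(d):
    # Policy #4: removable media is checked separately because it is not
    # encrypted by default on Android.
    if not d.get("storage_encrypted", False):
        return False
    return (not d.get("has_removable_media", False)
            or d.get("removable_media_encrypted", False))

BASELINE = {
    1: lambda d: d.get("pin_required", False) and d.get("pin_min_length", 0) >= 4,
    2: lambda d: 0 < d.get("auto_lock_minutes", 0) <= MAX_LOCK_MINUTES,
    3: _wipe_ok,
    4: _encryption_ok,
    5: lambda d: d.get("ssl_required", False) and d.get("client_cert", False),
    6: lambda d: d.get("auto_update", False),
    7: lambda d: d.get("wifi_authorised_only", False) and not d.get("unneeded_radios"),
    # Policy #8 is "wherever practical": fail only if AV exists for the platform.
    8: lambda d: d.get("av_installed", False) or not d.get("av_available", True),
}

def failed_policies(device):
    """Return the Device Policy numbers this record does not meet."""
    return [n for n, check in sorted(BASELINE.items()) if not check(device)]

def may_connect(device):
    """Meeting the base device policy is the condition of access."""
    return not failed_policies(device)

# Constructed inventory records for illustration.
TABLET = dict(pin_required=True, pin_min_length=6, auto_lock_minutes=2,
              failed_pins_before_wipe=5, remote_wipe=True, storage_encrypted=True,
              ssl_required=True, client_cert=True, auto_update=True,
              wifi_authorised_only=True, unneeded_radios=[], av_available=False)
PHONE = dict(TABLET, auto_lock_minutes=15, failed_pins_before_wipe=None,
             has_removable_media=True, unneeded_radios=["bluetooth"],
             av_available=True)

if __name__ == "__main__":
    for name, dev in (("tablet", TABLET), ("phone", PHONE)):
        print(name, "connect" if may_connect(dev) else "blocked", failed_policies(dev))
```

The phone record passes the PIN check but is still blocked: unencrypted removable media and a missing invalid-PIN wipe limit are the gaps a PIN-only review would miss.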
Strategy Decisions: BYOD
Bring Your Own Device
Your data, their device, your risk
Firmly establish a data centric security strategy before even considering a BYOD strategy
Strategy Decisions: Application Publication Model
Securely publish applications to mobile devices from your data centre
Removes data at rest risk
Device agnostic approach
Requires good data centre bandwidth
Enabler for BYOD strategy
Going Full Circle?
Conclusion
Mobile devices/tablets are a game changing technology
Successful (and secure) deployment requires an effective policy and an effective strategy