Security Strategies for Mobile Devices
State of Oregon
Enterprise Security Office
Jan. 14th, 2010
Welcome
John Ritchie, CISSP
State of Oregon Enterprise Security Office
Information Security Analysis and Consultation
Introduction
Enterprise Security Office (ESO)
State Enterprise Perspective
Multi-Agency, Cross-Agency
Enterprise Policy and Oversight
Not Operations
Enterprise Security Plan (diagram: ISO domains mapped to ESO strategic initiatives)
ISO Domains 5.0 Asset Management, 7.0 Access Control, 9.0 Communications & Operations Management, 11.0 System Development and Maintenance
Enterprise Security Standards & Processes
Enterprise Security Architecture
ISO Domains 8.0 Incident Management – ESO Strategic Initiative: Statewide Incident Response Program
ISO Domains 3.0 Compliance, 6.0 Physical & Environmental, 10.0 Business Continuity Plan – ESO Strategic Initiative: Information Security Consulting Services
ISO Domains 1.0 Security Organization, 2.0 Security Policy – ESO Strategic Initiative: Identify & Evaluate Security Opportunities
ISO Domains 2.0 Security Policy – ESO Strategic Initiative: Policy Development
ISO Domains 3.0 Compliance – ESO Strategic Initiative: Vulnerability Assessment
ISO Domains 1.0 Security Organization – ESO Strategic Initiative: Information Security Communication Plan
Agency Information Security Plans
ISO Domains 4.0 Human Resources – ESO Strategic Initiative: User Awareness Program
ISO Domains 5.0 Asset Management – ESO Strategic Initiative: Information Security Risk Assessment
Enterprise Security Policies
ISO 27001 – Information Security Management System
ISO 27002 – Technical Standards
Agenda
Overview of Issues
Strategies For Developing Solutions
Future Trends
Issue: Portable Storage
Storage, Storage and more Storage
Easy Data Sharing
Small, Smaller, Smallest, Lost
Data Loss Prevention
Bypass Security Controls
Issue: Mobile Workforce
Culture Change Can’t Be Ignored
Huge Benefits
Technical Challenges
Porous Perimeter
Firewalls?
Personal Devices
Issue: Mobile Workforce
Everything Connects
Hostile Environments
Strategies For Coping
Step By Step
Define Business Needs
Develop Policy
Technical Implementation
Audit Device Use and Compliance
Step By Step (Refrain)
Strategy: Step By Step
Start Somewhere
Develop A Plan
Something Is Better Than Nothing
It All Costs Money
Strategy: Business Needs
Define Benefits
What Are Your Goals?
Data Classification – Task #1
Where’s Your Sensitive Data?
What Will Your Employees Store On Mobile Devices?
Strategy: Policy
Decision Points
Strict Or Lenient?
Device Ownership Decision
Device Management Decisions
Security
Policy
Device Ownership
Company-owned (stricter)
Control and Security
Responsibility (mostly) company’s
Separation of Church and State
Personal Devices (more lenient)
Flexibility
Employee Satisfaction
Cost?
Policy
Device Management
Corporate vs. Personal Management
Supported Models vs. All Models
Standard Configuration
Lost/Stolen/Sold Devices
Employee Termination
Policy
Security
Data At Rest
Data In Transit
Access To Device
Access to Enterprise Assets
Comic by XKCD.com
Policy
Responsibility
Should Employee Share Responsibility?
Policy Education
Critical Component
Strategy: Technical Controls
Intersect With Policy And Security
Policy Without Controls Is…
Integrate Solutions With Architecture
Don’t Forget About Existing Policies
Acceptable Use
Strategy: Audit Device Use
Education
Visual Audits
Manager drive-by
Technical Audits
Logging
“Lessons Learned” Audits
After-the-fact
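The "Technical Audits / Logging" step above is the one that turns the Portable Storage issue from an earlier slide into something measurable. The following Python script is an added example, not material from the presentation or from the State of Oregon ESO: it reads host logs for removable-storage attachments and flags any device that is not on a policy allowlist. The log lines are constructed for the example in the style of Linux kernel USB messages, and the approved-device list (APPROVED_STORAGE) is a hypothetical allowlist of issued encrypted drives.

```python
"""Audit removable-storage use from host logs against a device policy (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines (syslog-style: timestamp, hostname, kernel message).
# laptop-22 also enumerates a wireless mouse receiver, which is USB but not storage.
SAMPLE_LOG = """\
Jan 14 08:02:11 laptop-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Jan 14 08:02:11 laptop-17 kernel: usb 1-1: Product: Cruzer Blade
Jan 14 08:02:12 laptop-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 14 09:15:40 laptop-22 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c52b
Jan 14 09:15:40 laptop-22 kernel: usb 2-3: Product: USB Receiver
Jan 14 13:47:03 laptop-22 kernel: usb 2-1: New USB device found, idVendor=0930, idProduct=6545
Jan 14 13:47:03 laptop-22 kernel: usb 2-1: Product: DataTraveler 2.0
Jan 14 13:47:04 laptop-22 kernel: sd 7:0:0:0: [sdb] Attached SCSI removable disk
Jan 14 16:20:55 laptop-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Jan 14 16:20:56 laptop-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
"""

# Hypothetical policy allowlist: (idVendor, idProduct) pairs of the drives the
# agency issued. Anything else that mounts as removable storage is a policy finding.
APPROVED_STORAGE = {("0781", "5567")}

NEW_DEVICE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb (?P<port>\S+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})$"
)
REMOVABLE_DISK = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: sd \S+: "
    r"\[(?P<dev>\w+)\] Attached SCSI removable disk$"
)


def audit_removable_storage(log_text, approved=APPROVED_STORAGE):
    """Return one record per removable-disk attachment, flagged against the allowlist."""
    last_usb = {}   # host -> (vid, pid) of the most recently enumerated USB device
    events = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            last_usb[m["host"]] = (m["vid"], m["pid"])
            continue
        m = REMOVABLE_DISK.match(line)
        if m:
            # Heuristic correlation: attribute the disk to the latest USB device
            # enumerated on the same host. A production audit should correlate on
            # the udev bus path instead, since two devices can enumerate back to back.
            vid, pid = last_usb.get(m["host"], ("????", "????"))
            events.append({
                "ts": m["ts"], "host": m["host"], "dev": m["dev"],
                "vid": vid, "pid": pid,
                "approved": (vid, pid) in approved,
            })
    return events


def summarize(events):
    """Per-host counts of approved and unapproved removable-storage attachments."""
    summary = defaultdict(lambda: {"approved": 0, "unapproved": 0})
    for e in events:
        summary[e["host"]]["approved" if e["approved"] else "unapproved"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = audit_removable_storage(SAMPLE_LOG)
    for e in found:
        status = "OK" if e["approved"] else "UNAPPROVED"
        print(f'{e["ts"]} {e["host"]} {e["vid"]}:{e["pid"]} -> {e["dev"]} {status}')
    print(summarize(found))
```

Run against the constructed log, the script reports two approved attachments on laptop-17 and one unapproved drive on laptop-22; the mouse receiver on laptop-22 is ignored because it never attaches as a removable disk. The same structure (parse, correlate, compare with policy, summarize per host) applies to Windows event logs or MDM exports, only the regular expressions and the allowlist source change.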
Strategy: Step By Step (Refrain)
Start Somewhere
Develop A Plan
Something Is Better Than Nothing
It All Costs Money
Trends For the Future
Increasingly Mobile Workforce
Better Tools
Current: Remote Access, Minimize Local Storage
Developing Market for Tools
Increasing Risk
Targets For Attack
Increasing Awareness?
History of PC Security Awareness
State Reference Material
Policies: http://www.oregon.gov/DAS/EISPD/ESO/Policies.shtml
Statewide Information Security Plan and Standards: http://www.oregon.gov/DAS/EISPD/ESO/SW_Plan_Standards.shtml
Drive Encryption Tools
Pointsec: http://www.checkpoint.com/products/datasecurity/pc/index.html
CREDANT: http://www.credant.com/products.html
GuardianEdge: http://www.guardianedge.com/products/guardianedge-hard-disk-encryption.php
PGP: http://www.pgp.com/products/wholediskencryption/index.html
McAfee Endpoint Encryption: http://www.mcafee.com/us/enterprise/products/data_protection/data_encryption/endpoint_encryption.html
Microsoft BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx
Drive Encryption Tools (continued)
Mobile Armor: http://www.mobilearmor.com/dataarmor.php
SafeNet: http://www.safenet-inc.com/products/data_protection/disk_and_file_encryption/protectdrive.aspx
SecurStar: http://www.securstar.com/products.php
Utimaco Software: http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/device-encryption/
WinMagic: http://www.winmagic.com/products
Remote Device Wipe
BlackBerry Enterprise Server
Microsoft’s System Center Mobile Device Manager
Apple’s iPhone 3.0 (with MobileMe)
Lost Device Tracking
Adeona Project (Open Source): http://adeona.cs.washington.edu/
Absolute Software: http://www.absolute.com/
zTrace Technologies: http://www.ztrace.com/
Presentation, Desktop Virtualization
Citrix XenDesktop: http://www.citrix.com/english/ps2/products/product.asp?contentID=163057
Citrix XenApp: http://www.citrix.com/english/ps2/products/product.asp?contentid=186
VMware View: http://www.vmware.com/products/view/
Microsoft’s Remote Desktop Services: http://www.microsoft.com/windowsserver2008/en/us/presentation-terminal.aspx?pf=true