
SANS Technology Institute - Candidate for Master of Science Degree

Deployment of iPads: Lessons from the Trenches

Jim Horwath

March 2012

GIAC GSE, GCUX, GCIA, GCIH, GREM, GSEC, GSIP


Objective

Overview of the iPad and the effect it will have on business

Security risks of bringing a consumer oriented device such as an iPad into a corporate environment

Security and lack of controls on an iPad - what you need to know

Operational costs and headaches associated with deploying iPads to users

The management nightmare of deploying iPads - patching, securing, keeping users safe from themselves

This is NOT an explanation concerning iPad forensics


The iPad Storm

• Apple’s incredible sales numbers and market penetration

• Time magazine named the iPad one of the 50 best inventions of 2010

• Medical, legal, and sales staff were early adopters of iPads

• Apple’s App Store imposes censorship of content causing issues with books and magazines

• Closed system – but still more applications available for iOS than Android

• No support for Flash


Consumer Device – Security an Afterthought

• Penetration into Fortune 100 companies and other businesses made iPads THE status symbol

Executives see convenience, increased productivity, and freedom

Status symbol cost - This addictive appeal has a cost to it – device + monthly fees

Default configuration has few security controls e.g. No password

Consumers want ease – especially younger users

Closed platform - not too much security information available

No anti-virus or malware controls


Policy Is Your Friend

• Policy will become your best friend – develop early and involve the right people

Acceptable Use Policy (AUP)

Change Management

Device is meant for employee use only – not spouse, children or relatives

Security Awareness

Make users aware of common problems

Shoulder surfing – gets worse with complex passcodes


Security Issues - Strengths

Hardware encryption uses AES 256-bit encryption

APIs with the ability to lock-down access

Controlled environment with non-jailbroken devices

Applications receive a sandbox and are separate from each other

API provides a method for device lock/unlock/password reset/wipe

Implementation and engineering guarded IP secret

Cellular communications harder (but not impossible) to capture

Need to test security controls very thoroughly and keep notes regarding the test results


Security Issues - Challenges

Limited number of configurable items

There are items the user can change and there is no GPO-like facility to reinforce settings

No logging or event-log-like facility

Implementation and engineering guarded IP secret

Bluecoat K9 to use as a web proxy – but user can choose not to use it – you have to use a 3rd party product to enforce it

Companies lose control of data – Dropbox, Google Docs, iCloud

Alphanumeric credentials anywhere on the device echo characters as you type them

No warning or acceptable banner, network connectivity is always on


Infrastructure Issues

• Where do employees sync devices

• Is your corporate infrastructure ready for iTunes (packaging, updates, etc.)

• If iPad users sync to corporate assets, is your storage and backup environment ready

• Is there a business requirement to access internal resources - example Citrix for applications

• Can devices connect internally to wireless infrastructure – how do you control it

• Data leaves daily with employees and their iPads


Operational Challenges

Keeping iOS current – no mass distribution method

iOS 5.0 does allow software updates outside of iTunes

Apple provides a low-cost configuration utility: iPhone Configuration Utility (ICU)

Mobile Device Management (MDM) software is young

Creation of a “Gold Image” is difficult

iTunes and corporate acceptance

Backing up devices onto personal employee assets – who owns the data

On corporate owned assets does your infrastructure allow for the additional overhead of iTunes and backups


More Operational Challenges

Blocking pop-ups -- users cannot change it – blocking pop-ups can stop things like SANS OnDemand from working

Very confusing with some terms: “Auto-Lock” and “Grace-Period”

How do you handle provisioning – corporate vs. personal devices

What happens after employee separation, companies cannot verify

License cost of software is unknown (productivity software for example)

Decreases productivity for some workers
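An added example, not part of the original slides: a small auditor for the passcode payload of an Apple configuration profile, showing how the "Auto-Lock" (`maxInactivity`) and "Grace-Period" (`maxGracePeriod`) settings combine. The key names are those of Apple's passcode policy payload; the sample profile and the baseline limits are constructed assumptions.

```python
import plistlib

# Constructed sample profile (not from the deck): a passcode payload as a
# configuration utility or MDM server might export it.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>forcePIN</key><true/>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>5</integer>
    <key>maxGracePeriod</key><integer>60</integer>
  </dict></array>
</dict></plist>"""

# Assumed baseline for this example; set the limits from your own policy.
BASELINE = {"minLength": 6, "maxInactivity": 5, "maxGracePeriod": 0}

def audit_passcode_policy(profile_bytes, baseline=BASELINE):
    """Return a list of findings for the passcode payload of a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not payloads:
        return ["no passcode payload: device keeps the no-passcode default"]
    policy, findings = payloads[0], []
    if not policy.get("forcePIN", False):
        findings.append("forcePIN is off: user may remove the passcode")
    if policy.get("allowSimple", True):
        findings.append("allowSimple is on: 1234 or 1111 is accepted")
    if policy.get("minLength", 0) < baseline["minLength"]:
        findings.append("minLength below baseline")
    # Auto-Lock: minutes of inactivity before the screen locks.
    inactivity = policy.get("maxInactivity")
    if inactivity is None or inactivity > baseline["maxInactivity"]:
        findings.append("maxInactivity (Auto-Lock) unset or above baseline")
    # Grace period: minutes after locking during which no passcode is asked,
    # so the effective exposure window is Auto-Lock plus grace period.
    grace = policy.get("maxGracePeriod")
    if grace is None or grace > baseline["maxGracePeriod"]:
        findings.append("maxGracePeriod unset or above baseline")
    return findings

if __name__ == "__main__":
    for finding in audit_passcode_policy(SAMPLE_PROFILE):
        print("-", finding)
```

The sample looks acceptable at a glance (passcode forced, five-minute Auto-Lock), yet the 60-minute grace period leaves the device unlockable without a passcode for an hour after the screen locks.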


Hello Help Desk...

• Users are scary

• Problems range from common to the bizarre

• Calling for device setup – most common

• Documentation of common problems should be available to users

• Added cost to train help desk staff on iPad triage

• Younger help desk staff are better than older staff due to familiarity of the technology

• Mail stopped and I need it now – the higher up the food chain the more demanding the user


Enterprise Management of iPads

Apple provides iPhone Configuration Utility (ICU) – good for just a few devices and proof of concepts

Mobile Device Management (MDM) products are young and lack maturity

Some examples: McAfee, Sybase, Good, AirWatch, BoxTone

Microsoft Active Sync will allow any device with a valid user name and password to connect

Lotus Notes requires granting access to Lotus Traveler

How does this integrate into your authentication source: LDAP/AD/Domino LDAP/Token

Do your homework!


Mobile Device Management (MDM) Software

• Policy, awareness, education and AUP are critical

• Managing a fleet of iPads requires management software

• MDM market place is emerging and not mature

• Employees – especially executives - quickly become “addicted” to an iPad, stability is a key issue

• Apple’s closed platform limits what vendors can do – most vendors do the same thing

• Managed service versus in-house, versus hybrid


MDM Lessons

• Survey says e-mail and calendaring are the most important applications to an executive

• Be careful with demonstrations

• Negotiations - be prepared for push-back on policies from executives – they want convenience and not necessarily security

• Field communication is critical – leverage company communications and change management process

• Implement a test environment that is similar to production

• Be careful of firewall rules if using an in-house managed product

• Be very careful with destruction capabilities – a mistake can be career ending


Summary

Mobile computing is here to stay – learn it, embrace it, and control it the best you can

Mobile computing can give your firm a competitive advantage

Develop policy based on business need and use cases

Continual user education and awareness will go a long way

Invest in MDM software to manage devices

Avoid being an early adopter