Enterprise Mobile Device Security Bryan Glancey Vice President of Research & Development

Page 1: Enterprise Mobile Device Security

Enterprise Mobile Device Security

Bryan Glancey

Vice President of Research & Development

Page 2: Enterprise Mobile Device Security

Devices are the Weakest link

• "Because that's where the money is."  (Willie Sutton, his response when asked why he robs banks)

• This is the rock-solid principle on which the whole of the Corporation's [IBM's] Galaxy-wide success is founded...their fundamental design flaws are completely hidden by their superficial design flaws. – TH Nelson, Computer Lib., 1988, London: Penguin.

Page 3: Enterprise Mobile Device Security

Mobile Devices – Our Friends?

• PDAs & SmartPhones

• 802.11 Devices

• Wireless Modems

– CDPD

Page 4: Enterprise Mobile Device Security

Why Mobile wireless devices are great!!!

• Remote E-mail

• Remote Contacts

• Remote Calendar

• Remote Applications

Page 5: Enterprise Mobile Device Security

Why wireless devices are the worst thing that ever happened to information security.

Page 6: Enterprise Mobile Device Security

Confidential information

• Remote E-mail

• Remote Contacts

• Remote Calendar

Page 7: Enterprise Mobile Device Security

Regulatory Compliance

• Lots of legislation regarding information assets

• HIPAA – Health Insurance Portability & Accountability Act

– Mandates Protection of Medical Information

– Liability for both Organization and Individuals

• Gramm-Leach-Bliley Act of 1999

– Mandates protection of financial information

– Active as of July 2001

• http://www.cdt.org/privacy/plif.shtml

Page 8: Enterprise Mobile Device Security

Identity theft and Fraud

• Your Palmtop often contains all the information needed to assume your identity

• Bank Accounts

• Credit Cards

• Contact Info

• Historic Information

• E-mail

• Schedule

• Your home address

• Passwords & PINs

Page 9: Enterprise Mobile Device Security

Meet Mike

• Mike is an Executive

• Mike is Successful

• Mike Travels 50% of the time

• Mike wants to keep in touch with minimum hassle

Page 10: Enterprise Mobile Device Security

Meet Mike’s Wireless Device

Mike can:

• Read E-mail

• Access his Contacts

• View his Calendar

• Make Meeting Notes

• Generate Sales!!

Page 11: Enterprise Mobile Device Security

Mike syncs up his Device

• Communications Protocol Issues

– CDPD Security

– 802.11 Security

• Let’s assume that the data makes it safely to his device

• Let’s take a look at what’s in there -

Page 12: Enterprise Mobile Device Security

What’s in Mike’s Device?

• Contacts

– Contact information for his entire company’s contact database

– Personal information regarding his customers

– Personal information about company employees

– Customer Sales information

– Pricing/contracts data

Page 13: Enterprise Mobile Device Security

What’s in Mike’s Device?

• Calendar

– Information about customer meetings – with contact info and subject

– Information about competitive situations

– Information that presents competitive advantage!!

Page 14: Enterprise Mobile Device Security

What’s in Mike’s Device?

• Mail

– Negotiating Positions

– Price lists

– Order information

– Product information

– Legal Discussions

Page 15: Enterprise Mobile Device Security

So where does Mike go with this information?

• Airports

• Airplanes

• Taxi Cabs

• Hotels

• Rental Cars

• Restaurants

• Baseball Games

• Everywhere he goes!

Page 16: Enterprise Mobile Device Security

So? What’s the difference? All that information was already on their Laptop!

Page 18: Enterprise Mobile Device Security

Wireless devices are extremely prone to theft!

• The information stored on the device is a corporate asset

• The information stored on the Device is a Liability – and possibly protected by legislation

• Even with secure transport, the data remains on the device

Page 19: Enterprise Mobile Device Security

Steps to take

• Put some thought into extending your security policy to include mobile devices

– What data can be stored on Mobile Devices?

– Are there any regulatory implications?

– Is there any business Risk in disclosure?

• Pick a standard Device!

– Easier to include in Security Policy if they are all the same – if it’s not too late!

Page 20: Enterprise Mobile Device Security

Steps to take & Trends

• Look into Access control products for your Mobile Devices

• Focus on Integrating Mobile Devices into your existing Security Policy

• Start with the expectation that PDAs will meet the same security standards as PCs

Page 21: Enterprise Mobile Device Security

Why none of the current solutions work - yet

• Bad Management

• Poor User experience

• Different solutions on different platforms

• No Enterprise Visibility

• ‘Insecurity is in the implementation not the math’ – Bruce Schneier

Page 22: Enterprise Mobile Device Security

History of Device Security

• Hard Disk Encryption

– PC-DACS

– Protect Data (Pointsec)

– Safeguard Easy

• PDA Protection

– PDA Bomb

– F-Secure

Page 23: Enterprise Mobile Device Security

2003 – “The Year of Convergence” - Gartner

• The Pitfalls of Multi-Vendor Security

– Management

• “Which proprietary Management tool do I use for the Palm Security?”

– User Acceptance

• “Why does the security on My PDA work different than the one on my Laptop?”

Page 24: Enterprise Mobile Device Security

Uniform Security – Cross Platform

• Policies & Procedures are Enterprise Wide without exception

• Same/Similar operation on all Devices

• Enterprise Management Tools – Manage all platforms from one place

• Single Enterprise Security Policy

Page 25: Enterprise Mobile Device Security

Uniform Reporting

• Enterprise visibility for Security

• Simple Executive Reports – ‘Show me the ROI for this security Stuff!’

• E-mail notifications, Pager notifications based on events – just like the Firewall people

Page 26: Enterprise Mobile Device Security

Uniform Management

• Common Tool Administration

– Microsoft Management Console

– Active Directory

– SNMP

Page 27: Enterprise Mobile Device Security

Conclusion

• Mobile Devices provide easy access to corporate information assets

• Mobile Devices are extremely mobile – therefore prone to theft

• Look for pragmatic solutions to your problems

• Extend your security policy to include mobile devices

Page 28: Enterprise Mobile Device Security

Thank You

Reminder:

• Please be sure to complete your session evaluation forms and place them in the box outside the room. We appreciate your feedback.