Five Steps To Securing Mobile Devices Joel Snyder [email protected] Opus One

Five Steps To Securing Mobile Devices · opus1.com/www/presentations/mobilitysecurity2008.pdf · 2008. 9. 26.


Five Steps To Securing Mobile Devices

Joel Snyder [email protected]

Opus One


Agenda

• Overview: stating the obvious
• Plan A
• Plan B
    • Policy
    • Technologies for Data Protection
    • Malware Protection
    • Authentication

Thanks to Andy Briney and Craig Mathias for helping prepare this!


Mobile Devices Means…

• Smart Phones & Laptops
• But mostly Smart Phones


Insert Statistics Here

of corporate data reside on mobile devices.

Mobile devices lost or stolen over a 2yr period

(stolen from: Dean Ocampo)


Insert More Statistics Here

Direct costs - $50 per customer (Legal, notification, etc.)

Indirect costs - $15 per customer (Lost employee productivity)

Opportunity costs - $75 per customer (Loss of customer and recruiting new ones)

Government Fines; Regulatory Actions
Exposure to legal action
Shareholder value loss
Diminished Goodwill
33 States with Legislation

Data Loss Impact Averages $140 Per Customer

(stolen from: Dean Ocampo)


Plan A

Solve Mobility Security by Forbidding Use of Mobile Devices


Plan B

Use Policy and Technology to provide mobility … securely!


Five Pieces of Mobility Security

• Policy for Mobile Devices
• Technology to Protect Data in Motion
• Technology to Protect Data at Rest
• Protection From Malware
• Authentication


FIRST: Start By Building Policy

#1: Policy

• Without a policy…
    • No Advice: “Employee IT” inefficient
    • Liability for Loss: Negligence? PCI 1.1?
    • No Boundaries: Anything Goes!


Policy Covers Lifecycle of Devices

Device Selection
Device Deployment
Device Use
Device Recovery

Provisioning
Configuration
Maintenance/Loss
Disposal

#1: Policy


Technology Can Support Your Policy

Device Selection
Device Deployment
Device Use
Device Recovery

Provisioning
Configuration
Maintenance/Loss
Disposal

This is Mostly Technology

#1: Policy


Users Must Support Your Policy

Device Selection
Device Deployment
Device Use
Device Recovery

Provisioning
Configuration
Maintenance/Loss
Disposal

Device Use includes:

User signing an Acceptable Use Policy (AUP)

User being educated about and buying into security issues

#1: Policy


The Most Fundamental Policy Decision Is

#1: Policy

Who “Owns” This Phone?

Don’t screw up for the sake of having the coolest device!


Generation Y Applies Massive Pressure

[Diagram labels: home, work; work includes home; home includes work]

#1: Policy


SECOND: Nothing Important Moves Unencrypted

#2: Data In Motion

• There is no spectrum of “important” to “unimportant”
• If you originated the data, we define it as “important”

[Diagram labels: Really important, Sorta Important, Not at all important; Ours, Not Ours]


“Moving” means any wireless communication

#2: Data In Motion

• Mobile Data Services have a relatively lower risk, but must be protected
• 802.11 (WiFi) services have huge risk, and must be protected
• Bluetooth is not generally used for data transfer… and should not be, due to design issues

I don’t have to list the threats here, do I?


#2: Data In Motion

Cellular Network

IP Layer

App. Layer

Protecting Mobile Data Services Can Occur at Application or IP Layer

• Application Layer requires each application/URL be individually protected
• Enforces at the firewall
• Opens larger attack surface in the network
• Limits access to “what you can get over Internet”
• Less intrusive to end-user
• More device independent

Policy element: personal webmail to be HTTPS encrypted


• IP Layer requires a compatible VPN client to be installed on each device, a potential support issue
• Enforces at the firewall and VPN concentrator
• Provides smallest attack surface and greatest access
• Can be very intrusive & annoying
• Need that VPN client!

#2: Data In Motion

Cellular Network

IP Layer

App. Layer

IP Layer Protection Offers Greater Access, but Lower Interoperability


#2: Data In Motion

Wi-Fi is Harder To Control

• Existing corporate standards for Wi-Fi apply
• And those standards must be
    • WPA or
    • WPA2
• Hot-spots rarely support link encryption (T-Mobile the exception)
• Link encryption good; end-to-end encryption better required


#2: Data In Motion

Wi-Fi is Harder To Control… so we go back to either IP Layer or Application Layer encryption

Wi-Fi Network

IP Layer

App. Layer

If it’s encrypted here or here, you don’t have to encrypt it here


THIRD: Nothing Sits Around Unencrypted

#3: Data at Rest

• As long as no one ever loses a device, you can safely ignore this one

University of Arizona, Cell Phone Lost and Found collection


Start by Making Sure Your Own Data Are Encrypted

#3: Data at Rest

[Diagram labels: Encrypted Traffic; cipher; clear]

• Could encrypt individual documents
• Could encrypt partitions within the device
• Could just encrypt the whole volume

But what about devices that are just too dumb to encrypt?


#3: Data at Rest

Look Beyond The Obvious For Full Protection

Your corporate phone directory has valuable & sensitive information

Web browsers cache data of all sorts, whether they are sensitive or not

Emails are cached; SMS/MMS are stored and not tracked. All are sensitive.

Key to remember: Just because it’s not corporate email, doesn’t mean it’s not corporate email.


#3: Data at Rest

Device Vendors Don’t Care About This, So Use Third-Party Packages

[Quadrant chart: axes “ability to execute” and “completeness of vision”; quadrants: challengers, leaders, niche players, visionaries]

Vendors shown: Check Point, Utimaco, SafeBoot, Credant, GuardianEdge, Entrust, Secuware, BeCrypt, iAnywhere, PGP, WinMagic, Info.Security

Vendors who gave Gartner money (July/2007)


#3: Data at Rest

On the Other Hand, Craig’s Law Says We Will See Organic Growth Here:

“It is inevitable that security features will roll-up into operating systems over time.”

So While Device Vendors Don’t Care, They Will Eventually Fix It! Perhaps Not in Your Lifetime, tho.


#4: Malware Protection

Mobile Devices are Current, High Priority Targets for Malware

• Threats to Device
    • Malware/Viruses/etc. spread through Bluetooth
    • … spread through email
    • … spread through ringtones
    • … spread through downloads
• Threats To Organization
    • Cost of “900-number” phone calls
        • Or International…
    • Lost productivity when mobile worker’s device crashes
    • Stolen data by Malware


Obvious Answer: Anti-Malware

Equally Obvious Problem: Each Device has a different operating system!

#4: Malware Protection


Malware Protection is an Opportunity for Policy to Help

#4: Malware Protection

Policy: Turn off your Bluetooth

Policy: Don’t be Downloadin’

Policy: Don’t Feel Lucky and Open Attachments

Policy: Buy your 12-year-old their own phone

Policy: Backup!


If You Only Do One Thing…

#4: Malware Protection

Policy: Turn off your Bluetooth

Bluetooth is your biggest unmitigated threat!


Device Management Software Can Enforce Policy and Protect You

#4: Malware Protection

Features To Look For:

Open Mobile Alliance Device Management
Over The Air (OTA) Management
Password Recovery (Encryption)
Remote Device Lock and Unlock
Remote Device Wipe
Download Policy Enforcement; Backups
Application (Email, Usually) Configuration
Device Provisioning

Some of this can be outsourced, with the right carrier and plan.


Did I Mention That Your Device Management System Must Be Cross-Platform?

#4: Malware Protection

Hint: 6 out of 6 is impossible. Sorry.


Your Last Defense: Authentication

#5: Authentication

Chicago Taxi Statistics, 2005


Authentication Can Occur at Multiple Points During Device Use

#5: Authentication

Periodic Passwords

Power On Password

Application & Encryption Passwords

[Diagram axis: Most secure to Least secure]

Crossing of Fingers


New Technologies May Help… Or Not

#5: Authentication

Fingerprint Reader

4.4mm

TCG Trusted Platform Module

Two-Factor Authentication Is Available!


Pick Your Authentication Style Based On Two Key Factors

#5: Authentication

User Compliance

Risk of Disclosure

What will the user community put up with?

Do I need the same policy for all users?

How valuable are the data on this device?

What is my risk if the data are lost or disclosed?


Five Steps To Solving the Mobility Security Puzzle

Authentication: Require user authentication at points required for acceptable risk/aggravation.

Malware Protection: Protect against malware with policy (Bluetooth, downloads) and technology (anti-malware SW).

Data at Rest: Encrypt data stored on device. Manage cached data with 3rd party software and passwords.

Data In Motion: Encrypt all data over cell and WiFi networks. Use VPN clients or application layer encryption.

Policy: Create a policy that covers the device lifecycle, from selection to recovery.


Thanks!

Joel Snyder [email protected]

Opus One