
Infrastructure security of mobile devices in the enterprise by Ulrik van Schepdael


Seminar by Ulrik van Schepdael during Infosecurity.be 2011


This is not a telephone

The user is in control

(WIRED Feb 28 ‘11) -- From the earliest days of aviation, pilots have relied upon paper maps to help find their way. Even in an era of GPS and advanced avionics, you still see pilots lugging around 20 pounds or more of charts. But those days are numbered, because maps are giving way to iPads. The Federal Aviation Administration is allowing charter company Executive Jet Management to use Apple's tablet as an approved alternative to paper charts.

Bi: Before iPad

1984 (26 Bi), 1996 (14 Bi), 2007 (3 Bi), 2010

Multi OS

Professionals with a Smart Phone work 15 hours extra per week, earn 27% less and they love it!

(Peninsula UK Sept ‘09 - EarlySail picture)

Worldwide Smartphone Sales to End Users in 2Q09 (Thousands of Units)

Work More

New challenges for IT !

• Manage the Multi-OS

• Control the Cost

• Mixed Personal and Corporate content

• Security of data at rest, travel, …

• AppstorM is here

Implementation scenario

Policy Server

Mail server

One size does not fit all

(Forrester research) – not one company has the exact same needs let alone the individual users within the company

How many profiles do you need ?

1 is enough

3 should do

everybody is different

A mobile profile contains:

- telecom
- applications
- network access
- support level
- …

Implementation scenario

LDAP

Policy Server

Mail server

Stalin versus Dalai Lama

75% of 1000 interviewed Belgian companies do NOT agree that employees connect their personal smartphone or tablet to the corporate network.

+50% find it unacceptable. (Datanews survey November 2010)

More than twice as many people as is thought connect their own device to the corporate network (IDC 2010)

What’s your style?

| | Control | Choice | Innovation | Hands-Off |
|---|---|---|---|---|
| Primary management goal | Guarantee service level and strictly control risk | Satisfy users without incurring excessive risk | Empower users to develop new techniques and processes | Minimize management responsibility and liability |
| Responsibility for service quality | Enterprise IT | Enterprise IT and Users | Users and Enterprise IT | Users |
| Support level | Everything | All, but limited on device | Self support, limited IT | Self support |
| Information assurance | Enterprise responsibility | Enterprise and User | User and Enterprise | User |


What are the consequences?

| | Control | Choice | Innovation | Hands-Off |
|---|---|---|---|---|
| Policy | Enforced | Applied and Controlled | Applied and Controlled | Checked |
| Device ownership | Enterprise | Enterprise or User | Enterprise or User | User |
| Device choice | Limited | Medium range | Anything | Anything |
| Application portfolio | Clearly defined | Managed and limited | Unconstrained | Limited enterprise apps |
| App store policy | Forbidden | Permitted but following policy | Permitted | Permitted |
| Mobile expenses | Enterprise | Mixed | Mixed | User |

Device choice!

Implementation scenario

LDAP

Policy Server

Mail server Intranet

Posture

(wikipedia) – Primarily, posture is a reflex to keep the body upright.

MobileIron - Confidential

Audit/Logging

Regulatory Compliance

Help Desk

Remote Access

Trouble Spot Detection

Broadcast SMS

Recovery/Restore

Safety

Asset Management

Operational Status

Connection Status

System Details

Multi-OS Inventory

Security and Policy

Cert distribution

Anti-virus and DLP*

Encryption

Enforcement

Provisioning

Over-the-Air (OTA)

Self Service

End of Life

Data Migration

Selective Wipe

Applications

Push and Publish

Enterprise App Store

Internal and 3rd Party

Recommendations*

Content/Files

Push and Publish

Inventory

Mobile Access PC*

Search and Share*

Lost Phone

Lock and Wipe

Location Tracking

Selective Wipe

Content Visibility

Activity

Usage Patterns

Service Quality

Location

Threshold Alerts

Privacy Settings

Enterprise

Voice, SMS

Data

Employee- & Company-owned managed life cycle

Implementation scenario

LDAP

Policy Server

Mail server Intranet

???

Appstore is my freedom

Appstore is on or off

Enforced policy!

Cable is the biggest threat for mobile

Implementation scenario

LDAP

Policy Server

Posture Check

Mail server Intranet

???

Impossible to ‘lock’ a mobile device, but not impossible to manage it!

• Create a balanced (user/IT) policy

• Implement user-centric profiles

• Control the policy on the device

• Secure your resource access