May 30th – 31st, 2006, Sheraton Ottawa
Mobile Security: Windows Mobile 5
Rick Claus, IT Pro Advisor, Microsoft Canada
[email protected]
http://blogs.technet.com/canitpro
Agenda
Define Mobile Environment
Windows Mobile devices in Canada
Windows Mobile 5 Productivity
Policy & Security
Direct Push
Myths and Objections
What is Mobile Data?
Mobile Messaging Infrastructure: Mobile access to Exchange “that just works”
Smartphone Platform
Outlook 2003
Outlook Web Access
Wireless Pocket PC & PE
Wireless 3rd Party Sync
Outlook Mobile Access
Enable a greater number of customers, out-of-the-box
User experience optimized for mobile device scenario
Exchange Server 2003 Mobility Scenarios
IW Mobile Office (“Kiosk”)
• Rich web access companion for Outlook
• Best companion to Outlook
• Part-time “Home Office”
• Airport kiosk, Internet café
• Factory floor deployment
Outlook Web Access
IW Mobile On-The-Road (Laptop)
• RPC over HTTP(S); no VPN
• Low bandwidth, latent connections
• Hotel dial-up
• Hotspots
• WWAN – Mobile Operator
Outlook and Exchange
Mobile Reach for IW (Phone)
• Reach device companion for Outlook
• E-mail triage and quick review
• On-line GAL and contacts lookup with one-touch call
• Calendar and task management
Outlook Mobile Access
Highly Mobile IW (Smart/PDA)
• Rich/Smart device companion to Outlook
• Active e-mail/PIM management – preferably up-to-date
• WWAN – Mobile Operators
• Hotspots
Exchange ActiveSync (EAS)
Mobile Messaging Infrastructure
[Diagram: Wireless PDA and Smartphone on the Mobile Operator Network; Wi-Fi PDA and Wi-Fi Smartphone on the Internet (802.11x hotspots); Wi-Fi PDA, Wi-Fi Smartphone and Wi-Fi Laptops on the Wireless Intranet (802.11x); Outlook from home (RPC/HTTP) and OWA from kiosk or from home. All external paths enter the Corporate Network over HTTPS (443), through an ISA Server (optional), to the Exchange Front End Server(s), which sit in front of the Mailbox Servers. Legend: wired line, wireless line.]
Windows Mobile Devices in Canada … Today!
6600 Pocket PC Phone Edition
• CDMA/1xRTT
• Windows Mobile 2003 Second Edition
• Landscape support
• 128 Mb ROM, 64 Mb RAM
• SDIO Memory Slot
• Bluetooth
• 1.1 Megapixel camera
• Built-in QWERTY keyboard, with Backlighting
Windows Mobile Devices in Canada … Today!
SMT 5600 Smartphone
• GSM/GPRS
• Windows Mobile 2003 Second Edition
• 64 Mb ROM, 32 Mb RAM
• MiniSD Memory Slot
• Bluetooth
• 1.1 Megapixel camera
• 850/1800/1900 MHz Support
• Mini USB connector
• First Smartphone in Canada!
Windows Mobile Devices in Canada … Today!
h6320/6325 Pocket PC Phone Edition
• GSM/GPRS
• Windows Mobile 2003
• 64 Mb ROM, 64 Mb RAM
• SDIO Memory Slot
• Integrated Bluetooth
• Integrated WiFi
• 850/900/1800/1900 MHz Support
• Snap-on keyboard
  – 6325 with camera
Windows Mobile Devices in Canada … Today!
hw6515 Pocket PC Phone Edition
• GSM/GPRS/EDGE
• Windows Mobile 2003 Second Edition
• 64 Mb ROM, 64 Mb RAM
• SDIO & MiniSD Memory Slot
• Integrated Bluetooth
• Integrated GPS
• 850/900/1800/1900 MHz Support
• Built-in QWERTY keyboard
• 1.3 MP Camera, 8x Zoom
Windows Mobile Devices in Canada … Today!
6700 Pocket PC Phone Edition
• CDMA/1xRTT/EvDO
• Windows Mobile 5.0
• 128 Mb ROM, 64 Mb RAM
• MiniSD Memory Slot
• Bluetooth, WiFi
• 1.3 Megapixel camera
• Built-in Sliding QWERTY keyboard
Windows Mobile Devices in Canada … Soon!
Treo 700w Pocket PC Phone Edition
• CDMA/1xRTT/EvDO, GSM/GPRS/EDGE/UMTS
• Windows Mobile 5.0
• MiniSD Memory Slot
• Bluetooth
• 1.3 Megapixel camera
• Built-in QWERTY keyboard
Windows Mobile Devices in Canada … Soon!
• CDMA/1xRTT/EvDO
• Windows Mobile 5.0
• 128 Mb ROM, 64 Mb RAM
• MiniSD Memory Slot
• Bluetooth
• 1.3 Megapixel camera
• Built-in QWERTY keyboard
• Scroll Wheel Navigation
Windows Mobile 5.0 Strengths
Works with Exchange Server 2003
• Built-in mobile access – Windows Mobile, Outlook 2003, OMA, OWA
Great mobile experience with Windows Mobile 5.0 + MSFP
• E-mail and PIM OTA Direct Push sync is built in – with Outlook Mobile and Exchange ActiveSync
• No client or 3rd party server software to load reduces set-up time and cost
• Familiar Outlook experience
• Range of powerful Windows Mobile devices
• Great client platform for LOB, other solutions
Scalable solution for enterprises
• E-mail front-end & back-end scalability
• Easy to manage and consolidate servers
• High number of users per server
Scalable cost per user
• Range of devices, form factors, prices and data plans
• No incremental server license costs
• Removes need for separate monitoring, directory
What is MSFP?
Windows Mobile 5.0 + Messaging & Security Feature Pack (MSFP) builds on the familiar Outlook Mobile with new features that enhance mobile messaging usability and device management for the enterprise.
• Direct Push Technology – near real-time sync between Exchange Server and the mobile device
• GAL Access – corporate contact database
• Security Portfolio:
  – Policy push/Device Wipe – protects the mobile device if it is ever lost or stolen
  – Native SSL, S/MIME and 3DES (w/FIPS 140-2) support
  – Certificate-based authentication
  – SecurID and VPN
Device And Server Requirements
WinMobile Device Requirements
• Requires a Windows Mobile 5 device; MSFP will not work on devices with versions prior to Magneto
• MSFP features will not need PC sync, except Certificate-based Authentication
• Certificate-based authentication will require a one-time connection to ActiveSync for certificate deployment
Exchange Server Requirements
• Requires upgrade from Exchange Server 2003 to Exchange Server 2003 SP2
• No major changes beyond SP upgrade
• Need to increase IIS and Firewall HTTPS connection timeout to the ActiveSync virtual directory; recommend 15 min to 30 min for timeout
• Certificate-based Authentication feature will require a Certificate Authority (CA) deployment
1. Enhances The Outlook Mobile Experience
A. Keep your Outlook Mobile up-to-date with the new Direct Push Technology that delivers Inbox, Calendar, Contacts and Tasks information quickly and directly to your device
B. Maintain an up-to-date to-do list with new synchronization of the Outlook Mobile Tasks list with Exchange 2003 SP2
C. Access the corporate contact database while on-the-go with over-the-air lookup and browsing of the Global Address List on Exchange 2003 SP2
2. Helps Businesses To Better Protect Device Data
A. Remotely manage and enforce corporate IT policy over-the-air via Exchange 03 SP2 console
B. Enable automatic reset of data when password is entered incorrectly X number of times
C. Help to better protect device data with remote reset of on-device data via Exchange 03 SP2 console
D. Increase access security to Exchange 03 SP2 using Certificate-based Authentication to the server
E. Help protect email content with native support for S/MIME
Usability vs. Security
“I just want to make a call!”
Policy Provisioning: How does this strengthen security?
Exchange Server controls access to the device by pushing PIN/password policy and lockdown time-out to the device OTA the next time a sync is initiated.
Device Security Settings dialog:
• Enable PIN on device
• Minimum PIN Length (digits): 4
• Require both numbers and letters
• Inactivity time (minutes): 5
• Wipe device after failed (attempts): 4
• Refresh settings on the device (hours): 24
• Allow access to devices that do not support PIN settings
• Exceptions... Specify an exception list of users that are exempt from the setting enforcement
Policy Enforcement: IT controls the password strength…
…but the end-user sets his/her personal PIN or password according to the policy required.
After lockdown, entering the correct PIN/password is the only way to access data or use the device.*
* Emergency calls can be made during lockdown
Remote Device Wipe: IT-initiated Data Protection
• IT initiates the remote wipe via the Mobile Admin Web tool after a device is reported lost or stolen
• Remote wipe command status is relayed via ActiveSync back to the Mobile Admin Web tool for logging
Local Device Wipe: Password-based Data Protection
• IT configures the number of allowed attempts via the Exchange Server Console
Only local memory is erased (hard reset) with either device wipe; external memory (such as an SD card) remains intact.
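The policy, lock and wipe behaviour above, as an added Python model that is not part of the presentation or of Microsoft's code: the policy fields mirror the Device Security Settings dialog, while the class names, the status string and the scenario data are assumptions.

```python
"""Model of the MSFP device-password policy and the two wipe paths described
above. Added example, not Microsoft code: field names follow the dialog on the
slide; class/function names and the log/status strings are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DevicePolicy:
    """Values Exchange pushes OTA on the next sync (defaults as on the slide)."""
    require_pin: bool = True
    min_pin_length: int = 4
    require_letters_and_digits: bool = True
    inactivity_minutes: int = 5
    wipe_after_failed_attempts: int = 4
    refresh_hours: int = 24


def pin_meets_policy(pin: str, policy: DevicePolicy) -> bool:
    """IT sets the strength rules; the user still chooses the actual PIN."""
    if not policy.require_pin:
        return True
    if len(pin) < policy.min_pin_length:
        return False
    if policy.require_letters_and_digits:
        return any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
    return True


@dataclass
class Device:
    policy: DevicePolicy
    pin: str
    local_store: dict = field(default_factory=dict)   # on-device memory (mail, PIM)
    storage_card: dict = field(default_factory=dict)  # external SD/MiniSD card
    locked: bool = True
    failed_attempts: int = 0
    wiped: bool = False
    last_activity_min: float = 0.0
    log: list = field(default_factory=list)

    def touch(self, now_min: float) -> bool:
        """Record user activity; return True if the inactivity time-out has
        already locked the device (the PIN must be re-entered)."""
        if now_min - self.last_activity_min >= self.policy.inactivity_minutes:
            self.locked = True
        self.last_activity_min = now_min
        return self.locked

    def unlock(self, attempt: str, now_min: float) -> bool:
        """Local wipe: hard-reset device memory after N consecutive failures.
        Only data access is modelled; emergency calls stay possible on the real device."""
        if self.wiped:
            return False
        if attempt == self.pin:
            self.failed_attempts = 0
            self.locked = False
            self.last_activity_min = now_min
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.wipe_after_failed_attempts:
            self._hard_reset("local wipe: failed-attempt limit reached")
        return False

    def remote_wipe(self) -> str:
        """IT-initiated wipe; the returned status stands in for what ActiveSync
        relays back to the Mobile Admin Web tool for logging (wording assumed)."""
        if self.wiped:
            return "already wiped"
        self._hard_reset("remote wipe: device reported lost/stolen")
        return "wiped"

    def _hard_reset(self, reason: str) -> None:
        # Either wipe erases only local memory; the storage card is left intact,
        # which is why card contents need their own encryption.
        self.local_store.clear()
        self.wiped = True
        self.locked = True
        self.log.append(reason)


def lost_device_scenario() -> Device:
    """Constructed walk-through: a PIN-locked device is lost and four wrong
    guesses trigger the local wipe before IT has even been told."""
    dev = Device(DevicePolicy(), pin="ab12", local_store={"inbox": ["mail"]},
                 storage_card={"photos": ["img"]})
    for guess in ("0000", "1111", "2222", "3333"):
        dev.unlock(guess, now_min=10)
    return dev
```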
Native SSL Support: The end-to-end security standard
SSL (Secure Sockets Layer) is a secure channel of communication between a Web server and client (mobile device).
• Windows Mobile uses SSL with the RC4 cipher (128-bit) as the default. This is the standard for online banking and other secure transactions on the Internet.
• SSL can make use of a variety of encryption ciphers, including 3DES by enabling FIPS on the front-end server.
• SSL can’t be used by 3rd party relay solutions because of the discontinuous store-and-forward model they use. SSL is session-based and requires an uninterrupted point-to-point connection between the data source (server) and the recipient client (mobile device).
Security Architecture: Making the most of SSL
MSFP requires that a firewall port (443 recommended) be made available* as the “Web Listener” in order to allow Direct Push to work.
To secure that port, 443 is designated as the SSL port. Traffic into and out of the port will then be doubly filtered because it is:
• Encrypted with SSL
• Authenticated
* Maximum duration of the “Web Listening” connection should be greater than the lowest network timeout in the path between the device and the server.
Native S/MIME Support: Securing the payload…
S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard protocol that provides protection and verification of messages as they are transferred, using content encryption and digital signature features.
• Signing ensures the integrity of your message and attachments and assures the recipient that they have not been tampered with during transit.
• Encryption ensures data confidentiality by only allowing the intended recipient to decrypt and access the contents of the message.
• Requires an S/MIME certificate on the device or via peripheral reader.
WM Smartcard Solution: Currently creating for US DoD
Partners contributing:
• Saflink (smartcard software)
• Axcess Technology (reader hardware)
Commercial availability summer 05
Cert-based Authentication: The next step in authentication
Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges.
Requires Exchange Server 2003
[Diagram: Using Basic Authentication vs. Using Certificate Authentication]
SecurID: RSA’s two-factor authentication
• Native basic authentication for Exchange ActiveSync uses NT credentials (userid/password/domain) – one-factor authentication (the NT password) cached by the device.
• Many enterprise customers are requiring two-factor security solutions (human-memorized password AND some other physical object or certificate).
• RSA’s SecurID is currently the most popular corporate solution for two-factor authentication – in Europe, it is a de facto standard. This is now supported by Exchange ActiveSync.
• Very important for the Finance vertical where two-factor authentication is often required.
SecurID: Architecture with ISA
[Diagram: SecurID architecture with ISA. Labels: Mobile Device, WTLS, WAP Gateway, Carrier Network, Internet, SSL, Firewall, ISA Server, Firewall, Corporate Network, SecurID ACE/Agent, SecurID ACE/Server, MIS 2002 EE, Data.]
Windows Mobile Platform Security Features
Support industry standard certificates
• Support Open Mobile Alliance device management standards *
• AES 256 *, PFX/PKCS12 APIs support *
• FIPS 140-2 Certification *
• Smartcard Resource Manager *
Support Network Authentication Standards
• NTLM 1 & 2, Kerberos
• SSL TLS Client Authentication
• 802.1x user auth using PEAP, EAP/TLS
• WPA
* New for Windows Mobile 5.0
Before Direct Push: How did it work?
[Diagram: Short Messaging Service (SMS) channel and IP Data Connection between device and server]
1. Server Trigger: binary “blob” including:
  • Message digest (hash)
  • Server ID (pre-configured on device)
2. Client initiates session
3. Server-Controlled Interchange passes data via ActiveSync
Direct Push Technology: How does it work now?
[Diagram: Windows Mobile Device with MSFP ↔ Server running Exchange 2003 SP2]
1. Device sends PING request to Exchange 2003 SP2 server after establishing data/SSL connection
2. Exchange 2003 holds the request pending until heartbeat interval expires
3. If no server state changes occur before heartbeat expires, device sends another PING request
4. If server state changes before heartbeat interval expires, Exchange 2003 notifies device that changes have occurred in the mailbox
5. Device immediately issues SYNC request to pull data. Upon SYNC completion, go to step 1
The device controls the heartbeat interval duration as shown on the next slide…
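The five-step PING/SYNC loop above, together with the earlier requirement that the IIS and firewall HTTPS timeout on the ActiveSync directory exceed the held-connection duration, as an added Python simulation that is not Microsoft's implementation: the event names, the halving back-off rule and the mailbox timings are assumptions chosen to show why a too-short network timeout forces the device onto a shorter heartbeat.

```python
"""Discrete-time simulation of the Direct Push PING/SYNC loop from the slide.
Added example, not Microsoft's code: event names and the heartbeat back-off
rule are assumptions; the real protocol negotiates the interval differently."""
from dataclasses import dataclass, field


@dataclass
class ExchangeServer:
    """Holds a PING until the heartbeat expires or the mailbox changes (step 2)."""
    change_times: list  # constructed: seconds at which new mail arrives

    def handle_ping(self, now: int, heartbeat: int, idle_timeout: int) -> tuple:
        """Return (event, time): 'changes' (step 4), 'expired' (step 3) or
        'dropped', which models a firewall/IIS idle timeout shorter than the
        time the request is held open (the page asks for 15-30 min)."""
        deadline = now + heartbeat
        for t in self.change_times:
            if now < t <= deadline:
                if t - now > idle_timeout:
                    return "dropped", now + idle_timeout
                return "changes", t
        if heartbeat > idle_timeout:
            return "dropped", now + idle_timeout
        return "expired", deadline

    def sync(self, now: int) -> list:
        """Step 5: deliver every change that occurred up to now and clear it."""
        delivered = [t for t in self.change_times if t <= now]
        self.change_times = [t for t in self.change_times if t > now]
        return delivered


@dataclass
class Device:
    heartbeat: int = 900  # device-chosen interval in seconds (15 min)
    min_heartbeat: int = 60
    pings: int = 0
    syncs: int = 0
    delivered: list = field(default_factory=list)
    trace: list = field(default_factory=list)

    def run(self, server: ExchangeServer, idle_timeout: int, until: int) -> list:
        """Loop steps 1-5 until the clock runs out or nothing is left to fetch."""
        now = 0
        while now < until and server.change_times:
            self.pings += 1  # step 1: PING over the established SSL session
            event, at = server.handle_ping(now, self.heartbeat, idle_timeout)
            self.trace.append((now, "PING", self.heartbeat, event, at))
            now = at
            if event == "changes":
                self.syncs += 1
                self.delivered += server.sync(now)
            elif event == "dropped":
                # The held request died unanswered: shrink the heartbeat so the
                # next PING fits inside the path's idle timeout (assumed rule).
                self.heartbeat = max(self.min_heartbeat, self.heartbeat // 2)
            # 'expired' -> step 3: simply PING again
        return self.trace


def scenario(idle_timeout: int) -> Device:
    """Constructed mailbox: mail at 120 s, 1500 s and 1600 s; one-hour run."""
    dev = Device()
    dev.run(ExchangeServer([120, 1500, 1600]), idle_timeout, until=3600)
    return dev
```

With a 30-minute idle timeout every change is delivered in four PINGs; with a 5-minute timeout the same mail still arrives, but only after two dropped connections and twice as many PINGs, which is the extra radio and battery cost the page's timeout advice avoids.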
Direct Push Technology: Why is this better?
Less radio & battery overhead
• Persistent data connection does not require the data connection to be built up and torn down for each ActiveSync session
Less data usage required
• Each MSFP ping (~350 bits of data) uses less data than that needed to do a Scheduled Sync even when no data is transferred during the sync
No need for SMS sync initiation
Windows Mobile 5.0: Why Direct is Better
• No 3rd party relay NOCs outside of enterprise IT control
• No 3rd party relay failure or access points
• Utilizes existing investments in Exchange Server – highly scalable messaging platform
• No additional client or server licenses for devices
• No additional 3rd party relay hardware or software required behind the enterprise firewall
• Leading platform for LOB applications: .NET Framework and Visual Studio porting to WM
• Single source for product support included with Exchange 2003
Security Myths & Objections
Myth: 3DES is “better” than SSL
• Much online banking, e-commerce uses SSL
• 128-bit SSL—never hacked over the Internet
• MS Solution—no dependence on 3rd-party NOC
Objection: Storing Corp credentials on device
• Credentials stored in protected registry
• Can use Certificate authentication instead
Objection: Using Corp credentials for authentication
• Can use Certificate authentication instead
Myth: Allowing inbound connections from devices to corporate data center is unsecure
• Windows Mobile uses same data flow, authentication, encryption, architecture as Outlook Web Access
Security Myths & Objections
Myth: Sending all data through NOC is good
• A 3rd party has control of corporate data
Objection: Must encrypt data and pipe
• Traffic encrypted between device & server; data doesn’t need to be encrypted
Myth: Windows Mobile is not secure enough
• Received US Govt. Federal Information Processing Standards Cryptographic certification (FIPS 140-2)
Myth: Remote Wipe by itself is good enough
• Should require PIN lock to protect device prior to report of loss
• If device radio is turned off, remote wipe won’t work—need local wipe as well
Resources: Additional Third Party Security
Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
Enhanced password protection: Hewlett-Packard
Pictograph authentication: Pointsec Mobile Technologies
Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
Card-based authentication: RSA Security
Certificate Authentication on a Storage Card: JGUI
Software Storage Encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
802.1x WPA Encryption Method: Funk Software
S/MIME: Certicom
Encrypt Application Data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
Virtual Private Networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
Disable Applications: Odyssey Software; Trust Digital LLC
Device Wipe: Asynchrony.com
Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
Thin Client Technology: Citrix; FinTech Solutions Ltd.
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,
Rick Claus, IT Pro Advisor, Microsoft Canada
[email protected]
http://blogs.technet.com/canitpro