Security in a Mobile Age

PowerPoint PPT presentation, 33 slides.

Page 1: Security in a Mobile Age

Page 2: Security in a Mobile Age

The IT Manager’s Nightmare...

“Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, … oh, and I decided I couldn’t wait, so here is mine so that you can get me connected today”

Page 3: Security in a Mobile Age

Disruptive Technologies

  • 1980’s The Microcomputer
  • 1980’s The Network
  • 1990’s Personal Email
  • 1990’s The Web
  • 2000’s Smart Phones
  • 2010’s Mobile Computing Devices

Page 4: Security in a Mobile Age

Mobile Computing Security Challenges

  • What ever happened to the network perimeter?
  • Is that one of our devices?
  • Is that really one of our users?
  • Where is our data?
  • No, I said it’s our data, not your data
  • Yes, I know that it’s a clever app
  • Who’s in charge of these !@(*#^)* things anyway?

Page 5: Security in a Mobile Age

Security Taxonomy

  • Physical Security
  • Storage Security
  • Perimeter Security
  • Identity Management
  • Internal Security
  • Security Management
  • Encryption
  • Mobile Device Security
  • Mobile Device Policy

Page 6: Security in a Mobile Age

Best Practices for Policy

  • Engage the business
  • Understand their mobile computing requirements
  • Survey your workforce
  • Establish a corporate strategy based on requirement vs risk

Page 7: Security in a Mobile Age

Best Practices for Policy

  • Establish levels of ‘service’
  • Tier 1
    ○ Corporate owned devices
    ○ PIM and business applications
  • Tier 2
    ○ Corporate or user owned devices
    ○ Lightly managed and supported (eg mail/calendar)
  • Tier 3
    ○ User owned devices
    ○ Web based access only
    ○ Unsupported

Page 8: Security in a Mobile Age

Best Practices for Policy

  • Reserve the right to manage ALL devices with access to corporate resources
    ○ Includes connections to internal wireless LANs and connections to PCs.
  • Require installation of your security profile on all devices as a condition of access.

Page 9: Security in a Mobile Age

Best Practices for Policy

  • Isolate corporate data from private data
    ○ Sandboxing
    ○ Policy compliance
    ○ Application publication (no data at rest)

Page 10: Security in a Mobile Age

Best Practices for Policy

  • Enforce strong security controls
    ○ Passwords
    ○ Auto lock
    ○ Remote wipe
    ○ Certificates
    ○ Encryption
    ○ Enforced device policy

Page 11: Security in a Mobile Age

Best Practices for Policy

  • Consider disabling device functions that conflict with business activities
    ○ Camera
    ○ App stores
    ○ Cloud storage services
    ○ YouTube
    ○ Explicit content

Page 12: Security in a Mobile Age

Best Practices for Policy

  • Enforce acceptable use policy
  • Cover current and future devices
  • “Everywhere” access means wiping a device when the employee leaves the organisation... and that may include their own personal device if it has been used to access corporate systems.

Page 13: Security in a Mobile Age

Best Practices for Policy

  • Determine how users will be provisioned with applications
    ○ The use of ‘app’ stores is fine with only a few users but can become unwieldy with many users
  • Start with basic applications (email, collaboration, productivity)
  • Layer on advanced applications

Page 14: Security in a Mobile Age

Best Practices for Policy

  • Proactively monitor voice and data usage
  • Implement ongoing recording of usage

Page 15: Security in a Mobile Age

Best Practices for Policy

  • Require users to back up their own data
    ○ If it’s their information, they are responsible for it.
  • Assert the right to wipe the device if it is lost or stolen
  • Assert the right to wipe the device when the employee leaves

Page 16: Security in a Mobile Age

Best Practices for Policy

  • Teach users about ‘Stranger Danger’
  • No reading of sensitive information in uncontrolled areas...
    ○ Aircraft
    ○ Trains
    ○ Supplier offices
  • Close/lock the devices when not in use. Beware of theft

Page 17: Security in a Mobile Age

Best Practices for Policy

  • Require users to understand and agree with policy
  • Security policies don’t belong in a book
  • Publish policies for all users to read
  • Review the policies annually

Page 18: Security in a Mobile Age

Best Practices for Policy

  • Address the ramifications of non-compliance with policy
    ○ Usage infractions
    ○ Unauthorised application installation
    ○ Inappropriate material
    ○ Not reporting lost devices
    ○ Excessive personal use

Page 19: Security in a Mobile Age

OK, So You’ve Got Your New Toys, Now What?

Learn to walk before you can fly!

  • Implement a mobile device management system
  • Establish a base device policy
  • Enforce that policy

Page 20: Security in a Mobile Age

Device Policy #1: Enable Password Protection

  • Require a PIN code after power on
  • Require a PIN code after auto lock
  • Minimum of 4 digits
    ○ Preferably longer if the device supports it

Page 21: Security in a Mobile Age

Device Policy #2: Lock the Device

  • Always enable auto-lock on mobile devices
  • Keep the lock period as short as possible

Page 22: Security in a Mobile Age

Device Policy #3: Enable Wiping

  • Wipe on more than five invalid PIN code entries
  • Remote wipe in the event of loss or theft
    ○ Easily implemented in Exchange, Keriomail and BES
  • Set up a lost device hotline
  • Wipe devices prior to disposal

Page 23: Security in a Mobile Age

Device Policy #4: Turn on Device Encryption

  • iOS 4.x, 5.x
    ○ All user data is automatically encrypted
  • Android
    ○ Information on removable media is not encrypted by default.
  • Windows Mobile 7
    ○ Encryption not supported
    ○ “It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device”.
  • Windows 8
    ○ Expected to be supported when it is released

Page 24: Security in a Mobile Age

Device Policy #5: Encrypt Data in Transit

  • Enable SSL encryption
  • Use digital certificates

Page 25: Security in a Mobile Age

Device Policy #6: Update Frequently

  • Keep the operating system and applications up to date
  • Enable auto update if available

Page 26: Security in a Mobile Age

Device Policy #7: Control Network Connections

  • Disable network services if not required
    ○ WiFi
    ○ Bluetooth
    ○ Infrared
  • Restrict WiFi connections to authorised networks

Page 27: Security in a Mobile Age

Device Policy #8: Install AntiVirus Software

  • Install AntiVirus software wherever practical
  • Controlled and scrutinised application release minimises the threat
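As an added example that is not part of the original presentation, the device policies from slides 20 to 27 expressed as one Exchange ActiveSync mailbox policy, using the Exchange 2010 cmdlet names of the deck's era (later Exchange versions rename the cmdlet to New-MobileDeviceMailboxPolicy). The policy name, the mailbox alias, the lost device's id and the 2-minute lock interval are assumed values.

```powershell
# Added example: Exchange 2010 ActiveSync mailbox policy enforcing the deck's
# device policies #1-#7. Name, mailbox, device id and interval are assumed.
$policyName = "Corporate-Mobile-Baseline"   # assumed policy name

$baseline = @{
    Name                           = $policyName
    DevicePasswordEnabled          = $true      # #1: PIN after power on / auto lock
    AllowSimpleDevicePassword      = $false     # reject 1234 / 1111 style PINs
    MinDevicePasswordLength        = 4          # #1: minimum of 4 digits
    MaxInactivityTimeDeviceLock    = "00:02:00" # #2: short auto-lock period (assumed 2 min)
    MaxDevicePasswordFailedAttempts = 5         # #3: wipe after five invalid PIN entries
    RequireDeviceEncryption        = $true      # #4: device encryption on
    RequireStorageCardEncryption   = $true      # #4: removable media too (Android default is off)
    AllowWiFi                      = $false     # #7: disable network services not required
    AllowBluetooth                 = "Disable"  # #7 (values: Disable, HandsfreeOnly, Allow)
    AllowIrDA                      = $false     # #7: infrared
    AllowCamera                    = $false     # slide 11: functions that conflict with business use
    AllowNonProvisionableDevices   = $false     # slide 8: no security profile, no access
}
New-ActiveSyncMailboxPolicy @baseline

# Assign the policy to a mailbox (assumed alias) and confirm the assignment.
$mailbox = "jane.doe"
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity $mailbox | Select-Object Name, ActiveSyncMailboxPolicy

# #3: remote wipe for a device reported to the lost device hotline.
# The DeviceId value comes from the user's report / sync history (assumed here).
$lostDeviceId = "APPL-ASSUMED-DEVICE-ID"
$device = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $lostDeviceId }
if ($device) {
    Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false
    # Wipe status shows under DeviceWipeSentTime / DeviceWipeAckTime on the next sync.
    Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
        Where-Object { $_.DeviceId -eq $lostDeviceId } |
        Select-Object DeviceType, LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime
}
```

Which of these settings a handset actually honours varies by platform, so AllowNonProvisionableDevices = $false only refuses devices that cannot apply the policy at all; partial enforcement still has to be verified per device type.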

Page 28: Security in a Mobile Age

Strategy Decisions: BYOD

  • Bring Your Own Device
  • Your data, their device, your risk
  • Firmly establish a data centric security strategy before even considering a BYOD strategy

Page 29: Security in a Mobile Age

Strategy Decisions: Application Publication Model

  • Securely publish applications to mobile devices from your data centre
  • Removes data at rest risk
  • Device agnostic approach
  • Requires good data centre bandwidth
  • Enabler for BYOD strategy

Page 30: Security in a Mobile Age

Going Full Circle?

Page 31: Security in a Mobile Age

Going Full Circle?

Page 32: Security in a Mobile Age

Conclusion

  • Mobile devices/tablets are a game changing technology
  • Successful (and secure) deployment requires an effective policy and an effective strategy

Page 33: Security in a Mobile Age

Tony Krzyzewski
Kaon Technologies Ltd

[email protected]

www.kaon.co.nz
www.kaonsecurity.co.nz