Mobile Device Security
Presented by Terry Daus, CISSP
To the ISSA Las Vegas Chapter, April 13, 2011
Transcript (32 slides)

Slide 1
Mobile Device Security. Presented by Terry Daus, CISSP, to the ISSA Las Vegas Chapter, April 13, 2011.
Slide 2
Definition
People
Technology
Policy

Slide 3
A cellular telephone with built-in applications and Internet access. Smartphones provide digital voice service as well as text messaging, e-mail, Web browsing, still and video cameras, MP3 player, video viewing and often video calling. In addition to their built-in functions, smartphones can run myriad applications, turning the once single-minded cellphone into a mobile computer.
Source: PC Magazine Encyclopedia

Slide 4
What do employees want?
Only carry one device
Anywhere access
Any device supported
Transparent security

Slide 5

Slide 6
What does management want?
Lower cost
Low support overhead
Increased productivity
Any device supported
Transparent security

Slide 7
Is the business willing to securely support a mix of personal/business data and smartphones/tablets?
Remote access: to how much?
Authority over data?
Is the value worth the cost?

Slide 8
Source: Symantec

Slide 9
What are your organization's compliance requirements?
Which rewards does management want to balance against risk and cost?
Compliance
Strategic mobility
Employee productivity/creativity/retention

Slide 10
Is confidential data allowed on mobile devices?
Are personally-owned mobile devices allowed access?
Who has authority/responsibility for:
    who gets company-issued smartphones
    who gets access from smartphones, and to what
    purchasing smartphones
    provisioning smartphones
    securing/monitoring smartphones
Support of organization-owned (O) devices? Of personally-owned (P) devices?

Slide 11
What are O mobile devices allowed access to? Is it different for P?
Will you list specific devices supported, or just OS versions?
Who is going to test all the new devices? How often?
What about application maintenance?
Do you wipe a P phone at termination? How?
Crawl/Walk/Run, or flash cut?
Slide 12
Review others' policies for ideas
Review your laptop policy
Involve stakeholders in requirements and design
Communicate early and often
Stakeholders:
    IT (they have to make the tech work)
    Finance (our buddies with the budget)
    Users (they hate change too; be nice)

Slide 13

Slide 14
Pure monolithic: typically BES; organization (O) owned only
Mixed monolithic: O or personally (P) owned
Mail system with supported security: O or O/P; limited to native OSs
3rd-party management software (in-house, hosted, managed): multiple device types

Slide 15

Slide 16
From most to least complete options:
BlackBerry
Windows Mobile (6.1 and 6.5 only)
iPhone
Android
Windows Mobile 7
Symbian?
Nokia?

Slide 17
Passwords, not PINs
Remote wipe
Secure e-mail/calendar sync
Device and storage card encryption

Slide 18
Disable capabilities (removable storage, camera, Bluetooth, IR, etc.)
Two-factor authentication
Failed-attempts lock/wipe

Slide 19
Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-client-comparison-table.aspx#cite_note-3

Slide 20

Slide 21
Android 2.2 supports all the basic security requirements except encryption
Android 3.0 (Honeycomb) provides encryption, but is currently only on tablets and one phone
Carriers modify Android, sometimes badly
NitroDesk TouchDown (Android Market or direct, $20) adds device and storage card encryption (3DES) to 2.2

Slide 22
Mobile Device Management (MDM)
Not just security: can also have operations management and deployment capabilities
Asset management
Application whitelist
Deploy in-house apps
Deploy patches/upgrades

Slide 23
Which one fits your organization better?
In-house
In-house with external communications center
Hosted
Managed service

Slide 24
Good Technology
Encrypts Android 2.1 and above, and iPhone 3G and above
Separation of data and apps from the OS in an encrypted sandbox
Can control transfer of data to the personal side (contacts, typically)
On-site servers transmit through Good's telecom data centers; no ActiveSync

Slide 25
MobileIron
Suite of applications for security, asset management, and expense
Self-service portal for apps, communications search/history, and usage
Encrypts iPhones and Androids (with integrated TouchDown); integrates with BES

Slide 26
AirWatch
Can be purchased as a cloud service, appliance, or software
Encrypts iPhones but not Android 2.x

Slide 27
Verizon Managed Mobility Service
750 employee accounts minimum
Based on Sybase solutions
Services include inventory and expense management, provisioning and logistics, and Sybase (policies, security, app store)
Note: Sybase did not support iOS 4 or Android until October 2010

Slide 28

Slide 29
Employee and management requirements often conflict
Consumer-grade products = security an afterthought or non-existent
Proprietary OS = complexity, inequality, lack of standards
Immature market = rapid change

Slide 30
Perform constant market research
Provide non-technical executive management enough information to make informed risk decision(s) regarding mobile devices
Immature market = limited choices, constant change
Set realistic expectations: no Holy Grail
Communicate risks in business terms
Crawl/Walk/Run

Slide 31
Hi, my name's Terry and I'm a CISO

Slide 32
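Editor's added example, not part of the presentation: the "mail system with supported security" model of Slide 14 and the controls listed on Slides 17 and 18 (passwords not PINs, remote wipe, device and storage card encryption, disabling removable storage/camera/Bluetooth/IR, failed-attempt wipe) are what an Exchange ActiveSync mailbox policy enforces, which is why the Slide 19 client comparison table matters. The block below shows a weak policy beside a hardened one in the Exchange 2010 Exchange Management Shell, assigns it to a pilot mailbox, and performs a remote wipe. The policy names, the mailbox "jdoe", the notification address and the device ID are assumptions for illustration; the cmdlet and parameter names are the real Exchange 2010 ones.

```powershell
# Added example (not from the slides): Exchange 2010 ActiveSync mailbox policies from the
# Exchange Management Shell. Exchange 2013 and later renamed these cmdlets to
# New-/Set-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics and Clear-MobileDevice.
# Policy names, mailbox "jdoe", security@example.com and the device ID are assumptions.

# Weak setting: no lock, no encryption, and any client may sync, including clients that
# do not implement policy provisioning at all (so nothing above is ever enforced).
New-ActiveSyncMailboxPolicy -Name "Weak-AnythingSyncs" `
    -DevicePasswordEnabled $false `
    -RequireDeviceEncryption $false `
    -AllowNonProvisionableDevices $true

# Corrected setting. Splatting keeps one control per line so each maps to a slide bullet.
$hardened = @{
    Name                               = "Corp-Smartphone"
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true           # Slide 17: passwords, not PINs
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2               # at least two character classes
    AllowSimpleDevicePassword          = $false          # no 1234 / 1111 style values
    MaxInactivityTimeDeviceLock        = "00:15:00"      # auto-lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 10              # Slide 18: failed attempts -> local wipe
    DevicePasswordExpiration           = "90.00:00:00"   # rotate every 90 days
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true           # Slide 17: device encryption
    RequireStorageCardEncryption       = $true           # Slide 17: storage card encryption
    AllowStorageCard                   = $false          # Slide 18: removable storage off
    AllowCamera                        = $false          # Slide 18: camera off
    AllowBluetooth                     = "HandsfreeOnly" # Slide 18: Bluetooth restricted
    AllowIrDA                          = $false          # Slide 18: IR off
    AllowNonProvisionableDevices       = $false          # refuse clients that cannot take policy
}
New-ActiveSyncMailboxPolicy @hardened

# Apply the hardened policy to one pilot mailbox first (Crawl before Walk/Run).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Corp-Smartphone"

# Inventory what actually connected: OS, type, whether the client acknowledged the policy,
# and whether it claims to support remote wipe.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceOS, DeviceUserAgent, Status,
                  LastPolicyUpdateTime, LastSuccessSync, IsRemoteWipeSupported

# Slide 17: remote wipe. Target one known device ID (assumed value) rather than every
# partnership on the mailbox, and only if the client reports wipe support.
$targetDeviceId = "ANDROIDC123456789"
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq $targetDeviceId -and $_.IsRemoteWipeSupported } |
    ForEach-Object {
        Clear-ActiveSyncDevice -Identity $_.Identity `
            -NotificationEmailAddresses "security@example.com" -Confirm:$false
    }
```

Two caveats a practitioner should keep in mind. First, compliance with an ActiveSync policy is self-reported by the client: the server only learns what the device says it applied, so the Slide 19 comparison table, not the policy, tells you which devices really honor each setting. With AllowNonProvisionableDevices set to false, a client that cannot satisfy a mandatory setting is refused; on Android 2.2 the native client cannot meet RequireDeviceEncryption, which is exactly the gap Slide 21 notes TouchDown fills. Second, an ActiveSync remote wipe is a full-device wipe, which is the Slide 11 dilemma for a personally-owned phone at termination; wiping only the corporate data is what the encrypted sandbox of products like Good (Slide 24) provides.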