Transcription

1

2 The IT Manager s Nightmare... Good morning, the board decided last night that we need to have ipads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, oh, and I decided I couldn t wait, so here is mine so that you can get me connected today

3 Disruptive Technologies 1980 s The Microcomputer 1980 s The Network 1990 s Personal s The Web 2000 s Smart Phones 2010 s Mobile Computing Devices

4 Mobile Computing Security Challenges What ever happened to the network perimeter? Is that one of our devices? Is that really one of our users? Where is our data? No, I said it s our data, not your data Yes, I know that it s a clever app Who s in charge of these!@(*#^)* things anyway?

5 Security Taxonomy Mobile Device Policy Mobile Device Security Encryption Security Management Internal Security Identity Management Perimeter Security Storage Security Physical Security

6 Best Practices for Policy Engage the business Understand their mobile computing requirements Survey your workforce Establish a corporate strategy based on requirement vs risk

7 Best Practices for Policy Establish levels of service Tier 1 Corporate owned devices PIM and business applications Tier 2 Corporate or user owned devices Lightly managed and supported (eg mail/calendar) Tier 3 User owned devices Web based access only Unsupported

8 Best Practices for Policy Reserve to right to manage ALL devices with access to corporate resources Includes connections to internal wireless LANs and connections to PC s. Require installation of your security profile on all devices as a condition of access.

9 Best Practices for Policy Isolate corporate data from private data Sandboxing Policy compliance Application publication (no data at rest)

10 Best Practices for Policy Enforce strong security controls Passwords Auto lock Remote wipe Certificates Encryption Enforced device policy

11 Best Practices for Policy Consider disabling device functions that conflict with business activities Camera App stores Cloud storage services YouTube Explicit content

12 Best Practices for Policy Enforce acceptable use policy Cover current and future devices everywhere access means wiping a device when the employee leaves the organisation... And that may include their own personal device if it has been used to access corporate systems.

13 Best Practices for Policy Determine how users with be provisioned with applications The use of app stores is fine with only a few users but can become unwieldy with many users Start with basic applications ( , collaboration, productivity) Layer on advanced applications

14 Best Practices for Policy Proactively monitor voice and data usage Implement ongoing recording of usage

15 Best Practices for Policy Require users to backup their own data If it s their information, they are responsible for it. Assert the right to wipe the device if it is lost or stolen Assert the right to wipe the device when the employee leaves

16 Best Practices for Policy Require users to understand and agree with policy Security policies don t belong in a book Publish policies for all users to read Review the policies annually See Mrs K afterwards if you don t know how to do this bit

17 Best Practices for Policy Address the ramifications of non compliance to policy Usage infractions Unauthorised application installation Inappropriate material Not reporting lost devices Excessive personal use

18 OK, So You ve Got Your New Toys, Now What? Learn to walk before you can fly! Implement a mobile device management system Establish a base device policy Enforce that policy

19 Device Policy #1 Enable Password Protection Require a PIN code after power on Require a PIN code after auto lock Minimum of 4 digits Preferably longer if the device supports it

20 Device Policy #2 Lock the Device Always enable autolock on mobile devices Keep the lock period to as short as possible

21 Device Policy #3 Enable Wiping Wipe on more than five invalid PIN code entries Remote wipe in the event of loss or theft Easily implemented in Exchange, Keriomail and BES Setup a lost device hotline Wipe devices prior to disposal

22 Device Policy #4 Turn on Device Encryption IOS4.x, 5.x All user data is automatically encrypted Android Information on removable media is not encrypted by default. Windows Mobile 7 Encryption not supported It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device. Windows 8 Expected to be supported when it is released

23 Device Policy #5 Encrypt Data in Transit Enable SSL encryption Use digital certificates

24 Device Policy #6 Update Frequently Keep the operating system and applications up to date Enable auto update if available

25 Device Policy #7 Control Network Connections Disable network services if not required Wifi Bluetooth Infrared Restrict WiFi Connections to authorised networks

26 Device Policy #8 Install AntiVirus Software Install AntiVirus software wherever practical Controlled and scrutinised application release minimises the threat

27 Strategy Decisions: BYOD Bring Your Own Device Your data, their device, your risk Firmly establish a data centric security strategy before even considering a BYOD strategy

28 Strategy Decisions: Application Publication Model Securely publish applications to mobile devices from your data centre Removes data at rest risk Device agnostic approach Requires good data centre bandwidth Enabler for BYOD strategy

29 Going Full Circle?

30 Going Full Circle?

31 Conclusion Mobile devices/tablets are a game changing technology Successful (and secure) deployment requires an effective policy and an effective strategy

32 Tony Krzyzewski Kaon Technologies Ltd