Securing Mobile Devices

  • Introduce self
    • Work for the Enterprise Security Office
    • Background in technical security (hosting, firewalls)
    • Do InfoSec analysis and consultation
    • Advise on technical aspects of policies
    • Note about questions: feel free to ask questions at any time!
  • What the Enterprise Security Office does:
    • State enterprise information security
    • Attempt to address issues at an overall, big-picture level
    • Enterprise policies – things that apply to everyone; generally not very specific, must cover the biggest and smallest agencies
    • Work, coordinate and consult with agencies; we also have some insight into what various agencies are doing, and I’ll present examples from agencies
    • We don’t do operations: no software or hardware deployment, no products
    • This presentation is based on research, is policy-based, and reflects agency experience
  • We’re going to:
    • Review the issues (you already know these – we’re setting the stage)
    • Discuss two issues: portable storage and the mobile workforce
    • Outline a step-by-step strategy for working toward solutions to these problems
    • Discuss coming trends in mobile devices and computing
  • Issue #1 – Portable Storage
    • Readily available: gigabytes, everybody has them
    • Easy to use, easy to carry and share data; unfortunately, very easy to lose
    • The portable storage issue is primarily about data loss prevention: data wandering around getting lost or stolen
    • Secondary issue: bypassing security controls, e.g. anti-virus controls (email and web filtering at the gateway) – pop in a portable drive, Conficker
    • Evasion of security controls – example: access controls make sharing difficult, so users work around them
  • The number one issue we’re going to discuss today
    • Culture change: pervasive devices – computing everywhere, everybody owns them, access from anywhere; erosion of work/home segregation; “young people” expect this
    • Can’t ignore it: competition for a skilled workforce, employee retention – retaining employees is cheaper than training new ones
    • Benefits: quicker response, greater flexibility, greater productivity
    • Technical challenges: change from a perimeter protecting assets (computing in the office, protected) to data and devices wandering around everywhere, outside the perimeter; the firewall is now blocking access to employees
    • Culture change: personal devices – everybody has their own computer(s) they want to use; erosion of work/home barriers
  • Everything is “smart” – phones, eReaders, TVs; soon you’ll want to read work messages from the refrigerator display
    • Mostly consumer-grade: security is not a consideration with many of these devices
    • Hostile environments: what do I mean by this? Remember the protected perimeter model of the old days? No firewall, no secure network
    • Number one risk: easy loss, easy theft
  • Now that we’ve discussed the issues, let’s talk about how to solve them. These are the four (plus one) steps.
  • We’re presenting an ivory-tower recipe for success, but:
    • Nobody can implement this all at once: too much change, costs too much
    • More mature agencies have plans that they follow
    • No agency I’ve talked to has everything in place that they want; all have wish-lists
  • Business comes first! If you don’t allow the business, you’ll be trampled or bypassed
    • Definition of goals gives targets for success, establishes priorities, and shapes the following stages
    • Data classification saves you money and shapes the next steps. Data classification: what type of data will be used by mobile devices?
    • BTW, the Statewide Information Asset Classification Policy establishes four levels of classification:
      • Level 1 Published – publicly available
      • Level 2 Limited – not published, but not protected from public disclosure
      • Level 3 Restricted – sensitive information, maybe exempt from public disclosure
      • Level 4 Critical – extremely sensitive, potential for major damage, injury or death
    • We use these data classification levels in the Enterprise Information Security Standards to regulate how information must be protected, e.g. on mobile devices
  • Policy decision points – these are decisions that need to be made when forming policy. They will be shaped by the business goals defined on the previous slide; we will talk about most of these in more detail in successive slides.
    • Strict or lenient? Will the business adopt a strict stance, or a lenient one?
    • Data classification – the data types stored on mobile devices (partially) determine strict vs. lenient (also business goals: encourage vs. discourage mobile use)
    • The policy decisions will be set in accordance with strict vs. lenient; each of the subsequent policy decisions is based on this
    • State scenario: enterprise policy sets some of the tone for this, but the agency makes this business decision within that context, e.g. the Statewide Information Security Standards set baseline controls that regulate some of this
  • This is a key decision: what devices will be allowed to be used?
    • Company-owned
      • Increased control: configuration control, policy enforcement (acceptable use), security controls easier to implement
      • Responsibility belongs mostly to the company: responsible for maintenance, configuration, security, etc. However, since the number one threat to mobile devices is loss or theft, having the employee have some skin in the game is good
      • Separation of church and state – what is acceptable personal use of the device? Can say business-only
    • Personal devices
      • Flexibility – one device for home and work, integration of life and work, device choice
      • Employee satisfaction – employees may wish to use their own device
      • Cost? – allow employees to buy their own equipment, so you don’t have to buy it. Hidden costs: loss of control, reduction of security, legal liability
    • The Statewide Information Security Standards do not allow Level 3 and Level 4 information on _personally-owned_ mobile devices, vs. state-owned (with controls)
  • This policy decision is closely related to the personal device vs. corporate device decision
    • Corporate management gives the greatest control (stricter); personal management avoids (upfront) costs and is more lenient
    • What devices will be supported? Huge variation in cost and ability to control. Supported models only: stricter but more secure. All/any model: more lenient but less secure, more costly
    • Standard configuration? Or allow customization? (strict vs. lenient)
    • How will the organization find out about changes in status (lost, stolen, sold)? This should be defined in policy. Also – what needs to be done before a (personally-owned) device can be sold? Data loss prevention
    • Just like centrally-managed access control, how will mobile devices be managed upon termination?
    • Most agencies have limited supported models and attempt to standardize configuration
  • Remember data classification? This is where that comes into play: no sensitive data, less security concern.
    • Security – set in policy? vs. incorporated in the technical implementation, depending upon the decisions made above. E.g., if corporate manages configuration, they can just implement this rather than setting it in policy; with personal ownership, some of this may need to be policy-based.
    • Data at rest: encryption vs. remote wipe (vs. device recovery). Encryption is generally better; remote wipe if encryption is not available; device recovery can be successful but doesn’t protect data. Device cost isn’t a factor.
    • Data in transit: encryption – and how?
    • Access to device: device firewall – remember, we’re the perimeter now! Access control – aka password. Failed login attempts – what to do? (see remote wipe)
    • Access to enterprise assets: network – wireless; local only? – sync with desktop; VPN; client verification – aka NAC
    • Remote data – desktop virtualization; a growing trend – don’t store data on the mobile device
  • Device loss and theft is the number one hazard – one way to mitigate this is to raise employee awareness, e.g. responsibility for device replacement.
    • Education: raise awareness, helps reduce risk
    • Data classification (again) – avoid data exposure; relies upon employee understanding
    • Education underscores importance (they really do care about this)
    • State scenario: not practical to make the employee responsible
  • Technical implementation supports policy and security – they work together. Policy without controls is… (nearly) meaningless, like a “Please don’t steal” sign.
    • Integrate solutions with architecture. Remember “step by step”? This is one way to save $$$ and make progress: don’t reinvent the wheel. E.g. remote access – use the existing VPN solution or SSL VPN; how do people currently do remote access? Can an existing anti-virus product control USB devices?
    • Existing policies: mobile devices should implement the same security controls as local users enjoy. Web browsing acceptable use: do you allow porn site browsing on the employee workstation? If not, you shouldn’t allow it on mobile devices. Ditto anti-virus.
  • Education – mentioning it again. Upfront education costs less than employee discipline.
    • Tradeoff with strength of technical controls – weak technical controls, more auditing
    • Technical audits – logging. May be a tradeoff between strictness vs. leniency. Use as an education point? Agency example: end-point client verification seen as too strict; client non-compliance logged, education rendered unto user
    • Lessons learned, e.g. a laptop stolen with (or without) personally-identifiable information. After the fact, but better than nothing; if we can’t learn from our mistakes, what good is that?
    • Some agencies audit use (but some don’t) – manual, automated. Some agencies are disciplining for misuse.
  • Now we’ve gone through the steps, let’s have another word of encouragement
    • No agency I’ve talked to has everything in place that they want; better ones have plans for what they want; all have wish-lists
    • It all costs money
    • Use risk analysis to determine the greatest risks, and tackle those first
    • Use data classification to identify the assets needing the most protection (avoid the problem?)
  • Discuss trends predicted in research:
    • Increasingly mobile: not just mobile users, more mobile tools – iPhone and competitors, Kindle, Xbox. Culture change will strengthen
    • Better tools: remote access – as discussed, many organizations are solving the problem by keeping data in-house. Security tools for mobile devices: a growing market. Also – creeping into consumer-grade devices?
    • Keep predicting more viruses/worms for mobile devices – someday. As the market goes there, thieves will follow
    • Will things get better? As people get used to mobile devices, security may creep into the culture…? Look at PC security – who doesn’t know you need to protect your PC? The jury is out
  • These are materials that the Enterprise Security Office has prepared that relate to this topic:
    • Policies: all our policies, including Information Asset Classification, Controlling Portable and Removable Storage Devices, and Acceptable Use Policies
    • Plan and Standards: specific standards that apply to mobile devices and data classification
  • The next few pages of external product references are extracted from the Burton Group’s “Securing Mobile- and Home-Worker Access” paper by Phil Schacter and Eric Maiwald, August 10, 2009. They are provided FYI only, with no recommendation or knowledge of these products. Use at your own risk.
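The security decision points in the notes above (data at rest: encryption preferred, remote wipe as a fallback; device password and failed-login handling; enterprise access only through a VPN/NAC-checked path; no Level 3 or Level 4 data on personally-owned devices) and the later note on automated technical audits with non-compliance logged as an education point can be combined into a small inventory audit. The following is an added example written for this transcript, not code from the presentation, the Oregon Enterprise Security Office or the Burton Group; the inventory record fields, the failed-login threshold, the minimum passcode length and the sample records are all assumptions made for the example.

```python
"""Automated policy audit of a mobile-device inventory.

Added illustration, not the State of Oregon's tooling. It turns the 'Security'
decision points from the notes and the Statewide standard the notes cite
(no Level 3/4 information on personally-owned devices) into checks, then runs
them over a constructed inventory. Field names, thresholds and the sample
records are assumptions, not values from the presentation.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Statewide Information Asset Classification levels, as described in the notes
LEVEL_PUBLISHED, LEVEL_LIMITED, LEVEL_RESTRICTED, LEVEL_CRITICAL = 1, 2, 3, 4

# Assumed policy parameters (the presentation states no numbers for these)
MAX_FAILED_LOGINS = 10      # beyond this, policy expects a remote wipe
MIN_PASSCODE_LENGTH = 6     # 0 means no device passcode at all


@dataclass
class Device:
    """One inventory record; the field names are assumed for this example."""
    device_id: str
    owner: str                # "state" or "personal"
    highest_data_level: int   # highest classification level stored on it
    encrypted: bool           # data-at-rest encryption enabled
    remote_wipe: bool         # enrolled for remote wipe
    passcode_length: int      # length of the device unlock passcode
    failed_logins: int        # consecutive failed unlock attempts reported
    wiped: bool = False       # whether a remote wipe was actually issued
    vpn_only: bool = True     # enterprise access only through the VPN/NAC path


def audit_device(d: Device) -> list[str]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    sensitive = d.highest_data_level >= LEVEL_RESTRICTED

    # Device ownership: Level 3/4 information may not live on personal devices
    if d.owner == "personal" and sensitive:
        findings.append("level-3/4 data on personally-owned device")

    # Data at rest: encryption preferred, remote wipe acceptable as a fallback;
    # device recovery alone does not protect data, so it earns no credit here
    if sensitive and not d.encrypted:
        if d.remote_wipe:
            findings.append("sensitive data protected by remote wipe only; encryption preferred")
        else:
            findings.append("sensitive data with neither encryption nor remote wipe")

    # Access to device: a passcode is required (minimum length is an assumption)
    if d.passcode_length == 0:
        findings.append("no device passcode")
    elif d.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("device passcode shorter than minimum")

    # Failed login attempts: past the threshold the device should have been wiped
    if d.failed_logins > MAX_FAILED_LOGINS and not d.wiped:
        findings.append("failed-login threshold exceeded without remote wipe")

    # Access to enterprise assets: the mobile device is the perimeter now
    if not d.vpn_only:
        findings.append("enterprise access outside the VPN/NAC-checked path")

    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id -> findings for every non-compliant device."""
    report: dict[str, list[str]] = {}
    for d in devices:
        findings = audit_device(d)
        if findings:
            report[d.device_id] = findings
    return report


def finding_counts(report: dict[str, list[str]]) -> Counter:
    """Tally findings across the inventory; the most common one is the
    natural topic for the next round of user education."""
    return Counter(f for findings in report.values() for f in findings)


# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = [
    Device("state-001", "state", LEVEL_RESTRICTED, True, True, 8, 2),
    Device("state-002", "state", LEVEL_CRITICAL, False, True, 8, 12),
    Device("byod-101", "personal", LEVEL_LIMITED, False, False, 4, 0),
    Device("byod-102", "personal", LEVEL_RESTRICTED, False, False, 0, 0, vpn_only=False),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for device_id, findings in report.items():
        print(device_id)
        for f in findings:
            print("  -", f)
    print("most common finding:", finding_counts(report).most_common(1)[0][0])
```

Run as-is, the script reports three of the four constructed devices as non-compliant; state-001 (state-owned, encrypted, passcode set, VPN-only) passes every check. The ownership rule and the data-at-rest rule both key off the classification level, which is why the notes put data classification first: a device holding only Level 1 or 2 data produces far fewer findings under the same policy.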

Presentation Transcript

  • Security Strategies for Mobile Devices
      • State of Oregon
      • Enterprise Security Office
      • Jan. 14th, 2010
  • Welcome
    • John Ritchie, CISSP
      • State of Oregon Enterprise Security Office
      • Information Security Analysis and Consultation
  • Introduction
    • Enterprise Security Office (ESO)
      • State Enterprise Perspective
        • Multi-Agency, Cross-Agency
      • Enterprise Policy and Oversight
      • Not Operations
  • Agenda
    • Overview of Issues
    • Strategies For Developing Solutions
    • Future Trends
  • Issue: Portable Storage
    • Storage, Storage and more Storage
      • Easy Data Sharing
      • Small, Smaller, Smallest, Lost
    • Data Loss Prevention
    • Bypass Security Controls
  • Issue: Mobile Workforce
    • Culture Change
      • Can’t Be Ignored
      • Huge Benefits
    • Technical Challenges
      • Porous Perimeter
        • Firewalls?
      • Personal Devices
  • Issue: Mobile Workforce
    • Everything Connects
    • Hostile Environments
  • Strategies For Coping
    • Step By Step
    • Define Business Needs
    • Develop Policy
    • Technical Implementation
    • Audit Device Use and Compliance
    • Step By Step (Refrain)
  • Strategy: Step By Step
    • Start Somewhere
    • Develop A Plan
    • Something Is Better Than Nothing
    • It All Costs Money
  • Strategy: Business Needs
    • Define Benefits
      • What Are Your Goals?
    • Data Classification – Task #1
      • Where’s Your Sensitive Data?
      • What Will Your Employees Store On Mobile Devices?
  • Strategy: Policy
    • Decision Points
      • Strict Or Lenient?
      • Device Ownership Decision
      • Device Management Decisions
      • Security
  • Policy
    • Device Ownership
      • Company-owned (stricter)
        • Control and Security
        • Responsibility (mostly) company’s
        • Separation of Church and State
      • Personal Devices (more lenient)
        • Flexibility
        • Employee Satisfaction
        • Cost?
  • Policy
    • Device Management
      • Corporate vs. Personal Management
      • Supported Models vs. All Models
      • Standard Configuration
      • Lost/Stolen/Sold Devices
      • Employee Termination
  • Policy
    • Security
      • Data At Rest
      • Data In Transit
      • Access To Device
      • Access to Enterprise Assets
    Comic by XKCD.com
  • Policy
    • Responsibility
      • Should Employee Share Responsibility?
    • Policy Education
      • Critical Component
  • Strategy: Technical Controls
    • Intersect With Policy And Security
    • Policy Without Controls Is…
    • Integrate Solutions With Architecture
    • Don’t Forget About Existing Policies
      • Acceptable Use
  • Strategy: Audit Device Use
    • Education
    • Visual Audits
      • Manager drive-by
    • Technical Audits
      • Logging
    • “Lessons Learned” Audits
      • After-the-fact
  • Strategy: Step By Step (Refrain)
    • Start Somewhere
    • Develop A Plan
    • Something Is Better Than Nothing
    • It All Costs Money
  • Trends For the Future
    • Increasingly Mobile Workforce
    • Better Tools
      • Current: Remote Access, Minimize Local Storage
      • Developing Market for Tools
    • Increasing Risk
      • Targets For Attack
    • Increasing Awareness?
      • History of PC Security Awareness
  • State Reference Material
    • Policies http://www.oregon.gov/DAS/EISPD/ESO/Policies.shtml
    • Statewide Information Security Plan and Standards http://www.oregon.gov/DAS/EISPD/ESO/SW_Plan_Standards.shtml
  • Questions?
    • John Ritchie
    • (503) 378-3910
    • [email_address]
  • Drive Encryption Tools
    • Pointsec: http://www.checkpoint.com/products/datasecurity/pc/index.html
    • CREDANT: http://www.credant.com/products.html
    • GuardianEdge: http://www.guardianedge.com/products/guardianedge-hard-disk-encryption.php
    • PGP: http://www.pgp.com/products/wholediskencryption/index.html
    • McAfee Endpoint Encryption: http://www.mcafee.com/us/enterprise/products/data_protection/data_encryption/endpoint_encryption.html
    • Microsoft BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx
  • Drive Encryption Tools
    • Mobile Armor: http://www.mobilearmor.com/dataarmor.php
    • SafeNet: http://www.safenet-inc.com/products/data_protection/disk_and_file_encryption/protectdrive.aspx
    • SecurStar: http://www.securstar.com/products.php
    • Utimaco Software: http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/device-encryption/
    • WinMagic: http://www.winmagic.com/products
  • Remote Device Wipe
    • BlackBerry Enterprise Server
    • Microsoft’s System Center Mobile Device Manager
    • Apple’s iPhone 3.0 (with MobileMe)
  • Lost Device Tracking
    • Adeona Project (Open Source): http://adeona.cs.washington.edu/
    • Absolute Software: http://www.absolute.com/
    • zTrace Technologies: http://www.ztrace.com/
  • Presentation, Desktop Virtualization
    • Citrix XenDesktop: http://www.citrix.com/english/ps2/products/product.asp?contentID=163057
    • Citrix XenApp: http://www.citrix.com/english/ps2/products/product.asp?contentid=186
    • VMware View: http://www.vmware.com/products/view/
    • Microsoft’s Remote Desktop Services: http://www.microsoft.com/windowsserver2008/en/us/presentation-terminal.aspx?pf=true