The intersection of cool mobility and corporate protection

Cool Mobility in business terms is mobile productivity. It enables a workforce to have instant access to information through mobile applications anywhere, anytime. People are fundamentally changing the way they work, and in order to remain competitive, organizations are making enterprise applications accessible through mobile devices. But what about the confidential data? How do we audit those mobile devices? This presentation will provide a streamlined approach to auditing endpoint security on mobile devices.

Published in: Technology, Business

  • Transcript

    • 1. The Intersection of Cool Mobility and Corporate Protection: Practical Steps for Assessing the Security of Mobile Devices
      James Tarala, Enclave Security
    • 2. Mobility is a Reality
      • Organizations want their toys…
      • These devices will not be going away anytime soon…
      The Intersection of Cool Mobility and Corporate Protection © Enclave Security 2011
    • 3. Business Legitimacy
      • Almost every industry has discovered ways of enhancing productivity with mobility:
        – Healthcare
        – Financial Services
        – Manufacturing
        – Retail
        – Government
        – Professional Services
        – And more…
    • 4. What are we protecting?
      • Potentially any / all of your organization’s data
      • More than simply contacts & calendars
      • Potentially we are protecting:
        – Financial records
        – Private health records
        – Credit card numbers
        – Anything in an email mailbox
        – And much, much more…
    • 5. What if we ignore the risk?
      • The primary risk to consider is the loss of data confidentiality
      • If a mobile device is lost or stolen, the information stored on the device is also at risk
      • However, other risks include:
        – Compromised authentication (SMS, soft tokens)
        – Manipulation of data sets
        – Impersonation of device owner
    • 6. Mobility Statistics
      • 81% of global executives say they are connected to work through mobile devices all of the time (Korn/Ferry International, August 2006)
      • Telecommunications managers believe 28% of their employees are using their mobile phone as their primary work phone (IDC, June 2006)
      • 85% of mobile users said it was important or very important for mobile apps to remember their favorites/preferences (Action Engine, September 2005)
    • 7. Mobility Statistics (cont)
      • 81% of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months (Ponemon 2010)
      • 64% of companies surveyed reported that they have never conducted an inventory of sensitive consumer information (Ponemon 2010)
      • 85% say handheld devices used in their organization should require security protection (Bluefire Wireless Security, April 2006)
    • 8. Evolution of Mobile Risk
      • There has been an evolution in mobile computing
      • The evolution has been from:
        – Phones & PDAs
        – Laptops
        – Smart Phones & Tablets
      • Although device capabilities have evolved, security controls have not necessarily kept up
    • 9. Typical Mobile Device Controls
      • Generally organizations secure laptops by implementing technical controls, such as:
        – Whole disk encryption
        – Anti-malware software
        – Application whitelisting software
        – Personal / host-based firewalls
        – Strong / two-factor authentication
        – Secure operating system configurations
    • 10. Whole Disk Encryption Scorecard
    • 11. Anti-Malware Scorecard
    • 12. Application Whitelisting Scorecard
    • 13. Host-Based Firewall Scorecard
    • 14. Authentication Scorecard
    • 15. Security Configuration Scorecard
    • 16. More than BlackBerrys
      • RIM BlackBerrys are the modern Lotus Notes
      • Phrases heard from clients:
        – “We went with BlackBerry because of their security.”
        – “BlackBerrys are protected by default by RIM and BlackBerry Enterprise Servers (BES).”
      • These principles apply to all mobile devices
    • 17. So what have we learned so far?
      • By default most mobile devices do not implement even basic security controls
      • Even when software is available it must be configured; it is not “out of the box”
      • Most mobile devices require not only configuration, but also owners to research & buy additional software to gain functionality
      • Centralized management is another issue altogether…
    • 18. Mobile Specific Threat Vectors
      In addition to traditional risk vectors, mobile devices deserve extra attention in the areas of:
        – Physical theft / loss
        – Wireless / Bluetooth hacking
        – Geo-location tracking
        – General privacy threats
        – General ownership threats
    • 19. Minimum Technical Controls
      • Already, the following controls for all mobile devices have been mentioned:
        – Whole disk encryption
        – Anti-malware software
        – Application whitelisting software
        – Personal / host-based firewalls
        – Strong / two-factor authentication
        – Secure operating system configurations
    • 20. Minimum Technical Controls (cont)
      • In addition, organizations should consider controls such as:
        – Functionality limitations (cameras, wireless, etc)
        – LoJack / phone home
        – Storage card encryption
        – Remote wiping
        – Remote locking
        – Logging / auditing
        – “Jailbreak detection”
    • 21. Governance Questions
      • In addition to technical controls, organizations must establish policy to determine:
        – Can organization data reside on personal devices?
        – Who is responsible for data residing on a device?
        – Will the organization purchase mobile devices for workforce members?
        – Regardless of ownership, can mobile devices be inspected by organization personnel?
        – Can data on devices be monitored by organizational personnel?
    • 22. Governance Questions (cont)
        – Who will support mobile devices?
        – Which workforce members will be offered support?
        – Will all or only certain types of devices be supported by the organization?
        – Will application support be included?
        – Who is responsible for installing / supporting security software applications on devices?
        – And on, and on, and on…
    • 23. Central Management
      • Laws are useful, but only when there are sufficient mechanisms to enforce those laws
      • If end users can disable controls, they will
      • Technical controls help organizations to enforce business decisions
      • Therefore centralized mobile device management must be considered
    • 24. Commercial Enterprise Tools
      • April 2011, Gartner releases a “Magic Quadrant” study for mobile device management software
      • Evaluates security & manageability
      • Names the following leaders:
        – AirWatch
        – Good Technology
        – MobileIron
        – Sybase
      http://www.sap.com/campaigns/2011_04_mobility/assets/GartnerReport_MDM_MQ_April2011.pdf
    • 25. Lessons Learned
      • Organizations want to use mobile devices (even infosec groups); do not just be a barrier
      • Educate business owners on specific risks and allow them to accept those risks or not
      • Define mandatory and optional security controls for these devices, and stick to them
      • But be willing to ban devices that do not meet corporate standards for mobility
    • 26. Further Questions
      • James Tarala
        – E-mail: james.tarala@enclavesecurity.com
        – Twitter: @isaudit, @jamestarala
        – Blog: http://www.enclavesecurity.com/blogs/
      • Resources for further study:
        – SANS Security 505: Securing Windows
        – Gartner Magic Quadrant for Mobile Device Management Software (April 2011)