Andrew Jaquith SOURCE Boston 2011

What The Post-PC Era Means for Enterprise Security
Presentation Transcript

Slide 1: What The Post-PC Era Means for Enterprise Security
Andrew Jaquith, Chief Technology Officer
April 20, 2011

Slide 2: Welcome from the CTO
• Former senior analyst, Forrester Research and Yankee Group
• Co-founder of pioneering security consultancy @stake
• Widely cited in CSO, Information Week, Forbes, and BusinessWeek. Research includes:
  ◦ Apple’s iPhone and iPad: Secure Enough for Business? (Aug 2010)
  ◦ The Forrester Wave: Data Leak Prevention
• Author of best-selling security book, “Security Metrics: Replacing Fear, Uncertainty and Doubt”
• Founder, securitymetrics.org

Slide 3: Agenda
• Introduction
• Three mobile trends
• Four things you don’t need
• Five things you must do
• Q&A

Slide 4: Agenda (repeated)

Slide 5: Mission and vision
• Give all customers the same level of security as a Fortune 500 firm, by providing solutions that allow them to easily assess, monitor and reduce their messaging, security and compliance risks.
• We achieve this by:
  ◦ Using our private cloud to manage the critical resources we protect — including email, logs and archived data.
  ◦ Leveraging the best security technology and the best people, on behalf of our customers.
  ◦ Leveraging our scale, visibility and analytical insights to bring enhanced security solutions to customers.

Slide 6: Key facts about Perimeter E-Security
• 6,000 customers (1,800 in financial services)
• $525 billion in assets protected
• 5,700 managed CPE devices
• 1 million secure messaging users
• 50m e-mails filtered per day
• 200 terabytes of managed archives
• 240m managed security events daily
• 300 employees
(Photo: Perimeter Security Operations Center)

Slide 7: Perimeter E-Security SaaS platform
(Diagram. Service lines: SaaS Secure Messaging; SaaS Managed Security Services; SaaS Vulnerability Management; 24x7 Global Customer Support; Global Management Platform; Consulting Services: Migration, Assessment, Penetration testing.)

Slide 8: Agenda (repeated)

Slide 9: Trend 1: Post-PC devices are taking over
(Chart of forecast unit shipments, 2010 through 2015. Labels as extracted: Post-PC tablets and smartphones: 540 million, 1.4 billion, 72%; PCs: 314 million, 351 million.)
Source: Gartner, Inc., “IT Spending Forecast, 1Q11 Update,” forecast unit shipments.

Slide 10: Trend 2: Consumer brands crowding out IT favorites
(Chart of forecast unit shipments, 2010 through 2015. Labels as extracted: Consumer brands (Apple, Google, Symbian): 414 million, 985 million, 70%, 77%; IT favorites (RIM, HP, Microsoft): 71 million, 243 million.)
Source: Gartner, Inc., “IT Spending Forecast, 1Q11 Update,” forecast unit shipments.

Slide 11: Trend 3: Mobile’s differences from PCs becoming clearer
  Attribute          | PCs       | Post-PCs
  OS design          | Wide open | Closed
  OS capabilities    | Anything  | Some things
  App sources        | Anywhere  | RIM, Apple: one source; Android: any source
  Sandboxing         | Browser   | All apps
  Device integrity   | None      | Trusted boot
  Security decisions | You       | RIM, Apple: vendor; Android: you

Slide 12: Trend 3: Mobile’s differences from PCs becoming clearer (continued)
  Attribute                   | PCs              | Post-PCs
  OS design                   | Wide open        | Closed
  OS capabilities             | Anything         | Some things
  App sources                 | Anywhere         | RIM, Apple: one source; Android: any source
  Sandboxing                  | Browser          | All apps
  Device integrity            | None             | Trusted boot
  Security decisions          | You              | RIM, Apple: vendor; Android: you
  Likelihood of compromise    | High             | Low
  Likelihood of loss or theft | Medium           | High
  Biggest risks               | Malware, privacy | Loss of device, privacy

Slide 13: Privacy, not malware, will be the dominant security issue*
*Unless we’re talking about Android

Slide 14: Agenda (repeated)

Slide 15: Four things you don’t need
1. Mobile anti-virus… except maybe for Android
  ◦ Post-PC OSes (Apple, RIM, Microsoft, Google*) are locked down
  ◦ Apps are digitally signed, and run in a sandbox that limits what they can do — making malicious compromise unlikely
  ◦ Quality of Android stores is concerning
2. Mobile data leak prevention
  ◦ Host DLP scans local drives and email for sensitive content (SSNs, credit card numbers, etc.)
  ◦ DLP isn’t mainstream yet, but many enterprises want it
  ◦ For mobile: best to limit DLP to e-mail scanning on the server

Slide 16: Four things you don’t need (continued)
3. The same brand of device everywhere
  ◦ Modern Post-PC OSes support the key capabilities most companies need
  ◦ Focus on capabilities, not brands
4. The same old password policy
  ◦ Skip expiration… it annoys users without increasing security
  ◦ Automatic lock/wipe provides the essential margin of safety

Slide 17: Agenda (repeated)

Slide 18: 1. Configure devices to protect your data
• Secure connections
  ◦ Enforce SSL for mail and calendar sessions: ActiveSync, IMAP, SMTP
  ◦ VPN and in-the-cloud web proxy for content filtering
• Remote-wipe lost or stolen devices
  ◦ RIM, Apple devices and most ActiveSync devices can do this
• Device-specific policies
  ◦ Require hardware or content encryption (Apple or RIM devices)
  ◦ Consider disallowing camera, App Store purchases
Email is your chokepoint for enforcing data protection policies (BES, ActiveSync)

Slide 19: 2. Pick a sensible mobile security policy
• Balance security and usability with this policy:
  ◦ 8-digit numeric PIN (or 6 alphanumeric characters)
  ◦ Simple PINs disallowed
  ◦ Automatic lock after 15 minutes
  ◦ Grace period of 2 minutes
  ◦ Automatic wipe/permanent lock after eight wrong tries
  ◦ No expiration. Remember, it’s not your network password
This policy aligns with NIST 800-63 Level 1 guidance (1:1,024 guessing entropy). See my paper “Picking a Sensible Mobile Password Policy” for more details, and the math.
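The slide quotes the NIST 800-63 Level 1 figure without showing the arithmetic. The following Python script is an added example, not part of the deck or the paper it cites: it computes the odds an attacker holding a lost device has of guessing the passcode before the automatic wipe fires, compares them to the 1-in-1,024 Level 1 target, and applies a "simple PIN" filter of its own (repeated digits, +1/-1 runs, repeated blocks), which is an assumption standing in for whatever the device vendor rejects. Keyspaces, the 36-symbol alphanumeric alphabet and the weak comparison policies are this example's choices.

```python
from fractions import Fraction

# NIST SP 800-63 v1.0.2 Level 1 target cited on the slide: over the life of
# the credential, an attacker's guesses may succeed with probability at most
# 1 in 1,024.
LEVEL1_MAX_GUESS_PROBABILITY = Fraction(1, 1024)

# Keyspaces for the two passcode shapes the slide allows. The alphanumeric
# figure treats letters case-insensitively (36 symbols), a conservative choice.
KEYSPACE_8_DIGIT = 10 ** 8
KEYSPACE_6_ALNUM = 36 ** 6


def is_simple_pin(pin: str) -> bool:
    """Reject the PINs the slide's 'Simple PINs disallowed' rule should catch.

    The heuristics are this example's own, not the slide's definition:
    a single repeated digit, a run that steps +1 or -1 throughout
    (12345678, 98765432, 78901234) and a short block repeated to full
    length (12121212, 12341234).
    """
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps <= {1} or steps <= {9}:      # every step is +1, or every step is -1
        return True
    for block in range(1, len(pin) // 2 + 1):
        if len(pin) % block == 0 and pin[:block] * (len(pin) // block) == pin:
            return True
    return False


def attacker_success_probability(keyspace: int, guesses_before_wipe: int) -> Fraction:
    """Chance that someone holding a lost device guesses the passcode before
    the automatic wipe fires, with passcodes uniform over the keyspace."""
    return Fraction(min(guesses_before_wipe, keyspace), keyspace)


def evaluate_policy(keyspace: int, guesses_before_wipe: int,
                    lock_minutes: int = 15, grace_minutes: int = 2) -> dict:
    """Summarise a policy the way the slide argues: the online-guessing odds
    against the Level 1 target, and the longest window a lost, unlocked
    device stays open (auto-lock timeout plus grace period)."""
    p = attacker_success_probability(keyspace, guesses_before_wipe)
    return {
        "success_probability": p,
        "one_in": p.denominator // p.numerator,
        "meets_level1": p <= LEVEL1_MAX_GUESS_PROBABILITY,
        "open_window_minutes": lock_minutes + grace_minutes,
    }


if __name__ == "__main__":
    # The slide's policy: 8-digit PIN, wipe after 8 wrong tries.
    print("slide policy:", evaluate_policy(KEYSPACE_8_DIGIT, 8))
    # Alternative the slide also allows: 6 alphanumeric characters.
    print("6 alnum:", evaluate_policy(KEYSPACE_6_ALNUM, 8))
    # Weak variant for comparison: 4-digit PIN with 10 tries before wipe.
    print("4-digit, 10 tries:", evaluate_policy(10 ** 4, 10))
    # A recycled desktop-style rule, 4-digit PIN with no wipe at all.
    print("4-digit, no wipe:", evaluate_policy(10 ** 4, 10 ** 4))
    for pin in ("11111111", "12345678", "12341234", "30849172"):
        print(pin, "simple" if is_simple_pin(pin) else "ok")
```

The slide's policy comes out at one chance in 12,500,000, far inside the Level 1 target; a 4-digit PIN with 10 tries lands at one in 1,000 and narrowly misses it, and a 4-digit PIN with no wipe gives the attacker certainty. The wipe limit, not PIN length or expiration, is what carries the policy, which is the slide's point.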
Slide 20: 3. Support multiple devices
• ActiveSync
  ◦ ActiveSync is Microsoft’s protocol for push e-mail. When e-mail is pushed, ActiveSync also enforces security policies on the device
  ◦ Servers: Microsoft Exchange and Lotus Notes Traveler implement it
  ◦ Devices: WinMo/WP7, Apple and some Android devices natively support some or all ActiveSync features
• Apple
  ◦ Apple’s .mobileconfig policy files can be downloaded to configure new devices. These support all Apple security policies
  ◦ Products that use Apple’s MDM API can manage devices after installation, e.g., push apps, reset passwords, and send new policies

Slide 21: 3. Support multiple devices (continued)
• RIM BlackBerry
  ◦ BlackBerry Enterprise Server (BES) supports a huge number of policies for enterprises using Exchange or Lotus Notes
  ◦ For non-Exchange enterprises (IMAP, POP/SMTP, CMS), BlackBerry Internet Service (BIS) provides connectivity, but no security or configuration policy enforcement
• Android
  ◦ Android’s primary method for enforcing security policies is via ActiveSync, and only a small subset of ActiveSync policies
  ◦ Google Apps Device Policy App is available for corporate Google customers
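Slide 20 says Apple's .mobileconfig files carry the security policy to the device but does not show one. The following Python script is an added example, not from the deck, Perimeter or Apple: it builds a configuration profile whose passcode payload encodes the slide 19 policy, serialises it as the XML property list a .mobileconfig file contains, and parses it back to report what the profile will actually enforce. The payload type and keys are the documented ones from Apple's configuration profile reference (com.apple.mobiledevice.passwordpolicy; forcePIN, allowSimple, minLength, maxFailedAttempts, maxInactivity, maxGracePeriod, maxPINAgeInDays); the organization name and reverse-DNS identifier are constructed placeholders.

```python
import plistlib
import uuid

# Keys from Apple's passcode policy payload (PayloadType
# com.apple.mobiledevice.passwordpolicy); the values encode slide 19.
PASSCODE_POLICY = {
    "forcePIN": True,              # a passcode is required
    "allowSimple": False,          # "Simple PINs disallowed"
    "requireAlphanumeric": False,  # a numeric PIN is acceptable
    "minLength": 8,                # 8-digit numeric PIN
    "maxFailedAttempts": 8,        # wipe after eight wrong tries
    "maxInactivity": 15,           # auto-lock after 15 idle minutes
    "maxGracePeriod": 2,           # 2-minute grace period before re-prompting
    # Deliberately no "maxPINAgeInDays": the slide's policy has no expiration.
}


def build_profile(organization: str, identifier: str) -> dict:
    """Wrap one passcode payload in a top-level Configuration profile.
    `organization` and `identifier` are caller-chosen; the reverse-DNS
    identifier used in __main__ is a constructed placeholder."""
    passcode = dict(PASSCODE_POLICY)
    passcode.update({
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile passcode policy",
        "PayloadOrganization": organization,
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{organization} mobile security policy",
        "PayloadDescription": "Passcode, auto-lock and wipe settings for corporate e-mail access",
        "PayloadOrganization": organization,
        "PayloadContent": [passcode],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML property list that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def summarize_mobileconfig(data: bytes) -> dict:
    """Parse a .mobileconfig and pull out what its passcode payload enforces;
    a quick review step before a profile is pushed to devices."""
    profile = plistlib.loads(data)
    passcode_payloads = [p for p in profile.get("PayloadContent", [])
                         if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if len(passcode_payloads) != 1:
        raise ValueError("expected exactly one passcode policy payload")
    pc = passcode_payloads[0]
    return {
        "min_length": pc.get("minLength"),
        "simple_allowed": pc.get("allowSimple", True),   # Apple's default is true
        "max_failed_attempts": pc.get("maxFailedAttempts"),
        "lock_after_minutes": pc.get("maxInactivity"),
        "grace_minutes": pc.get("maxGracePeriod"),
        "expires": "maxPINAgeInDays" in pc,
    }


if __name__ == "__main__":
    data = to_mobileconfig(build_profile("Example Corp", "com.example.mobile-policy"))
    with open("mobile-policy.mobileconfig", "wb") as f:
        f.write(data)
    print(summarize_mobileconfig(data))
```

The profile written here is unsigned, so a device will show it as unverified when it is installed; signing the profile with a certificate the device trusts removes that prompt and lets users tell a corporate profile from an impostor.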
Slide 22: 4. Merge mobile IT operations and security teams
• No need for a parallel security operations team
  ◦ No mobile anti-malware infrastructure needed
• Mobile security is typically part of the IT ops toolchain
  ◦ In particular: mail tools such as ActiveSync, BES
• Security should be the primary stakeholder for data security decisions, however
  ◦ Enforces company security and compliance policies
  ◦ Drives policy decisions that IT ops implements

Slide 23: 5. Create a mobile access and security covenant
• Your employees need to get their e-mail
• You need to enforce security policies
• So… here’s the deal you strike
  ◦ Employees can connect their own devices to your network if:
  ◦ …the device enforces your data protection policies (encryption, passcode, remote wipe, auto-lock), and:
  ◦ …employees accept your responsibility to protect your data on their devices as a condition of access, including remote wipe
  ◦ Employees should also agree to turn over the device for forensics

Slide 24: Recommendations
• In closing, don’t:
  ◦ Worry about anti-virus; only Android needs it (maybe)
  ◦ Worry about DLP on the devices: do it server-side
  ◦ Recycle your desktop password policy
• Do:
  ◦ Pick a sensible, simple mobile password policy
  ◦ Use your email system as the choke point for enforcing data protection policies — Perimeter can help
  ◦ Allow access by devices with content encryption (BlackBerry, all Apple devices since 2009, some Android)
  ◦ Define a compact that trades access for security

Slide 25: For more information
• Picking a Sensible Mobile Password Policy
  ◦ http://perimeterusa.com/blog/picking-a-sensible-mobile-password-policy/
• NIST 800-63 Electronic Authentication Guideline
  ◦ http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

Slide 26: One more thing…

Slide 27: Technology preview: iEnroll (logo), an open source project sponsored by Perimeter E-Security

Slide 28: iEnroll provides essential security for iPads and iPhones
(Diagram of the enrollment exchange between device and server:)
1. Authenticate
2. Enter activation code and accept policy
3. Server requests private key generation
4. Request signed certificate
5. Return device certificate
6. Security policies and configurations
No agent or code needed on device
Image copyright James MacDonald http://enthusiastik.com/
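The slide lists the six messages of the iEnroll exchange but not the checks each side makes. The following Python script is an added example, not iEnroll's code or protocol: it models the exchange as a two-party state machine in the slide's order, with the server enforcing the properties a practitioner would want from such a flow (activation codes are single-use and expire, policy acceptance gates enrollment, a certificate is issued only to a session that was told to generate a key, and policies are released only to a certificate the server issued). An HMAC tag under a server-held key stands in for a CA-signed X.509 certificate, and a hash of a random secret stands in for the device's public key; both are stand-ins chosen so the example runs with the standard library only. Message names, policy values and device identifiers are constructed.

```python
import hashlib
import hmac
import secrets
import time


class EnrollmentServer:
    """Server side of the slide's exchange. The HMAC tag is a stand-in for a
    CA-signed device certificate (an assumption of this example)."""

    def __init__(self, policy: dict, code_ttl_seconds: int = 600):
        self._ca_key = secrets.token_bytes(32)   # stand-in for the CA signing key
        self._policy = dict(policy)
        self._ttl = code_ttl_seconds
        self._codes = {}      # activation code -> (user, expiry time); single use
        self._sessions = {}   # session token -> {"user": ..., "state": ...}

    def issue_activation_code(self, user: str) -> str:
        """Hand a short-lived, single-use code to a known user out of band."""
        code = "".join(secrets.choice("0123456789") for _ in range(8))
        self._codes[code] = (user, time.time() + self._ttl)
        return code

    def authenticate(self, code: str, policy_accepted: bool) -> str:
        """Steps 1-3: check the code, require policy acceptance, then ask the
        device to generate its private key by returning a session token."""
        user, expiry = self._codes.pop(code, (None, 0.0))   # pop: one use only
        if user is None or time.time() > expiry:
            raise PermissionError("unknown, reused or expired activation code")
        if not policy_accepted:
            raise PermissionError("enrollment requires accepting the policy")
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "state": "awaiting_key"}
        return token

    def sign_certificate(self, token: str, device_id: str, public_key: bytes) -> bytes:
        """Steps 4-5: bind device id, public key and user into a certificate,
        but only for a session that is waiting for exactly this."""
        session = self._sessions.get(token)
        if session is None or session["state"] != "awaiting_key":
            raise PermissionError("no enrollment session awaiting a key for this token")
        body = b"|".join([device_id.encode(), public_key.hex().encode(),
                          session["user"].encode()])
        tag = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest().encode()
        session["state"] = "enrolled"
        return body + b"|" + tag

    def get_policy(self, certificate: bytes) -> dict:
        """Step 6: release policies only to a certificate this server issued."""
        body, _, tag = certificate.rpartition(b"|")
        expected = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("certificate was not issued by this server")
        return dict(self._policy)


class Device:
    """Device side: the private value never leaves the device; only the
    derived 'public key' (a hash, standing in for a real public key) does."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._private_key = None
        self.certificate = None

    def generate_keypair(self) -> bytes:
        self._private_key = secrets.token_bytes(32)
        return hashlib.sha256(self._private_key).digest()


def enroll(server: EnrollmentServer, device: Device, code: str,
           accept_policy: bool = True) -> dict:
    """Run the six steps of the slide in order and return the delivered policy."""
    token = server.authenticate(code, accept_policy)
    public_key = device.generate_keypair()
    device.certificate = server.sign_certificate(token, device.device_id, public_key)
    return server.get_policy(device.certificate)


if __name__ == "__main__":
    server = EnrollmentServer({"maxFailedAttempts": 8, "maxInactivity": 15})
    code = server.issue_activation_code("alice")   # constructed user
    ipad = Device("ipad-constructed-001")
    print("policy delivered:", enroll(server, ipad, code))
    try:
        enroll(server, Device("ipad-constructed-002"), code)
    except PermissionError as e:
        print("second use of the same code refused:", e)
```

The ordering matters for the slide's "no agent needed" claim: everything the device does is answer a request (present a code, generate a key, present a certificate), while every decision that a stolen code or a forged certificate could abuse is made on the server and logged there.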
Slide 29: Demo

Slide 30: Available for download June 1st, ienroll.org

Slide 31: Agenda (repeated)

Slide 32: Contact
Andrew Jaquith, Chief Technology Officer, Perimeter E-Security
ajaquith@perimeterusa.com
Twitter: arj
Contact us: experts@perimeterusa.com, 1.800.234.2175, Option #2
feed://perimeterusa.com/blog/feed/
http://www.facebook.com/perimeterusa
http://twitter.com/PerimeterNews