Applied mobile chaos theory
A 12 Step plan for ending the madness.
Published in: Technology
Transcript

  • 1. Applied ‘Mobile Chaos Theory’ …and NCA’s 12-step plan to end the madness
    Presented by Brad Bemis
    © 2011 Network Computing Architects, all rights reserved
  • 2. Our Modern Mobile Workforce
    The term ‘mobile’ has changed. It’s not just about phone calls and web surfing though…
    • ‘Always on’ availability
    • Location-based services
    • Credit card transactions
    • Patient medical records
    • Supply chain management
    • Customer and partner collaboration
    • Social media and social marketing
    • Predictive analysis and unique targeting
    The technology is getting smaller, faster, and smarter…
  • 3. The Mobile Challenges We Face
    While keeping up with the rapid pace of innovation is our biggest challenge, it’s only one of many…
    • Our data is on the move
    • The network perimeter is gone
    • The edge is now driving the core
    • IT services are now a commodity
    • Cloud and social challenge tie-ins
    • Blurring of personal and business
    • Balancing emerging risks vs. benefits
    We must find ways to incorporate security controls that address the four dimensions of mobility above…
  • 4. Applied Mobile Chaos Theory
    Chaos theory is more complicated than what’s presented here, but:
    • Chaos underlies complex systems
    • Patterns can emerge from chaos
    • Initial conditions play a big part
    • Indicators of possible outcomes
    • Equilibrium based on attractors
    Mobile chaos theory is based on the idea that:
    • Mobility is a complex system challenge
    • Success is determined by initial conditions
    • To achieve equilibrium takes real effort
  • 5. Ending the Madness
    We can’t just solve part of the problem. In order to fully enable a modern mobile workforce, we should be looking at things from a more holistic perspective:
    • Needs
    • Risks
    • Policy
    • Ecosystem
    • Virtualization
    • Device Management
    • Identity Management
    • End-Point Protection
    • Remote Access
    • Data Protection
    • Training and Awareness
    • Loss and Incident Handling
    This approach is consistent with our long-standing principles of ‘defense-in-depth’.
  • 6. Needs
    What are your business needs? The needs of the many.
    What needs do various groups have? The needs of the few.
    What needs do specific individuals have? The needs of the one.
    • Identify the key stakeholders
    • Gather formal requirements
    • Define group/user profiles
    Don’t forget about your compliance needs!
    • Legal, regulatory, contractual…
  • 7. Risks
    What is your current risk posture?
    What are your risk tolerance thresholds?
    What are you doing to measure/manage risk?
    • Understand the threat landscape
    • Establish well-defined decision-making criteria
    • Build an overall mobile strategy covering all bases
    Include a risk assessment/analysis to help with planning!
    • Use FAIR in a contextual manner…
  • 8. Policy
    What does your policy framework cover?
    What other security policies might apply?
    What are your data classification policies?
    • Define acceptable use
    • Clarify and explain all expectations
    • Get formal sign-off and acceptance
    Mobile devices are just another end-point!
    • Leverage what you already have…
  • 9. Ecosystem
    What platforms and models?
    What carrier service provider(s)?
    What kind of back-end infrastructure?
    • Decide on purchased, BYOD, or mixed
    • Research what carriers can offer you
    • Consider virtualizing the back-end
    These are some of the most critical decision points!
    • Be sure to plan for the future (3 to 5 years)…
  • 10. Virtualization
    What are you doing about data mixing?
    What are you doing to fully enable people?
    What are you doing to keep the security balance?
    • Consider mobile virtual machines
    • Keep the current limitations in mind
    • Understand how it’s different from sandboxing
    Virtualization really is the answer to many challenges!
    • Watch this technology closely as it evolves…
  • 11. Device Management
    What are you doing to lock devices down?
    What are you doing to manage all of them?
    What are you doing to keep track of everything?
    • Review scope, capabilities, and limitations
    • Build out written configuration standards
    • Simplify provisioning and de-provisioning
    Probably the single most important investment made!
    • Make your decision based on clear requirements…
  • 12. Identity Management
    How are you authenticating to the device?
    How are you authenticating to remote assets?
    How are you authenticating with third parties?
    • Enforce PINs and passphrases
    • Look at multi-factor authentication
    • Tie in to federated identity management
    Identity is everything in a mobile, social, cloud-based world!
    • Applies to people and assets…
  • 13. End-Point Protection
    What are you doing about mobile malware?
    What are you doing to limit network dangers?
    What are you doing to gain visibility into things?
    • Use AV on the platforms it’s available for
    • Consider available mobile firewall options
    • Look into mobile end-point reporting
    There are a lot of platform dependency issues here!
    • Stay up to date on how the industry responds…
  • 14. Remote Access
    How are you providing access to resources?
    How are you resolving file management issues?
    How are you keeping data out of the public cloud?
    • Use a reliable SSL client for remote access
    • Consider a VDI-based model for mobility
    • Build your own file management solution
    File management is one of the biggest issues right now!
    • Keep your data out of the public cloud…
  • 15. Data Protection
    How are you protecting the local data store?
    How are you protecting data on removable cards?
    How are you protecting data leaving the device?
    • Disk encryption is still a key requirement
    • Look into data loss prevention options
    • Don’t forget about data classification
    Routing data back to the corporate network may be possible!
    • Keep an eye on this to use your existing tools…
  • 16. Training and Awareness
    How do people know what the policies say?
    How do people know what is/isn’t acceptable?
    How do people know where to go with issues?
    • Have a formal awareness and training program
    • Fold mobility into this larger program
    • Keep folks up to date on changes
    Security training/awareness is still the absolute best tool!
    • Unfortunately it’s still the least used…
  • 17. Loss and Incident Handling
    What happens if a device is lost or stolen?
    What happens if something suspicious occurs?
    What happens if you experience an actual incident?
    • Have a formal incident response plan
    • Fold mobility into your existing plan
    • Make sure folks know what to do
    Everything we do is to avoid incidents – be prepared though!
    • It only takes one for everything to change…
  • 18. Closing the Loop
    Everything is happening at such an incredibly fast pace – it’s hard to keep up. In the future we may see more and more integration between security options, but as it stands today a holistic approach is needed, one that includes:
    • Needs
    • Risks
    • Policy
    • Ecosystem
    • Virtualization
    • Device Management
    • Identity Management
    • End-Point Protection
    • Remote Access
    • Data Protection
    • Training and Awareness
    • Loss and Incident Handling
    …and, of course, NCA is happy to help!
  • 19. Questions?
  • 20. About the Author
    Brad Bemis is the CISO, Security Practice Manager, and Principal Security Consultant for Network Computing Architects (NCA) in Bellevue, WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA.
    Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology.
    Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between). Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of online security forums, and much more.
    Additional information can be found on Brad’s professional blog at www.secureitexpert.com.
  • 21. About NCA’s Information Security Practice
    NCA’s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue, WA, Portland, OR, and Los Gatos, CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:
    • Program Management: Building and managing a holistic information security program.
    • Governance: Incorporating security into enterprise or IT governance frameworks.
    • Risk Management: Measuring and managing information security and other related risks.
    • Compliance: Ensuring that all internal and external requirements are being met.
    • Identity & Access Management: Managing identities and permissions for systems and users.
    • Perimeter Defense & Firewall Management: Defending the borders between networks.
    • Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
    • Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.
    • Event Management & Incident Response: Detecting and responding to security incidents.
    • Awareness & Training: Engaging people in the process of security on a daily basis.
    Through a number of strategic partnerships we can also deliver additional services in the areas of:
    • Managed Services: Managing the day-to-day operational security of information systems.
    • Application Security & Penetration Testing: Validating controls for business applications.
    Learn more today at http://www.ncanet.com or call 877-KNOW NCA (877-566-9622).