Toys in the office 11

2011 may be the "year of the handheld". That is, unless 2010 was! iPad sales exceeded all expectations in 2010. For the holiday season, many manufacturers came out with (and are coming out with) tablets. iPhones and Android devices can be seen everywhere, including the office. That means people want to use these personal devices for work for a variety of reasons: they are more convenient; they might be more powerful than company-issued gear; they have easy interfaces; users can carry less equipment; but, perhaps most importantly, these devices are finally like "real" computers. But use of these personally owned devices brings all kinds of security concerns, including data leakage and vulnerabilities in these newer operating systems and apps.
We'll take a look at the convergence of mobile and desktop computing devices and the security concerns involved, and discuss some potential solutions.
Session Learning Objectives:
1. Define the convergence of mobile and desktop computing devices.
2. Discuss the tablet phenomenon.
3. Review security concerns with the use of these devices, particularly employee-owned ones.
4. Discuss possible solutions.

Published in: Technology
Notes
  • Stefan Magdalinski from South Africa gave his wife an iPad embedded in chocolate for her birthday in 6/2010. The iPad wasn't yet available in SA, so he had to get it from England! This is his wife in the "unboxing" process.
  • Spring Break 2011 in Chicago. There was a line each morning across from our hotel.
  • 1st iPad, 4/3/2010. 300K iPads sold, 1M apps, 250K ebooks downloaded on the first day.
  • http://news.cnet.com/8301-31921_3-57335715-281/how-carrier-iq-was-wrongly-accused-of-keylogging/ - Dan Rosenberg, an exceptionally talented security consultant who has discovered more than 100 vulnerabilities in the Linux kernel, FreeBSD, and GNU utilities, extracted a copy of Carrier IQ's software from his own Android phones. He then analyzed the assembly language code with a debugger that allowed him to look under the hood. "The application does not record and transmit keystroke data back to carriers," Rosenberg told CNET. His reverse-engineering showed that "there is no code in Carrier IQ that actually records keystrokes for data collection purposes."
  • Control app installs; nuke only work data

Slide 1: You Got Chocolate On My iPad! Barry Caplin, Chief Information Security Officer, MN Department of Human Services. MN Gov't. IT Symposium Session 100: Thurs. Dec. 8, 2011. [email_address] bc@bjb.org, @bcaplin, +barry caplin (Toys in the Office)
Slide 3: http://about.me/barrycaplin
Slide 6: Apr. 3, 2010: 300K iPads, 1M apps, 250K ebooks … day 1!
Slide 9: http://www.bbspot.com/News/2010/03/should-i-buy-an-ipad.html
Slide 11: Don't Touch! Pharmaceutical coating
Slide 12: Of iPad owners...
  • 17% have > 1 in their household
  • 37% - their partner uses it
  • 14% bought because their kid has one
  • 19% considering purchasing another
  • http://today.yougov.co.uk/sites/today.yougov.co.uk/files/Tablet_ownership_in_households.pdf
Slide 18: Our Story Begins...
Slide 19: PEDs, Computers, Device Convergence
Slide 20: Example
  • The “PED” policy
  • Personal Electronic Device
      • Acceptable use
      • Connections
      • Data storage
Slide 21: 1 Day
Slide 22: 5 Stages of Tablet Grief
  • Surprise
  • Fear
  • Concern
  • Understanding
  • Evangelism
Slide 23: Considerations
Slide 24: What needs to change for “local” remote access?
Slide 25: BYO
Slide 26: BYO – BYOC or BYOD
Slide 27: Security Concerns
Slide 28: Data Leakage / Remnants
Slide 29: Unauthorized Access
Slide 30: “Authorized” Access
Slide 31: Risk v Hype
Slide 34: How can we do BYOC?
Slide 35: Method 1 - Sync
  • Direct or Net Connect
  • Issues:
      • Need Controls – a/v, app install control, filtering, encryption, remote detonation
      • Authentication – 2-factor?
      • Leakage!
      • Support
Slide 36: Method 2 – SSL VPN
  • Citrix or similar
  • Pros:
      • Leakage – no remnants; disable screen scrape, local save, print
      • Reduced support needed
      • Web filtering covered
  • Issues:
      • Unauthorized access still an issue; user experience; support
  Remnants
Slide 37: Method 3 – data/app segregation
  • Encrypted sandbox
  • Separate work and home
  • Many products
  • Pros:
      • Better user experience
      • Central management/policy
      • Many products – local/cloud
      • Leakage – config separation, encryption
  • Issues: access; support; cloud issues
  Remnants
Slide 38: DHS view
  • Policy
  • Supervisor approval
  • Citrix only
  • No Gov't records on POE (unencrypted)
  • 3G or wired
  • Guest wireless
  • 802.1x
  • FAQs for users/sups
  • Metrics
Slide 39: Other Issues
  • Notes or manually entered data
  • Enterprise email/OWA
  • Discovery
  • Voicemail/video
Slide 40: The Future
  • More tablets/phones/small devices
  • More “slim” OS's – Chrome, Android, iOS, etc.
  • Cost savings/stipend?
  • Cloud
  • User Experience – Citrix GoldenGate, Divide, Good
  • BES Fusion
Slide 41: Capabilities to Consider
  • Device encryption
  • Transport encryption
  • Complex PWs/policy
  • VPN support
  • Disable camera
  • Restrict/block apps
  • Anti-malware
  • Restrict/block networks
  • Remote lockout
  • Remote/selected wipe
  • Policy enforcement
  • OTA management
  • 2-factor/OTP
  InfoWorld March 2011 MDM Deep Dive
Slide 42: Discussion… Slides at http://slideshare.net/bcaplin [email_address] bc@bjb.org, @bcaplin, +barry caplin
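The "DHS view" slide lists the agency's BYOD rules (supervisor approval, Citrix only, no unencrypted government records on personally owned equipment, permitted networks, metrics). The following is an added example, not code from the deck or from DHS, that turns those rules into a posture check a help desk or access gateway could run before granting remote access; the field names, the network and access-method labels, the reading of "POE" as personally owned equipment, and the sample device records are all assumptions.

```python
from dataclasses import dataclass

# Rules lifted from the "DHS view" slide; the field names, the network/method
# labels and the sample device records below are assumptions for this example.
ALLOWED_NETWORKS = {"3g", "wired", "guest-wireless-802.1x"}  # "3G or wired", "Guest wireless", "802.1x"
ALLOWED_ACCESS_METHODS = {"citrix"}                           # "Citrix only"


@dataclass
class Device:
    owner: str
    personally_owned: bool      # POE read here as personally owned equipment (assumption)
    supervisor_approved: bool
    device_encrypted: bool
    stores_gov_records: bool
    network: str
    access_method: str


def evaluate(dev: Device) -> list:
    """Return policy violations for one device; an empty list means access may proceed."""
    violations = []
    if dev.personally_owned and not dev.supervisor_approved:
        violations.append("supervisor approval required for personally owned equipment")
    if dev.access_method not in ALLOWED_ACCESS_METHODS:
        violations.append("access method not permitted: Citrix only")
    if dev.personally_owned and dev.stores_gov_records and not dev.device_encrypted:
        violations.append("government records may not be stored unencrypted on POE")
    if dev.network not in ALLOWED_NETWORKS:
        violations.append("network not permitted: 3G, wired, or 802.1x guest wireless")
    return violations


def metrics(devices) -> dict:
    """Per-rule violation counts plus the compliant total (the slide's 'Metrics' item)."""
    counts = {"compliant": 0}
    for dev in devices:
        found = evaluate(dev)
        if not found:
            counts["compliant"] += 1
        for reason in found:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample inventory, not real devices.
SAMPLE_DEVICES = [
    Device("alice", True, True, True, False, "3g", "citrix"),       # compliant BYO tablet
    Device("bob", True, False, False, True, "home-wifi", "sync"),  # breaks all four rules
    Device("carol", False, True, True, True, "wired", "citrix"),   # state-owned laptop
]
```

Running `metrics(SAMPLE_DEVICES)` gives the per-rule counts the slide's "Metrics" bullet asks for, so the check doubles as the reporting source.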
