ISSE Mobile Device Policy Enforcement

Mobile Device Policy Enforcement
ISSE 2007

1. Mobile Device Policy Enforcement
   John Rhoton, Lead Technologist – Mobility, HP Services
2. Context & Agenda
   • Mobile devices
   • Air interfaces
     • Bluetooth, 802.11b, WWAN
   • Remote Access
     • Tunnels (VPNs), Roaming
   • Perimeter Security
     • Compartmentalization, Access Controls
   • Policy Enforcement Options
3. Threats to Mobile Devices
   • Stolen information
     • Host intrusion, stolen device
   • Unauthorized network/application access
     • Compromised credentials, host intrusion
   • Virus propagation
     • Virus susceptibility
   • Lost information
     • Lost, stolen or damaged device
   [Figure: timeline of mobile malware from June 2004 to July 2005 (Source: Trend Micro), covering Cabir, DUTS (Win CE), BRADOR (Win CE), Qdial, Skulls, Vlasco, Locknut (Gavno), Dampig, Comwar, Drever, Mabir, Fontal, Hobbes and Doomed; the legend distinguishes Symbian OS (Nokia, etc.) from Windows CE (HP, etc.) malware.]
4. Mobile Content Protection: Access Control Solutions
   • Native Pocket PC
   • Biometric Authentication
   • HP ProtectTools
   • Pointsec
   • Credant
   • TrustDigital
   • Utimaco
   • Bluefire
   Centralized Provisioning and Configuration
5. Multi-tiered security
6. Wi-Fi Protected Access (WPA)
   • Temporal Key Integrity Protocol (TKIP)
     • Fast/per-packet keying, Message Integrity Check
   • WPA-Personal
   • WPA-Enterprise
   Both modes require non-trivial client configuration
7. Rogue and Decoy Access Points
   • Highest risk when WLANs are NOT implemented
     • Usually completely unsecured
     • Connected by naïve (rather than malicious) users
   • Intrusion Detection Products
     • Manual, Sensors, Infrastructure
   • Multi-layer perimeters
     • 802.1x
     • RBAC, VPN
   • Decoys can be counteracted with automated configuration
   [Figure: Internet / Intranet access diagram]
8. Unauthorized Wireless Bridge: Prevented through Policy
9. Mobile Device Management: IT Manager Use-Cases
   • Search and select target end-user
   • View/Add/Delete end-users
   • View/Add/Delete device instances
   • View device history of each end-user
   • View detailed device information
   • View/Add/Remove applications from devices
   • View and process diagnostic results
   • View/Add/Modify Rules
   • View/Add/Modify approved applications
   • View/Add/Modify settings for email, WiFi, VoIP
   • Lock/Unlock Devices
10. Mobile Device Management: Reduction in TCO
    Cost reduction per user per year with MDM: $322
    Net reduction in TCO: 11%
    Net reduction in annual device management costs: 32%
    Source: HP & Gartner

    Cost item              Cost per user per year   Share   MDM benefit    Notes
    Device Cost            $250                       8%   –              Amortized over 2 years
    Connectivity (data)    $900                      30%   –
    Connectivity (voice)   $800                      27%   –
    Backend/Ops            $504                      17%   -30% (-$151)   Setup & operate backend mobile application, change requests
    Service Management     $192                       6%   -40% (-$77)    Setup users, connectivity, user management, change requests
    User Support           $312                      11%   -30% (-$94)
    Total                  $2958                    100%   -11% (-$322)
11. Mobile Device Security Management
    • Provisioning security tools
    • Policy enforcement
      • Passwords
      • Device lock
      • Policy updates
    • User support
      • Device lockout
      • Backup/restore
    [Figure axes: Security / Usability]
12. MSFP: Messaging and Security Feature Pack
    • Exchange 2003 SP2
    • Windows Mobile 5.0
      • (Persistent Storage)
    • S/MIME
    • Certificate-based Authentication
    • Policy Enforcement
    • Local wipe
    • Remote wipe
13. Enterprise Requirements
    • Integrated Management Console
      • Directory (AD/LDAP) integration
    • Centralized Policies
      • Policy polling
      • User cannot remove
      • Screen-lock / Idle-lock
14. Credant OTA Sync Control
    [Figure: a handheld synchronizing with Exchange 2003 either via Local ActiveSync through a Local Gatekeeper, or over the Internet via Server ActiveSync through OTA Sync Control on the Exchange Server, with App Servers behind it.]
    • Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange
    • Local Gatekeeper can detect devices which sync via a local connection
    • OTA Sync Control detects devices which sync via Server ActiveSync; based on an ISAPI extension
15. Trust Digital Mobile Edge: Perimeter Security
    • Wireless Provisioning Portal
      • Device and user registration integrated with enterprise use policy acceptance
      • Over-the-air (OTA) delivery of Trust Digital software and policy
    • Advanced Features
      • Asset, activity, and compliance reporting
      • Help Desk functionality including self-service portal
    • Network Admission Control
      • Ensures security/compliance of end-user device
      • Interrogates devices before allowing access
      • Integrated with Microsoft ISA Server
16. HP Enterprise Mobility Suite
    [Architecture diagram: HP Enterprise Devices (from leading OEM device manufacturers) reach HP Worldwide Hosting Facilities over WW Wireless Operator Networks (SMS, TCP/IP); the hosting facilities connect to the Enterprise and its existing IT systems over HTTPS across the Internet. Labelled components:]
    • Device Support
    • S/W Maintenance
    • WW Network Support
    • FusionDM for Enterprise
    • Device Troubleshooting
    • Device Security
    • Policy Mgmt
    • Asset Mgmt
    • IT Dash Board
    • Exchange®
    • Domino®
    • Groupwise®
    • Corporate Directory
    • Active Directory®
    • Intranet
    • CRM
    • Application Portal
17. Self Care Driven
18. Use Case: Set Up My Device
    • Out-of-the-box device setup
    • Employee Joe purchases a new device
      • Logs into the Enterprise Self Care portal
      • Enters his phone number
      • Selects "set up my device"
    • Joe's email, ActiveSync, and corporate WiFi settings are automatically configured on the device
    • Automated OTA delivery without cradle
    • Simple one-click trigger for setting up a new device
    • Minutes to a fully configured, ready-to-use device
19. Use Case: Diagnose My Device
    • Device Diagnostics
    • Joe's email is not working
      • Selects "diagnose my device"
      • Problem is automatically displayed
        • ActiveSync settings are incorrect
      • Selects the checkbox & presses go
    • Joe's ActiveSync settings are corrected and he is receiving his email
    • Instantly validate all device settings
    • Automatically detect device faults
    • OTA push fixes to address root causes
20. Use Case: Update Software
    • Joe needs the new VPN client
      • Selects "Update Software"
      • Device inventory is remotely
      • List of required applications is displayed
      • Selects the checkbox for VPN & presses go
    • VPN application is automatically installed
    • Instantly distribute corporate tools and applications and their updates OTA
    • Collect S/W inventory of device fleet
    • Detect and remove unauthorized S/W
21. Use Case: Device Security
    • Joe loses his device on a business trip
      • Logs into the web-based application
      • Selects "Lock & Wipe device"
      • Remotely locks his device
    • Corporate data is secure until the device is recovered
    • Remotely lock compromised devices
    • Wipe all user data OTA
    • Unlock recovered devices
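The enforcement decision behind slides 13, 15, 20 and 21 (centralized policy, interrogating a device before granting access, detecting unauthorized software, and lock-and-wipe of a lost device), as an added example written for this page; it is not code from the presentation or from any vendor named in it, and the policy values, the device report fields and the decision labels are constructed assumptions.

```python
"""Admission-control check for a mobile device against a central policy.
Added example; policy thresholds, report fields and decision labels are
constructed for illustration and do not describe any product on the slides."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    require_password: bool = True
    min_password_length: int = 6
    max_idle_lock_seconds: int = 300          # screen-lock / idle-lock limit
    require_storage_encryption: bool = True
    approved_apps: frozenset = frozenset({"outlook", "activesync", "vpnclient"})


@dataclass
class DeviceReport:
    device_id: str
    password_length: int                      # 0 means no password set
    idle_lock_seconds: Optional[int]          # None means idle lock disabled
    storage_encrypted: bool
    installed_apps: set
    reported_lost: bool = False


def evaluate(policy: Policy, dev: DeviceReport) -> dict:
    """Return the admission decision and the violations that drove it."""
    if dev.reported_lost:
        # A device the user reported lost is locked and wiped before anything else.
        return {"decision": "lock_and_wipe", "violations": ["reported_lost"]}
    violations = []
    if policy.require_password and dev.password_length < policy.min_password_length:
        violations.append("password_too_short")
    if dev.idle_lock_seconds is None or dev.idle_lock_seconds > policy.max_idle_lock_seconds:
        violations.append("idle_lock_not_enforced")
    if policy.require_storage_encryption and not dev.storage_encrypted:
        violations.append("storage_not_encrypted")
    unauthorized = sorted(dev.installed_apps - policy.approved_apps)
    if unauthorized:
        violations.append("unauthorized_software:" + ",".join(unauthorized))
    # Config drift is fixed and unauthorized software removed OTA before sync is allowed.
    decision = "allow_sync" if not violations else "quarantine_and_remediate"
    return {"decision": decision, "violations": violations}


if __name__ == "__main__":
    # Constructed device report: short password, idle lock off, an unapproved game installed.
    report = DeviceReport("dev-42", 4, None, True, {"outlook", "game"})
    print(evaluate(Policy(), report))
```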
22. Summary
    • Security concerns are the greatest mobility obstacle
    • Mobility introduces new risks
    • Industry has addressed the main threats
    • Primary user challenge is secure configuration
    • Primary enterprise challenge is consistent policy enforcement
    • MDM reduces cost of deployment and enforces policies
