Session 4  Enterprise Mobile Security
Worried about BYOD security ? Don't miss SecurBay's workshop slides on Enterprise Mobile Security
Published in Technology
Transcript

  • 1. Session 4 Enterprise Mobile Security © SecurBay 2012 2
  • 2. Session 4 – Enterprise Mobile Security • Lifecycle of Mobile Device Solutions • Mobile Policy using Use Cases • BYOD Scenarios • MDM Solutions • Mobile Audit & Assurance Program • Essential elements of Mobile Security • Case Study • Questions © SecurBay 2012 3
  • 3. BYOD is Not New ! Source: a Greek marble relief that dates back to 100 BC @ Getty Museum in LA © SecurBay 2012 4
  • 4. Mobile Platform Key Issues • Mobile is different than Desktops • Mobile platform security is immature • Mobile security features can be easily compromised © SecurBay 2012 5
  • 5. Life cycle of enterprise mobile device solutions • Phase 1: Initiation • Phase 2: Development • Phase 3: Implementation • Phase 4: Operation and Maintenance • Phase 5: Disposal © SecurBay 2012 6
  • 6. Mobile Policy using Use Case Definition • What types of devices will be allowed? • What corporate data / applications will be used? • Who will be allowed to access data/applications? • What happens if the device is lost or stolen? • How will the policy be communicated or enforced? • What about Asset Management? • What about HR / Business Processes? • Who will be responsible for BYOD Support? • How do you control the communication cost? • How do you Audit Mobile Security? • How will you handle Employee Education? © SecurBay 2012 7
  • 7. BYOD Scenarios Source: Securosis © SecurBay 2012 8
  • 8. Challenges with unmanaged devices • Limited Security Controls • Often lack the rigor of those provided by a centralized mobile device management client application • Maintenance and Management • Patch Management issues • Disparate OS versions make the controls difficult to apply consistently © SecurBay 2012 9
  • 9. Mobile – Enterprise Strategies (chart: Management Control, High to Low, vs User Experience, Unfamiliar to Familiar; options plotted: VDI/Remote Desktop, Sandbox, MDM, Exchange ActiveSync, Limited / No control) © SecurBay 2012 10
  • 10. Mobile Device Management • Remotely set up email, VPN, calendar, identity certificates • Send free and pre-paid apps to devices • Send web bookmarks to devices • Inventory devices for apps, usage info, and identities • Configure features of email accounts not available in the UI: sandboxing, encryption • Additional restrictions on iCloud, encrypted backups, FaceTime, the App Store, videos, and more © SecurBay 2012 11
  • 11. MDM – What are the different options? • Exchange ActiveSync Protocol: Require passcode; Require a complex passcode; Lock device after X unsuccessful attempts to unlock; Disable camera; Erase device • Vendor Supplied: Often from the same vendor that makes a particular brand of phone; Offers more robust support for the phones than third party products • Third Party MDM: Single product that can manage multiple brands of phones desired for use within an enterprise. © SecurBay 2012 12
  • 12. Exchange ActiveSync • Exchange ActiveSync Protocol • Developed by Microsoft in 2002 • Supported by Microsoft, Google, Lotus Notes © SecurBay 2012 13
  • 13. Exchange ActiveSync Mailbox Policy Examples Source: http://technet.microsoft.com/en-us/library/bb123484 © SecurBay 2012 14
  • 14. Google Apps Device Policy Source: http://support.google.com/a/bin/answer.py?hl=en&answer=1408863 © SecurBay 2012 15
  • 15. Apple Configuration Utility Source: Apple • Apple Configuration Utility helps to create configuration profiles. • Configuration profiles define how iOS devices work with your enterprise systems. © SecurBay 2012 16
  • 16. Third Party MDM – Multiple Choices © SecurBay 2012 17
  • 17. Selecting MDM Solution • Applications: Can the vendor's MDM product manage the deployment, maintenance and use of mobile applications? • Security: Does the product provide such security features as authentication, encryption and device wipe? • Policy: Does the mobile device management system allow the enterprise to define, enter and monitor its mobile policies? • Device: Does the system give you the ability to manage mobile devices' underlying hardware and operating systems (BlackBerry, Windows Mobile, iPhone, Android, Symbian or webOS)? • Platform: Does it provide such core functions as centralized administration, Over the Air provisioning, monitoring and vendor templates to simplify provisioning? • Integration: Does the system integrate with existing systems, such as your identity server? © SecurBay 2012 18
  • 18. ISACA Mobile Audit/Assurance Program • Mobile computing security addresses the following COBIT processes • PO4 Define the IT processes, organization and relationships. • PO6 Communicate management aims and directions. • PO9 Assess and manage risks. • DS5 Ensure systems security. • DS11 Manage data. • ME3 Ensure compliance with established regulations. © SecurBay 2012 19
  • 19. ISACA Mobile Audit/Assurance Program Source: ISACA © SecurBay 2012 20
  • 20. Essential Elements of Enterprise Mobility (diagram) • Device Management: Device Activation, Monitoring/Tracking, Device Patching, Content Management • Security Management: Remote Wipe, Lock down, Password Management, Configuration, Compliance • Application Management: App Distribution, Enterprise Policies, Mobile App Security Assessment • Data Protection: Data Encryption, Data Loss Prevention, Data Backup/Restore • Network Protection: Secure Communication • Identity & Access Management: Identity Management, Authentication, Certificate Management • Other diagram label: ePO © SecurBay 2012 21
  • 21. Mobile Security – Case Study (table: Role – Data Stored on Mobile Devices) • Senior Management – Carry sensitive data on email and in documents • Manager – Corporate Emails, Customer Specific Documents • Knowledge Worker – Corporate Emails, Project Related Documents, Intellectual Property, Customer Specific Data • HR/Admin – Access to corporate email, shared resources • Contractor – Access to non-sensitive documents © SecurBay 2012 22
  • 22. Mobile Security – Case Study © SecurBay 2012 23
  • 23. Mobile OS Comparison (table) • Attributes: 1 Built-in security, 2 Application Security, 3 Authentication, 4 Device Wipe, 5 Device firewall, 6 Data protection, 7 Device protection, 8 Corporate managed Email, 9 Support for ActiveSync, 10 Mobile device management, 11 Virtualization, 12 Security Certifications, Average Score • Platforms: BB7.0, iOS 5, WP 7.5, Android 2.3 • Scores as extracted (cell order not recoverable from the transcript): 3.13 2.44 3.9 4 4.5 3.8 3.5 3.75 2.06 2 1.25 0 1.5 0.63 3.5 1.88 3.2 2.25 0 2.4 2.38 2.5 1.44 2 0.63 0 2 2 3.42 3 0 0 0 2 2.5 1.5 3.5 0 2.5 2.89 2.5 0.83 0.83 1.7 1.25 0 0 1.61 2 1.67 0.67 1.37 • Source: http://www.trendmicro.com/cloudcontent/us/pdfs/business/reports/rpt_enterprise_readiness_consumerization_mobile_platforms.pdf © SecurBay 2012 24
  • 24. Enterprise Mobility 1. Identify and classify data residing on mobile devices 2. Formulate Mobile Device Security Policy 3. Conduct Employee Awareness Session 4. Consider MDM for effective policy implementation 5. Consider Cost Implication of BYOD 6. Implement program for Mobile Security Audit © SecurBay 2012 25
  • 25. References • MDM Comparisons http://www.enterpriseios.com/wiki/Comparison_MDM_Providers • “Technical Information Paper: Cyber Threats to Mobile Devices” (http://www.us-cert.gov/reading_room/TIP10-105-01.pdf) • “Protecting Portable Devices: Physical Security” (http://www.us-cert.gov/cas/tips/ST04-017.html) • “Protecting Portable Devices: Data Security” (http://www.us-cert.gov/cas/tips/ST04-020.html) • “Securing Wireless Networks” (http://www.us-cert.gov/cas/tips/ST05-003.html) • “Cybersecurity for Electronic Devices” (http://www.us-cert.gov/cas/tips/ST05-017.html) • “Defending Cell Phones and PDAs Against Attack” (http://www.us-cert.gov/cas/tips/ST06-007.html) • ISACA Audit/Assurance http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx © SecurBay 2012 26
  • 26. Questions © SecurBay 2012
  • 27. End of Session 4 © SecurBay 2012
  • 28. THANK YOU © SecurBay 2012
  • 29. Contact Us info@securbay.com satamsantosh @ © SecurBay 2012
  • 30. > Innovative Solutions & Services 31
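The Exchange ActiveSync controls listed on slides 11 and 13 (require a passcode, require a complex passcode, lock after X failed attempts, disable the camera, erase the device) are the cheapest MDM baseline most enterprises already own. The block below is an added example, not part of the SecurBay deck, showing how a weak default policy is inspected and a hardened one created and assigned using the Exchange 2010 Management Shell cmdlets; the policy name, mailbox address and notification address are placeholders, and the threshold values are one reasonable choice rather than a recommendation from the slides.

```powershell
# Added example (not from the SecurBay slides). Exchange 2010 Management Shell.
# Exchange 2013 and later renamed these cmdlets to *-MobileDeviceMailboxPolicy
# and Clear-MobileDevice, with "Device" dropped from most parameter names.

# 1. Inspect what devices currently get. A default policy with
#    DevicePasswordEnabled = False means any phone that can sync mail also
#    holds corporate mail behind no lock screen at all.
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, IsDefaultPolicy, DevicePasswordEnabled,
        AlphanumericDevicePasswordRequired, MaxDevicePasswordFailedAttempts,
        AllowCamera, RequireDeviceEncryption, AllowNonProvisionableDevices

# 2. Build the hardened policy. Each setting maps to a bullet on slide 11;
#    the hashtable is splatted so every parameter can carry a comment.
$baseline = @{
    Name                               = 'Corp-BYOD-Baseline'   # placeholder name
    DevicePasswordEnabled              = $true    # Require passcode
    AlphanumericDevicePasswordRequired = $true    # Require a complex passcode
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    AllowSimpleDevicePassword          = $false   # rejects 1234 / 1111 style codes
    MaxDevicePasswordFailedAttempts    = 10       # Lock after X attempts; most clients
                                                  # wipe locally when the limit is hit
    MaxInactivityTimeDeviceLock        = '00:15:00'  # auto-lock after 15 min idle
    RequireDeviceEncryption            = $true    # lost-device data is unreadable
    AllowCamera                        = $false   # Disable camera
    AllowNonProvisionableDevices       = $false   # devices that cannot enforce the
                                                  # policy are refused, not waved in
}
New-ActiveSyncMailboxPolicy @baseline

# 3. Assign the policy to a pilot mailbox (or, once proven, set IsDefaultPolicy
#    on it so every new ActiveSync partnership inherits it).
Set-CASMailbox -Identity 'pilot.user@example.com' `
    -ActiveSyncMailboxPolicy 'Corp-BYOD-Baseline'

# 4. "What happens if the device is lost or stolen?" (slide 6): list the
#    partnerships on the mailbox, confirm which handset is missing by DeviceId
#    and last sync time, then issue the remote erase for that one device only.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox 'pilot.user@example.com'
$devices | Format-Table DeviceId, DeviceType, DeviceModel, LastSuccessSync,
    DeviceWipeRequestTime, DeviceWipeAckTime

# Run only after the loss is confirmed with the user; the wipe is irreversible.
$lost = $devices | Where-Object { $_.DeviceId -eq 'REPLACE-WITH-CONFIRMED-DEVICEID' }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses 'security@example.com'   # placeholder address
}
```

DeviceWipeRequestTime and DeviceWipeAckTime in the statistics output are the audit trail for slide 18: the request time proves the control was invoked, and the acknowledgement time (populated only when the device next connects) proves it was actually executed.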