Smartphone security

Mobile Device Security @ NGC MobileIron and Juniper Access
Presented to ISSA Charlotte Aug 11 2011


    1. SECURING “BYOD”
       How We Secure Mobile Devices That We Do Not OWN...
    2. People Love Their Smart-phones!!
    3. People Love Their Smart-phones!!
    4. BUSINESS ISSUES
       • From Company Owned Blackberry to Bring Your Own Device
       • From Field Reps/Managers to Any Employee
       • Approval From Supervisor (“Business Need”)
       • Allowed Devices - Any Carrier - iPhone, Android, Windows
       • Initial Application - Access Exchange - eMail, Calendar, Contacts
    5. SECURITY POLICY - AUDIT ISSUES
       • Protect “Corporate Data” and Access To Systems (eMail)
       • Old Blackberry - Had 4 Character PIN / Inactivity Timeout and Wipe - BES Provisioning and Management
       • Minimal Protection on ActiveSync Devices “Enforced” Via Exchange Policy But Device Dependent - “Mileage Varies!”
       • ActiveSync Configuration W/O IT Enrollment
       • No “Unified Audit Trail” - Scattered Logs Across Systems
    6. LOOKING FOR CONTROL TOOLS
       • Limited Tools Available in 2008/9 TimeFrame
       • Identified MobileIron System - Conducted Testing / POC
       • Supported All Policy Enforcement Needs - All Devices
       • Excellent Separation of User Data from Business Data on iOS
       • Simple Enrollment and Distribution of Client Agents
       • Simple Deployment of System - Appliance and Server Agent
    7. AVAILABLE OPTIONS?
       • MANY Options Now
       • Leader Quadrant
       • Successful PoC
    8. WHERE ARE WE NOW?
       • Blackberry Usage Dropping - Users Switching Away
       • New Users Connecting Via ActiveSync (iOS and Android)
       • Policies Now Equally Enforced Across All Mobile Devices
       • User Self Service / Minimal IT Effort In Deployment
       • Users Adopting iPad / Tablet Mobile Devices
       • Research Project To “Deliver App / Data” to iOS - iPad/iPhone
    9. ACCESS TO MORE THAN EMAIL
       • Mobile Device Browsers Work Really Well...
       • Users Want Access To Their Data / Systems - Outside eMail
       • Juniper Secure Access and Junos Pulse Provide Access
       • Same Gateway Used For Remote Access
       • Robust Security and Granular Access / Roles for Users
    10. IPAD ACCESS - APPLICATIONS
       • Data Access To More Than eMail Attachments - All Files
       • Device / Backup Encryption Turned On in MobileIron
       • Best Way To Access User Data?
         • DropBox? Google Docs? Transfer Directly To iPad?
         • Leverage SharePoint MySites / Team Sites Via Client
         • “There’s An App For That” - Filamente (AirCreek)
         • Juniper Provides VPN After SecurID Authentication
    11. WHAT ARE THE THREATS?
       • Malware On Devices Exists But Not Yet In Numbers
         • Enforce App Store Use (No JailBreaking) As Control
       • Minimal Business Need For “Device Control” Today
         • Could Control SW Install, Device Features, Content Filters
       • Biggest Exposure - Lost / Stolen Devices, Device Swaps
         • Data Access, Data On Device and Backups
         • MobileIron “Find My Phone” - Remote Lock and Wipe
         • PIN / Pass Code - Automatic Wipe After Guessing Wrong
    12. BUSINESS INCENTIVES
       • People Like Security
       • They Don’t Like Inconvenience
       • Balance Is Needed!!
       • “I NEED My Email Now!”
    13. PICKING OUR PIN POLICY
       • Devices Default To Open Access - But Support PIN Lock
       • Users Very Rarely Want The Security Enough (vs Ease of Use)
       • NIST Guidance on PIN / Passwords - Pub. 800-63 (“Entropy”)
         • “Level 1 PIN” - Simple But Effective Versus Guessing...
         • Andrew Jaquith - “Picking A Sensible Mobile Password”
         • Trade Off Between “Secure Enough and User Pain”
    14. PIN SETTINGS
       Setting                 | Option 1                                          | Option 2
       ------------------------|---------------------------------------------------|--------------------------------------------------
       PIN Length / Format     | 8 Characters - No Simple PIN                      | 6 Characters - Simple PIN
       Lock and Wipe Settings  | Lock 15 Minutes, 2 Minutes Grace, 8 Tries - Wipe  | Lock 30 Minutes, 2 Minutes Grace, 10 Tries - Wipe
       Change Policy?          | No PIN Expiration (AD Passwords Expire Like PC)   | No PIN Expiration (AD Passwords Expire Like PC)
    15. PRIVACY ISSUES
       • Mobile Intelligence / Activity Monitoring Features
         • Track Cell Tower Connections / Location of Device
         • Collect Call Logs and All SMS Messages
       • Set To Ignore Calls/SMS and Track “Current Location” Only
       • Concerns About Collecting Data and Controls / Management
       • Not Presently Any Security / Business Requirements
    16. AGENT INTERACTION
       • Updates, Profiles, Certificates
       • Report Dropped Calls
       • Check Data Speeds
       • iOS Only Features
         • Links to iTunes App Store
         • App Delivery Direct to iOS
    17. IOS “APP STORE”
       • Links to Apple
       • Define/Deliver
       • Direct and Store
    18. INTERNATIONAL ROAMING
       • Detect International Roaming
       • Send Text Message Alert
       • Send Alert to IT Admins
       • Update Plans / Activity
    19. REFERENCES
       • Surveys - Sybase Survey, Telenav Survey
       • MobileIron
       • Picking PIN Policy - Perimeter Jaquith Blog - NIST 800-63
       • iPhone Password Brute Force - CNN Money http://money.cnn.com/galleries/2011/technology/1108/gallery.cybersecurity_tidbits/
       • Dino Dai Zovi - http://trailofbits.com/2011/08/10/ios-4-security-evaluation/
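Slides 13 and 14 frame the PIN decision as a trade-off between guessing resistance (the NIST SP 800-63 "entropy" view) and user pain, and the "wipe after N wrong tries" setting is what turns a short PIN into an acceptable control against a lost or stolen device. The following Python is an added worked example, not material from the deck, MobileIron or NIST: it models a policy as (length, alphabet size, wipe threshold) and computes the chance a thief unlocks the device before the auto-wipe, assuming the PIN is chosen uniformly at random. Assumptions not stated on the slides: a 36-symbol alphabet for the "No Simple PIN" option, the SP 800-63 Level 1 bound of less than 1 in 1024 for online guessing over the PIN's lifetime, and a 10-try wipe threshold for the old BlackBerry 4-character PIN from slide 5.

```python
import math
from dataclasses import dataclass

# SP 800-63 Level 1 bound on online guessing: success probability over the
# life of the secret must be below 1 in 1024 (the "Level 1 PIN" of slide 13).
LEVEL1_MAX_GUESS_PROBABILITY = 1 / 1024


@dataclass(frozen=True)
class PinPolicy:
    name: str
    length: int            # required PIN length
    alphabet_size: int     # 10 for a digits-only ("simple") PIN; 36 assumed for alphanumeric
    wipe_after_tries: int  # device wipes after this many consecutive wrong guesses


def keyspace(policy: PinPolicy) -> int:
    """Number of distinct PINs the policy allows."""
    return policy.alphabet_size ** policy.length


def entropy_bits(policy: PinPolicy) -> float:
    """Entropy of a uniformly chosen PIN under this policy, in bits."""
    return policy.length * math.log2(policy.alphabet_size)


def guess_success_probability(policy: PinPolicy) -> float:
    """Chance that an attacker holding the device, who gets exactly
    `wipe_after_tries` attempts at a uniformly random PIN, unlocks it
    before the automatic wipe fires."""
    return min(1.0, policy.wipe_after_tries / keyspace(policy))


def meets_level1(policy: PinPolicy) -> bool:
    """True if the policy stays strictly under the Level 1 guessing bound."""
    return guess_success_probability(policy) < LEVEL1_MAX_GUESS_PROBABILITY


def max_tries_for_level1(length: int, alphabet_size: int) -> int:
    """Largest wipe threshold that keeps a uniformly random PIN of this
    length/alphabet strictly below the Level 1 bound. Useful when the
    question is 'how much grace can we give users before wiping?'."""
    space = alphabet_size ** length
    tries = space // 1024
    if tries * 1024 == space:   # exactly 1/1024 is not *below* the bound
        tries -= 1
    return tries


# The two options from slide 14, plus the slide 5 legacy PIN (wipe threshold assumed).
SLIDE_14_POLICIES = [
    PinPolicy("8 Characters - No Simple PIN, 8 Tries - Wipe (alphabet of 36 assumed)", 8, 36, 8),
    PinPolicy("6 Characters - Simple PIN, 10 Tries - Wipe", 6, 10, 10),
]
OLD_BLACKBERRY = PinPolicy("4 Character PIN (slide 5; 10-try wipe assumed)", 4, 10, 10)


def evaluate(policies):
    """Summarise each policy: keyspace, entropy, guess probability, Level 1 verdict."""
    return {
        p.name: {
            "keyspace": keyspace(p),
            "entropy_bits": round(entropy_bits(p), 2),
            "guess_probability": guess_success_probability(p),
            "meets_level1": meets_level1(p),
            "max_tries_for_level1": max_tries_for_level1(p.length, p.alphabet_size),
        }
        for p in policies
    }


if __name__ == "__main__":
    for name, result in evaluate(SLIDE_14_POLICIES + [OLD_BLACKBERRY]).items():
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

The numbers make the slide's point concrete: a 6-digit simple PIN with a 10-try wipe gives an attacker a 1-in-100,000 chance, comfortably under Level 1, while the legacy 4-digit PIN with the same threshold is already over the bound (it needs a wipe at 9 tries or fewer). The model is the optimistic one from SP 800-63 (uniform random PINs); real users pick birthdays and repeated digits, which is the reason the deck pairs the PIN policy with the "No Simple PIN" option and remote lock/wipe rather than relying on length alone.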
