What The Post-PC Era Means for Enterprise Security
Andrew Jaquith
Chief Technology Officer
April 20, 2011
Welcome from the CTO

•  Former senior analyst, Forrester Research and Yankee Group

•  Co-founder of pioneering security consultancy @stake

•  Widely cited in CSO, Information Week, Forbes, and BusinessWeek. Research includes:
   -  Apple’s iPhone and iPad: Secure Enough for Business? (Aug 2010)
   -  The Forrester Wave: Data Leak Prevention

•  Author of best-selling security book, “Security Metrics: Replacing Fear, Uncertainty and Doubt”

•  Founder, securitymetrics.org
Agenda

•  Introduction
•  Three mobile trends
•  Four things you don’t need
•  Five things you must do
•  Q&A
Mission and vision

•  Give all customers the same level of security as a Fortune 500 firm, by providing solutions that allow them to easily assess, monitor and reduce their messaging, security and compliance risks.

•  We achieve this by:
   -  Using our private cloud to manage the critical resources we protect — including email, logs and archived data.
   -  Leveraging the best security technology and the best people, on behalf of our customers.
   -  Leveraging our scale, visibility and analytical insights to bring enhanced security solutions to customers.
Key facts about Perimeter E-Security

•  6,000 customers (1,800 in financial services)
•  $525 billion in assets protected
•  5,700 managed CPE devices
•  1 million secure messaging users
•  50m e-mails filtered per day
•  200 terabytes of managed archives
•  240m managed security events daily
•  300 employees

(Photo: Perimeter Security Operations Center)
Perimeter E-Security SaaS platform

(Diagram: the layers of the platform)
•  SaaS Secure Messaging, SaaS Managed Security Services, SaaS Vulnerability Management
•  24x7 Global Customer Support
•  Global Management Platform
•  Consulting Services: Migration, Assessment, Penetration testing
Trend 1: Post-PC devices are taking over

(Chart: forecast unit shipments, 2010 to 2015, two series)
•  Post-PC tablets and smartphones: reaching 1.4 billion (72%) in 2015
•  PCs: reaching 540 million in 2015
•  2010 starting points shown on the chart: 351 million and 314 million
Source: Gartner, Inc., “IT Spending Forecast, 1Q11 Update,” forecast unit shipments.
Trend 2: Consumer brands crowding out IT favorites

(Chart: forecast unit shipments, 2010 to 2015, two series)
•  Consumer brands (Apple, Google, Symbian): 243 million (77%) in 2010, reaching 985 million (70%) in 2015
•  IT favorites (RIM, HP, Microsoft): 71 million in 2010, reaching 414 million in 2015
Source: Gartner, Inc., “IT Spending Forecast, 1Q11 Update,” forecast unit shipments.
Trend 3: Mobile’s differences from PCs becoming clearer

                               PCs                Post-PCs
  OS design                    Wide open          Closed
  OS capabilities              Anything           Some things
  App sources                  Anywhere           RIM, Apple: one source; Android: any source
  Sandboxing                   Browser            All apps
  Device integrity             None               Trusted boot
  Security decisions           You                RIM, Apple: vendor; Android: you
  Likelihood of compromise     High               Low
  Likelihood of loss or theft  Medium             High
  Biggest risks                Malware, privacy   Loss of device, privacy
Privacy, not malware, will be the dominant security issue*

*Unless we’re talking about Android
Four things you don’t need

1.  Mobile anti-virus… except maybe for Android
   -  Post-PC OSes (Apple, RIM, Microsoft, Google*) locked down
   -  Apps are digitally signed, and run in a sandbox that limits what they can do — making malicious compromise unlikely
   -  Quality of Android stores is concerning

2.  Mobile data leak prevention
   -  Host DLP scans local drives and email for sensitive content (SSNs, credit card numbers, etc.)
   -  DLP isn’t mainstream yet, but many enterprises want it
   -  For mobile: best to limit DLP to e-mail scanning on the server
Four things you don’t need (continued)

3.  The same brand of device everywhere
   -  Modern Post-PC OSes support the key capabilities most companies need
   -  Focus on capabilities, not brands

4.  The same old password policy
   -  Skip expiration… it annoys users without increasing security
   -  Automatic lock/wipe provides the essential margin of safety
1. Configure devices to protect your data

•  Secure connections
   -  Enforce SSL for mail, calendar sessions: ActiveSync, IMAP, SMTP
   -  VPN and in-the-cloud web proxy for content filtering

•  Remote-wipe lost or stolen devices
   -  RIM, Apple devices and most ActiveSync devices can do this

•  Device-specific policies
   -  Require hardware- or content-encryption (Apple or RIM devices)
   -  Consider disallowing camera, App Store purchases

Email is your chokepoint for enforcing data protection policies (BES, ActiveSync)
2. Pick a sensible mobile security policy

•  Balance security and usability with this policy:
   -  8-digit numeric PIN (or 6 alphanumeric characters)
   -  Simple PINs disallowed
   -  Automatic lock after 15 minutes
   -  Grace period of 2 minutes
   -  Automatic wipe/permanent lock after eight wrong tries
   -  No expiration. Remember, it’s not your network password

This policy aligns with NIST 800-63 Level 1 guidance (1:1,024 guessing entropy). See my paper “Picking a Sensible Mobile Password Policy” for more details, and the math.
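To show the arithmetic behind the slide's 1:1,024 figure, here is an added example (not part of the talk) that computes an attacker's worst-case odds under a wipe-after-N-tries policy and compares them with the NIST 800-63 Level 1 bound. The definition of a "simple" PIN is an assumption modelled on the usual device rule, and the 4-digit policy is a constructed contrast that goes beyond the slide.

```python
"""Check a mobile passcode policy against the NIST 800-63 Level 1 bound:
the attacker's chance of guessing the secret must be no better than 1 in
1,024. With automatic wipe after N wrong tries the attacker gets exactly N
guesses, so the worst case is N divided by the number of passcodes the
policy permits. Disallowing simple PINs is modelled conservatively: those
PINs are removed from the space, so no guess is ever wasted on one."""
from fractions import Fraction
import string

NIST_LEVEL1_MAX_GUESS_PROBABILITY = Fraction(1, 1024)
DIGITS = string.digits                                  # 8-digit numeric PIN
ALPHANUMERIC = string.digits + string.ascii_lowercase   # 6 alphanumeric chars


def is_simple_pin(pin: str) -> bool:
    """Assumed definition of a 'simple' PIN: all characters identical, or a
    straight ascending/descending run of consecutive characters
    (12345678, 87654321)."""
    if len(set(pin)) == 1:
        return True
    codes = [ord(c) for c in pin]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def simple_pins(length: int, alphabet: str) -> set:
    """Enumerate the simple PINs of a given length without walking the whole
    space: every repeated character plus every run of consecutive characters
    (by code point) that fits inside the alphabet, forwards and backwards."""
    pins = {c * length for c in alphabet}
    chars = sorted(alphabet, key=ord)
    for i in range(len(chars) - length + 1):
        run = chars[i:i + length]
        if all(ord(b) - ord(a) == 1 for a, b in zip(run, run[1:])):
            pins.add("".join(run))
            pins.add("".join(reversed(run)))
    return pins


def guess_probability(length: int, alphabet: str, tries_before_wipe: int,
                      disallow_simple: bool = True) -> Fraction:
    """Worst-case chance that an attacker with `tries_before_wipe` guesses
    hits the passcode, as an exact fraction."""
    space = len(alphabet) ** length
    if disallow_simple:
        space -= len(simple_pins(length, alphabet))
    return Fraction(tries_before_wipe, space)


def meets_nist_level1(length: int, alphabet: str, tries_before_wipe: int,
                      disallow_simple: bool = True) -> bool:
    p = guess_probability(length, alphabet, tries_before_wipe, disallow_simple)
    return p <= NIST_LEVEL1_MAX_GUESS_PROBABILITY


def evaluate_slide_policies() -> dict:
    """Both variants from the slide, plus a desktop-style 4-digit PIN with
    simple PINs allowed, to show how little margin the weak policy has."""
    return {
        "8 digits, wipe after 8": guess_probability(8, DIGITS, 8),
        "6 alphanumeric, wipe after 8": guess_probability(6, ALPHANUMERIC, 8),
        "4 digits, simple allowed, wipe after 10":
            guess_probability(4, DIGITS, 10, disallow_simple=False),
    }


if __name__ == "__main__":
    for name, p in evaluate_slide_policies().items():
        ok = p <= NIST_LEVEL1_MAX_GUESS_PROBABILITY
        print(f"{name}: 1 in {p.denominator // p.numerator} "
              f"({'meets' if ok else 'FAILS'} Level 1)")
```

The slide's 8-digit policy gives the attacker eight tries against nearly 100 million passcodes, roughly 1 in 12.5 million, so it clears the 1:1,024 bar with a wide margin; the 4-digit contrast lands at 1 in 1,000 and misses it.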
3. Support multiple devices

•  ActiveSync
   -  ActiveSync is Microsoft’s protocol for push e-mail. When e-mail is pushed, ActiveSync also enforces security policies on the device
   -  Servers: Microsoft Exchange and Lotus Notes Traveler implement it
   -  Devices: WinMo/WP7, Apple and some Android devices natively support some/all ActiveSync features.

•  Apple
   -  Apple’s .mobileconfig policy files can be downloaded to configure new devices. These support all Apple security policies.
   -  Products that use Apple’s MDM API can manage devices after installation, e.g., push apps, reset passwords, and send new policies.
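As an added example (not code from the talk or from Perimeter), this builds a .mobileconfig carrying the slide's passcode policy with Python's plistlib, and reviews any profile for settings weaker than that policy. The payload type and keys are Apple's documented passcode-policy ones; the identifiers and display names are placeholders, and the Apple defaults assumed for missing keys are noted in comments.

```python
"""Express the slide's passcode policy as an Apple configuration profile
(.mobileconfig, an XML property list) and review a profile against it."""
import plistlib
import uuid
from typing import Optional

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

SLIDE_POLICY = {
    "forcePIN": True,              # a passcode is required
    "minLength": 8,                # 8-digit numeric PIN
    "requireAlphanumeric": False,  # numeric is enough at this length
    "allowSimple": False,          # simple PINs disallowed
    "maxInactivity": 15,           # automatic lock after 15 minutes
    "maxGracePeriod": 2,           # grace period of 2 minutes
    "maxFailedAttempts": 8,        # wipe after eight wrong tries
    # no maxPINAgeInDays: the policy has no expiration
}


def build_profile(overrides: Optional[dict] = None) -> bytes:
    """Serialise a profile carrying SLIDE_POLICY; `overrides` lets a reviewer
    build a deliberately weaker variant to exercise weak_settings()."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mobile.passcode",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        **SLIDE_POLICY,
        **(overrides or {}),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mobile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mobile passcode policy",
        "PayloadRemovalDisallowed": True,  # user cannot simply remove it
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def weak_settings(profile_bytes: bytes) -> list:
    """Parse a profile and list every passcode setting weaker than the
    slide's policy. Missing keys are judged by their assumed Apple defaults:
    allowSimple true, no inactivity limit, no grace period, 11 attempts."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode policy payload in profile"]
    p = payloads[0]
    needed_len = 6 if p.get("requireAlphanumeric") else 8
    checks = [
        (not p.get("forcePIN", False), "forcePIN: passcode not required"),
        (p.get("minLength", 0) < needed_len,
         f"minLength: {p.get('minLength', 0)} is below {needed_len}"),
        (p.get("allowSimple", True), "allowSimple: simple PINs permitted"),
        (p.get("maxInactivity", float("inf")) > 15,
         "maxInactivity: lock is later than 15 minutes"),
        (p.get("maxGracePeriod", 0) > 2, "maxGracePeriod: longer than 2 minutes"),
        (p.get("maxFailedAttempts", 11) > 8,
         "maxFailedAttempts: more than eight tries before wipe"),
        ("maxPINAgeInDays" in p, "maxPINAgeInDays: expiration set"),
    ]
    return [message for failed, message in checks if failed]
```

Installing the profile on a device still requires it to be delivered over an authenticated channel (and normally signed), which this example does not cover.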
3. Support multiple devices (continued)

•  RIM BlackBerry
   -  BlackBerry Enterprise Server (BES) supports a huge number of policies for enterprises using Exchange or Lotus Notes
   -  For non-Exchange enterprises (IMAP, POP/SMTP, CMS), BlackBerry Internet Service (BIS) provides connectivity, but no security or configuration policy enforcement.

•  Android
   -  Android’s primary method for enforcing security policies is via ActiveSync, and only a small subset of ActiveSync policies.
   -  Google Apps Device Policy App is available for corporate Google customers.
4. Merge mobile IT operations and security teams

•  No need for a parallel security operations team
   -  No mobile anti-malware infrastructure needed

•  Mobile security typically part of IT ops toolchain
   -  In particular: mail tools such as ActiveSync, BES

•  Security should be primary stakeholder for data security decisions, however
   -  Enforces company security and compliance policies
   -  Drives policy decisions that IT ops implements
5. Create a mobile access and security covenant

•  Your employees need to get their e-mail
•  You need to enforce security policies
•  So… here’s the deal you strike
   -  Employees can connect their own devices to your network if:
   -  …the device enforces your data protection policies (encryption, passcode, remote wipe, auto-lock), and:
   -  …employees accept your responsibility to protect your data on their devices as a condition of access, including remote wipe
   -  Employees should also agree to turn over device for forensics
Recommendations

•  In closing, don’t:
   •  Worry about anti-virus; only Android needs it (maybe)
   •  Worry about DLP on the devices: do it server-side
   •  Recycle your desktop password policy

•  Do:
   •  Pick a sensible, simple mobile password policy
   •  Use your email system as the choke point for enforcing data protection policies — Perimeter can help
   •  Allow access by devices with content encryption (BlackBerry, all Apple devices since 2009, some Android)
   •  Define a compact that trades access for security
For more information

•  Picking a Sensible Mobile Password Policy
   -  http://perimeterusa.com/blog/picking-a-sensible-mobile-password-policy/

•  NIST 800-63 Electronic Authentication Guideline
   -  http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
One more thing…

Technology preview: iEnroll

An open source project sponsored by Perimeter E-Security
iEnroll provides essential security for iPads and iPhones

(Diagram: enrollment flow between the device and the server)
1.  Authenticate
2.  User enters activation code and accepts policy
3.  Server requests private key generation
4.  Request signed certificate
5.  Return device certificate
6.  Security policies and configurations

No agent or code needed on device

Image copyright James MacDonald http://enthusiastik.com/
Demo

Available for download June 1st
ienroll.org
Andrew Jaquith
Chief Technology Officer
Perimeter E-Security
ajaquith@perimeterusa.com
Twitter: arj

Contact us:
experts@perimeterusa.com
1.800.234.2175, Option #2

feed://perimeterusa.com/blog/feed/
http://www.facebook.com/perimeterusa
http://twitter.com/PerimeterNews

Andrew Jaquith SOURCE Boston 2011
