Mobile Device
Security
Presented by Terry Daus, CISSP
To the ISSA Las Vegas Chapter
April 13, 2011
Agenda
• Definition
• People
• Technology
• Policy
SmartPhone Definition
A cellular telephone with built-in applications
and Internet access.
Smartphones provide digital voice service as
well as text messaging, e-mail, Web browsing,
still and video cameras, MP3 player, video
viewing and often video calling. In addition to
their built-in functions, smartphones can run
myriad applications, turning the once singleminded cellphone into a mobile computer.
Source: PC Magazine Encyclopedia
People
What do they want?
• “Only carry one”
• Anywhere access
• Any device supported
• Transparent security
Trying to Stop the Inevitable?
Business
What does management want?
• Lower cost
• Low support overhead
• “Increased Productivity”
• Any device supported
• Transparent security
Business Implications/Questions
• Is the business willing to securely support
a mix of personal/business data and
smartphones/tablets?
• Remote access - to how much?
• Authority over data?
• Is the value worth the cost?
Policy
Source: Symantec
No Easy Answers
• What are your organization’s compliance
requirements?
• Which rewards does management want to
balance against risk and cost?
– Compliance
– Strategic mobility
– Employee productivity/creativity/retention
More Management Questions…
• Is confidential data allowed on mobile devices?
• Are personally-owned mobile devices allowed
access?
• Who has authority/responsibility for…
–
–
–
–
–
–
Who gets company-issued smartphones
Who gets access from smartphones, and to what?
Purchasing smartphones
Provisioning smartphones
Securing/monitoring smartphones?
Support of Organization-owned (O)? Personallyowned (P)?
Standards/Operational Notes…
• What are O mobile devices allowed
access to? Is it different for P?
• Will you list specific devices supported, or
just OS versions?
• Who is going to test all the new devices?
How often? What about application
maintenance?
• (how) Do you wipe a P phone at term?
• Crawl/Walk/Run or Flash Cut?
Policy Design Suggestions
• Review other’s policies for ideas
• Review your laptop policy
• Involve stakeholders in requirements and
design
• Communicate early and often
– Stakeholders
– IT (they have to make the tech work)
– Finance (our buddies with the budget)
– Users (they hate change too – be nice)
Technology
Device Scenarios
• Pure Monolithic – typically BES
– Organization (O) owned only
• Mixed Monolithic
– O or Personally (P) owned
• Mail System w/Supported Security
– O, O/P, limited to native OS’s
• 3rd Party Mgmt Software (in-house,
hosted, managed) – multiple device types
Device Market Share
Native Security in the OS
• From Most to Least Complete Options
– Blackberry
– Windows Mobile (6.1 and 6.5 only)
– iPhone
– Android
– Windows Mobile 7
– Symbian?
– Nokia?
Mobile Security Basic Req’mts
•
•
•
•
Passwords not pins
Remote wipe
Secure Email/Calendar sync
Device and storage card encryption
Mobile Security Advanced Req’s
• Disable capabilities (removable storage,
camera, BlueTooth, IR, etc…)
• Two-factor authentication
• Failed attempts lock/wipe
ActiveSync Client Comparison
•
Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-clientcomparison-table.aspx#cite_note-3
ActiveSync Client Comparison 2
•
Source: Microsoft - http://social.technet.microsoft.com/wiki/contents/articles/exchange-activesync-clientcomparison-table.aspx#cite_note-3
Interesting Android Factoids
• Android 2.2 supports all the basic security
requirements except encryption
• Android 3.0 (Honeycomb) provides
encryption, but is currently only on tablets
and one phone
• Carriers modify Android, sometimes badly
• NitroDesk Touchdown (Android Market or
direct, $20) adds device and storage card
encryption (3DES) to 2.2
3rd Party Security Options
• Mobile Device Management (MDM)
– Not just security – can have operations
management and deployment capabilities
•
•
•
•
Asset management
Application whitelist
Deploy in-house apps
Deploy patches/upgrades
MDM Deployment Options
– Which one fits your organization better?
• In-House
• In-House with external comm center
• Hosted
• Managed Service
Example MDM 1
Good Technology
• Encrypts Android 2.1 and above, and
iPhone 3G and above
• Separation of data and apps from OS in
encrypted sandbox
• Can control transfer of data to personal
side (contacts typically)
• Onsite servers transmit through Good
telecomm datacenters – no ActiveSync
Example MDM 2
Mobile Iron
• Suite of applications for security, asset
management, and expense
• Self-service portal for apps,
communications search/history, and usage
• Encrypts iPhones, Androids (with
integrated Touchdown), integrates with
BES
Example MDM 3
Air-Watch
• Can be purchased as a cloud service,
appliance, or software
• Encrypts iPhones but not Android 2.x
Example MDM 4
Verizon Managed Mobility Service
• 750 employee accounts minimum
• Based on Sybase solutions
• Services include inventory & expense
mgmt, provisioning and logistics, and
Sybase (policies, security, app store)
• Note: Sybase did not support iOS4 or
Android until Oct 2010
Can you say “complex”?
CISO Mobility Challenges
• Employee and management requirements
often conflict
• Consumer-grade products = security an
afterthought or non-existent
• Proprietary OS = complexity, inequality,
lack of standards
• Immature market = rapid change
CISO Mobility Recommendations
• Perform constant market research
• Provide non-technical executive management
enough information to make informed risk
decision(s) regarding mobile devices
– Immature market = limited choices, constant
change
– Set realistic expectations – no Holy Grail
– Communicate risks in business terms
– Crawl/Walk/Run
Story Time – Anyone?
• Hi, my name’s Terry and I’m a CISO…
End?
Open for Questions and Stories