Security Considerations for Mobile Devices in GoRTT

Dearl Bain, Security & Assurance Unit
18 April, 2013
Mobile Devices
Definition:
• Any portable device that can be used to access corporate data and information services.
• Examples: smartphones, tablets, laptops
Security for Mobile Devices
• There is increased use of portable computing devices (smartphones, netbooks, tablets).
• Work-from-home employees
• An organization's data vulnerability points have increased exponentially.
• Industry experts say that by 2013 there will be 1.2 billion
mobile workers worldwide.
• They also report that by 2013, 75 percent of all U.S. workers will be mobile, meaning those workers will use a mobile device for at least 20 percent of their work.
• Another survey reveals that 36 percent of cell phone
owners have either lost a phone or had one stolen.
• These facts suggest that in the near future, nearly 25
percent of all workers will have lost a mobile device that
could provide access to confidential information.
• It's no wonder that mobile device security is a top concern.
Responsibility & Accountability
GoRTT is responsible, accountable and legally liable for
information it stores, processes and transports.
Thousands of personal devices currently hold GoRTT information, files, conversations and account access information.
Security configurations of personal devices do not correspond to enterprise security standards, e.g. password strength.
Personal Use vs Risk Exposure
Personal Devices in The Enterprise
Current User Control / Access:
• Unrestricted access to consumer services
• Unrestricted access to applications
• Corporate email access
• Consumer cloud storage
• Camera and video recording access
Corporate Devices in the Enterprise
Ideal Corporate Control Scenario:
• Restrict access to internal services
• Restrict access to external 3rd party services
• Detect tampering (rootkits, rooting etc.)
• Audit logging of asset location & usage
• Audit trail for records, compliance investigations
• Securely extend network services beyond perimeter defenses.
• Remotely monitor and protect data
• Access network file shares
• Data Loss Prevention
Managing Risks – Mobile Enterprise
Corporate vs BYOD, Which is best?
• What level of data classification is accessed?
• What services are required to perform the job?
• What is the risk rating for the individual?
• Does the user have a device that allows for an encrypted secure workspace?
Risks of Inadequate Mobile Security
• Storage of enterprise data on unsecured personal
devices
• Storage of enterprise data on 3rd party infrastructure and services outside of jurisdiction (Dropbox, SkyDrive, etc.)
• Multiple, disparate and uncoordinated file storage
silos
• Malicious mining of enterprise data using stolen
devices with saved access credentials
• Legal liability for information breaches under the Data
Privacy Act if citizen data is compromised
Managing Risk in Mobile Computing
Policy
• Data classification
• Mobile usage policy
• Mobile assignment policies
• Corporate services policy
• Confidentiality policies
• Identify legal recourse for non-compliance
• BYOD
Managing Risk in Mobile Computing
Centralized Management
• Mobile Device Management Solutions (BES10, etc) for
device policy enforcement
• Access Management
• Single Sign On
• Device recovery
• Remote Information Recovery / Information Removal
Managing Risk in Mobile Computing
User Education & Accountability
• Policy awareness
• Policy enforcement
• User agreement forms / acceptable use
• Confidentiality statements
Managing Risk in Mobile Computing
Compliance
• Mobile access auditing (ActiveSync, BES)
• Data Retention (Laws / Regulations)
Incident Reporting
• Mobile device incident reporting for Loss & Theft
• Device itself may be required to provide evidence in
legal matter or assist in investigations
Conclusions
Contingency Approach
• Secure mobile devices as you would secure a laptop
• Provide security controls in line with data
classifications, highest class applies.
• Educate users on their responsibilities and the
policies they must abide by
• Ensure access granted to employee and to device
matches organizational responsibilities
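The two rules above, "controls in line with data classifications, highest class applies" and "access granted to the device matches responsibilities", together with the earlier BYOD questions (classification accessed, encrypted secure workspace, tamper detection), can be expressed as a small access-decision routine. The following is an added example written for this page, not code from the GoRTT deck or from iGovTT; the classification scale, the control names, the rule that a tampered (rooted) device is refused regardless of class, and the sample device records are all assumptions made for the illustration.

```python
"""Added example (not part of the original deck): decide whether a mobile
device may access a set of data classifications by applying the deck's
"highest class applies" rule against a per-class control table.
The classification scale, control names and sample devices are assumed."""
from dataclasses import dataclass, field

# Ordered data classifications; a higher index is more sensitive (assumed scale).
CLASS_ORDER = ["public", "internal", "confidential", "restricted"]

# Minimum device controls each classification demands (assumed policy table).
# "corporate_owned" and "secure_workspace" only appear at the top class,
# mirroring the deck's Corporate vs BYOD questions.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"passcode"},
    "confidential": {"passcode", "encryption", "mdm_enrolled"},
    "restricted": {"passcode", "encryption", "mdm_enrolled",
                   "corporate_owned", "secure_workspace"},
}


@dataclass
class Device:
    owner: str
    corporate_owned: bool
    controls: set = field(default_factory=set)  # controls verified present
    tampered: bool = False  # rooting/jailbreak reported by MDM (assumed flag)


def highest_class(data_classes):
    """Return the most sensitive classification in the list ("highest class applies").
    An empty list is treated as public data."""
    if not data_classes:
        return "public"
    return max(data_classes, key=CLASS_ORDER.index)


def evaluate_access(device, data_classes):
    """Return (allowed, governing_class, missing_controls) for a device.

    The governing class is the highest class the user will access; the
    device must satisfy every control that class requires. A tampered
    device is refused for any class (assumed rule, based on the deck's
    "detect tampering" control)."""
    governing = highest_class(data_classes)
    present = set(device.controls)
    if device.corporate_owned:
        present.add("corporate_owned")
    # Set difference builds a new set, so the policy table is never mutated.
    missing = REQUIRED_CONTROLS[governing] - present
    if device.tampered:
        missing.add("tamper_free")
    return (not missing, governing, sorted(missing))


if __name__ == "__main__":
    # Constructed sample devices for demonstration.
    corporate = Device("alice", True,
                       {"passcode", "encryption", "mdm_enrolled", "secure_workspace"})
    byod = Device("bob", False, {"passcode"})
    rooted = Device("carol", False, {"passcode"}, tampered=True)
    for dev, classes in [(corporate, ["internal", "restricted"]),
                         (byod, ["internal", "confidential"]),
                         (byod, ["public", "internal"]),
                         (rooted, ["internal"])]:
        allowed, governing, missing = evaluate_access(dev, classes)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{dev.owner:6} {governing:13} {verdict}  missing={missing}")
```

The returned `missing_controls` list is what an operator would feed back into the user education and MDM enrollment steps the deck describes: a BYOD phone with only a passcode is fine for internal data but is told exactly which controls it lacks before it can touch confidential data.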
Thank You
iGovTT
Lord Harris Court
52 Pembroke Street
Port of Spain
Republic of Trinidad and Tobago
Telephone: (868) 627-5600
Fax: (868) 624-8001
Email: igovtt@gov.tt
Website: www.igovtt.tt
Facebook: www.facebook.com/iGovTT
Twitter: @iGovTT