Mobile Device Management In the Real World!

MDM CHALLENGES
• SECURITY & COMPLIANCE ENFORCEMENT
• REDUCE SUPPORT COST OF MOBILE ASSETS
• PROVIDE APPLICATION & PERFORMANCE MANAGEMENT
• PROVIDE BETTER BUSINESS CONTINUITY
• MAKE EMPLOYEES MORE PRODUCTIVE & MORE SATISFIED
TO BYOD OR NOT TO BYOD?
THAT IS THE QUESTION
• EACH BANK HAS TO DECIDE THIS FOR ITSELF WHILE WEIGHING THE PROS AND CONS OF EACH APPROACH.
• MAKE SURE THAT YOUR POLICIES & PROCEDURES ADDRESS BYOD WHETHER
OR NOT YOUR INSTITUTION SUPPORTS IT!
• IF YOU HAVE A GUEST WIRELESS NETWORK & YOU DON’T ALLOW BYOD... GUESS WHAT? YOU WILL VERY LIKELY HAVE EMPLOYEES USING THEIR PERSONAL DEVICES FOR BANKING PURPOSES ANYWAY.
• AT LEAST IF YOU ALLOW BYOD, YOU CAN MAKE THE RULES SURROUNDING IT!
THE MAAS360 10 COMMANDMENTS OF BYOD
1. CREATE THY POLICY BEFORE PROCURING TECHNOLOGY
2. SEEK THE FLOCK’S DEVICES
3. ENROLLMENT SHALL BE SIMPLE
4. THOU SHALT CONFIGURE DEVICES OVER-THE-AIR
5. GIVE THY USERS SELF-SERVICE
6. HOLD SACRED PERSONAL INFORMATION
7. PART THE SEAS OF CORPORATE & PERSONAL DATA
8. MONITOR THY FLOCK – HERD AUTOMATICALLY
9. MANAGE THY DATA USAGE
10. DRINK FROM THE FOUNTAIN OF ROI
ROI CONSIDERATIONS
CORPORATE-OWNED MODEL:
• DEVICE COST
• DATA PLAN COST
• REPLACING DEVICES EVERY FEW YEARS
• WARRANTY PLANS
BYOD:
• COST OF SUBSIDIZING DATA PLAN
• ELIMINATED DEVICE COST
• COST OF MOBILE MANAGEMENT
BOTH OPTIONS TAKE IT TIME & EFFORT TO MANAGE
WHAT DOES A GOOD MDM PROGRAM CONTAIN FROM A BANKER’S PERSPECTIVE?
• MOBILE DEVICE RISK ASSESSMENT
• GOOD POLICY FRAMEWORK
• ACCEPTABLE USE POLICY
• BYOD POLICY
• MOBILE DEVICE POLICY
• INFORMATION SECURITY POLICY
• DATA CLASSIFICATION POLICY
MDM FROM A TECHNOLOGY PERSPECTIVE:
• SOLUTIONS THAT PROVIDE COORDINATED VISIBILITY & CONTROL OVER
ALL DEVICES & OPERATING SYSTEMS.
• ENFORCE PASSCODE PROTECTION, ENCRYPTION, & SECURITY UPDATES
• CONTROL NETWORK & APPLICATION SETTINGS
• REMOTELY LOCATE, BLOCK, OR WIPE (FULL & SELECTIVE) DEVICES THAT
HAVE BEEN LOST, STOLEN, OR ARE NO LONGER AUTHORIZED.
• SECURE EMAIL, MESSAGING, & BROWSING
• WHITELISTING & BLACKLISTING
• BE EASY TO USE, CENTRALLY MANAGED, AND QUICK TO DEPLOY
INTEGRATION IS KEY
• A GOOD MDM SOLUTION WILL INTEGRATE WITH ACTIVE DIRECTORY,
EMAIL PLATFORMS (EXCHANGE, OFFICE 365, ETC.), SHAREPOINT,
INTRANET, WEB APPLICATIONS, AND ALL OF YOUR EXISTING
INFRASTRUCTURE.
• SINGLE SIGN ON ACROSS APPLICATIONS FOR AUTHENTICATION.
WHAT KIND OF ACTIONS WILL AN MDM
SOLUTION PERFORM?
• REFRESH DEVICE DETAILS IN REAL-TIME INCLUDING LOCATION.
• PERFORM HELP DESK OPERATIONS LIKE LOCKING A DEVICE OR RESETTING A FORGOTTEN
PASSCODE.
• PERFORM A FULL WIPE OF A LOST DEVICE OR A SELECTIVE WIPE OF ONLY THE CORPORATE
DATA WHILE MAINTAINING PERSONAL DATA OF AN EMPLOYEE OWNED DEVICE.
• CHANGE IOS POLICY.
• REMOTELY PUSH APPS TO DEVICES INCLUDING “HOME GROWN” APPS & PUBLISHED
UPDATES.
• PREVENT DATA LEAKAGE – KEEP PERSONAL DATA SEPARATE FROM COMPANY DATA
SET & DISTRIBUTE POLICIES
• ENFORCE PASSCODE REQUIREMENTS
• CONFIGURE RESTRICTIONS
• ENFORCE ENCRYPTED DEVICE BACKUPS
• RESTRICT USE OF CAMERA, FACETIME, & SCREEN CAPTURES
• RESTRICT APPLICATION INSTALLATION
• RESTRICT SAFARI, YOUTUBE, ETC. (BUILT-IN APPLICATIONS)
• DISTRIBUTE WI-FI, VPN, PROXY, & EMAIL PROFILES/SETTINGS
• MANAGE ICLOUD CONTROLS AND SETTINGS
• EMAIL SECURITY – RESTRICT USERS FROM MOVING EMAILS BETWEEN ACCOUNTS AND RESTRICT 3RD PARTY APPS FROM SENDING EMAILS
• DETECTION OF JAIL BROKEN AND ROOTED DEVICES
• COMPLIANCE REPORTING
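The passcode and restriction settings listed above, expressed as an iOS configuration profile built with Python's plistlib. This is an added example, not code from the page or from MaaS360/MobileIron; the payload keys are Apple's documented configuration-profile keys, while the organisation identifier and the numeric passcode thresholds are placeholders. It covers the passcode and restrictions payloads; the e-mail account payload (which carries the PreventMove/PreventAppSheet mail restrictions) is not included.

```python
import plistlib
import uuid

# Placeholder reverse-DNS prefix; a real deployment uses its own.
ORG = "com.example-bank.mdm"

def payload(payload_type, display_name, **settings):
    """Wrap one set of settings in the common keys every profile payload carries."""
    body = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.{display_name.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    body.update(settings)
    return body

def build_baseline_profile():
    """Profile with the passcode rules and device restrictions listed on the slide."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Bank Mobile Baseline",
        "PayloadContent": [
            # Passcode enforcement (thresholds are placeholders, not the page's).
            payload("com.apple.mobiledevice.passwordpolicy", "Passcode",
                    forcePIN=True, allowSimple=False, requireAlphanumeric=True,
                    minLength=8, maxInactivity=5, maxFailedAttempts=10, maxPINAgeInDays=90),
            payload("com.apple.applicationaccess", "Restrictions",
                    forceEncryptedBackup=True,                        # encrypted device backups
                    allowCamera=False, allowVideoConferencing=False,  # camera and FaceTime
                    allowScreenShot=False,                            # screen captures
                    allowAppInstallation=False,                       # application installation
                    allowSafari=False, allowYouTube=False,            # built-in applications
                    allowCloudBackup=False, allowCloudDocumentSync=False,  # iCloud controls
                    allowOpenFromManagedToUnmanaged=False),           # keep corporate data in managed apps
        ],
    }

def roundtrip(profile):
    """Serialize to the XML plist a .mobileconfig contains and parse it back."""
    return plistlib.loads(plistlib.dumps(profile))

def payload_by_type(profile, payload_type):
    """Return the first payload of the given type from a profile."""
    return next(p for p in profile["PayloadContent"] if p["PayloadType"] == payload_type)
```

Writing `plistlib.dumps(build_baseline_profile())` to a `.mobileconfig` file gives a profile an MDM server can push over the air; the server signs it before delivery.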
SECURE BROWSING
• A GOOD SOLUTION WILL PROVIDE:
• URL FILTERING BASED ON CATEGORIES AND INCLUDE THE ABILITY TO
CUSTOMIZE WHITELISTS AND BLACKLISTS
• BLOCK KNOWN MALICIOUS WEBSITES
• RESTRICT COOKIES, DOWNLOADS, COPY, PASTE, & PRINTING
FUNCTIONALITY
• NOTIFY USERS & ADMINISTRATORS OF VIOLATIONS
• PROVIDE DETAILED REPORTING WITH AN AUDIT TRAIL
SECURE DOCUMENT SHARING
• A GOOD MDM SOLUTION SHOULD ALSO PROVIDE A SECURE CONTAINER FOR
DOCUMENTS THAT CAN BE EDITED ON THE DEVICE
• THIS WILL REDUCE THE RISK OF DATA LEAKAGE
• SET TIME BASED EXPIRATIONS FOR AUTOMATIC DOCUMENT DELETION
• WORK WITH ALL COMMON FILE TYPES SUCH AS MICROSOFT OFFICE & PDF FORMATS
• ENFORCE USER AUTHENTICATION
BOARD MINUTE PORTAL BEST PRACTICES
• CHOOSE DEVICE CAREFULLY. IOS IS RECOMMENDED BECAUSE OF SECURITY.
• CORPORATE OWNED DEVICE
• MANAGED SETTINGS
• USER FRIENDLY SOLUTION
• FULL CONTROL OF DATA ON DEVICE
• DISABLE SCREEN SHOT
• LOCATE LOST DEVICE
• ENABLE ENCRYPTION
• DEVICE BACKUP
• DEVICE WIPE
• RISK ASSESSMENT
• IPAD POLICY / AGREEMENT
USING MDM FOR BOARD MINUTES
• USING AN APP FROM AN MDM SOLUTION
• PROVIDES DEVICE MANAGEMENT
• ALLOWS FOR FULL CONTROL OF DATA ON DEVICE
• ALLOWS FOR DEVICE WIPE
• ALLOWS DATA TO BE ENCRYPTED
• ALLOWS FOR OPENING, DOWNLOADING, & PRINTING RESTRICTIONS
• ALLOWS OPENING ONLY WITHIN A SPECIFIED GEOGRAPHICAL RANGE
• USING AN MDM SOLUTION COMBINES TWO SOLUTIONS IN ONE
AIRWATCH SECURE CONTENT LOCKER BY VMWARE
• FOUNDED IN 2003, AIRWATCH IS AN ATLANTA-BASED ENTERPRISE, MOBILE DEVICE, MOBILE APPLICATION AND MOBILE CONTENT MANAGEMENT COMPANY.
• IN FEB 2014 VMWARE ACQUIRED AIRWATCH
• IT PROVIDES SOLUTIONS THAT ARE COMPATIBLE WITH A VARIETY OF DEVICES INCLUDING IOS, ANDROID, BLACKBERRY AND WINDOWS PHONE.
• WON THE 2013 CLOUD STORAGE EXCELLENCE AWARD
AIRWATCH SECURE CONTENT LOCKER BY VMWARE
• Flexible Content Storage
  • Hosted in Cloud
  • On Premise
  • Hybrid
• Device Wipe
• Set Time Limits on Data
• Set Data to be Viewed Online Only
• Password Protected
• Device Location
• Geographical Range Limits
• Disable Screen Shots
• Specify Wi-Fi Hotspot
• Disable Browser
MOBILE BEST PRACTICES
1. LOCK THE DEVICE WITH A PASSWORD OR PERSONAL IDENTIFICATION NUMBER (PIN)
2.
3. INSTALL APPS ONLY FROM TRUSTED SOURCES
4. BACK UP YOUR DATA
5. KEEP YOUR SYSTEM UPDATED
6. DO NOT HACK (JAIL-BREAK) YOUR DEVICE
MOBILE BEST PRACTICES (CONTINUED)
7. TURN OFF WI-FI AND BLUETOOTH SERVICES WHEN NOT IN USE
8. DO NOT AUTOMATICALLY CONNECT TO WI-FI HOT SPOTS
9. DO NOT USE UNTRUSTED HOT SPOTS, PUBLIC OR PRIVATE. UNTRUSTED WI-FI HOT SPOTS ARE SUSCEPTIBLE TO MAN-IN-THE-MIDDLE ATTACKS.
10. AVOID SENDING PERSONAL INFORMATION VIA TEXT OR EMAIL
11. BE CAREFUL WHAT YOU CLICK
12. INSTALL A MOBILE SECURITY APP
HOW FCNB ENABLES BYOD
• FCNB CURRENTLY ONLY ALLOWS ACCESS TO EMAIL.
• THE BANK CONTROLS THE CORPORATE E-MAIL PROFILE.
• FCNB SELECTED MOBILE IRON AS ITS MOBILE DEVICE MANAGEMENT SYSTEM.
• EMPLOYEES MUST SIGN AND AGREE TO THE MOBILE POLICY.
• IN THE FUTURE FCNB WILL ALLOW ACCESS VIA A SECURE CITRIX CONNECTION.
• THE BANK IS NOT OBLIGATED OR RESPONSIBLE FOR PERSONAL EMAIL, TEXTS, ETC.
• FCNB RESTRICTS FORWARDING OF E-MAIL THROUGH PERSONAL ACCOUNTS.
HOW FCNB ENABLES BYOD (CONTINUED)
• CURRENTLY FIRST CITIZENS ONLY SUPPORTS IOS (IPHONE AND
IPADS) AND SUPPORTED LEVELS OF THAT SOFTWARE.
• EMPLOYEES WILL BE HELD PERSONALLY RESPONSIBLE FOR ANY
PROBLEMS CAUSED BY THEIR NEGLIGENCE AS DEEMED BY BANK
MANAGEMENT.
• EMAIL HISTORY AVAILABLE ON THE MOBILE SMARTPHONES AND
TABLETS WILL BE LIMITED.
• A “JAIL-BROKEN” OPERATING SYSTEM WILL AUTOMATICALLY BE WIPED BY MOBILE IRON.
HOW FCNB ENABLES BYOD (CONTINUED)
• THE BANK IS NOT RESPONSIBLE FOR THAT EMPLOYEE DATA.
• CORPORATE EMAIL AND DATA THAT IS MANAGED BY THE BANK’S MOBILE
MANAGEMENT SYSTEM IS PROTECTED AND SEPARATED IN ITS OWN
CONTAINER. EACH ATTACHMENT IS PROTECTED BY A SECURE GATEWAY
AND CAN ONLY BE READ BY A TRUSTED READER.
• MOBILE IRON AUTOMATICALLY PROTECTS AGAINST MAN-IN-THE-MIDDLE ATTACKS.
HOW FCNB ENABLES BYOD (CONTINUED)
• THE BANK CAN CHOOSE AT ANY TIME TO DO A SELECTIVE WIPE OF THE CORPORATE EMAIL AND DATA ON SMARTPHONES AND TABLETS.
• THE BANK WILL AUTOMATICALLY QUARANTINE A SMARTPHONE OR TABLET THAT HAS NOT CHECKED IN TO THE BANK’S MOBILE MANAGEMENT SYSTEM.
• THE BANK WILL AUTOMATICALLY COMPLETE A FULL WIPE OF THE SMARTPHONE OR TABLET IF THE DEVICE HAS NOT CHECKED IN AFTER THIRTY DAYS. THIS PREVENTS DATA COMPROMISE IN CASE THE MOBILE DEVICE HAS BEEN STOLEN AND TAKEN OFFLINE (E.G. BY A SIM CARD SWAP).
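The automatic check-in, quarantine and thirty-day wipe rules described on this slide, together with the jailbreak rule from the earlier slide, written out as a small Python decision function over a device inventory. This is an added example, not MobileIron's or FCNB's code; the device records, the one-day quarantine delay, the set of supported iOS versions and the choice of a selective wipe for out-of-policy devices are assumptions, since the slides do not state them.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds from the slide: a silent device is quarantined, and fully wiped after thirty days.
QUARANTINE_AFTER_DAYS = 1          # assumption: one missed daily check-in triggers quarantine
FULL_WIPE_AFTER_DAYS = 30
SUPPORTED_IOS_MAJOR = {16, 17}     # placeholder for the "supported levels" of iOS

@dataclass
class Device:
    serial: str
    owner: str
    ios_major: int
    jailbroken: bool
    passcode_set: bool
    last_checkin: date

def evaluate(device, today):
    """Map one inventory record to the MDM action the bank's rules call for."""
    silent_days = (today - device.last_checkin).days
    if device.jailbroken:
        return "FULL_WIPE"        # a jailbroken OS is wiped automatically
    if silent_days >= FULL_WIPE_AFTER_DAYS:
        return "FULL_WIPE"        # offline for thirty days: treat as stolen / SIM swapped
    if silent_days >= QUARANTINE_AFTER_DAYS:
        return "QUARANTINE"       # missed check-in: hold corporate email until it reports in
    if device.ios_major not in SUPPORTED_IOS_MAJOR or not device.passcode_set:
        # assumption: out-of-policy devices lose corporate data only; personal data stays
        return "SELECTIVE_WIPE"
    return "COMPLIANT"

# Constructed sample inventory, not real devices.
INVENTORY = [
    Device("SN-0001", "alice", 17, False, True, date(2024, 6, 1)),
    Device("SN-0002", "bob", 17, True, True, date(2024, 6, 1)),
    Device("SN-0003", "carol", 17, False, True, date(2024, 5, 20)),
    Device("SN-0004", "dave", 17, False, True, date(2024, 4, 20)),
    Device("SN-0005", "erin", 12, False, True, date(2024, 6, 1)),
]

def actions(today=date(2024, 6, 1)):
    """Evaluate the whole inventory as of the given day."""
    return {d.serial: evaluate(d, today) for d in INVENTORY}
```

Running `actions()` daily from the inventory export and feeding the result to the MDM's quarantine and wipe commands is what turns the slide's rules into an automatic control rather than a help-desk task.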
WHY FCNB SELECTED APPLE IOS
• EVERY IOS APP CAN ONLY ACCESS ITS OWN DATA CONTAINER: THERE IS NO GENERAL ACCESS TO THE FILE SYSTEM. AS A RESULT, APPS CAN ONLY DAMAGE THEIR OWN DATA, UNLESS IT IS A “JAIL BROKEN” DEVICE.
• THE APP STORE IS TIGHTLY CURATED: APPS ARE TESTED BY APPLE BEFORE BEING MADE AVAILABLE TO THE PUBLIC, SO INCIDENCES OF MALWARE ARE RARE.
• APPLE CONTROLS THE DISTRIBUTION OF NEW OPERATING SYSTEM UPGRADES: APPLE CAN QUICKLY MAKE UPGRADES AVAILABLE FOR THE ENTIRE IPHONE, IPAD, AND IPOD DEVICE COMMUNITY. IF A SECURITY ISSUE IS IDENTIFIED, IT FIXES IT AND ENSURES THAT ALL DEVICES HAVE EASY ACCESS TO THE NEWLY-PATCHED IOS VERSION. THE TIMING OF THE FIX AND DISTRIBUTION IS ENTIRELY UNDER APPLE’S CONTROL.
WHY FCNB SELECTED APPLE IOS (CONTINUED)
• PASSCODE ENFORCEMENT PREVENTS UNAUTHORIZED ACCESS TO THE DEVICE. IT ALSO ACTIVATES IOS DATA PROTECTION, WHICH BUILDS ON THE BUILT-IN HARDWARE ENCRYPTION TO PROVIDE ADDITIONAL SECURITY FOR EMAIL MESSAGES AND EMAIL ATTACHMENTS.
• MOBILE IRON SUPPORTS MULTIPLE DEVICE TYPES, SO IN THE FUTURE FCNB CAN ADD OTHER DEVICES AS NEEDED.
FCNB MOBILE BANKING
• MOBILE BANKING REQUIRES USER TO HAVE ONLINE BANKING
ACCESS
• TWO FACTOR AUTHENTICATION IS NEEDED FOR ONLINE
BANKING
• MOBILE DEVICE REQUIRES OUT-OF-BAND AUTHENTICATION