Smartphone security
5 likes687 views
The document discusses how a company can securely manage employee-owned mobile devices (BYOD) using MobileIron. It summarizes the company's transition from company-owned Blackberries to allowing any device. MobileIron provides centralized policy enforcement and security across all devices. It allows separating personal and work data, enforcing access controls and remote wiping lost devices. The document also discusses providing secure access to additional corporate resources beyond email and ensuring privacy and international roaming policies are followed.
Smartphone security
- 1. SECURING “BYOD” How We Secure Mobile Devices That We Do Not OWN...
- 2. People Love Their Smart-phones!!
- 3. People Love Their Smart-phones!!
- 4. BUSINESS ISSUES • From Company Owned Blackberry to Bring Your Own Device • From Field Reps/Managers to Any Employee • Approval From Supervisor (“Business Need”) • Allowed Devices - Any Carrier - iPhone, Android, Windows - • Initial Application - Access Exchange - eMail, Calendar, Contacts
- 5. SECURITY POLICY - AUDIT ISSUES • Protect “Corporate Data” and Access To Systems (eMail) • Old Blackberry - Had 4 Character PIN / Inactivity Timeout and Wipe - BES Provisioning and Management • Minimal Protection on ActiveSync Devices “Enforced” Via Exchange Policy But Device Dependent - “Mileage Varies!” • ActiveSync Configuration W/O IT Enrollment • No “Unified Audit Trail” - Scattered Logs Across Systems
- 6. LOOKING FOR CONTROL TOOLS • Limited Tools Available in 2008/9 TimeFrame • Identified MobileIron System - Conducted Testing / POC • Supported All Policy Enforcement Needs - All Devices • Excellent Separation of User Data from Business Data on iOS • Simple Enrollment and Distribution of Client Agents • Simple Deployment of System - Appliance and Server Agent
- 7. AVAILABLE OPTIONS? • MANY Options Now • Leader Quadrant • Successful PoC
- 11. WHERE ARE WE NOW? • Blackberry Usage Dropping - Users Switching Away • New Users Connecting Via ActiveSync (iOS and Android) • Policies Now Equally Enforced Across All Mobile Devices • User Self Service / Minimal IT Effort In Deployment • Users Adopting iPad / Tablet Mobile Devices • Research Project To “Deliver App / Data” to iOS - iPad/iPhone
- 12. ACCESS TO MORE THAN EMAIL • Mobile Device Browsers Work Really Well... • Users Want Access To Their Data / Systems - Outside eMail • Juniper Secure Access and Junos Pulse Provide Access • Same Gateway Used For Remote Access • Robust Security and Granular Access / Roles for Users
- 16. IPAD ACCESS - APPLICATIONS • Data Access To More Than eMail Attachments - All Files • Device / Backup Encryption Turned On in MobileIron • Best Way To Access User Data? • DropBox? Google Docs? Transfer Directly To iPad? • Leverage SharePoint MySites / Team Sites Via Client • “There’s An App For That” - Filamente (AirCreek) • Juniper Provides VPN After SecurID Authentication
- 17. WHAT ARE THE THREATS? • Malware On Devices Exists But Not Yet In Numbers • Enforce App Store Use (No JailBreaking) As Control • Minimal Business Need For “Device Control” Today • Could Control SW Install, Device Features, Content Filters • Biggest Exposure - Lost / Stolen Devices, Device Swaps • Data Access, Data On Device and Backups • MobileIron “Find My Phone” - Remote Lock and Wipe • PIN / Pass Code - Automatic Wipe After Guessing Wrong
- 18. BUSINESS INCENTIVES • People Like Security • They Don’t Like Inconvenience • Balance Is Needed!! • “I NEED My Email Now!”
- 19. PICKING OUR PIN POLICY • Devices Default To Open Access - But Support PIN Lock • Users Very Rarely Want The Security Enough (vs Ease of Use) • NIST Guidance on PIN / Passwords - Pub. 800-63 (“Entropy”) • “Level 1 PIN” - Simple But Effective Versus Guessing... • Andrew Jacquith - “Picking A Sensible Mobile Password” • Trade Off Between “Secure Enough and User Pain”
- 20. PIN SETTINGS 8 Characters - 6 Characters - No PIN Length / Format No SImple PIN SImple PIN Lock 15 Minutes Lock 30 Minutes Lock and Wipe 2 Minutes Grace 2 Minutes Grace Settings 8 Tries - Wipe 10 Tries - Wipe No PIN Expiration No PIN Expiration Change Policy? (AD Passwords (AD Passwords Expire Like PC) Expire Like PC)
- 21. PRIVACY ISSUES • Mobile Intelligence / Activity Monitoring Features • Track Cell Tower Connections / Location of Device • Collect Call Logs and All SMS Messages • Set To Ignore Calls/SMS and Track “Current Location” Only • Concerns About Collecting Data and Controls / Management • Not Presently Any Security / Business Requirements
- 22. AGENT INTERACTION • Updates, Profiles, Certificates • Report Dropped Calls • Check Data Speeds • iOS Only Features • Links to iTunes App Store • App Delivery Direct to iOS
- 23. IOS “APP STORE” • Links to Apple • Define/Deliver • Direct and Store
- 24. INTERNATIONAL ROAMING • Detect International Roaming • Send Text Message Alert • Send Alert to IT Admins • Update Plans / Activity
- 25. REFERENCES • Surveys - Sybase Survey Telenav Survey • MobileIron • Picking PIN Policy - Perimeter Jaquith Blog - NIST 800-63 • iPhone Password Brute Force CNN Money http://money.cnn.com/galleries/2011/technology/1108/gallery.cybersecurity_tidbits/ Dino Dai Zovi -http://trailofbits.com/2011/08/10/ios-4-security-evaluation/ •