26
Security Strategies for Mobile Devices State of Oregon Enterprise Security Office Jan. 14 th , 2010

Securing Mobile Devices

Embed Size (px)

Citation preview

Page 1: Securing Mobile Devices

Security Strategies for Mobile Devices

State of Oregon

Enterprise Security OfficeJan. 14th, 2010

Page 2: Securing Mobile Devices

Welcome

John Ritchie, CISSP State of Oregon Enterprise Security Office Information Security Analysis and Consultation

2

Page 3: Securing Mobile Devices

Introduction

Enterprise Security Office (ESO) State Enterprise

Perspective Multi-Agency, Cross-

Agency Enterprise Policy and

Oversight Not Operations

Enterprise Security Plan

ISO Domains 5.0 Asset Management 7.0 Access Control 9.0 Communications & Operations Management 11.0 System Development and Maintenance

Enterprise Security Standards & Processes

Enterprise Security Architecture

ISO Domains8.0 Incident Management

ESO Strategic InitiativeStatewide Incident Response

Program

ISO Domains3.0 Compliance

6.0 Physical & Environmental10.0 Business Continuity Plan

ESO Strategic InitiativeInformation Security Consulting Services

ISO Domains1.0 Security Organization

2.0 Security Policy

ESO Strategic InitiativeIdentify & Evaluate Security

Opportunities

ISO Domains2.0 Security Policy

ESO Strategic InitiativePolicy Development

ISO Domains3.0 Compliance

ESO Strategic InitiativeVulnerability Assessment

ISO Domains1.0 Security Organization

ESO Strategic InitiativeInformation Security Communication Plan

Agency Information Security Plans

ISO Domains4.0 Human Resources

ESO Strategic InitiativeUser Awareness Program

ISO Domains5.0 Asset Management

ESO Strategic InitiativeInformation Security Risk

Assessment

Enterprise Security Policies

ISO 27001Information Security Management System

ISO 27002 – Technical Standards

Page 4: Securing Mobile Devices

Agenda

Overview of Issues

Strategies For Developing Solutions

Future Trends

4

Page 5: Securing Mobile Devices

Issue: Portable Storage

Storage, Storage and more Storage Easy Data Sharing

Small, Smaller, Smallest, Lost

Data Loss Prevention

Bypass Security Controls

5

Page 6: Securing Mobile Devices

Issue: Mobile Workforce

Culture Change Can’t Be Ignored

Huge Benefits

Technical Challenges Porous Perimeter

Firewalls?

Personal Devices

6

Page 7: Securing Mobile Devices

Issue: Mobile Workforce

Everything Connects

Hostile Environments

7

Page 8: Securing Mobile Devices

Strategies For Coping

Step By Step

Define Business Needs

Develop Policy

Technical Implementation

Audit Device Use and Compliance

Step By Step (Refrain)

Page 9: Securing Mobile Devices

Strategy: Step By Step

Start Somewhere

Develop A Plan

Something Is Better Than Nothing

It All Costs Money

9

Page 10: Securing Mobile Devices

Strategy: Business Needs

Define Benefits What Are Your Goals?

Data Classification – Task #1 Where’s Your Sensitive Data?

What Will Your Employees Store On Mobile Devices?

10

Page 11: Securing Mobile Devices

Strategy: Policy

Decision Points Strict Or Lenient?

Device Ownership Decision

Device Management Decisions

Security

11

Page 12: Securing Mobile Devices

Policy

Device Ownership Company-owned (stricter)

Control and Security

Responsibility (mostly) company’s

Separation of Church and State

Personal Devices (more lenient) Flexibility

Employee Satisfaction

Cost?12

Page 13: Securing Mobile Devices

Policy

Device Management Corporate vs. Personal Management

Supported Models vs. All Models

Standard Configuration

Lost/Stolen/Sold Devices

Employee Termination

13

Page 14: Securing Mobile Devices

Policy

Security Data At Rest Data In Transit Access To Device Access to Enterprise Assets

14

Comic by XKCD.com

Page 15: Securing Mobile Devices

Policy

Responsibility Should Employee Share Responsibility?

Policy Education Critical Component

15

Page 16: Securing Mobile Devices

Strategy: Technical Controls

Intersect With Policy And Security

Policy Without Controls Is…

Integrate Solutions With Architecture

Don’t Forget About Existing Policies Acceptable Use

16

Page 17: Securing Mobile Devices

Strategy: Audit Device Use

Education

Visual Audits Manager drive-by

Technical Audits Logging

“Lessons Learned” Audits After-the-fact

17

Page 18: Securing Mobile Devices

Strategy: Step By Step (Refrain)

Start Somewhere

Develop A Plan

Something Is Better Than Nothing

It All Costs Money

18

Page 19: Securing Mobile Devices

Trends For the Future

Increasingly Mobile WorkforceBetter Tools

Current: Remote Access, Minimize Local Storage

Developing Market for Tools

Increasing Risk Targets For Attack

Increasing Awareness? History of PC Security Awareness

Page 20: Securing Mobile Devices

State Reference Material

Policies http://www.oregon.gov/DAS/EISPD/ESO/Policies.shtml

Statewide Information Security Plan and Standards http://www.oregon.gov/DAS/EISPD/ESO/SW_Plan_Standards.shtml

20

Page 21: Securing Mobile Devices

Questions?

John Ritchie

(503) 378-3910

[email protected]

21

Page 22: Securing Mobile Devices

Drive Encryption Tools Pointsec:

http://www.checkpoint.com/products/datasecurity/pc/index.html CREDANT: http://www.credant.com/products.html GuardianEdge:

http://www.guardianedge.com/products/guardianedge-hard-disk-encryption.php PGP:

http://www.pgp.com/products/wholediskencryption/index.html McAfee Endpoint Encryption:

http://www.mcafee.com/us/enterprise/products/data_protection/data_encryption/endpoint_encryption.html Microsoft BitLocker:

http://technet.microsoft.com/en-us/windows/aa905065.aspx

22

Page 23: Securing Mobile Devices

Drive Encryption Tools Mobile Armor:

http://www.mobilearmor.com/dataarmor.php SafeNet:

http://www.safenet-inc.com/products/data_protection/disk_and_file_encryption/protectdrive.aspx SecurStar: http://www.securstar.com/products.php Utimaco Software:

http://www.sophos.com/products/enterprise/encryption/safeguard-enterprise/device-encryption/

WinMagic: http://www.winmagic.com/products

23

Page 24: Securing Mobile Devices

Remote Device Wipe

BlackBerry Enterprise Server

Microsoft’s System Center Mobile Device Manager

Apple’s iPhone 3.0 (with MobileMe)

24

Page 25: Securing Mobile Devices

Lost Device Tracking

Adeona Project (Open Source): http://adeona.cs.washington.edu/

Absolute Software: http://www.absolute.com/

zTrace Technologies: http://www.ztrace.com/

25

Page 26: Securing Mobile Devices

Presentation, Desktop Virtualization Citrix XenDesktop:

http://www.citrix.com/english/ps2/products/product.asp?contentID=163057

Citrix XenApp: http://www.citrix.com/english/ps2/products/product.asp?contentid=186

VMware View: http://www.vmware.com/products/view/

Microsoft’s Remote Desktop Services: http://www.microsoft.com/windowsserver2008/en/us/presentation-terminal.aspx?pf=true