
Applied mobile chaos theory


Page 1: Applied mobile chaos theory

Applied ‘Mobile Chaos Theory’

…and NCA’s 12-step plan to end the madness

© 2011 Network Computing Architects, all rights reserved

Presented by Brad Bemis

Page 2: Applied mobile chaos theory

Our Modern Mobile Workforce

The term ‘mobile’ has changed. It’s not just about phone calls and web surfing though…

• ‘Always on’ availability

• Location-based services

• Credit card transactions

• Patient medical records

• Supply chain management

• Customer and partner collaboration

• Social media and social marketing

• Predictive analysis and unique targeting

The technology is getting smaller, faster, and smarter…

Page 3: Applied mobile chaos theory

The Mobile Challenges We Face

While keeping up with the rapid pace of innovation is our biggest challenge, it’s only one of many…

• Our data is on the move

• The network perimeter is gone

• The edge is now driving the core

• IT services are now a commodity

• Cloud and social challenge tie-ins

• Blurring of personal and business

• Balancing emerging risks vs. benefits

We must find ways to incorporate security controls that address the four dimensions of mobility above…

Page 4: Applied mobile chaos theory

Applied Mobile Chaos Theory

Chaos theory is more complicated than what’s presented here, but:

• Chaos underlies complex systems

• Patterns can emerge from chaos

• Initial conditions play a big part

• Indicators of possible outcomes

• Equilibrium based on attractors

Mobile chaos theory is based on the idea that:

• Mobility is a complex system challenge

• Success is determined by initial conditions

• To achieve equilibrium takes real effort

Page 5: Applied mobile chaos theory

Ending the Madness

We can’t just solve part of the problem. In order to fully enable a modern mobile workforce, we should be looking at things from a more holistic perspective:

• Needs

• Risks

• Policy

• Ecosystem

• Virtualization

• Device Management

• Identity Management

• End-Point Protection

• Remote Access

• Data Protection

• Training and Awareness

• Loss and Incident Handling

This approach is consistent with our long-standing principles of ‘defense-in-depth’.

Page 6: Applied mobile chaos theory

Needs


The needs of the many

The needs of the few

The needs of the one

What are your business needs?

What needs do various groups have?

What needs do specific individuals have?

• Identify the key stakeholders

• Gather formal requirements

• Define group/user profiles

Don’t forget about your compliance needs!

• Legal, regulatory, contractual…

Page 7: Applied mobile chaos theory

Risks


What is your current risk posture?

What are your risk tolerance thresholds?

What are you doing to measure/manage risk?

• Understand the threat landscape

• Establish well-defined decision-making criteria

• Build an overall mobile strategy covering all bases

Include a risk assessment/analysis to help with planning!

• Use FAIR in a contextual manner…
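Worked example (added here; not from NCA’s deck): a FAIR-style estimate of annualized loss exposure for the lost-or-stolen device scenario in step 12, showing how disk encryption and MDM remote wipe (steps 10 and 6) change the Vulnerability factor rather than the Threat Event Frequency. Every number is a constructed placeholder, and the Scenario, simulate_ale and control_value names are this example’s own.

```python
"""FAIR-style annualized loss exposure for a lost-or-stolen device scenario.

Added example, not NCA's own tooling. Every frequency, probability and
dollar figure is a constructed placeholder, not a benchmark.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: float             # Threat Event Frequency: devices lost or stolen per year
    vulnerability: float   # P(a lost device becomes a data loss event), 0..1
    loss_magnitude: float  # expected loss per loss event, in dollars


def loss_event_frequency(s: Scenario) -> float:
    """FAIR decomposition: LEF = TEF x Vulnerability."""
    return s.tef * s.vulnerability


def annualized_loss_exposure(s: Scenario) -> float:
    """FAIR risk as a point estimate: ALE = LEF x Loss Magnitude."""
    return loss_event_frequency(s) * s.loss_magnitude


def simulate_ale(s: Scenario, runs: int = 20000, spread: float = 0.5, seed: int = 7) -> float:
    """Monte Carlo ALE: each factor is drawn from a triangular distribution whose
    mode is the point estimate and whose range is +/- `spread` around it."""
    rng = random.Random(seed)

    def draw(x: float) -> float:
        return rng.triangular(x * (1 - spread), x * (1 + spread), x)

    total = 0.0
    for _ in range(runs):
        total += draw(s.tef) * min(1.0, draw(s.vulnerability)) * draw(s.loss_magnitude)
    return total / runs


def control_value(before: Scenario, after: Scenario) -> float:
    """Annual loss exposure removed by a control; weigh it against the control's cost."""
    return annualized_loss_exposure(before) - annualized_loss_exposure(after)


# Constructed fleet: 500 devices, 4% lost per year = 20 threat events. Disk
# encryption plus MDM remote wipe leaves TEF alone but cuts Vulnerability.
UNENCRYPTED = Scenario("no encryption, no remote wipe", tef=20, vulnerability=0.6, loss_magnitude=50_000)
ENCRYPTED = Scenario("encryption + remote wipe", tef=20, vulnerability=0.05, loss_magnitude=50_000)

if __name__ == "__main__":
    for s in (UNENCRYPTED, ENCRYPTED):
        print(f"{s.name}: ALE ${annualized_loss_exposure(s):,.0f} (simulated ${simulate_ale(s):,.0f})")
    print(f"exposure removed by the control: ${control_value(UNENCRYPTED, ENCRYPTED):,.0f}/year")
```

The simulated figure only tells you how wide the estimate is; the decision input is the point ALE removed by the control set against what that control costs per year.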

Page 8: Applied mobile chaos theory

Policy


What does your policy framework cover?

What other security policies might apply?

What are your data classification policies?

• Define acceptable use

• Clarify and explain all expectations

• Get formal sign-off and acceptance

Mobile devices are just another end-point!

• Leverage what you already have…

Page 9: Applied mobile chaos theory

Ecosystem


What platforms and models?

What carrier service provider(s)?

What kind of back-end infrastructure?

• Decide on purchased, BYOD, or mixed

• Research what carriers can offer you

• Consider virtualizing the back-end

These are some of the most critical decision points!

• Be sure to plan for the future (3 to 5 years)…

Page 10: Applied mobile chaos theory

Virtualization


What are you doing about data mixing?

What are you doing to fully enable people?

What are you doing to keep the security balance?

• Consider mobile virtual machines

• Keep the current limitations in mind

• Understand how it’s different from sandboxing

Virtualization really is the answer to many challenges!

• Watch this technology closely as it evolves…

Page 11: Applied mobile chaos theory

Device Management


What are you doing to lock devices down?

What are you doing to manage all of them?

What are you doing to keep track of everything?

• Review scope, capabilities, and limitations

• Build out written configuration standards

• Simplify provisioning and de-provisioning

Probably the single most important investment made!

• Make your decision based on clear requirements…

Page 12: Applied mobile chaos theory

Identity Management


How are you authenticating to the device?

How are you authenticating to remote assets?

How are you authenticating with third parties?

• Enforce PINs and passphrases

• Look at multi-factor authentication

• Tie in to federated identity management

Identity is everything in a mobile, social, cloud-based world!

• Applies to people and assets…

Page 13: Applied mobile chaos theory

End-Point Protection


What are you doing about mobile malware?

What are you doing to limit network dangers?

What are you doing to gain visibility into things?

• Use AV on the platforms it’s available for

• Consider available mobile firewall (FW) options

• Look into mobile end-point reporting

There are a lot of platform dependency issues here!

• Stay up to date on how the industry responds…

Page 14: Applied mobile chaos theory

Remote Access


How are you providing access to resources?

How are you resolving file management issues?

How are you keeping data out of the public cloud?

• Use a reliable SSL client for remote access

• Consider a VDI-based model for mobility

• Build your own file management solution

File management is one of the biggest issues right now!

• Keep your data out of the public cloud…

Page 15: Applied mobile chaos theory

Data Protection


How are you protecting the local data store?

How are you protecting data on removable cards?

How are you protecting data leaving the device?

• Disk encryption is still a key requirement

• Look into data loss prevention options

• Don’t forget about data classification

Routing data back to the corporate network may be possible!

• Keep an eye on this to use your existing tools…

Page 16: Applied mobile chaos theory

Training and Awareness


How do people know what the policies say?

How do people know what is/isn’t acceptable?

How do people know where to go with issues?

• Have a formal awareness and training program

• Fold mobility into this larger program

• Keep folks up to date on changes

Security training/awareness is still the absolute best tool!

• Unfortunately it’s still the least used…

Page 17: Applied mobile chaos theory

Loss and Incident Handling


What happens if a device is lost or stolen?

What happens if something suspicious occurs?

What happens if you experience an actual incident?

• Have a formal incident response plan

• Fold mobility into your existing plan

• Make sure folks know what to do

Everything we do is to avoid incidents – be prepared though!

• It only takes one for everything to change…

Page 18: Applied mobile chaos theory

Closing the Loop

Everything is happening at such an incredibly fast pace – it’s hard to keep up. In the future we may see more and more integration between security options, but as it stands today a holistic approach is needed, one that includes:

• Needs

• Risks

• Policy

• Ecosystem

• Virtualization

• Device Management

• Identity Management

• End-Point Protection

• Remote Access

• Data Protection

• Training and Awareness

• Loss and Incident Handling

…and, of course, NCA is happy to help!

Page 19: Applied mobile chaos theory

Questions?


Page 20: Applied mobile chaos theory

About the Author:

Brad Bemis is the CISO, Security Practice Manager, and Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA.

Brad holds associate degrees in both Personnel Management and in Information Systems Technology, a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level course-work towards a Master of Business Administration and a Master of Science in Clinical Psychology.

Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in-between).

Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including: contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of on-line security forums, and much, much more.

Additional information can be found on Brad's professional blog at www.secureitexpert.com.

Page 21: Applied mobile chaos theory

About NCA’s Information Security Practice:

NCA’s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:

• Program Management: Building and managing a holistic information security program.

• Governance: Incorporating security into enterprise or IT governance frameworks.

• Risk Management: Measuring and managing information security and other related risks.

• Compliance: Ensuring that all internal and external requirements are being met.

• Identity & Access Management: Managing identities and permissions for systems and users.

• Perimeter Defense & Firewall Management: Defending the borders between networks.

• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.

• Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.

• Event Management & Incident Response: Detecting and responding to security incidents.

• Awareness & Training: Engaging people in the process of security on a daily basis.

Through a number of strategic partnerships we can also deliver additional services in the areas of:

• Managed Services: Managing the day-to-day operational security of information systems.

• Application Security & Penetration Testing: Validating controls for business applications.

Learn more today at http://www.ncanet.com

Or call 877-KNOW NCA (877-566-9622)