Presentation is loading. Please wait.

Presentation is loading. Please wait.

The IT Manager’s Nightmare... “Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please.

Similar presentations

Presentation on theme: "The IT Manager’s Nightmare... “Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please."— Presentation transcript:


2 The IT Manager’s Nightmare... “Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please have these set up for us by next Friday so that we can read the board minutes, … oh, and I decided I couldn’t wait, so here is mine so that you can get me connected today”

3 Disruptive Technologies  1980’sThe Microcomputer  1980’sThe Network  1990’sPersonal Email  1990’sThe Web  2000’sSmart Phones  2010’sMobile Computing Devices

4 Mobile Computing Security Challenges  What ever happened to the network perimeter?  Is that one of our devices?  Is that really one of our users?  Where is our data?  No, I said it’s our data, not your data  Yes, I know that it’s a clever app  Who’s in charge of these !@(*#^)* things anyway?

5 Security Taxonomy Physical Security Storage Security Perimeter Security Identity Management Internal Security Security Management Encryption Mobile Device Security Mobile Device Policy

6 Best Practices for Policy  Engage the business Understand their mobile computing requirements Survey your workforce Establish a corporate strategy based on requirement vs risk

7 Best Practices for Policy  Establish levels of ‘service’ Tier 1 ○ Corporate owned devices ○ PIM and business applications Tier 2 ○ Corporate or user owned devices ○ Lightly managed and supported (eg mail/calendar) Tier 3 ○ User owned devices ○ Web based access only ○ Unsupported

8 Best Practices for Policy  Reserve to right to manage ALL devices with access to corporate resources Includes connections to internal wireless LANs and connections to PC’s. Require installation of your security profile on all devices as a condition of access.

9 Best Practices for Policy  Isolate corporate data from private data Sandboxing Policy compliance Application publication (no data at rest)

10 Best Practices for Policy  Enforce strong security controls Passwords Auto lock Remote wipe Certificates Encryption Enforced device policy

11 Best Practices for Policy  Consider disabling device functions that conflict with business activities Camera App stores Cloud storage services YouTube Explicit content

12 Best Practices for Policy  Enforce acceptable use policy Cover current and future devices “everywhere” access means wiping a device when the employee leaves the organisation... And that may include their own personal device if it has been used to access corporate systems.

13 Best Practices for Policy  Determine how users with be provisioned with applications The use of ‘app’ stores is fine with only a few users but can become unwieldy with many users Start with basic applications (email, collaboration, productivity) Layer on advanced applications

14 Best Practices for Policy  Proactively monitor voice and data usage Implement ongoing recording of usage

15 Best Practices for Policy  Require users to backup their own data If it’s their information, they are responsible for it. Assert the right to wipe the device if it is lost or stolen Assert the right to wipe the device when the employee leaves

16 Best Practices for Policy  Teach Users about ‘Stranger Danger’ No reading of sensitive information in uncontrolled areas... ○ Aircraft ○ Trains ○ Supplier offices  Close/lock the devices when not in use.  Beware of theft

17 Best Practices for Policy  Require users to understand and agree with policy Security policies don’t belong in a book Publish policies for all users to read Review the policies annually

18 Best Practices for Policy  Address the ramifications of non compliance to policy Usage infractions Unauthorised application installation Inappropriate material Not reporting lost devices Excessive personal use

19 OK, So You’ve Got Your New Toys, Now What?  Learn to walk before you can fly!  Implement a mobile device management system  Establish a base device policy  Enforce that policy

20 Device Policy #1 Enable Password Protection  Require a PIN code after power on  Require a PIN code after auto lock  Minimum of 4 digits Preferably longer if the device supports it

21 Device Policy #2 Lock the Device  Always enable auto- lock on mobile devices  Keep the lock period to as short as possible

22 Device Policy #3 Enable Wiping  Wipe on more than five invalid PIN code entries  Remote wipe in the event of loss or theft Easily implemented in Exchange, Keriomail and BES  Setup a lost device hotline  Wipe devices prior to disposal

23 Device Policy #4 Turn on Device Encryption  IOS4.x, 5.x All user data is automatically encrypted  Android Information on removable media is not encrypted by default.  Windows Mobile 7 Encryption not supported ○ “It's important to note that Windows Phone 7 (WP7) primarily was developed as a consumer device and not an enterprise device”.  Windows 8 Expected to be supported when it is released

24 Device Policy #5 Encrypt Data in Transit  Enable SSL encryption  Use digital certificates

25 Device Policy #6 Update Frequently  Keep the operating system and applications up to date  Enable auto update if available

26 Device Policy #7 Control Network Connections  Disable network services if not required ○ Wifi ○ Bluetooth ○ Infrared  Restrict WiFi Connections to authorised networks

27 Device Policy #8 Install AntiVirus Software  Install AntiVirus software wherever practical  Controlled and scrutinised application release minimises the threat

28 Strategy Decisions: BYOD  Bring Your Own Device  Your data, their device, your risk  Firmly establish a data centric security strategy before even considering a BYOD strategy

29 Strategy Decisions: Application Publication Model  Securely publish applications to mobile devices from your data centre  Removes data at rest risk  Device agnostic approach  Requires good data centre bandwidth  Enabler for BYOD strategy

30 Going Full Circle?


32 Conclusion  Mobile devices/tablets are a game changing technology  Successful (and secure) deployment requires an effective policy and an effective strategy

33 Tony Krzyzewski Kaon Technologies Ltd

Download ppt "The IT Manager’s Nightmare... “Good morning, the board decided last night that we need to have iPads in order to do our work properly. Can you please."

Similar presentations

Ads by Google