Mobile Device Policy Enforcement
ISSE 2007 (transcript)
John Rhoton, Lead Technologist – Mobility, HP Services
Context & Agenda
1. Mobile devices
2. Air interfaces
   • Bluetooth, 802.11b, WWAN
3. Remote Access
   • Tunnels (VPNs), Roaming
4. Perimeter Security
   • Compartmentalization, Access Controls
5. Policy Enforcement Options
Threats to Mobile Devices
• Stolen information – host intrusion, stolen device
• Unauthorized network/application access – compromised credentials, host intrusion
• Virus propagation – virus susceptibility
• Lost information – lost, stolen or damaged device
[Figure: timeline of mobile malware discoveries, June 2004 to July 2005 (source: Trend Micro).]
• Symbian OS (Nokia, etc): Cabir (20 Jun 04), Qdial (12 Aug 04), Skulls (21 Nov 04), Vlasco (29 Dec 04), Locknut/Gavno (1 Feb 05), Comwar (7 Mar 05), Dampig (8 Mar 05), Drever (18 Mar 05), Mabir (4 Apr 05), Fontal (6 Apr 05), Hobbes (15 Apr 05), Doomed (4 Jul 05)
• Windows CE (HP, etc): Duts (17 Jul 04), Brador (5 Aug 04)
Mobile Content Protection
Access Control Solutions
• Native Pocket PC
• Biometric Authentication
• HP ProtectTools
• Pointsec
• Credant
• TrustDigital
• Utimaco
• Bluefire
• Multi-tiered security
Wi-Fi Protected Access (WPA)
• Temporal Key Integrity Protocol (TKIP)
  – Fast/per-packet keying, Message Integrity Check
• WPA-Personal (pre-shared key)
• WPA-Enterprise (802.1X authentication)
Rogue and Decoy Access Points
• Highest risk when WLANs are NOT implemented by the enterprise (users plug in their own access points)
  – Usually completely unsecured
  – Connected by naïve (rather than malicious) users
• Intrusion detection products – manual, sensors, infrastructure
• Multi-layer perimeters
  – 802.1X
  – RBAC, VPN
• Decoys can be counteracted with automated client configuration
[Diagram: an unauthorized wireless bridge joining the private LAN to a public network, beside the normal Internet/intranet access path.]
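The triage the slide describes, as an added example that is not part of the original presentation or any vendor's product named on it: a wired sensor correlates each beaconing AP's MAC with what is seen on the private LAN, and the classifier ranks an unauthorised bridge onto the LAN (rogue) above an off-network evil twin (decoy). The corporate SSID, the authorised BSSID inventory and the scan records are constructed; `client_may_join` shows the "automated configuration" counter-measure, a client profile that pins SSID, security mode and BSSID so a decoy with the right name is never joined.

```python
# Rogue / decoy access point triage over constructed WLAN scan results.
# Added example; not code from the ISSE 2007 slides or any vendor named there.
# The corporate SSID, authorised BSSID inventory and beacon records are constructed.
from dataclasses import dataclass
from typing import Dict, List

CORP_SSID = "corpnet"                  # assumed corporate SSID
CORP_SECURITY = "wpa-eap"              # assumed: WPA-Enterprise (802.1X) only
AUTHORISED_BSSIDS = {                  # assumed inventory exported from the WLAN controller
    "00:11:22:aa:bb:01",
    "00:11:22:aa:bb:02",
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str        # "open", "wep", "wpa-psk" or "wpa-eap"
    seen_on_wire: bool   # a wired sensor saw this AP's MAC on the private LAN


def _normalise(ssid: str) -> str:
    """Collapse case, spaces and separators so 'Corp-Net' and 'corpnet' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def looks_like_corp(ssid: str) -> bool:
    """Decoy heuristic: exact SSID or a lookalike that embeds the corporate name."""
    return _normalise(CORP_SSID) in _normalise(ssid)


def classify(beacon: Beacon) -> str:
    """Order matters: anything bridged onto the private LAN outranks a mere decoy."""
    if beacon.bssid in AUTHORISED_BSSIDS:
        # Known AP, but check it still runs the mandated security mode.
        return "authorised" if beacon.security == CORP_SECURITY else "misconfigured"
    if beacon.seen_on_wire:
        # Unauthorised AP plugged into the private LAN: an unauthorised wireless
        # bridge, typically a naive user's consumer AP, usually open.
        return "rogue"
    if looks_like_corp(beacon.ssid):
        # Off-network AP advertising the corporate SSID (or a lookalike) to lure
        # clients: an evil twin / decoy.
        return "decoy"
    return "neighbour"


def triage(scan: List[Beacon]) -> Dict[str, str]:
    """Map each BSSID in a scan to its classification."""
    return {b.bssid: classify(b) for b in scan}


def client_may_join(beacon: Beacon) -> bool:
    """Client-side 'automated configuration': the profile pins SSID, security mode
    and the authorised BSSID set, so a decoy with the right name but no 802.1X
    (or an unknown BSSID) is never joined, whatever the user clicks."""
    return (
        beacon.ssid == CORP_SSID
        and beacon.security == CORP_SECURITY
        and beacon.bssid in AUTHORISED_BSSIDS
    )


# Constructed scan: two real corporate APs (one downgraded to WEP), an open evil
# twin, a lookalike "guest" decoy, a consumer AP bridged onto the LAN, a neighbour.
SAMPLE_SCAN = [
    Beacon("corpnet", "00:11:22:aa:bb:01", "wpa-eap", True),
    Beacon("corpnet", "00:11:22:aa:bb:02", "wep", True),
    Beacon("corpnet", "de:ad:be:ef:00:01", "open", False),
    Beacon("Corp-Net Guest", "de:ad:be:ef:00:02", "open", False),
    Beacon("linksys", "00:0c:41:12:34:56", "open", True),
    Beacon("neighbour-wifi", "00:aa:bb:cc:dd:ee", "wpa-psk", False),
]

if __name__ == "__main__":
    for bssid, label in triage(SAMPLE_SCAN).items():
        print(f"{bssid}  {label}")
    for b in SAMPLE_SCAN:
        print(f"client joins {b.ssid!r} @ {b.bssid}: {client_may_join(b)}")
```

The wire correlation is what separates the two high-risk classes: without it, the open "linksys" AP is indistinguishable from a neighbour, which is exactly why the slide lists sensors and infrastructure, not just manual walk-throughs, under intrusion detection.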
Mobile Device Management
IT Manager Use-Cases
1) Search and select target end-user
2) View/Add/Delete end-users
3) View/Add/Delete device instances
4) View device history of each end-user
5) View detailed device information
6) View/Add/Remove applications from devices
7) View and process diagnostic results
8) View/Add/Modify rules
9) View/Add/Modify approved applications
10) View/Add/Modify settings for email, Wi-Fi, VoIP
11) Lock/Unlock devices
Mobile Device Security Management
• Provisioning security tools
• Policy enforcement
  – Passwords
  – Device lock
  – Policy updates
• User support
  – Device lockout
  – Backup/restore
(Balancing security against usability)
MSFP (Messaging and Security Feature Pack)
• Exchange 2003 SP2
• Windows Mobile 5.0 (persistent storage)
• S/MIME
• Certificate-based authentication
• Policy enforcement
• Local wipe
• Remote wipe
Enterprise Requirements
• Integrated management console
  – Directory (AD/LDAP) integration
• Centralized policies
  – Policy polling
  – User cannot remove
  – Screen-lock / idle-lock
Credant OTA Sync Control
[Diagram: handhelds synchronize with Exchange 2003 either locally (desktop ActiveSync) or over the Internet (Server ActiveSync via the Exchange Server and application servers).]
• Local Gatekeeper detects devices which sync via a local connection
• OTA Sync Control detects devices which sync via Server ActiveSync
  – Based on an ISAPI extension
  – Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange
Trust Digital Mobile Edge Perimeter Security
• Wireless provisioning portal
  – Device and user registration integrated with enterprise use policy acceptance
  – Over-the-air (OTA) delivery of Trust Digital software and policy
• Advanced features
  – Asset, activity, and compliance reporting
  – Help desk functionality including self-service portal
• Network Admission Control
  – Ensures security/compliance of end-user device
  – Interrogates devices before allowing access
  – Integrated with Microsoft ISA Server
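The pattern shared by the last three slides, as an added example that is not code from Credant, Trust Digital or Microsoft: detect the device where it must pass (the Server ActiveSync path, the point an ISAPI extension or ISA Server filter sits on), interrogate its reported state against the MSFP-style policy (password length, idle lock, local-wipe threshold, policy version), and either allow the sync, push policy over the air, redirect an agentless device to the provisioning portal, or deny an unregistered one. Only the `/Microsoft-Server-ActiveSync` path and its `Cmd`/`User`/`DeviceId`/`DeviceType` query parameters follow the real ActiveSync URL format; the policy values, device registry and request lines are constructed.

```python
# Admission gate in front of Exchange ActiveSync: detect the device at the sync
# path, check it against policy, and allow / remediate / provision / deny.
# Added example; not code from Credant, Trust Digital or Microsoft. The policy
# values, the device registry and the request lines are constructed; only the
# /Microsoft-Server-ActiveSync path and its Cmd/User/DeviceId/DeviceType query
# parameters follow the real ActiveSync URL format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

EAS_PATH = "/microsoft-server-activesync"   # compared case-insensitively, as IIS does

# Assumed enterprise policy, the kind an MSFP policy pushes to Windows Mobile 5.0.
POLICY = {
    "version": 3,                     # devices must have polled this policy version
    "min_password_length": 6,
    "max_idle_minutes": 15,           # screen-lock / idle-lock
    "wipe_after_failed_attempts": 8,  # local wipe threshold
}


@dataclass
class DeviceState:
    """What the management agent last reported for one device."""
    user: str
    agent_installed: bool
    policy_version: int
    password_length: int
    idle_lock_minutes: Optional[int]   # None: idle lock disabled
    wipe_after_failed: Optional[int]   # None: local wipe disabled


# Constructed registry keyed by the ActiveSync DeviceId.
REGISTRY: Dict[str, DeviceState] = {
    "DEV001": DeviceState("jdoe", True, 3, 8, 10, 8),          # fully compliant
    "DEV002": DeviceState("asmith", True, 2, 6, None, 8),      # stale policy, no idle lock
    "DEV003": DeviceState("cjones", False, 0, 0, None, None),  # registered, no agent yet
}


def parse_eas_request(request_line: str) -> Optional[Dict[str, str]]:
    """Return Cmd/User/DeviceId/DeviceType for an ActiveSync request line, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.path.lower() != EAS_PATH:
        return None
    query = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    return {
        "cmd": query.get("cmd", ""),
        "user": query.get("user", ""),
        "device_id": query.get("deviceid", ""),
        "device_type": query.get("devicetype", ""),
    }


def policy_violations(dev: DeviceState) -> List[str]:
    """Every way the reported state falls short of POLICY, in a fixed order."""
    v = []
    if not dev.agent_installed:
        v.append("agent-missing")
    if dev.policy_version < POLICY["version"]:
        v.append("policy-stale")
    if dev.password_length < POLICY["min_password_length"]:
        v.append("weak-password")
    if dev.idle_lock_minutes is None or dev.idle_lock_minutes > POLICY["max_idle_minutes"]:
        v.append("idle-lock")
    if dev.wipe_after_failed is None or dev.wipe_after_failed > POLICY["wipe_after_failed_attempts"]:
        v.append("local-wipe")
    return v


def admit(request_line: str) -> Tuple[str, List[str]]:
    """Decision for one request: pass (not EAS), allow, remediate, provision or deny."""
    req = parse_eas_request(request_line)
    if req is None:
        return ("pass", [])                      # gate only covers the sync path
    dev = REGISTRY.get(req["device_id"])
    if dev is None:
        return ("deny", ["unregistered"])        # never seen by the provisioning portal
    # In production compare against the HTTP-authenticated principal, not the
    # client-supplied User= parameter; the query string is used here for brevity.
    if dev.user.lower() != req["user"].lower():
        return ("deny", ["user-mismatch"])       # registered device, other credentials
    violations = policy_violations(dev)
    if "agent-missing" in violations:
        return ("provision", violations)         # redirect to OTA agent install
    if violations:
        return ("remediate", violations)         # push current policy OTA, re-check next sync
    return ("allow", [])


if __name__ == "__main__":
    # Constructed request lines as an IIS filter would see them.
    for line in [
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=DEV001&DeviceType=PocketPC HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=asmith&DeviceId=DEV002&DeviceType=PocketPC HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=cjones&DeviceId=DEV003&DeviceType=SmartPhone HTTP/1.1",
        "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=ZZZ999&DeviceType=PocketPC HTTP/1.1",
        "GET /owa/ HTTP/1.1",
    ]:
        print(admit(line))
```

The "remediate" branch is what makes policy enforcement consistent rather than best-effort: a device that stopped polling policy or whose user disabled the idle lock keeps its mailbox access only after the current policy has been re-applied and the next sync re-checked, which is the slide's "user cannot remove" requirement enforced at the server rather than trusted to the handset.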
HP Enterprise Mobility Suite – FusionDM for Enterprise
[Diagram: HP enterprise devices from leading OEM device manufacturers reach HP's worldwide hosting facilities over worldwide wireless operator networks (SMS, TCP/IP); the enterprise connects to the hosted service, and the service to the enterprise's existing IT systems, over HTTPS.]
• Hosted service: device support, software maintenance, worldwide network support
• FusionDM for Enterprise: device troubleshooting, device security, policy management, asset management, IT dashboard; self-care driven
• Existing IT systems: Exchange, Domino, GroupWise; corporate directory, Active Directory; intranet, CRM, application portal
Summary
• Security concerns are the greatest obstacle to mobility
• Mobility introduces new risks
• Industry has addressed the main threats
• Primary user challenge is secure configuration
• Primary enterprise challenge is consistent policy enforcement
• MDM reduces the cost of deployment and enforces policies