Mobile Device Policy Enforcement
John Rhoton, Lead Technologist – Mobility, HP Services

Upload: john-rhoton

Post on 23-Jan-2015


DESCRIPTION

Mobile Device Policy Enforcement ISSE 2007

TRANSCRIPT

Page 1: ISSE Mobile Device Policy Enforcement

Mobile Device Policy Enforcement

John Rhoton, Lead Technologist – Mobility, HP Services

Page 2: Context & Agenda

1. Mobile devices

2. Air interfaces
• Bluetooth, 802.11b, WWAN

3. Remote Access
• Tunnels (VPNs), Roaming

4. Perimeter Security
• Compartmentalization, Access Controls

5. Policy Enforcement Options

[Diagram: the numbered agenda items placed on a device-to-enterprise network picture]

Page 3: Threats to Mobile Devices

Stolen information
– Host intrusion, stolen device

Unauthorized network/application access
– Compromised credentials, host intrusion

Virus propagation
– Virus susceptibility

Lost information
– Lost, stolen or damaged device

[Timeline figure: mobile malware first seen between June 2004 and July 2005 – Cabir, Skulls, Mabir, Locknut (Gavno), Vlasco, Comwar, Dampig, Qdial, Fontal, Drever, Hobbes, Doomed, Win CE DUTS and Win CE BRADOR – colour-coded by platform: Symbian OS (Nokia, etc.) vs Windows CE (HP, etc.). Source: Trend Micro]

Page 4: Mobile Content Protection – Access Control Solutions

• Native Pocket PC
• Biometric Authentication
• HP ProtectTools
• Pointsec
• Credant
• TrustDigital
• Utimaco
• Bluefire

Page 5: Multi-tiered security

[Diagram: layered security tiers; only the title survived extraction]

Page 6: Wi-Fi Protected Access (WPA)

Temporal Key Integrity Protocol
– Fast/per-packet keying, Message Integrity Check

WPA-Personal

WPA-Enterprise

Page 7: Rogue and Decoy Access Points

Highest risk when WLANs are NOT implemented
– Usually completely unsecured
– Connected by naïve (rather than malicious) users

Intrusion Detection Products
– Manual, Sensors, Infrastructure

Multi-layer perimeters
– 802.1x
– RBAC, VPN

Decoys can be counteracted with automated configuration

[Diagram: Internet / Intranet / Access zones]

Page 8: Unauthorized Wireless Bridge

[Diagram: a mobile device bridging a Private LAN to a Public Network]

Page 9: Mobile Device Management – IT Manager Use-Cases

1) Search and select target end-user
2) View/Add/Delete end-users
3) View/Add/Delete device instances
4) View device history of each end-user
5) View detailed device information
6) View/Add/Remove applications from devices
7) View and process diagnostic results
8) View/Add/Modify Rules
9) View/Add/Modify approved applications
10) View/Add/Modify settings for email, WIFI, VOIP
11) Lock/Unlock Devices

Page 10: Mobile Device Security Management

Provisioning security tools

Policy enforcement
– Passwords
– Device lock
– Policy updates

User support
– Device lockout
– Backup/restore

[Diagram: the trade-off between Security and Usability]

Page 11: MSFP – Messaging and Security Feature Pack

• Exchange 2003 SP2
• Windows Mobile 5.0 (Persistent Storage)
• S/MIME
• Certificate-based Authentication
• Policy Enforcement
• Local wipe
• Remote wipe

Page 12: Enterprise Requirements

Integrated Management Console
– Directory (AD/LDAP) integration

Centralized Policies
– Policy polling
– User cannot remove
– Screen-lock / Idle-lock

Page 13: Credant OTA Sync Control

[Diagram: handhelds sync either locally over ActiveSync, through a Local Gatekeeper, or over the Internet via Server ActiveSync, through OTA Sync Control in front of the Exchange 2003 server and App Servers]

Local Gatekeeper can detect devices which sync via local connection

OTA Sync Control detects devices which sync via Server ActiveSync. Based on ISAPI extension.

Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange

Page 14: Trust Digital – Mobile Edge Perimeter Security

Wireless Provisioning Portal
– Device and user registration integrated with enterprise use policy acceptance
– Over-the-air (OTA) delivery of Trust Digital software and policy

Advanced Features
– Asset, activity, and compliance reporting
– Help Desk functionality including self-service portal

Network Admission Control
– Ensures security/compliance of end-user device
– Interrogates devices before allowing access
– Integrated with Microsoft ISA Server
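The sync-gatekeeper idea on the Credant and Trust Digital slides (inspect each device before it may synchronize, send non-compliant ones to remediation, block unknown ones) as an added example; this is illustrative code written for this page, not Credant's, Trust Digital's or HP's product code. It assumes a registry of last-reported device state, the policy thresholds shown, and that the ActiveSync Provision command is let through so policy can be pushed.

```python
# Added example, not from the ISSE deck or any vendor product: a toy sync
# gatekeeper modelled on the OTA Sync Control / Network Admission Control slides.
# It reads the ActiveSync request URL, checks the device against a constructed
# registry of last-reported policy state, and answers allow / remediate / block.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Enterprise policy being enforced (assumed, illustrative thresholds).
POLICY = {"password_required": True, "max_idle_lock_s": 900, "min_agent_version": (2, 0)}

@dataclass
class DeviceState:
    registered: bool
    password_enabled: bool
    idle_lock_s: int       # idle-lock timeout last reported by the on-device agent
    agent_version: tuple   # version of the on-device policy agent

# Constructed registry keyed by the ActiveSync DeviceId.
REGISTRY = {
    "ABC123": DeviceState(True, True, 600, (2, 1)),    # compliant
    "DEF456": DeviceState(True, False, 3600, (2, 0)),  # registered, out of policy
}

def parse_sync_request(url):
    """Pull Cmd, DeviceId and DeviceType out of a Server ActiveSync URL."""
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [None])[0] for k in ("Cmd", "DeviceId", "DeviceType")}

def violations(state):
    """List every way the reported device state misses POLICY."""
    v = []
    if POLICY["password_required"] and not state.password_enabled:
        v.append("password disabled")
    if state.idle_lock_s > POLICY["max_idle_lock_s"]:
        v.append("idle lock too long")
    if state.agent_version < POLICY["min_agent_version"]:
        v.append("agent out of date")
    return v

def gate(url):
    """Return (decision, reasons) for one sync attempt."""
    req = parse_sync_request(url)
    state = REGISTRY.get(req["DeviceId"])
    if state is None or not state.registered:
        return "block", ["unregistered device"]  # never registered via the portal
    if req["Cmd"] == "Provision":  # let policy delivery through so remediation can happen
        return "allow", []
    v = violations(state)
    return ("remediate", v) if v else ("allow", [])
```

In a real deployment the registry would be fed by the device agent's policy polling and the block/remediate decision returned as an HTTP error to the sync client.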

Page 15: HP Enterprise Mobility Suite

[Architecture diagram. Components shown: HP Enterprise Devices from Leading OEM Device Manufacturers; WW Wireless Operator Networks carrying SMS and TCP/IP; HP Enterprise Mobility Suite in HP Worldwide Hosting Facilities (Device Support, S/W Maintenance, WW Network Support); HTTPS links across the Internet to the Enterprise; FusionDM for Enterprise (Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dash Board); Existing IT Systems: Exchange®, Domino®, Groupwise®; Corporate Directory, Active Directory®; Intranet, CRM, Application Portal]

Page 16: Self Care Driven

[Diagram: self-care workflow; only the title survived extraction]

Page 17: Summary

• Security concerns are the greatest mobility obstacle

• Mobility introduces new risks

• Industry has addressed the main threats

• Primary user challenge is secure configuration

• Primary enterprise challenge is consistent policy enforcement

• MDM reduces cost of deployment and enforces policies