
May 30th – 31st, 2007, Chateau Laurier, Ottawa



Helping to Secure Data while on the Run
Greg Milligan
Mobility Solutions Manager
Microsoft Canada Co.
[email protected]

Agenda
  Microsoft Mobile Vision
  Threats
  Windows Mobile 5 Security Features
  Device Management
  Security Recommendations
  Windows Mobile 6 Enhancements
  3rd Party Security Extensions

MSFT Enterprise Mobility Vision (diagram labels)
  Perimeter: Access Control, Firewall
  Clients: Unmanaged PC (Home PC, Kiosk, etc), Managed PC, Mobile & Traditional Devices
  Services: Team Workspaces, E-Mail, Web & Video Conferencing, Documents & Files, Calendaring, Instant Messaging, LOB Applications, Intranet Web Applications

Mobile Security Threats
  Physical access to device itself
  Access to device User Interface
  Access to data at rest
  Access to data in motion
  Access to the corporate network
  Viruses/malware/spyware
  Access to mobile applications

Mobile device security threats (diagram labels)
  Connectivity paths: WLAN, PAN, Infrared, LAN, WWAN, Desktop, CorpNet
  Threats: Virus, Malware, Spyware, Unsupported Apps, Loss/Theft

A Layered Approach to Delivering Trustworthy Solutions
  Policy
  Process
  Personnel
  Products
  Partnerships
  PROTECT, DETECT, RESPOND, RECOVER

WM5: Platform Security Features
  Support industry standard certificates
  Support Open Mobile Alliance device management standards *
  AES 256 *, PFX/PKCS12 APIs support *
  FIPS 140-2 Certification *
  Smartcard Resource Manager *
  Support Network Authentication Standards
    NTLM 1 & 2, Kerberos
    SSL TLS Client Authentication
    802.1x user auth using PEAP, EAP/TLS
    WPA
* New for Windows Mobile 5.0

WM5: Local Security Features
  Security Configuration Management
    Critical Updating - Image Update *
  Peer-to-Peer connections (IR/Bluetooth)
    Require user interaction to accept data
    Can be programmatically disabled
  Pluggable, programmable device lock *
    Exponential backoff mitigates brute force attacks
    Can be activated via code anytime
    Can include biometrics, smartcard, etc.
* New for Windows Mobile 5.0

WM5: Development Security Features
  Data Protection APIs
    All purpose encryption APIs
    Used for LOB application data encryption: databases, application passwords, etc.
  Credential Manager
    Hardcoded encryption of credentials and private keys that are cached on the local device
    Reads/Writes credentials based on the user, target server and credential type
    Can be configured to force user verification prior to use of credentials

Remotely manage and enforce select corporate IT policies
Highlights
  Separate IT policies into “Mandatory” versus “Recommended”
  Separate users with exception list
    Certain users can be exempt
  Using a PolicyKey, Exchange Admin can check whether the client device has the latest policy settings
    If necessary, can mandate device to download new policy and settings
  If device does not comply with Mandatory IT policies, it will no longer be able to sync
  Exchange Admin can also mandate device to refresh policies every X hours

Policy Examples
  Remotely require a device PIN password for every device
  Set strength and length of PIN password
  Set device inactivity time before user needs to enter PIN password again
  Set time intervals for a device to refresh policy
  Require device to authenticate to Exchange Server using Certificates

Remotely manage and enforce select corporate IT policies: Screenshots

Help Protect Unauthorized Entry to Device
Local Data Wipe
  Device automatically resets local memory to clean state after X number of unsuccessful PIN/password entries
  Does not erase external memory such as SD card
  Local Data Reset is an IT policy that can be set from Exchange Server Console
  Protects against accidental reset with a “firebreak” mechanism that requires the user to enter a special keyword before proceeding with password entry
Device Timeout
  Device automatically locks itself after X minutes of inactivity
  User has to enter PIN password in order to use device
  Device timeout is an IT policy that can be set from Exchange Server Console
  However, device can still make emergency calls

Help Protect Unauthorized Entry to Device: Screenshots
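The lock behaviour described on the Local Data Wipe slide and on the earlier “Pluggable, programmable device lock” slide (exponential backoff after repeated failures, the firebreak keyword that guards against an accidental reset, a local wipe after X bad entries that leaves the SD card untouched), together with the “strength and length of PIN password” setting from the Policy Examples, as one added Python model. This is example code, not Microsoft's device-lock implementation: the thresholds WIPE_AFTER, FIREBREAK_AT, BACKOFF_START and BASE_DELAY, the FIREBREAK_KEYWORD placeholder, and the definition of a “strong” PIN are constructed assumptions.

```python
import hashlib
import hmac
import os

# Policy values are constructed for this example; the slides only say "X".
WIPE_AFTER = 8                 # unsuccessful PIN entries before the local wipe
FIREBREAK_AT = 6               # from this failure count on, a keyword is required before each try
BACKOFF_START = 3              # failure count at which exponential backoff begins
BASE_DELAY = 2.0               # seconds; doubles with every further failure
FIREBREAK_KEYWORD = "keyword-placeholder"   # hypothetical; not the platform's real keyword


def pin_meets_policy(pin: str, kind: str, min_length: int) -> bool:
    """Policy check for a 'numeric' or 'strong' PIN (the 'strong' rule is an assumption)."""
    if len(pin) < min_length:
        return False
    if kind == "numeric":
        return pin.isdigit()
    if kind == "strong":
        return (any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
                and any(not c.isalnum() for c in pin))
    raise ValueError(f"unknown PIN policy kind: {kind}")


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Only a salted hash of the PIN is kept on the device, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 20_000)


def backoff_delay(failures: int) -> float:
    """Seconds the lock refuses further entries after the given failure count."""
    if failures < BACKOFF_START:
        return 0.0
    return BASE_DELAY * 2 ** (failures - BACKOFF_START)


class DeviceLock:
    """Models the WM5-style device lock: backoff, firebreak keyword and local wipe."""

    def __init__(self, pin: str, kind: str = "numeric", min_length: int = 4):
        if not pin_meets_policy(pin, kind, min_length):
            raise ValueError("PIN does not meet the IT policy")
        self.salt = os.urandom(16)
        self.pin_hash = _hash_pin(pin, self.salt)
        self.failures = 0
        self.locked_until = 0.0          # entries before this time are refused
        self.firebreak_pending = False   # keyword must be typed before the next entry
        self.internal_memory = {"contacts": "...", "mail": "..."}   # constructed data
        self.sd_card = {"photos": "..."}                            # constructed data
        self.wiped = False

    def enter_keyword(self, keyword: str) -> bool:
        """The firebreak: a pocket press cannot type this, a person can."""
        if self.firebreak_pending and hmac.compare_digest(keyword.encode(), FIREBREAK_KEYWORD.encode()):
            self.firebreak_pending = False
            return True
        return False

    def enter_pin(self, pin: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "backoff"       # refused, and not counted as a failure
        if self.firebreak_pending:
            return "firebreak"     # keyword first
        if hmac.compare_digest(_hash_pin(pin, self.salt), self.pin_hash):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.internal_memory.clear()   # external storage is deliberately untouched
            self.wiped = True
            return "wiped"
        if self.failures >= FIREBREAK_AT:
            self.firebreak_pending = True
        self.locked_until = now + backoff_delay(self.failures)
        return "rejected"
```

Entries made during the backoff window are refused without being counted, so a stuck key or a pocket press cannot drive the counter toward the wipe on its own; the firebreak keyword then adds a second, human-only step before the last attempts.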

Help Protect Device Data if Device is Lost with Remote Wipe
  Exchange Server 2003 Console can over-the-air erase all on-device data and reset device back to clean state
  Remote wipe only applies to data stored in internal memory and not external storage like SD Cards
  Remote wipe will only work once lost device attempts to sync with network
    Admin sends remote erase order to specific device
    Server sends erase order next time device connects to Exchange
    Device will acknowledge that the command was received
    Device wipes its data next time upon receiving command
  Easy to manage
    Administration through a website
    Exchange Admin can “delegate” access to helpdesk
    Provides a transaction log for history recording
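The sync-time policy check from the “Remotely manage and enforce select corporate IT policies” slide (PolicyKey comparison, Mandatory versus Recommended settings, the exception list, refusing sync on non-compliance) and the remote-wipe exchange on this slide (queued order, delivery at the next connection, device acknowledgement, wipe of internal memory only, helpdesk delegation, transaction log), as one added Python simulation. This is example code, not Microsoft's Exchange or ActiveSync implementation; the message fields, role names, setting names and the PolicyKey digest are constructed assumptions.

```python
import hashlib
import json

# Everything here is constructed for the example: the setting names, roles and
# message fields are assumptions, not the Exchange ActiveSync wire format.


class Policy:
    """Corporate IT policy. Settings in MANDATORY must match or the device cannot sync."""
    MANDATORY = ("require_pin", "min_pin_length")   # everything else is "Recommended"

    def __init__(self, require_pin=True, min_pin_length=4,
                 inactivity_timeout_min=15, refresh_interval_hours=24):
        self.settings = {
            "require_pin": require_pin,
            "min_pin_length": min_pin_length,
            "inactivity_timeout_min": inactivity_timeout_min,
            "refresh_interval_hours": refresh_interval_hours,
        }

    def key(self) -> str:
        # PolicyKey: digest of the current settings, so any admin edit produces a new key
        blob = json.dumps(self.settings, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()[:16]


class ExchangeServer:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.roles = {}              # user -> "admin" or "helpdesk" (delegated)
        self.exempt_users = set()    # the exception list
        self.pending_wipes = {}      # device_id -> who ordered the wipe
        self.log = []                # transaction log for history recording

    def request_wipe(self, actor: str, device_id: str) -> bool:
        if self.roles.get(actor) not in ("admin", "helpdesk"):
            self.log.append(f"DENIED wipe of {device_id} requested by {actor}")
            return False
        self.pending_wipes[device_id] = actor
        self.log.append(f"QUEUED wipe of {device_id} by {actor}")
        return True

    def acknowledge_wipe(self, device_id: str) -> None:
        actor = self.pending_wipes.pop(device_id, "unknown")
        self.log.append(f"ACKED wipe of {device_id} (ordered by {actor})")

    def sync(self, req: dict) -> dict:
        device_id, user = req["device_id"], req["user"]
        # 1. A queued erase order is delivered as soon as the device reconnects.
        if device_id in self.pending_wipes:
            self.log.append(f"SENT wipe order to {device_id}")
            return {"status": "wipe"}
        # 2. Stale PolicyKey: push the latest settings before allowing anything else.
        if req["policy_key"] != self.policy.key():
            return {"status": "policy_update", "policy_key": self.policy.key(),
                    "settings": dict(self.policy.settings)}
        # 3. Mandatory settings must match unless the user is on the exception list.
        if user not in self.exempt_users:
            violations = [n for n in Policy.MANDATORY
                          if req["settings"].get(n) != self.policy.settings[n]]
            if violations:
                self.log.append(f"BLOCKED {device_id}: {violations}")
                return {"status": "blocked", "violations": violations}
        return {"status": "ok"}


class Device:
    def __init__(self, device_id: str, user: str, applies_policy: bool = True):
        self.device_id, self.user = device_id, user
        self.applies_policy = applies_policy   # False models a device that ignores pushed settings
        self.policy_key = None
        self.settings = {"require_pin": False, "min_pin_length": 0}   # constructed defaults
        self.internal_memory = {"mail": "...", "contacts": "..."}      # constructed data
        self.sd_card = {"photos": "..."}
        self.wiped = False

    def sync_with(self, server: ExchangeServer) -> str:
        if self.wiped:
            return "wiped"
        resp = server.sync({"device_id": self.device_id, "user": self.user,
                            "policy_key": self.policy_key, "settings": self.settings})
        if resp["status"] == "wipe":
            server.acknowledge_wipe(self.device_id)   # acknowledge, then erase
            self.internal_memory.clear()              # external storage is not touched
            self.wiped = True
            return "wiped"
        if resp["status"] == "policy_update":
            self.policy_key = resp["policy_key"]
            if self.applies_policy:
                self.settings = resp["settings"]
            return "policy_updated"
        return resp["status"]
```

Two points the slides make are visible in the flow: a wipe order sits in the queue until the lost device actually reconnects, and the server's log records who ordered it and when the device acknowledged it, which is what a delegated helpdesk operation needs for accountability.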

Increase Access Security To Exchange Server Using Certificate-Based Authentication
  Certificate-based Authentication (CA) has been a big ask from top security-conscious customers
  User can now access Exchange using PKI Software Certificates instead of corporate login credentials
  If a user loses the device to an unauthorized party, that party cannot gain access to the user’s corporate LAN network
  Certificates limit what a user can do on a corporate network
  Upon certificate expiration, user needs to cradle device again
  User gets an alert 14 days before expiration

Certificate-Based Authentication: Screenshots
  Using Certificate Authentication
  Using Basic Authentication

SMS 2003 Device Management Feature Pack
  Add-on to SMS 2003
  Features include
    Discovery/Identification
    Hardware Inventory
    Software Inventory and File Collection
    Software Distribution
    Script Execution

Asset Management: Hardware Inventory
  Information
    Device name
    Hardware ID
    Device model
    Power (battery status)
    Display resolution
    File system
    Memory
    Network
    Operating system
  Generate reports on any hardware characteristic
  Can be extended to capture other hardware inventory information

Asset Management: Software Inventory and File Collection
  Information
    Presence of files
    File details
    Last software scan
    Product details
  Software Inventory
    Specify directories
    Specify wildcard file extensions
    List of files or applications in the file system
    Permits collection of log/data files
  Generate reports on any software or file

Configuration Management: Device Settings
  SMS provides integrated experience to configure and deploy settings
  Example of configurable settings:
    Network: GPRS Network, PPP Network, VPN
    Security: Certificates, Registry Entry
    Applications: ActiveSync & Exchange E-mail, Internet E-mail, Proxy, Browser Favorite

Configuration Management: Password Policy
  Centralized control of device password policy
    Configure mandatory numeric or strong password
    Force password setting prior to use
    Power-off timeout may be defined
    Administrator defined ‘lockout’ strong password applies after certain failed device entry attempts
  Implementation
    Password applet contained in a separate install from core SMS client
    Password policy configured and deployed as part of settings

Application Deployment
  Deploy applications or execute scripts
  Provides rich administrator control
    Target specific groups of devices based on inventory
    Specify whether application is mandatory
    Schedule deployment time and configure recurrence
    Configure “anytime”/“only when docked”/“only over a fast network”
  Sophisticated deployment
    Simple download and execute command line model
    Checkpoint restart for downloads
  Generate reports on deployment status
    Status: download started, program execution start and finish

Windows Mobile Application Level Security Features

Security Level | Execution Security | Device Mgmt Security
Security OFF | No security checks at all. All executables from any source can install and run with maximum access to the device. | All configuration files from all sources will execute with maximum privileges.
Prompt | User is prompted when source is unknown or anonymous. User visibility into install and execution when source is not known. | User must OK changes from unknown sources.
3rd Party Signed | 3rd party vendors identified through the Mobile-to-Market program are allowed access. An app must be M2M signed in order to run on the device. | M2M signed app vendors are required not to make configuration changes that impact security.
Locked | Only the OEM & Operator, or their licensed vendors, are allowed access. Third party apps are not allowed to run or install. | Only Operator can change configuration.
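The four security levels in the table above, as an added Python decision model that is not Microsoft's code: each level is expressed as a set of trusted signing roots, and a binary is run, prompted for, or denied depending on which root (if any) verifies its signature. HMAC keys stand in for the OEM, operator and Mobile-to-Market code-signing certificates so the example runs offline with the standard library; the root names, the `security_impacting` flag and the enforcement of the M2M configuration rule in `config_decision` are assumptions.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional


class Level(Enum):
    OFF = "Security OFF"
    PROMPT = "Prompt"
    THIRD_PARTY = "3rd Party Signed"
    LOCKED = "Locked"


# Constructed signing roots. On a real device these are X.509 code-signing
# certificates (OEM, operator, Mobile-to-Market); HMAC keys stand in here.
ROOTS = {
    "oem": b"constructed-oem-root-key",
    "operator": b"constructed-operator-root-key",
    "m2m": b"constructed-m2m-root-key",
}

# Which signers each level trusts to install and run code (table, column 2).
EXEC_TRUST = {
    Level.LOCKED: {"oem", "operator"},
    Level.THIRD_PARTY: {"oem", "operator", "m2m"},
}


def sign(signer: str, code: bytes) -> bytes:
    """Stand-in for code signing: a MAC over the binary's hash under the signer's root."""
    return hmac.new(ROOTS[signer], hashlib.sha256(code).digest(), "sha256").digest()


def identify_signer(code: bytes, signature: Optional[bytes]) -> Optional[str]:
    """Name of the trusted root that verifies the signature; None if unsigned, unknown or tampered."""
    if signature is None:
        return None
    digest = hashlib.sha256(code).digest()
    for name, key in ROOTS.items():
        if hmac.compare_digest(hmac.new(key, digest, "sha256").digest(), signature):
            return name
    return None


def execution_decision(level: Level, code: bytes, signature: Optional[bytes]) -> str:
    """'run', 'prompt' or 'deny' for installing and executing the binary at this level."""
    signer = identify_signer(code, signature)
    if level is Level.OFF:
        return "run"                            # no security checks at all
    if level is Level.PROMPT:
        return "run" if signer else "prompt"    # the user decides when the source is unknown
    return "run" if signer in EXEC_TRUST[level] else "deny"


def config_decision(level: Level, signer: Optional[str], security_impacting: bool) -> str:
    """'apply', 'prompt' or 'deny' for a configuration change (table, column 3)."""
    if level is Level.OFF:
        return "apply"                          # config files run with maximum privileges
    if level is Level.PROMPT:
        return "apply" if signer else "prompt"
    if level is Level.LOCKED:
        return "apply" if signer == "operator" else "deny"
    # 3rd Party Signed: M2M vendors must not make security-impacting changes. The table
    # states this as a program rule; this example enforces it (an assumption).
    if signer == "m2m":
        return "deny" if security_impacting else "apply"
    return "apply" if signer in ("oem", "operator") else "deny"
```

A binary altered after signing (even by one byte) no longer verifies under any root and is treated as unsigned, so the 3rd Party Signed and Locked levels deny it and the Prompt level asks the user; the signature check therefore doubles as an integrity check on the installed code.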

Mobile Security Threat | Windows Mobile Solution
Physical access to device itself | Policy-enforced password*; remote & local wipe*
Access to device User Interface | Policy-enforced password; remote & local wipe
Access to data at rest (stored on device) | Policy-enforced password; remote & local wipe; S/MIME email support*
Access to data in motion (network) | Encrypted email synch; Virtual Private Network client; secure WLAN access
Access to the corporate network | Certificate-based synch*; secure WLAN access
Access to mobile applications | Policy-enforced password; remote & local wipe; application installation & execution security model; programmatic device lock access*
Viruses/malware/spyware | Rich platform support for 3rd party antivirus and firewall products

* New for Windows Mobile 5.0, MSFP

Pocket PC Security Recommendations
  Risk assessment is key
    Evaluate applicability of organisation’s standards for laptop computers
  Passwords
    Activate power-on password
    If no power-on password is set, prohibit storing the corporate network password
  Anti-virus
    Consider anti-virus software that runs locally on the mobile device
  Flash-able ROM
    Consider placing systems management, security, and virus protection applications in flash ROM
  Encryption
    Encrypt sensitive information on the devices and on external storage cards
    End-to-end network encryption when using a virtual private network (VPN) connection
    802.1x authentication/encryption over 802.11b WLANs

Windows Mobile 6 Security Enhancements
• Storage Card Security:
  • Storage Card Encryption
  • Storage card wipe (Exchange 2007)
• Generating a Personal Certificate
  • New desktop and device certificate enrollment tools
  • PFX import
• Crypto/Certificate Services
  • Root Certificate Add for users
  • AES 128 and 256 implementation for SSL and DPAPI
  • Wildcard Certificate Support
  • SMIME configuration improvements
• Built in Rights Management support for messaging and Office documents

Windows Mobile Update
  The “Windows Update” client is turned off by default but will ship on every Windows Mobile device. Users have an option to enable the client
  WMU will be used to distribute critical security fixes only
  WMU enables rapid distribution of fixes to respond to urgent security issues
  WMU will be available with Windows Mobile 6 based devices

3rd Party Solution Providers
  Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
  Enhanced password protection: Hewlett-Packard
  Pictograph authentication: Pointsec Mobile Technologies
  Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
  Card-based authentication: RSA Security; Schlumberger Sema
  Certificate Authentication on a Storage Card: JGUI
  Software Storage Encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
  Encrypt Application Data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
  Virtual Private Networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
  Disable Applications: Trust Digital LLC
  Device Wipe: Asynchrony.com
  Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
  Thin Client Technology: Citrix; FinTech Solutions Ltd.; Microsoft

References