TRANSCRIPT
May 30th – 31st, 2007, Chateau Laurier, Ottawa
Helping to Secure Data while on the Run
Greg Milligan, Mobility Solutions Manager, Microsoft Canada Co.
[email protected]

Agenda
Microsoft Mobile Vision
Threats
Windows Mobile 5 Security Features
Device Management
Security Recommendations
Windows Mobile 6 Enhancements
3rd Party Security Extensions

MSFT Enterprise Mobility Vision (diagram)
Diagram labels: Access Control; Firewall; Unmanaged PC (Home PC, Kiosk, etc); Managed PC; Mobile & Traditional Devices; Team Workspaces; E-Mail; Web & Video Conferencing; Documents & Files; Calendaring; Instant Messaging; LOB Applications; Intranet Web Applications

Mobile Security Threats
Physical access to device itself
Access to device User Interface
Access to data at rest
Access to data in motion
Access to the corporate network
Viruses/malware/spyware
Access to mobile applications

Mobile device security threats (diagram)
Diagram labels: WLAN; PAN; Infrared; LAN; WWAN; Desktop; Virus/Malware/Spyware; Unsupported Apps; Loss/Theft; CorpNet

A Layered Approach to Delivering Trustworthy Solutions
Policy
Process
Personnel
Products
Partnerships
PROTECT
DETECT
RESPOND
RECOVER

WM5: Platform Security Features
Support industry standard certificates
Support Open Mobile Alliance device management standards *
AES 256 *, PFX/PKCS12 APIs support *
FIPS 140-2 Certification *
Smartcard Resource Manager *
Support Network Authentication Standards
NTLM 1 & 2, Kerberos
SSL TLS Client Authentication
802.1x user auth using PEAP, EAP/TLS
WPA
* New for Windows Mobile 5.0

WM5: Local Security Features
Security Configuration Management
Critical Updating - Image Update *
Peer-to-Peer connections (IR/Bluetooth)
Require user interaction to accept data
Can be programmatically disabled
Pluggable, programmable device lock *
Exponential backoff mitigates brute force attacks
Can be activated via code anytime
Can include biometrics, smartcard, etc.
* New for Windows Mobile 5.0

WM5: Development Security Features
Data Protection APIs
All purpose encryption APIs
Used for LOB application data encryption: databases, application passwords, etc.
Credential Manager
Hardcoded encryption of credentials and private keys that are cached on the local device
Reads/Writes credentials based on the user, target server and credential type
Can be configured to force user verification prior to use of credentials

Remotely manage and enforce select corporate IT policies
Highlights
Separate IT policies into “Mandatory” versus “Recommended”
Separate users with exception list
Certain users can be exempt
Using a PolicyKey, Exchange Admin can check whether the client device has the latest policy settings
If necessary, can mandate device to download new policy and settings
If device does not comply with Mandatory IT policies, it will no longer be able to sync
Exchange Admin can also mandate device to refresh policies every X hours

Policy Examples
Remotely require a device PIN password for every device
Set strength and length of PIN password
Set device inactivity time before user needs to enter PIN password again
Set time intervals for a device to refresh policy
Require device to authenticate to Exchange Server using Certificates

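The PolicyKey handshake and the Mandatory/Recommended split that the two slides above describe, worked through as an added Python model. This is illustration code written for this transcript, not Microsoft's or the Exchange ActiveSync provisioning protocol; the rule names, the sample policy, the exception list and the device states are all constructed assumptions.

```python
"""Model of the policy handshake: the server holds the current IT policy, the
device reports the PolicyKey of the policy it last applied, a stale key (or an
expired refresh interval) forces a new download, users on the exception list
bypass the checks, and a device that still violates a Mandatory rule is
refused sync. Added illustration only; all names below are assumptions."""

import hashlib
import json
from typing import List

# Constructed sample policy. Mandatory rules block sync; recommended ones only warn.
SAMPLE_POLICY = {
    "mandatory": {
        "pin_required": True,
        "min_pin_length": 6,
        "strong_pin": True,
        "max_inactivity_minutes": 15,
        "cert_auth_required": True,
    },
    "recommended": {"sd_card_encryption": True},
    "refresh_hours": 24,   # "refresh policies every X hours"
}

# Constructed device state as a compliant device would report it.
COMPLIANT_DEVICE = {
    "pin_set": True, "pin_length": 6, "pin_strong": True,
    "inactivity_minutes": 10, "cert_auth": True, "sd_card_encryption": False,
}


def policy_key(policy: dict) -> str:
    """Short digest of the policy body; it changes whenever the admin edits the policy."""
    canonical = json.dumps(policy, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def mandatory_violations(policy: dict, state: dict) -> List[str]:
    """Names of Mandatory rules that the reported device state does not satisfy."""
    rules = policy["mandatory"]
    checks = {
        "pin_required": state.get("pin_set", False) or not rules["pin_required"],
        "min_pin_length": state.get("pin_length", 0) >= rules["min_pin_length"],
        "strong_pin": state.get("pin_strong", False) or not rules["strong_pin"],
        "max_inactivity_minutes": state.get("inactivity_minutes", 10**9) <= rules["max_inactivity_minutes"],
        "cert_auth_required": state.get("cert_auth", False) or not rules["cert_auth_required"],
    }
    return [name for name, ok in checks.items() if not ok]


def recommended_gaps(policy: dict, state: dict) -> List[str]:
    """Recommended settings the device has not adopted; reported, never enforced."""
    return [name for name, want in policy["recommended"].items() if state.get(name) != want]


class PolicyServer:
    def __init__(self, policy: dict, exempt_users=()):
        self.policy = policy
        self.exempt_users = set(exempt_users)   # the slide's exception list

    def check_device(self, user: str, reported_key: str, state: dict,
                     hours_since_refresh: float) -> dict:
        """Decide what happens when a device connects and reports its PolicyKey."""
        if user in self.exempt_users:
            return {"action": "sync", "note": "user on exception list"}
        current = policy_key(self.policy)
        # Stale key or refresh interval elapsed: mandate a policy download first.
        if reported_key != current or hours_since_refresh >= self.policy["refresh_hours"]:
            return {"action": "download_policy", "policy_key": current, "policy": self.policy}
        violations = mandatory_violations(self.policy, state)
        if violations:
            return {"action": "deny_sync", "violations": violations}
        return {"action": "sync", "recommendations": recommended_gaps(self.policy, state)}
```

Deriving the key from the policy body is what makes the "does the device have the latest settings" check cheap: the device sends sixteen characters, and any edit by the admin invalidates every key in the field at once.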
Remotely manage and enforce select corporate IT policies: Screenshots

Help Protect Unauthorized Entry to Device
Local Data Wipe
Device automatically resets local memory to clean state after X number of unsuccessful PIN/password entries
Does not erase external memory such as SD card
Local Data Reset is an IT policy that can be set from Exchange Server Console
Protects against accidental reset with “firebreak” mechanism that requires the user to type a special keyword before proceeding with password entry
Device Timeout
Device automatically locks itself after X minutes of inactivity
User has to enter PIN password in order to use device
Device timeout is an IT policy that can be set from Exchange Server Console
However, device can still make emergency calls

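The device-lock behaviour from the Local Security Features slide and the two slides above (exponential backoff on failed entries, local wipe after X failures behind a firebreak keyword, inactivity timeout, emergency calls while locked), worked through as an added Python model. This is illustration code written for this transcript, not Windows Mobile code; the policy values, the firebreak keyword, the emergency-number list and the sample data in both memories are constructed assumptions.

```python
"""Toy model of the device lock: exponential backoff on failed PIN entries, a
local wipe after X failed entries guarded by a "firebreak" keyword, an
inactivity timeout, and emergency calls that stay available while locked.
Added illustration only; every policy value below is an assumption."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

EMERGENCY_NUMBERS = {"911", "112"}   # assumed numbers that remain callable while locked


@dataclass
class LockPolicy:
    max_failed_attempts: int = 8        # assumed "X": wipe on the 8th bad PIN
    inactivity_minutes: int = 15        # assumed "X": lock after 15 idle minutes
    base_delay_seconds: int = 2         # backoff doubles with every failure
    firebreak_keyword: str = "a1b2c3"   # assumed keyword the lock screen displays


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PBKDF2 verifier so the stored value is not the raw PIN (assumed construction)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Device:
    salt: bytes
    pin_hash: bytes
    policy: LockPolicy
    internal_memory: dict = field(default_factory=dict)
    sd_card: dict = field(default_factory=dict)
    locked: bool = True
    failed_attempts: int = 0
    last_activity_min: int = 0
    wiped: bool = False

    def required_delay(self) -> int:
        """Seconds that must pass before the next attempt is even considered."""
        if self.failed_attempts == 0:
            return 0
        return self.policy.base_delay_seconds * 2 ** (self.failed_attempts - 1)

    def firebreak_required(self) -> bool:
        """The attempt that could trigger the wipe needs the firebreak keyword."""
        return self.failed_attempts == self.policy.max_failed_attempts - 1

    def unlock(self, pin: str, seconds_since_last_attempt: int, firebreak: str = "") -> str:
        if self.wiped:
            return "wiped"
        if seconds_since_last_attempt < self.required_delay():
            return "too_soon"            # rejected without counting as an attempt
        if self.firebreak_required() and firebreak != self.policy.firebreak_keyword:
            return "firebreak_required"  # guards against an accidental reset
        if hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash):
            self.failed_attempts = 0
            self.locked = False
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.internal_memory.clear()  # local wipe: internal memory only,
            self.wiped = True             # the SD card is deliberately untouched
            return "wiped"
        return "bad_pin"

    def touch(self, now_min: int) -> None:
        """User activity at minute `now_min`; lock if the device sat idle too long."""
        if now_min - self.last_activity_min >= self.policy.inactivity_minutes:
            self.locked = True
        self.last_activity_min = now_min

    def can_dial(self, number: str) -> bool:
        """Emergency numbers are reachable even while the device is locked."""
        return not self.locked or number in EMERGENCY_NUMBERS


def make_device(pin: str, policy: Optional[LockPolicy] = None) -> Device:
    """Build a locked device holding constructed sample data in both memories."""
    salt = os.urandom(16)
    return Device(
        salt=salt,
        pin_hash=hash_pin(pin, salt),
        policy=policy or LockPolicy(),
        internal_memory={"inbox": ["constructed mail 1"], "contacts": ["Alice"]},
        sd_card={"report.doc": "constructed document"},
    )
```

With the assumed base of two seconds, the seventh failure already imposes a 128-second wait, which is why the slide can say backoff mitigates brute force even on a short numeric PIN; the firebreak then ensures the wiping attempt cannot happen by accident in a pocket.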
Help Protect Unauthorized Entry to Device: Screenshots

Help Protect Device Data if Device is Lost with Remote Wipe
Exchange Server 2003 Console can over-the-air erase all on-device data and reset device back to clean state
Remote wipe only applies to data stored in internal memory and not external storage like SD Cards
Remote wipe will only work once lost device attempts to sync with network
Admin sends remote erase order to specific device
Server sends erase order next time device connects to Exchange
Device will acknowledge that the command was received
Device wipes its data upon receiving the command
Easy to manage
Administration through a website
Exchange Admin can “delegate” access to helpdesk
Provides a transaction log for history recording

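The four-step remote-wipe exchange above, simulated end to end as an added Python example. This is illustration code written for this transcript, not Exchange Server or ActiveSync code; the message fields, the delegation model, the device identifier and the sample data on both memories are constructed assumptions.

```python
"""Simulation of the remote-wipe flow: the admin (or a delegated helpdesk user)
queues an erase order for one device, the order is delivered the next time
that device connects, the device acknowledges it and then wipes its internal
memory, leaving the SD card as it was. Every action lands in a transaction log.
Added illustration only; all names and message shapes are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ExchangeServer:
    admins: Set[str]
    delegates: Set[str] = field(default_factory=set)             # helpdesk users given wipe rights
    pending_wipes: Dict[str, str] = field(default_factory=dict)  # device_id -> requester
    transaction_log: List[str] = field(default_factory=list)

    def delegate(self, admin: str, helpdesk_user: str) -> None:
        """Only an Exchange admin may hand wipe rights to the helpdesk."""
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an Exchange admin")
        self.delegates.add(helpdesk_user)
        self.transaction_log.append(f"{admin} delegated wipe rights to {helpdesk_user}")

    def request_wipe(self, requester: str, device_id: str) -> None:
        """Queue an erase order; it is only delivered when the device next syncs."""
        if requester not in self.admins and requester not in self.delegates:
            raise PermissionError(f"{requester} may not issue remote wipes")
        self.pending_wipes[device_id] = requester
        self.transaction_log.append(f"{requester} requested wipe of {device_id}")

    def handle_sync(self, device_id: str) -> dict:
        """Called when a device connects: deliver a pending wipe or a normal sync."""
        if device_id in self.pending_wipes:
            self.transaction_log.append(f"wipe command sent to {device_id}")
            return {"command": "Wipe"}
        return {"command": "Sync", "mail": ["constructed new message"]}

    def handle_ack(self, device_id: str) -> None:
        """Device confirmed receipt; close the order so it is not resent."""
        self.pending_wipes.pop(device_id, None)
        self.transaction_log.append(f"{device_id} acknowledged wipe command")


@dataclass
class MobileDevice:
    device_id: str
    internal_memory: Dict[str, str]
    sd_card: Dict[str, str]
    online: bool = False

    def sync(self, server: ExchangeServer) -> str:
        """One sync attempt. A lost device that never connects is never wiped."""
        if not self.online:
            return "offline"
        response = server.handle_sync(self.device_id)
        if response["command"] == "Wipe":
            server.handle_ack(self.device_id)   # acknowledge, then erase
            self.internal_memory.clear()        # internal memory only
            return "wiped"
        self.internal_memory["inbox"] = ", ".join(response["mail"])
        return "synced"


def make_scenario():
    """Constructed sample environment: one admin and one device with data on both memories."""
    server = ExchangeServer(admins={"exchange-admin"})
    device = MobileDevice(
        device_id="wm5-device-001",
        internal_memory={"inbox": "constructed mail", "contacts": "Alice, Bob"},
        sd_card={"budget.xls": "constructed spreadsheet"},
    )
    return server, device
```

The "offline" branch is the practical caveat on the slide: the order sits in the queue until the device connects, so a thief who keeps the radio off keeps the data, which is exactly why the local wipe and a power-on password are the complementary controls.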
Increase Access Security To Exchange Server Using Certificate-Based Authentication
Certificate-based Authentication (CA) has been a big ask from top security-conscious customers
User can now access Exchange using PKI Software Certificates instead of corporate login credentials
If user loses device to an unauthorized party, it cannot gain access to the user’s corporate LAN network
Certificates limit what a user can do on a corporate network
Upon certificate expiration, user needs to cradle device again
User gets an alert 14 days before expiration

Certificate-Based Authentication: Screenshots
Using Certificate Authentication
Using Basic Authentication

SMS 2003 Device Management Feature Pack
Add-on to SMS 2003
Features include
Discovery/Identification
Hardware Inventory
Software Inventory and File Collection
Software Distribution
Script Execution

Asset Management: Hardware Inventory
Information
Device name
Hardware ID
Device model
Power (battery status)
Display resolution
Generate reports on any hardware characteristic
Can be extended to capture other hardware inventory information

Asset Management: Software Inventory and File Collection
File system
Memory
Network
Operating system
Information
Presence of files
File details
Last software scan
Product details
Specify directories
Specify wildcard file extensions
List of files or applications in the file system
Permits collection of log/data files
Generate reports on any software or file

Configuration Management: Device Settings
SMS provides integrated experience to configure and deploy settings
Example of configurable settings:
Network: GPRS Network, PPP Network, VPN
Security: Certificates, Registry Entry
Applications: ActiveSync & Exchange E-mail, Internet E-mail, Proxy, Browser Favorite

Configuration Management: Password Policy
Centralized control of device password policy
Configure mandatory numeric or strong password
Force password setting prior to use
Power off timeout may be defined
Administrator defined ‘lockout’ strong password applies after certain failed device entry attempts
Implementation
Password applet contained in a separate install from core SMS client
Password policy configured and deployed as part of settings

Application Deployment
Deploy applications or execute scripts
Provides rich administrator control
Target specific groups of devices based on inventory
Specify whether application is mandatory
Schedule deployment time and configure recurrence
Configure “anytime”/“only when docked”/“only over a fast network”
Sophisticated deployment
Simple download and execute command line model
Checkpoint restart for downloads
Generate reports on deployment status
Status: download started, program execution start and finish

Windows Mobile Application Level Security Features
Security Level | Execution Security | Device Mgmt Security
Security OFF | No security checks at all. All executables from any source can install and run with maximum access to the device. | All configuration files from all sources will execute with maximum privileges.
Prompt | User is prompted when source is unknown or anonymous. User visibility into install and execution when source is not known. | User must OK changes from unknown sources.
3rd Party Signed | 3rd party vendors identified through the Mobile-to-Market program are allowed access. An app must be M2M signed in order to run on the device. | M2M signed app vendors are required not to make configuration changes that impact security.
Locked | Only the OEM & Operator, or their licensed vendors, are allowed access. Third party apps are not allowed to run or install. | Only Operator can change configuration.

Mobile Security Threat | Windows Mobile Solution
Physical access to device itself | Policy-enforced password*; remote & local wipe*
Access to device User Interface | Policy-enforced password; remote & local wipe
Access to data at rest (stored on device) | Policy-enforced password; remote & local wipe; S/MIME email support*
Access to data in motion (network) | Encrypted email synch; Virtual Private Network client; secure WLAN access
Access to the corporate network | Certificate-based synch*; secure WLAN access
Access to mobile applications | Policy-enforced password; remote & local wipe; application installation & execution security model; programmatic device lock access*
Viruses/malware/spyware | Rich platform support for 3rd party antivirus and firewall products
* New for Windows Mobile 5.0, MSFP

Pocket PC Security Recommendations
Risk assessment is key
Evaluate applicability of organisation’s standards for laptop computers
Passwords
Activate power-on password
If there is no power-on password, prohibit storing the corporate network password on the device
Anti-virus
Consider anti-virus software that runs locally on the mobile device
Flash-able ROM
Consider placing systems management, security, and virus protection applications in flash ROM
Encryption
Encrypt sensitive information on the devices and on external storage cards
End-to-end network encryption when using a virtual private network (VPN) connection
802.1x authentication/encryption over 802.11b WLANs

Windows Mobile 6 Security Enhancements
• Storage Card Security:
  • Storage Card Encryption
  • Storage card wipe (Exchange 2007)
• Generating a Personal Certificate
  • New desktop and device certificate enrollment tools
  • PFX import
• Crypto/Certificate Services
  • Root Certificate Add for users
  • AES 128 and 256 implementation for SSL and DPAPI
  • Wildcard Certificate Support
  • SMIME configuration improvements
• Built in Rights Management support for messaging and Office documents

Windows Mobile Update
The “Windows Update” client is turned off by default but will ship on every Windows Mobile device. Users have an option to enable the client
WMU will be used to distribute critical security fixes only
WMU enables rapid distribution of fixes to respond to urgent security issues
WMU will be available with Windows Mobile 6 based devices

3rd Party Solution Providers
Signature authentication: Certicom Corporation, Communication Intelligence Corporation, TSI/Crypto-Sign, VASCO
Enhanced password protection: Hewlett-Packard
Pictograph authentication: Pointsec Mobile Technologies
Fingerprint authentication: Biocentric Solutions Inc., HP iPAQ 5400
Card-based authentication: RSA Security, Schlumberger Sema
Certificate Authentication on a Storage Card: JGUI
Software Storage Encryption: F-Secure, Pointsec Mobile Technologies, Trust Digital LLC
Encrypt Application Data: Certicom Corporation, Glück & Kanja Group, Ntrū Cryptosystems, Inc.
Virtual Private Networking: Certicom Corporation, Check Point Software Technologies Ltd., Columbitech, Entrust, Inc., Epiphan Consulting Inc.
Disable Applications: Trust Digital LLC
Device Wipe: Asynchrony.com
Public Key Infrastructure (PKI): Certicom Corporation, Diversinet Corp., Dreamsecurity Co., Ltd., Glück & Kanja Group
Thin Client Technology: Citrix, FinTech Solutions Ltd., Microsoft