how to secure ipads, - etouches… · how to secure ipads, ... of the wsj.com iphone app ... –...


Upload: phamthu

Post on 29-Jul-2018


How to Secure iPads, Tablets and Android Devices for Corporate Use

John Masserini

CISO

Dow Jones


WSJ DIGITAL WORLD

WSJ DIGITAL NETWORK
• 38.8 million monthly visitors to the digital network
• More than 1 million paying subscribers for WSJ.com
• Sites include:
  • WSJ.com
  • MarketWatch.com
  • Barrons.com
  • AllThingsD.com
  • SmartMoney.com

OFFICE NETWORK
• 780 Class A office buildings
• 15 top markets
• More than 1 million uniques every day
• More than 35,000 Businesses
• 22 million monthly impressions

VIDEO / COMMUNITY
• 5.6 million streams each month
• 140,400 WSJ.com Community members
• 200,000 MarketWatch.com Community members

MOBILE
• Top Mobile audience in the financial news category
• 3.1 million Uniques
• 7 minutes avg/visit
• 11 million WAP site pg views
• 1.6 million+ downloads of the wsj.com iPhone App
• 80,000+ downloads of the ATD.com iPhone App
• 226,000+ downloads of the MarketWatch iPhone App
• 1.5 million podcast downloads each month

iPad
• 517,000+ Active Users
• Over One Million Downloads


Mobile Device Strategy

• Strategy
  – Support mobile device connectivity to both internal network resources and public internet
  – Global WiFi infrastructure that provides seamless access to all employees
  – Deployment supports regulatory efforts and security model
• Challenges
  – Immature market causes a fragmented approach to access
  – All devices released to date are consumer focused – not enterprise
  – Variations between devices required individual certification
  – Lack of standard approach to security


Dow Jones Wireless

The DJ WiFi infrastructure consists of three networks:

• Vendor_WiFi:
  – Used for vendors only
  – Access credentials set up by the Help Desk/Corporate Security
  – Default of 2 hours of access
  – Provides direct access to the Internet
• External_WiFi:
  – Provides employees with unfettered Internet access
  – Captive Portal requires domain credentials
  – Provides access for laptops, iPhones/iPads, and Android devices
  – All traffic is monitored for abuse
• Internal_WiFi:
  – Provides direct access to internal network resources
  – Requires device registration and strong authentication


DJ Mobile Device Standards

• Supported Device Types:
  – All DJ Corporate laptops, including Macs
  – iPhone/iPad with OS 3.0 and higher
  – Devices which support Windows Mobile
  – Palm devices which use WebOS 1.3 and higher
  – Droid devices which use 2.2 or higher (Internet access only)
• ActiveSync:
  – Any device which connects to ActiveSync must adhere to the Corporate ActiveSync standard
  – Must meet or exceed BlackBerry standards
  – Requires manager's approval
  – Device Password enforcement
  – Encrypted communications
  – Screen timeouts
  – Remote wipe


Key Considerations

• We are not alone
  – Proactive disassociation is not generally a viable solution
• PCI requires authentication of individuals – not machines
• Potential of abuse by outsiders
  – Imagine someone attacking a competitor from our wireless network
• Functionally no different than VPN… remote access is remote access
• It's always about the data – not the device


The Apple-verse

• iPhones have been approved for 2 years (OS 3.0)
• iPads were approved within 1 week of retail sale date
• Can leverage External_WiFi and ActiveSync to access email, calendar, and contacts
  – Current configuration has them as secure as a BlackBerry
• Internal network access is on an as-needed basis only
  – Internal access requires device registration and strong authentication
  – Apple supports Digital Certificates and our current infrastructure
  – Unfortunately, Apple does not support ‘over the air’ certificate distribution
  – Every device must be manually configured by a security admin

Internal Network access is not a security issue – it’s a support issue


The Droid-o-sphere

• Google’s Android Operating System has been wildly popular
• Should follow organization's approach to ‘Open Source’ solutions
• Almost every phone manufacturer has an Android device or has plans for one in the near term
• No ‘Approval Board’ for Android functionality on devices
  – Hardware vendors can implement features however they want
  – No mandatory support of standard functionality
  – No review of apps in the Marketplace
• Of the four devices tested recently, all four had very different user interactions
• ActiveSync support is different on each device, potentially requiring an additional app to access email
• Each device had to be configured by Tech Support – and each setup was different!


User Awareness

• User Awareness is crucial
  – Millions of cell phones are ‘lost’ annually
  – Even though it may be personal, password-protect your device
  – Always think about the apps you put on your phone – we have already seen malware on Androids
  – Think about the data you store on your phone. Do you really need your credit card numbers, passwords, or alarm codes in your ‘notes’ app?
  – WiFi is just as insecure on a phone or tablet as it is on a laptop. Use caution when connecting to open WiFi hotspots


Questions?


Thank You!
