How to Secure iPads, Tablets and Android Devices for Corporate Use
John Masserini
CISO
Dow Jones
WSJ DIGITAL NETWORK
• 38.8 million monthly visitors to the digital network
• More than 1 million paying subscribers for WSJ.com
• Sites include:
– WSJ.com
– MarketWatch.com
– Barrons.com
– AllThingsD.com
– SmartMoney.com
OFFICE NETWORK
• 780 Class A office buildings
• 15 top markets
• More than 1 million uniques every day
• More than 35,000 businesses
• 22 million monthly impressions
VIDEO / COMMUNITY
• 5.6 million streams each month
• 140,400 WSJ.com Community members
• 200,000 MarketWatch.com Community members
MOBILE
• Top mobile audience in the financial news category
• 3.1 million uniques
• 7 minutes avg/visit
• 11 million WAP site page views
• 1.6 million+ downloads of the wsj.com iPhone App
• 80,000+ downloads of the ATD.com iPhone App
• 226,000+ downloads of the MarketWatch iPhone App
• 1.5 million podcast downloads each month
iPad
• 517,000+ Active Users
• Over One Million Downloads
WSJ DIGITAL WORLD
Mobile Device Strategy
• Strategy
– Support mobile device connectivity to both internal network resources and public internet
– Global WiFi infrastructure that provides seamless access to all employees
– Deployment supports regulatory efforts and security model
• Challenges
– Immature market causes a fragmented approach to access
– All devices released to date are consumer focused – not enterprise
– Variations between devices required individual certification
– Lack of standard approach to security
Dow Jones Wireless
The DJ WiFi infrastructure consists of three networks:
• Vendor_WiFi:
– Used for vendors only
– Access credentials set up by the Help Desk/Corporate Security
– Default of 2 hours of access
– Provides direct access to the Internet
• External_WiFi:
– Provides employees unfettered Internet access
– Captive Portal requires domain credentials
– Provides access for laptops, iPhones/iPads, and Android devices
– All traffic is monitored for abuse
• Internal_WiFi:
– Provides direct access to internal network resources
– Requires device registration and strong authentication
DJ Mobile Device Standards
• Supported Device Types:
– All DJ Corporate laptops, including Macs
– iPhone/iPad with OS 3.0 and higher
– Devices which support Windows Mobile
– Palm devices which use WebOS 1.3 and higher
– Droid devices which use 2.2 or higher (Internet access only)
• ActiveSync:
– Any device which connects to ActiveSync must adhere to the Corporate ActiveSync standard
– Must meet or exceed BlackBerry standards
– Requires manager's approval
– Device Password enforcement
– Encrypted communications
– Screen timeouts
– Remote wipe
Key Considerations
• We are not alone
– Proactive disassociation is not generally a viable solution
• PCI requires authentication of individuals – not machines
• Potential of abuse by outsiders
– Imagine someone attacking a competitor from our wireless network
• Functionally no different than VPN… remote access is remote access
• It's always about the data – not the device
The Apple-verse
• iPhones have been approved for 2 years (OS 3.0)
• iPads were approved within 1 week of retail sale date
• Can leverage External_WiFi and ActiveSync to access email, calendar, and contacts
– Current configuration has them as secure as a BlackBerry
• Internal network access is on an as-needed basis only
– Internal access requires device registration and strong authentication
– Apple supports Digital Certificates and our current infrastructure
– Unfortunately, Apple does not support ‘over the air’ certificate distribution
– Every device must be manually configured by a security admin
Internal Network access is not a security issue – it’s a support issue
The Droid-o-sphere
• Google’s Android Operating System has been wildly popular
• Should follow organization's approach to ‘Open Source’ solutions
• Almost every phone manufacturer has an Android device or has plans for one in the near term
• No ‘Approval Board’ for Android functionality on devices
– Hardware vendors can implement features however they want
– No mandatory support of standard functionality
– No review of apps in the Marketplace
• Of the four devices tested recently, all four had very different user interactions
• ActiveSync support is different on each device, potentially requiring an additional app to access email
• Each device had to be configured by Tech Support – and each setup was different!
User Awareness
• User Awareness is crucial
– Millions of cell phones are ‘lost’ annually
– Even though it may be personal, password protect your device
– Always think about the apps you put on your phone – we have already seen malware on Androids
– Think about the data you store on your phone. Do you really need your credit card numbers, passwords, or alarm codes in your ‘notes’ app?
– WiFi is just as insecure on a phone or tablet as it is on a laptop. Use caution when connecting to open WiFi hotspots
Questions?
Thank You!