INFORMATION TECHNOLOGY FOR MINNESOTA GOVERNMENT
Christopher P. Buse
Assistant Commissioner and CISO
State of Minnesota
Mobile Device Management
Assessing the Benefits and Risks
About Me
• Developed IT audit function
• First CISO
• Now Assistant Commissioner and CISO, overseeing “leadership” services
Key Business Drivers
• Productivity: Need to access data anytime from anywhere
  • Dissatisfaction with “work only” devices
  • Fueled by consumerization of mobile devices
• Portability: Business process and applications going mobile
  • Health professionals
  • Transportation workers
  • Location-based applications
Mobile devices and applications allow workers to be more satisfied, productive, and effective
Lingering Questions
• Can I support the litany of vendor products?
• How do I address the legal issues?
  • BYOD: government data
  • BYOD: remote wipe
  • Work hour provisions
• How does mobility impact our security posture?
• What will it cost?
Infrastructure Executive Council, Information Technology Practice
© 2011 The Corporate Executive Board Company. All Rights Reserved.
Enterprise technology roadmaps reflect substantial, cross-industry investment in mobile applications and support for employees’ mobile devices.
• By end-2011, a majority of IT organizations had introduced some mobile applications and support for mobile device video.
• By mid-2012, a majority of IT organizations anticipate that they will support a “bring your own” program for employees’ mobile devices.
• Investments in desktop and application virtualization may enable additional access and support for mobile platforms.
The Mobile Enterprise is Coming
A majority of IT organizations had introduced video for mobile devices and mobile enterprise applications by end-2011, in some cases enabled through virtualization
By mid-2012, a majority of IT organizations anticipate supporting a “bring your own” program for mobile devices
End-User Computing Roadmap, 2011-2014
For more in-depth information on the enterprise value, deployment risk and adoption timelines associated with emerging technologies, please check out the Infrastructure Executive Council’s Emerging Technology Roadmap.
IT Needs Solutions That Work
[Figure: Percentage of Employees Engaging in Risky Behaviors More Often than "Rarely"]
A Good News Story
• Out of the box, mobile devices are more secure than PCs
  • Architected with security in mind
  • Have not been the next security nightmare
• But…
  • The increased risk of loss must be addressed
  • The security model can be broken
Malware?
• Not a significant issue
  • Dynamic code won’t run
  • Code can only come from application stores
  • Code is digitally signed
  • Applications run in a sandbox
• Things to worry about
  • Rogue applications in the app stores
  • Apps installed from outside the app stores (Android-specific issue)
  • “Jailbroken” phones
Lost or Stolen Devices
• Biggest risk: Devices very susceptible to loss or theft
• Without proper controls
  • Direct access to critical government business systems
  • Ability to harvest data housed on the device
• Things to worry about
  • End users push for ease of use over controls
  • Example: No PINs or screen timeouts
Remote Data Storage
• Synchronizing data between devices and applications is an issue
  • No shared file system
  • Answer: Dropbox, Box, etc.
• Things to worry about
  • Services have a history of security problems
  • Incomplete understanding of their security model
  • Click-through contractual terms that are vendor-centric
Caveats
• Very few active exploits today in the mobile space
• Why?
  • The mobile security model is solid
  • PCs and Macs are easy to hack
• Predictions
  • PC and Mac security will continue to get better
  • Hackers will focus more attention on mobile devices
  • Cracks in the mobile security model will appear
A Secure Foundation
• Enterprise Security Portable Computing Device Standard (adopted June 2011)
• Controls for both state and personally owned mobile devices
• Key provisions
  • Authorize all devices
  • PIN and timeout requirements
  • Device encryption
  • Remote wipe
  • No jailbroken devices
Implementation of Security Controls
• Requirements in standard enforced through technical controls
• Goal: Devices that cannot comply cannot connect
• Technical limitations
  • Controls applied at the “person” level
  • Exceptions for one device automatically create a low bar for others
Why MDM?
• Project now underway
• Offers additional security and management features
• Key features
  • More granular security policies
  • Advanced tracking and management of devices
  • State app store
  • Data storage repository
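
The "person"-level limitation and the more granular policies MDM offers, side by side, as an added example that is not part of the original presentation. The posture flags, device names and the rule that a waiver is stored against the device's owner are assumptions used to model the slides' point; all data is constructed.

```python
from dataclasses import dataclass

# The standard's five key provisions, as hypothetical posture flags.
PROVISIONS = ("authorized", "pin_and_timeout", "encrypted",
              "remote_wipe", "not_jailbroken")
ALL = frozenset(PROVISIONS)

@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    posture: frozenset  # provisions this device currently satisfies

def failed(device, waived):
    """Provisions the device fails once waived ones are set aside."""
    return [p for p in PROVISIONS
            if p not in device.posture and p not in waived]

def person_level_gate(device, exceptions):
    """Assumed model of person-level enforcement: a waiver granted for one
    device is stored against its owner, so it covers all the owner's devices."""
    waived = {p for owner, _dev, p in exceptions if owner == device.owner}
    return not failed(device, waived)

def device_level_gate(device, exceptions):
    """Per-device enforcement: a waiver covers only the device it names."""
    waived = {p for _owner, dev, p in exceptions if dev == device.device_id}
    return not failed(device, waived)

def compare(devices, exceptions):
    """Map device_id -> (connects person-level, connects device-level)."""
    return {d.device_id: (person_level_gate(d, exceptions),
                          device_level_gate(d, exceptions)) for d in devices}

# Constructed sample data: one encryption waiver for one legacy phone.
DEVICES = [
    Device("alice-legacy-phone", "alice", ALL - {"encrypted"}),
    Device("alice-tablet", "alice", ALL - {"encrypted"}),
    Device("alice-rooted", "alice", ALL - {"not_jailbroken"}),
    Device("bob-phone", "bob", ALL - {"encrypted"}),
    Device("bob-laptop", "bob", ALL),
]
EXCEPTIONS = [("alice", "alice-legacy-phone", "encrypted")]

if __name__ == "__main__":
    for dev_id, (person, device) in compare(DEVICES, EXCEPTIONS).items():
        print(f"{dev_id:20} person-level={person!s:5} device-level={device}")
```

The unencrypted tablet is the case to look at: it connects under person-level enforcement only because of the waiver granted for the legacy phone.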
Final Thoughts
• Proliferation of mobile devices will continue
• Risks can be appropriately managed
• Laying out a comprehensive service strategy is vital
Strategy
Risks
Value