
Page 1: May 30th – 31st, 2006, Sheraton Ottawa. Mobile Security: Windows Mobile 5. Rick Claus, IT Pro Advisor, Microsoft Canada, rick.claus@microsoft.com

May 30th – 31st, 2006, Sheraton Ottawa

Page 2: Mobile Security – Windows Mobile 5

Rick Claus, IT Pro Advisor, Microsoft Canada
rick.claus@microsoft.com
http://blogs.technet.com/canitpro

Page 3: Agenda

Define Mobile Environment
Windows Mobile devices in Canada
Windows Mobile 5 Productivity
Policy & Security
Direct Push
Myths and Objections

Page 4: What is Mobile Data?

Page 5: Mobile Messaging Infrastructure – Mobile access to Exchange "that just works"

Diagram labels: Smartphone Platform; Outlook 2003; Outlook Web Access; Wireless Pocket PC & PE; Wireless 3rd Party Sync; Outlook Mobile Access

Enable a greater number of customers, out-of-the-box
User experience optimized for the mobile device scenario

Page 6: Exchange Server 2003 Mobility Scenarios

IW Mobile Office – Outlook Web Access ("Kiosk")
• Rich web access companion for Outlook
• Best companion to Outlook
• Part-time "Home Office"
• Airport kiosk, Internet café
• Factory floor deployment

IW Mobile On-The-Road – Outlook and Exchange (Laptop)
• RPC over HTTP(S); no VPN
• Low bandwidth, latent connections
• Hotel dial-up
• Hotspots
• WWAN – Mobile Operator

Mobile Reach for IW – Outlook Mobile Access (Phone)
• Reach device companion for Outlook
• E-mail triage and quick review
• On-line GAL and contacts lookup with one-touch call
• Calendar and task management

Highly Mobile IW – Exchange ActiveSync (EAS) (Smart/PDA)
• Rich/Smart device companion to Outlook
• Active e-mail/PIM management – preferably up-to-date
• WWAN – Mobile Operators
• Hotspots

Page 7: Mobile Messaging Infrastructure (diagram)

Diagram labels: Corporate Network containing Exchange Front End Server(s), Mailbox Servers and an optional ISA Server; Mobile Operator Network carrying a Wireless PDA and a Smartphone; Internet (802.11x hotspots) carrying a Wi-Fi PDA, a Wi-Fi Smartphone and a Wi-Fi Laptop; Wireless Intranet (802.11x) carrying a Wi-Fi PDA, a Wi-Fi Smartphone and a Wi-Fi Laptop; Outlook from home (RPC/HTTP); OWA from kiosk or from home. External paths enter over HTTPS (443). Legend: wired line, wireless line.

Page 8: Agenda

Define Mobile Environment
Windows Mobile devices in Canada
Windows Mobile 5 Productivity
Policy & Security
Direct Push
Myths and Objections

Page 9: Windows Mobile Devices in Canada … Today!

6600 Pocket PC Phone Edition
• CDMA/1xRTT
• Windows Mobile 2003 Second Edition
• Landscape support
• 128 Mb ROM, 64 Mb RAM
• SDIO memory slot
• Bluetooth
• 1.1 Megapixel camera
• Built-in QWERTY keyboard with backlighting

Page 10: Windows Mobile Devices in Canada … Today!

SMT 5600 Smartphone
• GSM/GPRS
• Windows Mobile 2003 Second Edition
• 64 Mb ROM, 32 Mb RAM
• MiniSD memory slot
• Bluetooth
• 1.1 Megapixel camera
• 850/1800/1900 MHz support
• Mini USB connector
• First Smartphone in Canada!

Page 11: Windows Mobile Devices in Canada … Today!

h6320/6325 Pocket PC Phone Edition
• GSM/GPRS
• Windows Mobile 2003
• 64 Mb ROM, 64 Mb RAM
• SDIO memory slot
• Integrated Bluetooth
• Integrated WiFi
• 850/900/1800/1900 MHz support
• Snap-on keyboard
  – 6325 with camera

Page 12: Windows Mobile Devices in Canada … Today!

hw6515 Pocket PC Phone Edition
• GSM/GPRS/EDGE
• Windows Mobile 2003 Second Edition
• 64 Mb ROM, 64 Mb RAM
• SDIO & MiniSD memory slot
• Integrated Bluetooth
• Integrated GPS
• 850/900/1800/1900 MHz support
• Built-in QWERTY keyboard
• 1.3 MP camera, 8x zoom

Page 13: Windows Mobile Devices in Canada … Today!

6700 Pocket PC Phone Edition
• CDMA/1xRTT/EvDO
• Windows Mobile 5.0
• 128 Mb ROM, 64 Mb RAM
• MiniSD memory slot
• Bluetooth, WiFi
• 1.3 Megapixel camera
• Built-in sliding QWERTY keyboard

Page 14: Windows Mobile Devices in Canada … Soon!

Treo 700w Pocket PC Phone Edition
• CDMA/1xRTT/EvDO or GSM/GPRS/EDGE/UMTS
• Windows Mobile 5.0
• MiniSD memory slot
• Bluetooth
• 1.3 Megapixel camera
• Built-in QWERTY keyboard

Page 15: Windows Mobile Devices in Canada … Soon!

• CDMA/1xRTT/EvDO
• Windows Mobile 5.0
• 128 Mb ROM, 64 Mb RAM
• MiniSD memory slot
• Bluetooth
• 1.3 Megapixel camera
• Built-in QWERTY keyboard
• Scroll wheel navigation

Page 16: Agenda

Define Mobile Environment
Windows Mobile devices in Canada
Windows Mobile 5 Productivity
Policy & Security
Direct Push
Myths and Objections

Page 17: Windows Mobile 5.0 Strengths

Works with Exchange Server 2003
• Built-in mobile access – Windows Mobile, Outlook 2003, OMA, OWA
• Great mobile experience with Windows Mobile 5.0 + MSFP
• E-mail and PIM OTA Direct Push sync is built in – with Outlook Mobile and Exchange ActiveSync
• No client or 3rd party server software to load reduces set-up time and cost
• Familiar Outlook experience
• Range of powerful Windows Mobile devices
• Great client platform for LOB, other solutions

Scalable solution for enterprises
• E-mail front-end & back-end scalability
• Easy to manage and consolidate servers
• High number of users per server

Scalable cost per user
• Range of devices, form factors, prices and data plans
• No incremental server license costs
• Removes need for separate monitoring, directory

Page 18: What is MSFP?

Windows Mobile 5.0 + Messaging & Security Feature Pack (MSFP) builds on the familiar Outlook Mobile with new features that enhance mobile messaging usability and device management for the enterprise.

Direct Push Technology – near real-time sync between Exchange Server and the mobile device

GAL Access – corporate contact database

Security Portfolio:
• Policy push/Device Wipe – protects the mobile device if it is ever lost or stolen
• Native SSL, S/MIME and 3DES (w/FIPS 140-2) support
• Certificate-based authentication
• SecurID and VPN

Page 19: Device And Server Requirements

WinMobile Device Requirements
• Requires a Windows Mobile 5 device; MSFP will not work on devices with versions prior to Magneto
• MSFP features will not need PC sync, except Certificate-based Authentication
• Certificate-based authentication will require a one-time connection to ActiveSync for certificate deployment

Exchange Server Requirements
• Requires upgrade from Exchange Server 2003 to Exchange Server 2003 SP2
• No major changes beyond SP upgrade
• Need to increase IIS and firewall HTTPS connection timeout to the ActiveSync virtual directory; recommend 15 min to 30 min for the timeout
• Certificate-based Authentication feature will require a Certificate Authority (CA) deployment

Page 20: 1. Enhances The Outlook Mobile Experience

A. Keep your Outlook Mobile up-to-date with the new Direct Push Technology that delivers Inbox, Calendar, Contacts and Tasks information quickly and directly to your device
B. Maintain an up-to-date to-do list with new synchronization of the Outlook Mobile Tasks list with Exchange 2003 SP2
C. Access the corporate contact database while on-the-go with over-the-air lookup and browsing of the Global Address List on Exchange 2003 SP2

Page 21: 2. Helps Businesses To Better Protect Device Data

A. Remotely manage and enforce corporate IT policy over-the-air via Exchange 03 SP2 console
B. Enable automatic reset of data when password is entered incorrectly X number of times
C. Help to better protect device data with remote reset of on-device data via Exchange 03 SP2 console
D. Increase access security to Exchange 03 SP2 using Certificate-based Authentication to the server
E. Help protect email content with native support for S/MIME

Page 22: Usability vs. Security

"I Just Want To Make a Call!"

Page 23: Policy Provisioning – How does this strengthen security?

Exchange Server controls access to the device by pushing PIN/password policy and lockdown time-out to the device OTA the next time a sync is initiated.

Device Security Settings (dialog):
• Enable PIN on device
• Minimum PIN length (digits): 4
• Require both numbers and letters
• Inactivity time (minutes): 5
• Wipe device after failed (attempts): 4
• Refresh settings on the device (hours): 24
• Allow access to devices that do not support PIN settings
• Exceptions... Specify an exception list of users that are exempt from the setting enforcement
• OK / Cancel / Help

Page 24: Policy Enforcement – IT controls the password strength…

…but the end-user sets his/her personal PIN or password according to the policy required.

After lockdown, entering the correct PIN/password is the only way to access data or use the device*

* Emergency calls can be made during lockdown

Page 25: Remote Device Wipe – IT-initiated Data Protection

IT initiates the remote wipe via the Mobile Admin Web tool after a device is reported lost or stolen.

Remote wipe command status is relayed via ActiveSync back to the Mobile Admin Web tool for logging.

Page 26: Local Device Wipe – Password-based Data Protection

IT configures the number of allowed attempts via the Exchange Server Console.

Only local memory is erased (hard reset) with either device wipe; external memory (such as an SD card) remains intact.
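The policy dialog from the Policy Provisioning slide and the enforcement behaviour of the Policy Enforcement and Local Device Wipe slides (PIN strength set by IT, inactivity lock, wipe after N failed attempts, storage card left intact), modelled as an added device-side illustration. This is example code written for this page, not Microsoft's implementation; `PinPolicy`, `Device` and the sample store contents are constructed.

```python
from dataclasses import dataclass, field
import hmac


@dataclass(frozen=True)
class PinPolicy:
    """Mirror of the 'Device Security Settings' dialog, with the slide's defaults."""
    enable_pin: bool = True
    min_length: int = 4
    require_numbers_and_letters: bool = True
    inactivity_minutes: int = 5
    wipe_after_failed_attempts: int = 4
    refresh_hours: int = 24          # how often the device re-pulls the policy


def validate_pin(policy: PinPolicy, pin: str):
    """IT dictates the strength; the user still chooses the PIN. Returns (ok, reason)."""
    if not policy.enable_pin:
        return True, ""
    if len(pin) < policy.min_length:
        return False, f"PIN must be at least {policy.min_length} characters"
    if policy.require_numbers_and_letters and not (
            any(c.isdigit() for c in pin) and any(c.isalpha() for c in pin)):
        return False, "PIN must contain both numbers and letters"
    return True, ""


@dataclass
class Device:
    policy: PinPolicy
    pin: str
    local_store: dict = field(default_factory=dict)    # mail, PIM, cached credentials
    storage_card: dict = field(default_factory=dict)   # external SD card
    failed_attempts: int = 0
    locked: bool = True
    wiped: bool = False
    last_activity: float = 0.0

    def __post_init__(self):
        ok, reason = validate_pin(self.policy, self.pin)
        if not ok:
            raise ValueError(reason)

    def enter_pin(self, attempt: str, now: float) -> bool:
        """Unlock attempt; wrong guesses count toward the local-wipe threshold."""
        if self.wiped:
            return False
        if hmac.compare_digest(attempt, self.pin):
            self.failed_attempts = 0
            self.locked = False
            self.last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.wipe_after_failed_attempts:
            self._hard_reset()
        return False

    def touch(self, now: float) -> None:
        """User activity while unlocked; an idle device locks itself."""
        if self.locked:
            return
        if now - self.last_activity >= self.policy.inactivity_minutes:
            self.locked = True
        else:
            self.last_activity = now

    def remote_wipe(self) -> str:
        """IT-initiated wipe; the status string is what gets relayed for logging."""
        self._hard_reset()
        return "wipe acknowledged"

    def _hard_reset(self) -> None:
        """Either wipe erases local memory only; the storage card is untouched."""
        self.local_store.clear()
        self.wiped = True
        self.locked = True
```

The `storage_card` surviving `_hard_reset` is the point of the last bullet: a wipe policy alone does not protect data copied to removable media.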

Page 27: Native SSL Support – The end-to-end security standard

SSL (Secure Sockets Layer) is a secure channel of communication between a Web server and a client (mobile device).

Windows Mobile uses SSL with the RC4 cipher (128-bit) as the default. This is the standard for online banking and other secure transactions on the Internet.

SSL can make use of a variety of encryption ciphers, including 3DES by enabling FIPS on the front-end server.

SSL can't be used by 3rd party relay solutions because of the discontinuous store-and-forward model they use. SSL is session-based and requires an uninterrupted point-to-point connection between the data source (server) and the recipient client (mobile device).

Page 28: Security Architecture – Making the most of SSL

MSFP requires that a firewall port (443 recommended) be made available* as the "Web Listener" in order to allow Direct Push to work.

To secure that port, 443 is designated as the SSL port. Traffic into and out of the port will then be doubly filtered because it is:
• Encrypted with SSL
• Authenticated

* Maximum duration of the "Web Listening" connection should be greater than the lowest network timeout in the path between the device and the server.

Page 29: Native S/MIME Support – Securing the payload…

S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard protocol that provides protection and verification of messages as they are transferred, using content encryption and digital signature features.

Signing ensures the integrity of your message and attachments and assures the recipient that they have not been tampered with during transit.

Encryption ensures data confidentiality by only allowing the intended recipient to decrypt and access the contents of the message.

Requires an S/MIME certificate on the device or via a peripheral reader.

Page 30: WM Smartcard Solution – Currently creating for US DoD

Partners contributing:
• Saflink (smartcard software)
• Axcess Technology (reader hardware)

Commercial availability summer 05

Page 31: Cert-based Authentication – The next step in authentication

Certificates on the mobile device (or via cert-reading peripheral) authenticate the user to the server for gaining sync privileges.

Requires Exchange Server 2003

Diagram: Using Basic Authentication vs. Using Certificate Authentication

Page 32: SecurID – RSA's two-factor authentication

Native basic authentication for Exchange ActiveSync uses NT credentials (userid/password/domain) – one-factor authentication (the NT password) cached by the device.

Many enterprise customers are requiring two-factor security solutions (human-memorized password AND some other physical object or certificate).

RSA's SecurID is currently the most popular corporate solution for two-factor authentication – in Europe, it is a de facto standard. This is now supported by Exchange ActiveSync.

Very important for the Finance vertical where two-factor authentication is often required.

Page 33: SecurID – Architecture with ISA

Diagram labels: Mobile Device – WTLS – WAP Gateway (Carrier Network) – Internet – Firewall – ISA Server – SSL – Firewall (Corporate Network) – MIS 2002 EE with SecurID ACE/Agent – Data; SecurID ACE/Server

Page 34: Windows Mobile Platform Security Features

Support industry standard certificates
• Support Open Mobile Alliance device management standards *
• AES 256 *, PFX/PKCS12 APIs support *
• FIPS 140-2 Certification *
• Smartcard Resource Manager *

Support Network Authentication Standards
• NTLM 1 & 2, Kerberos
• SSL TLS Client Authentication
• 802.1x user auth using PEAP, EAP/TLS
• WPA

* New for Windows Mobile 5.0

Page 35: Agenda

Define Mobile Environment
Windows Mobile devices in Canada
Windows Mobile 5 Productivity
Policy & Security
Direct Push
Myths and Objections

Page 36: Before Direct Push – How did it work?

1. Server trigger: binary "blob" sent over Short Messaging Service (SMS), including:
   • Message digest (hash)
   • Server ID (pre-configured on device)
2. Client initiates session (IP data connection)
3. Server-controlled interchange passes data via ActiveSync (IP data connection)

Page 37: Direct Push Technology – How does it work now?

Windows Mobile device with MSFP and server running Exchange 2003 SP2:

1. Device sends PING request to Exchange 2003 SP2 server after establishing data/SSL connection
2. Exchange 2003 holds the request pending until heartbeat interval expires
3. If no server state changes occur before heartbeat expires, device sends another PING request
4. If server state changes before heartbeat interval expires, Exchange 2003 notifies device that changes have occurred in the mailbox
5. Device immediately issues SYNC request to pull data. Upon SYNC completion, go to step 1

The device controls the heartbeat interval duration as shown on the next slide…

Page 38: Direct Push Technology – Why is this better?

Less radio & battery overhead – a persistent data connection does not require the data connection to be built up and torn down for each ActiveSync session

Less data usage required – each MSFP ping (~350 bits of data) uses less data than that needed to do a Scheduled Sync even when no data is transferred during the sync

No need for SMS sync initiation
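The five-step PING/SYNC loop from the previous slide, together with the timeout advice from the Device And Server Requirements and Security Architecture slides, as an added simulation. This is example code written for this page, not Microsoft's or the Exchange ActiveSync implementation; `ExchangeServer`, `Device`, the minute-based timings and the per-hop timeouts are constructed, and the device deliberately does not shrink its heartbeat after a drop so that the cost of a too-short idle timeout stays visible.

```python
from dataclasses import dataclass, field


@dataclass
class ExchangeServer:
    """Mailbox state: constructed minute offsets at which new items arrive."""
    pending: list

    def hold_ping(self, now: int, heartbeat: int):
        """Step 2: hold the PING. Answer early with 'changes' if the mailbox
        changes inside the heartbeat window, else 'no changes' at expiry.
        Returns (status, minutes the connection stayed open)."""
        due = [t for t in self.pending if now <= t < now + heartbeat]
        if due:
            return "changes", min(due) - now
        return "no changes", heartbeat

    def sync(self, now: int) -> list:
        """Step 5: a SYNC pulls every change that has occurred up to now."""
        pulled = [t for t in self.pending if t <= now]
        self.pending = [t for t in self.pending if t > now]
        return pulled


@dataclass
class Device:
    heartbeat: int            # minutes the device asks the server to hold the PING
    pings: int = 0
    syncs: int = 0
    drops: int = 0            # held PINGs cut off by an idle timeout in the path
    delivered: list = field(default_factory=list)   # (arrival minute, sync minute)


def run_direct_push(device: Device, server: ExchangeServer,
                    path_timeouts: dict, until: int) -> Device:
    """Drive the PING/SYNC loop until simulated minute `until`.

    path_timeouts maps each hop (IIS, ISA/firewall, operator network ...)
    to its idle HTTPS timeout in minutes. A PING held longer than the
    lowest of them is torn down before the server can answer, so the
    device learns nothing, counts a drop and re-establishes the session.
    """
    lowest = min(path_timeouts.values())
    now = 0
    while now < until:
        device.pings += 1                                        # steps 1 and 3
        status, held = server.hold_ping(now, device.heartbeat)   # step 2
        if held > lowest:
            device.drops += 1          # connection died in the network
            now += lowest
            continue
        now += held
        if status == "changes":                                  # step 4
            device.syncs += 1                                    # step 5
            for arrived in server.sync(now):
                device.delivered.append((arrived, now))
    return device


def demo(heartbeat: int, firewall_timeout: int) -> Device:
    """Constructed scenario: mail lands at minutes 12, 40 and 41; IIS and the
    operator allow 30-minute idle connections, the firewall whatever is given."""
    server = ExchangeServer(pending=[12, 40, 41])
    timeouts = {"iis": 30, "firewall": firewall_timeout, "operator": 30}
    return run_direct_push(Device(heartbeat=heartbeat), server, timeouts, until=90)
```

With a 5-minute firewall timeout the same three messages still arrive, but the device burns four times as many PINGs and spends most of them on torn-down connections, which is the radio and battery cost the slide above is warning about.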

Page 39: Windows Mobile 5.0: Why Direct is Better

• No 3rd party relay NOCs outside of enterprise IT control
• No 3rd party relay failure or access points
• Utilizes existing investments in Exchange Server – highly scalable messaging platform
• No additional client or server licenses for devices
• No additional 3rd party relay hardware or software required behind the enterprise firewall
• Leading platform for LOB applications: .NET Framework and Visual Studio porting to WM
• Single source for product support included with Exchange 2003

Page 40

Agenda

Define Mobile Environment

Windows Mobile devices in Canada

Windows Mobile 5
Productivity
Policy & Security
Direct Push

Myths and Objections

Page 41

Security Myths & Objections

Myth: 3DES is “better” than SSL
Much online banking and e-commerce uses SSL
128-bit SSL—never hacked over the Internet
MS Solution—no dependence on a 3rd-party NOC

Objection: Storing corporate credentials on the device
Credentials are stored in the protected registry
Certificate authentication can be used instead

Objection: Using corporate credentials for authentication
Certificate authentication can be used instead

Myth: Allowing inbound connections from devices to the corporate data center is insecure
Windows Mobile uses the same data flow, authentication, encryption and architecture as Outlook Web Access

Page 42

Security Myths & Objections

Myth: Sending all data through a NOC is good
A 3rd party has control of corporate data

Objection: Must encrypt data and pipe
Traffic is encrypted between device & server; the data doesn’t need to be encrypted

Myth: Windows Mobile is not secure enough
Received US Govt. Federal Information Processing Standards cryptographic certification (FIPS 140-2)

Myth: Remote Wipe by itself is good enough
Should require PIN lock to protect the device prior to the report of loss
If the device radio is turned off, remote wipe won’t work—need local wipe as well
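The last myth is about layering: a remote wipe only helps once the device is reported lost and can still be reached over the air, so a PIN lock and a local wipe have to cover the gap. The state machine below is an added sketch of that policy (not Windows Mobile or Exchange code); the failure threshold of 8 and the "queued until the radio is on" delivery model are assumptions.

```python
"""Toy device-protection policy: PIN lock, local wipe, and radio-dependent remote wipe.
Added example, not product code; thresholds and delivery behaviour are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    pin: str
    max_failures: int = 8             # assumed local-wipe threshold
    radio_on: bool = True
    failures: int = 0
    wiped: bool = False
    wipe_reason: Optional[str] = None
    pending_remote_wipe: bool = False

    def unlock(self, attempt: str) -> bool:
        """Return True on a correct PIN; wipe locally once max_failures bad PINs pile up."""
        if self.wiped:
            return False
        if attempt == self.pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self._wipe("local: PIN failure threshold reached")
        return False

    def server_sends_remote_wipe(self) -> None:
        """The server queues the wipe; it only reaches the device while the radio is on."""
        self.pending_remote_wipe = True
        self._deliver()

    def set_radio(self, on: bool) -> None:
        self.radio_on = on
        self._deliver()

    def _deliver(self) -> None:
        if self.radio_on and self.pending_remote_wipe and not self.wiped:
            self._wipe("remote: wipe command received over the air")

    def _wipe(self, reason: str) -> None:
        self.wiped, self.wipe_reason = True, reason
        self.pending_remote_wipe = False


def lost_device(radio_on: bool, bad_attempts: int) -> Optional[str]:
    """Constructed loss scenario: remote wipe is issued, then bad PINs are entered.
    Returns the reason the device was wiped, or None if the data is still exposed."""
    d = Device(pin="2468", radio_on=radio_on)   # constructed sample PIN
    d.server_sends_remote_wipe()
    for _ in range(bad_attempts):
        d.unlock("0000")
    return d.wipe_reason
```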

Page 43

Resources: Additional Third Party Security

Signature authentication: Certicom Corporation; Communication Intelligence Corporation; TSI/Crypto-Sign; VASCO
Enhanced password protection: Hewlett-Packard
Pictograph authentication: Pointsec Mobile Technologies
Fingerprint authentication: Biocentric Solutions Inc.; HP iPAQ 5400
Card-based authentication: RSA Security
Certificate authentication on a storage card: JGUI
Software storage encryption: F-Secure; Pointsec Mobile Technologies; Trust Digital LLC
802.1x WPA encryption method: Funk Software
S/MIME: Certicom
Encrypt application data: Certicom Corporation; Glück & Kanja Group; Ntrū Cryptosystems, Inc.
Virtual Private Networking: Certicom Corporation; Check Point Software Technologies Ltd.; Columbitech; Entrust, Inc.; Epiphan Consulting Inc.
Disable applications: Odyssey Software; Trust Digital LLC
Device wipe: Asynchrony.com
Public Key Infrastructure (PKI): Certicom Corporation; Diversinet Corp.; Dreamsecurity Co., Ltd.; Glück & Kanja Group
Thin client technology: Citrix; FinTech Solutions Ltd.

Page 44

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied,

Rick Claus
IT Pro Advisor
Microsoft Canada

rick.claus@microsoft.com
http://blogs.technet.com/canitpro