security considerations for mobile devices in gortt dearl bain, security & assurance unit 18...
TRANSCRIPT
Security considerations for mobile devices in GoRTT
Dearl Bain, Security & Assurance Unit
18 April, 2013
Mobile Devices
Definition:
• Any portable device that can be used to access corporate data and information services.
• Examples : Smart-Phones,Tablets, Laptops
Security for Mobile Devices
• There is increased use of portable computing devices such as (smartphones, netbooks, tablets)
• Work-from-home employees
• An organizations’ data vulnerability points have increased exponentially.
• Industry experts say that by 2013 there will be 1.2 billion mobile workers worldwide.
• They also report that by 2013,75 percent of all U.S. workers will be mobile, meaning those workers will use a mobile device for at least 20 percent of their work.
• Another survey reveals that 36 percent of cell phone owners have either lost a phone or had one stolen.
• These facts suggest that in the near future, nearly 25 percent of all workers will have lost a mobile device that could provide access to confidential information.
• It’s no wonder that mobile device security is a top concern
GoRTT is responsible, accountable and legally liable for information it stores, processes and transports.
1000’s of personal devices currently hold GoRTT information, files, conversations and account access information.
Security configurations of personal devices do not correspond to enterprise security standards, e.g. password strength
Responsibility & Accountability
Personal Use vs Risk Exposure
Current User Control / Access:• Unrestricted Access to consumer services• Unrestricted access to applications• Corporate Email Access• Consumer Cloud storage• Camera and Video recording access
Personal Devices in The Enterprise
Ideal Corporate Control Scenario:• Restrict Access to internal services• Restrict Access to External 3rd Party services• Detect tampering (rootkits, rooting etc.)• Audit logging of asset location & usage• Audit trail for records, compliance investigations• Securely extend network services beyond
perimeter defenses.• Remotely monitor and protect data• Access network file shares• Data Loss Prevention
Corporate Devices in the Enterprise
Corporate vs BYOD, Which is best?
• What level of data classification is accessed?• What services are required to perform job?• What is the risk rating for the individual?• Does the user have a device that allows for
encrypted secure workspace?
Managing Risks – Mobile Enterprise
Risks of Inadequate Mobile Security
• Storage of enterprise data on unsecured personal devices
• Storage of enterprise data on 3rd party infrastructure and services outside of jurisdiction (Dropbox, Skydrive, etc)
• Multiple, disparate and uncoordinated file storage silos
• Malicious mining of enterprise data using stolen devices with saved access credentials
• Legal liability for information breaches under the Data Privacy Act if citizen data is compromised
Managing Risk in Mobile Computing
Policy
• Data classification• Mobile usage policy• Mobile assignment policies• Corporate services policy• Confidentiality policies• Identify legal recourse for non-compliance• BYOD
Centralized Management
• Mobile Device Management Solutions (BES10, etc) for device policy enforcement
• Access Management• Single Sign On• Device recovery• Remote Information Recovery / Information Removal
Managing Risk in Mobile Computing
User Education & Accountability
• Policy Awareness• Policy Enforcement• User agreement forms/Acceptable use• Confidentiality Statements
Managing Risk in Mobile Computing
Compliance• Mobile Access Auditing (Active Sync, BES)• Data Retention (Laws / Regulations)
Incident Reporting• Mobile device incident reporting for Loss & Theft• Device itself may be required to provide evidence in
legal matter or assist in investigations
Managing Risk in Mobile Computing
Conclusions
Contingency Approach
• Secure mobile devices as you would secure a laptop• Provide security controls in line with data
classifications, highest class applies.• Educate users on their responsibilities and the
policies they must abide by• Ensure access granted to employee and to device
matches organizational responsibilities
Thank YouiGovTT
Lord Harris Court52 Pembroke Street
Port of Spain Republic of Trinidad and Tobago
Telephone: (868) 627-5600
Fax: (868) 624-8001Email:[email protected]
Website: www.igovtt.ttFacebook: www.facebook.com/iGovTT
Twitter: @iGovTT