Security considerations for mobile devices in GoRTT Dearl Bain, Security & Assurance Unit 18 April, 2013


Page 1: Security considerations for mobile devices in GoRTT Dearl Bain, Security & Assurance Unit 18 April, 2013

Security considerations for mobile devices in GoRTT

Dearl Bain, Security & Assurance Unit

18 April, 2013

Page 2:

Mobile Devices

Definition:

• Any portable device that can be used to access corporate data and information services.

• Examples: smartphones, tablets, laptops

Page 3:

Security for Mobile Devices

• There is increased use of portable computing devices (smartphones, netbooks, tablets)

• Work-from-home employees

• The points at which an organization's data is exposed have multiplied accordingly.

Page 4:

• Industry analysts project that by 2013 there will be 1.2 billion mobile workers worldwide.

• They also report that by 2013, 75 percent of all U.S. workers will be mobile, meaning those workers will use a mobile device for at least 20 percent of their work.

• Another survey reveals that 36 percent of cell phone owners have either lost a phone or had one stolen.

• Taken together (0.75 × 0.36 ≈ 0.27), these figures suggest that in the near future roughly a quarter of all workers will have lost a mobile device that could provide access to confidential information.

• It's no wonder that mobile device security is a top concern.

Page 5:

Responsibility & Accountability

GoRTT is responsible, accountable and legally liable for the information it stores, processes and transports.

Thousands of personal devices currently hold GoRTT information, files, conversations and account access information.

Security configurations of personal devices do not correspond to enterprise security standards, e.g. password strength.

Page 6:

Personal Use vs Risk Exposure

Page 7:

Personal Devices in the Enterprise

Current User Control / Access:

• Unrestricted access to consumer services
• Unrestricted access to applications
• Corporate email access
• Consumer cloud storage
• Camera and video recording access

Page 8:

Corporate Devices in the Enterprise

Ideal Corporate Control Scenario:

• Restrict access to internal services
• Restrict access to external 3rd-party services
• Detect tampering (rootkits, rooting etc.)
• Audit logging of asset location & usage
• Audit trail for records and compliance investigations
• Securely extend network services beyond perimeter defenses
• Remotely monitor and protect data
• Access network file shares
• Data Loss Prevention

Page 9:

Managing Risks – Mobile Enterprise

Corporate vs BYOD: which is best?

• What level of data classification is accessed?
• What services are required to perform the job?
• What is the risk rating for the individual?
• Does the user have a device that allows for an encrypted secure workspace?

Page 10:

Risks of Inadequate Mobile Security

• Storage of enterprise data on unsecured personal devices

• Storage of enterprise data on 3rd-party infrastructure and services outside of jurisdiction (Dropbox, SkyDrive, etc.)

• Multiple, disparate and uncoordinated file storage silos

• Malicious mining of enterprise data using stolen devices with saved access credentials

• Legal liability for information breaches under the Data Privacy Act if citizen data is compromised

Page 11:

Managing Risk in Mobile Computing

Policy

• Data classification
• Mobile usage policy
• Mobile assignment policies
• Corporate services policy
• Confidentiality policies
• Identify legal recourse for non-compliance
• BYOD

Page 12:

Managing Risk in Mobile Computing

Centralized Management

• Mobile Device Management solutions (BES10, i.e. BlackBerry Enterprise Service 10, etc.) for device policy enforcement
• Access management
• Single sign-on
• Device recovery
• Remote information recovery / information removal

Page 13:

Managing Risk in Mobile Computing

User Education & Accountability

• Policy awareness
• Policy enforcement
• User agreement forms / acceptable use
• Confidentiality statements

Page 14:

Managing Risk in Mobile Computing

Compliance

• Mobile access auditing (ActiveSync, BES)
• Data retention (laws / regulations)

Incident Reporting

• Mobile device incident reporting for loss & theft
• The device itself may be required to provide evidence in a legal matter or assist in investigations
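The compliance and incident-reporting points on this slide (auditing mobile access through ActiveSync, reporting lost and stolen devices) and the earlier risk of stolen devices carrying saved credentials can be turned into a routine check over the ActiveSync device inventory. The script below is an added example written for this page, not code from the presentation or from iGovTT. The column names follow the Exchange 2010 Get-ActiveSyncDeviceStatistics output as an assumption to verify against your own export; the rows, the list of devices reported lost, the fixed clock and the thresholds are all constructed.

```python
"""Audit of an Exchange ActiveSync device inventory (added example).

Column names follow the Exchange 2010 Get-ActiveSyncDeviceStatistics output
(an assumption to verify against your own export); every row, the list of
devices reported lost and the thresholds are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: one device partnership per row, timestamps in UTC.
EXPORT = """\
Identity,DeviceID,DeviceType,DeviceOS,LastSuccessSync,DevicePolicyApplicationStatus,DeviceWipeRequestTime,DeviceWipeAckTime
alice,ABC123,iPhone,iOS 6.1,2013-04-16 08:12:00,AppliedInFull,,
alice,DEF456,Android,Android 2.3,2013-01-03 19:40:00,NotApplied,,
bob,GHI789,BlackBerry,BlackBerry 10.0,2013-04-15 07:00:00,AppliedInFull,,
carol,JKL012,iPhone,iOS 6.1,2013-04-10 12:30:00,AppliedInFull,2013-04-11 09:00:00,
dave,MNO345,iPhone,iOS 5.1,2013-04-12 10:00:00,AppliedInFull,2013-04-12 11:00:00,2013-04-12 11:05:00
"""

# Constructed loss/theft reports from the incident-reporting process.
LOST_DEVICES = {"JKL012", "MNO345"}

NOW = datetime(2013, 4, 18, 9, 0, 0)   # fixed clock so the run is reproducible
STALE_AFTER = timedelta(days=30)       # hypothetical thresholds
WIPE_ACK_GRACE = timedelta(hours=24)


def parse_ts(value: str):
    """Timestamps are blank in the export when the event never happened."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def audit(export_csv: str, lost_ids: set, now: datetime = NOW) -> list:
    """Return (identity, device_id, finding, recommended action) tuples."""
    findings = []
    devices_per_user = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        user, dev = row["Identity"], row["DeviceID"]
        devices_per_user.setdefault(user, []).append(dev)
        last_sync = parse_ts(row["LastSuccessSync"])
        wipe_req = parse_ts(row["DeviceWipeRequestTime"])
        wipe_ack = parse_ts(row["DeviceWipeAckTime"])

        if dev in lost_ids:
            # A lost device with cached credentials keeps working until the
            # wipe is acknowledged or the account password is changed.
            if wipe_req is None:
                findings.append((user, dev, "reported lost, no wipe requested",
                                 "issue remote wipe and reset account password"))
            elif wipe_ack is None and now - wipe_req > WIPE_ACK_GRACE:
                findings.append((user, dev, "wipe not acknowledged within 24h",
                                 "reset account password and block the partnership"))
            continue   # an acknowledged wipe needs no further action

        if last_sync is None or now - last_sync > STALE_AFTER:
            findings.append((user, dev, "no successful sync in 30 days",
                             "remove the device partnership"))
        if row["DevicePolicyApplicationStatus"] != "AppliedInFull":
            findings.append((user, dev, "mailbox policy not applied",
                             "block until the policy is applied"))

    for user, devs in devices_per_user.items():
        if len(devs) > 1:
            findings.append((user, ",".join(devs), "multiple device partnerships",
                             "confirm each device is approved for this user"))
    return findings


if __name__ == "__main__":
    for finding in audit(EXPORT, LOST_DEVICES):
        print(" | ".join(finding))
```

The recommended actions map onto the Exchange administrative cmdlets an operator would run by hand: a remote wipe is issued with Clear-ActiveSyncDevice and a stale partnership is removed with Remove-ActiveSyncDevice. The password reset is the step that actually invalidates credentials cached on a device that never acknowledges its wipe, which is why the audit recommends it rather than waiting for the acknowledgement.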

Page 15:

Conclusions

Contingency Approach

• Secure mobile devices as you would secure a laptop
• Provide security controls in line with data classifications; the highest class accessed applies
• Educate users on their responsibilities and the policies they must abide by
• Ensure the access granted to the employee and to the device matches organizational responsibilities
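The questions on the "Corporate vs BYOD" slide (which classification is accessed, which services the job needs, the individual's risk rating, whether the device supports an encrypted secure workspace) together with the conclusion that controls follow the highest classification accessed amount to a decision rule that can be written down and tested. The code below is an added example, not part of the presentation or of any GoRTT policy: the classification levels, the service catalogue, the device posture attributes, the control-to-level mapping and the risk-rating scale are hypothetical placeholders that a real policy would define.

```python
"""Device access decision: 'highest class applies' (added example).

The classification levels, service catalogue, posture attributes and the
controls mapped to each level are hypothetical placeholders, not GoRTT policy.
"""
from dataclasses import dataclass

# Ordered low -> high; list index is the rank used for "highest class applies".
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# Hypothetical service catalogue: the classification each service exposes.
SERVICES = {
    "intranet-news": "PUBLIC",
    "email": "INTERNAL",
    "file-shares": "CONFIDENTIAL",
    "citizen-records": "RESTRICTED",
}

# Controls that a level adds on top of every lower level (hypothetical).
REQUIRED = {
    "PUBLIC": set(),
    "INTERNAL": {"passcode_ok", "not_rooted"},
    "CONFIDENTIAL": {"encrypted", "mdm_enrolled", "remote_wipe"},
    "RESTRICTED": {"corporate_owned", "secure_workspace"},
}


@dataclass
class Device:
    """Posture facts an MDM or enrolment check would report (hypothetical names)."""
    owner: str
    corporate_owned: bool
    passcode_ok: bool
    not_rooted: bool
    encrypted: bool
    mdm_enrolled: bool
    remote_wipe: bool
    secure_workspace: bool

    def controls_present(self) -> set:
        return {name for name, value in vars(self).items()
                if name != "owner" and value is True}


def rank(level: str) -> int:
    return LEVELS.index(level)


def controls_for(level: str) -> set:
    """Every control needed to handle data up to and including `level`."""
    needed = set()
    for lvl in LEVELS[: rank(level) + 1]:
        needed |= REQUIRED[lvl]
    return needed


def highest_class(services) -> str:
    """When several services are reached, the highest class applies."""
    return max((SERVICES[s] for s in services), key=rank, default="PUBLIC")


def device_ceiling(device: Device) -> str:
    """Highest level whose cumulative controls the device actually meets."""
    have = device.controls_present()
    ceiling = "PUBLIC"
    for lvl in LEVELS:
        if controls_for(lvl) <= have:
            ceiling = lvl
        else:
            break
    return ceiling


def decide(device: Device, requested, user_risk: str = "low") -> dict:
    """Grant the requested services only if the device meets the controls of
    the highest class among them; otherwise grant the subset it qualifies for
    and report what is missing.  `user_risk` is the individual's rating
    (hypothetical scale: low/medium/high); high-risk users lose one level."""
    target = highest_class(requested)
    ceiling = device_ceiling(device)
    if user_risk == "high" and rank(ceiling) > 0:
        ceiling = LEVELS[rank(ceiling) - 1]
    granted = sorted(s for s in requested if rank(SERVICES[s]) <= rank(ceiling))
    denied = sorted(set(requested) - set(granted))
    missing = sorted(controls_for(target) - device.controls_present())
    return {"target": target, "ceiling": ceiling,
            "granted": granted, "denied": denied, "missing": missing}


if __name__ == "__main__":
    # Constructed BYOD phone: managed and encrypted but personally owned and
    # without a separate secure workspace.
    byod = Device(owner="alice", corporate_owned=False, passcode_ok=True,
                  not_rooted=True, encrypted=True, mdm_enrolled=True,
                  remote_wipe=True, secure_workspace=False)
    print(decide(byod, ["email", "citizen-records", "intranet-news"]))
    print(decide(byod, ["file-shares"], user_risk="high"))
```

Because the controls are cumulative, a single failed low-level check (a rooted device, for instance) drops the ceiling to PUBLIC regardless of how well the device scores on encryption or MDM enrolment, which is the "highest class applies" rule read from the other direction: the weakest control the device lacks bounds the most sensitive data it may touch.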

Page 16:

Thank You

iGovTT

Lord Harris Court, 52 Pembroke Street

Port of Spain, Republic of Trinidad and Tobago

Telephone: (868) 627-5600

Fax: (868) 624-8001

Email: [email protected]

Website: www.igovtt.tt

Facebook: www.facebook.com/iGovTT

Twitter: @iGovTT