State of Oregon Enterprise Security Office Jan. 14th, 2010 Security Strategies for Mobile Devices
Slide 2: Welcome John Ritchie, CISSP State of Oregon Enterprise Security Office Information Security Analysis and Consultation
Slide 3: Introduction Enterprise Security Office (ESO) State Enterprise Perspective Multi-Agency, Cross-Agency Enterprise Policy and Oversight Not Operations
Slide 4: Agenda Overview of Issues Strategies For Developing Solutions Future Trends
Slide 5: Issue: Portable Storage, Storage and more Storage Easy Data Sharing Small, Smaller, Smallest, Lost Data Loss Prevention Bypass Security Controls
Slide 6: Issue: Mobile Workforce Culture Change Can't Be Ignored Huge Benefits Technical Challenges Porous Perimeter Firewalls? Individual Devices
Slide 7: Issue: Mobile Workforce Everything Connects Hostile Environments
Slide 8: Strategies For Coping Step By Step Define Business Needs Develop Policy Technical Implementation Audit Device Use and Compliance Step By Step (Refrain)
Slide 9: Strategy: Step By Step Start Somewhere Develop A Plan Something Is Better Than Nothing It All Costs Money
Slide 10: Strategy: Business Needs Define Benefits What Are Your Goals? Information Classification – Task #1 Where's Your Sensitive Data? What Will Your Employees Store On Mobile Devices?
Slide 11: Strategy: Policy Decision Points Strict Or Lenient? Device Ownership Decision Device Management Decisions Security
Slide 12: Policy Device Ownership Company-claimed (stricter) Control and Security Responsibility (for the most part) organization's Separation of Church and State Personal Devices (more permissive) Flexibility Employee Satisfaction Cost?
Slide 13: Policy Device Management Corporate versus Individual Management Supported Models versus All Models Standard Configuration Lost/Stolen/Sold Devices Employee Termination
Slide 14: Policy Security Data At Rest Data In Transit Access To Device Access to Enterprise Assets Comic by XKCD.com
Slide 15: Policy Responsibility Should Employee Share Responsibility? Arrangement Education Critical Component
Slide 16: Strategy: Technical Controls Intersect With Policy And Security Policy Without Controls Is… Integrate Solutions With Architecture Don't Forget About Existing Policies Acceptable Use
Slide 17: Strategy: Audit Device Use Education Visual Audits Manager drive-by Technical Audits Logging "Lessons Learned" Audits After-the-fact
Slide 18: Strategy: Step By Step (Refrain) Start Somewhere Develop A Plan Something Is Better Than Nothing It All Costs Money
Slide 19: Trends For the Future Increasingly Mobile Workforce Better Tools Current: Remote Access, Minimize Local Storage Developing Market for Tools Increasing Risk Targets For Attack Increasing Awareness? History of PC Security Awareness
Slide 20: State Reference Material Policies http://www.oregon.gov/DAS/EISPD/ESO/Policies.shtml Statewide Information Security Plan and Standards http://www.oregon.gov/DAS/EISPD/ESO/SW_Plan_Standards.shtml
Slide 21: Questions? John Ritchie (503) 378-3910 john.ritchie@state.or.us
Slide 22: Drive Encryption Tools
Pointsec: http://www.checkpoint.com/items/datasecurity/pc/index.html
CREDANT: http://www.credant.com/products.html
GuardianEdge: http://www.guardianedge.com/items/guardianedge-hard-plate encryption.php
PGP: http://www.pgp.com/items/wholediskencryption/index.html
McAfee Endpoint Encryption: http://www.mcafee.com/us/undertaking/items/data_protection/data_encryption/endpoint_encryption.html
Microsoft BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx
Slide 23: Drive Encryption Tools
Mobile Armor: http://www.mobilearmor.com/dataarmor.php
SafeNet: http://www.safenet-inc.com/items/data_protection/disk_and_file_encryption/protectdrive.aspx
SecurStar: http://www.securstar.com/products.php
Utimaco Software: http://www.sophos.com/items/endeavor/encryption/shield venture/gadget encryption/
WinMagic: http://www.winmagic.com/items
Slide 24: Remote Device Wipe BlackBerry Enterprise Server Microsoft's System Center Mobile Device Manager Apple's iPhone 3.0 (with MobileMe)
Slide 25: Lost Device Tracking
Adeona Project (Open Source): http://adeona.cs.washington.edu/
Absolute Software: http://www.absolute.com/
zTrace Technologies: http://www.ztrace.com/
Slide 26: Presentation, Desktop Virtualization
Citrix XenDesktop: http://www.citrix.com/english/ps2/items/product.asp?contentID=163057
Citrix XenApp: http://www.citrix.com/english/ps2/items/product.asp?contentid=186
VMware View: http://www.vmware.com/items/view/
Microsoft's Remote Desktop Services: http://www.microsoft.com/windowsserver2008/en/us/presentation-terminal.aspx?pf=true