Security Procedures for Cell phones.

Condition of Oregon Enterprise Security Office Jan. 14 th , 2010 Security Strategies for Mobile Devices

Welcome John Ritchie, CISSP State of Oregon Enterprise Security Office Information Security Analysis and Consultation

Introduction Enterprise Security Office (ESO) State Enterprise Perspective Multi-Agency, Cross-Agency Enterprise Policy and Oversight Not Operations

Agenda Overview of Issues Strategies For Developing Solutions Future Trends

Issue: Portable Storage, Storage and more Storage Easy Data Sharing Small, Smaller, Smallest, Lost Data Loss Prevention Bypass Security Controls

Issue: Mobile Workforce Culture Change Can\'t Be Ignored Huge Benefits Technical Challenges Porous Perimeter Firewalls? Individual Devices

Issue: Mobile Workforce Everything Connects Hostile Environments

Strategies For Coping Step By Step Define Business Needs Develop Policy Technical Implementation Audit Device Use and Compliance Step By Step (Refrain)

Strategy: Step By Step Start Somewhere Develop A Plan Something Is Better Than Nothing It All Costs Money

Strategy: Business Needs Define Benefits What Are Your Goals? Information Classification – Task #1 Where\'s Your Sensitive Data? What Will Your Employees Store On Mobile Devices?

Strategy: Policy Decision Points Strict Or Lenient? Gadget Ownership Decision Device Management Decisions Security

Policy Device Ownership Company-claimed (stricter) Control and Security Responsibility (for the most part) organization\'s Separation of Church and State Personal Devices (more permissive) Flexibility Employee Satisfaction Cost?

Policy Device Management Corporate versus Individual Management Supported Models versus All Models Standard Configuration Lost/Stolen/Sold Devices Employee Termination

Policy Security Data At Rest Data In Transit Access To Device Access to Enterprise Assets Comic by XKCD.com

Policy Responsibility Should Employee Share Responsibility? Arrangement Education Critical Component

Strategy: Technical Controls Intersect With Policy And Security Policy Without Controls Is… Integrate Solutions With Architecture Don\'t Forget About Existing Policies Acceptable Use

Strategy: Audit Device Use Education Visual Audits Manager drive-by Technical Audits Logging "Lessons Learned" Audits After-the-reality

Strategy: Step By Step (Refrain) Start Somewhere Develop A Plan Something Is Better Than Nothing It All Costs Money

Trends For the Future Increasingly Mobile Workforce Better Tools Current: Remote Access, Minimize Local Storage Developing Market for Tools Increasing Risk Targets For Attack Increasing Awareness? History of PC Security Awareness

State Reference Material Policies http://www.oregon.gov/DAS/EISPD/ESO/Policies.shtml Statewide Information Security Plan and Standards http://www.oregon.gov/DAS/EISPD/ESO/SW_Plan_Standards.shtml

Questions? John Ritchie (503) 378-3910 john.ritchie@state.or.us

Drive Encryption Tools Pointsec: http://www.checkpoint.com/items/datasecurity/pc/index.html CREDANT: http://www.credant.com/products.html GuardianEdge: http://www.guardianedge.com/items/guardianedge-hard-plate encryption.php PGP: http://www.pgp.com/items/wholediskencryption/index.html McAfee Endpoint Encryption: http://www.mcafee.com/us/undertaking/items/data_protection/data_encryption/endpoint_encryption.html Microsoft BitLocker: http://technet.microsoft.com/en-us/windows/aa905065.aspx

Drive Encryption Tools Mobile Armor: http://www.mobilearmor.com/dataarmor.php SafeNet: http://www.safenet-inc.com/items/data_protection/disk_and_file_encryption/protectdrive.aspx SecurStar: http://www.securstar.com/products.php Utimaco Software: http://www.sophos.com/items/endeavor/encryption/shield venture/gadget encryption/WinMagic: http://www.winmagic.com/items

Remote Device Wipe BlackBerry Enterprise Server Microsoft\'s System Center Mobile Device Manager Apple\'s iPhone 3.0 (with MobileMe)

Lost Device Tracking Adeona Project (Open Source): http://adeona.cs.washington.edu/Absolute Software: http://www.absolute.com/zTrace Technologies: http://www.ztrace.com/

Presentation, Desktop Virtualization Citrix XenDesktop: http://www.citrix.com/english/ps2/items/product.asp?contentID=163057 Citrix XenApp: http://www.citrix.com/english/ps2/items/product.asp?contentid=186 VMware View: http://www.vmware.com/items/view/Microsoft\'s Remote Desktop Services: http://www.microsoft.com/windowsserver2008/en/us/presentation-terminal.aspx?pf=true