Deploying and Managing Mobility Securely
Jason Langridge, UK Mobility Business Manager


Agenda
Observations and questions for you!
What are we protecting?
Threats and how to mitigate them
Managing and enforcing policy
Summary

Statements and observations
Security is an excuse, not a reason not to deploy a mobile solution
A Smartphone/Pocket PC is not the same as a PC: it is just a phone/PDA that got really, really smart
The use of mobile devices is very different to a laptop
Security and device management are not independent; they are intrinsically linked

Questions for you!
Do you have a mobile device security policy? It is not the same as a laptop policy.
Do you let security influence your choice of device or platform?
Who is handling your data as it goes from its corporate home to your users' mobile devices?
Is security designed into any custom mobile apps, or is it an afterthought?

What Are We Protecting?
The physical device?
Corporate knowledge?
Misuse of resources (and increased costs)?
Corporate legal exposure:
– Sarbanes-Oxley, GLBA (US)
– Privacy Directive, Data Protection Directive (EU), and "Safe Harbor" Principles (US)
– OECD Fair Information Practices
– CFAA (Computer Fraud and Abuse Act)

Fundamental Tradeoff
Secure / Usable / Cost: you get to pick any two!

Threats and how to mitigate them
Major threat categories
– Unauthorized access to device
– Unauthorized access to data
– Interception of data
– Viruses and trojan applications
Perform a risk assessment
Establish policy for:
1. Device password
2. Anti-virus
3. Application installation and execution
4. Transmission of data
5. Data protection

1. Device Password
4-digit PIN (Pocket PC)
Strong password (Pocket PC & Smartphone)
>4-digit PIN (Smartphone)
Exponential delay with incorrect password
Password-protected ActiveSync partnership
Now enforceable and manageable through MSFP and SMS
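A simulation of the lock-screen behaviour this slide lists, added here as an illustration and not taken from the deck or from any Microsoft code: the PIN-versus-strong-password rule per device type, and the exponential delay that grows with each wrong entry. The free-attempt count, base delay, cap and the strong-password thresholds are my assumptions, not values from the slides.

```python
import hmac
import re
from enum import Enum


class Device(Enum):
    POCKET_PC = "Pocket PC"
    SMARTPHONE = "Smartphone"


def meets_password_policy(secret: str, device: Device, require_strong: bool) -> bool:
    """PIN: exactly 4 digits on Pocket PC, more than 4 on Smartphone (per the slide).
    Strong password: length >= 7 with letters, digits and punctuation (assumed rule)."""
    if require_strong:
        classes = sum(bool(re.search(p, secret)) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))
        return len(secret) >= 7 and classes == 3
    if not secret.isdigit():
        return False
    return len(secret) == 4 if device is Device.POCKET_PC else len(secret) > 4


class DeviceLock:
    """Lock screen with exponential back-off after repeated wrong entries.
    Time is passed in explicitly so the behaviour can be checked deterministically."""

    def __init__(self, secret: str, free_attempts: int = 2,
                 base_delay: float = 1.0, max_delay: float = 3600.0):
        self._secret = secret
        self.failed = 0                 # consecutive wrong entries
        self.locked_until = 0.0         # timestamp before which entry is refused
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay

    def try_unlock(self, attempt: str, now: float):
        """Returns (unlocked, seconds_to_wait)."""
        if now < self.locked_until:
            return False, self.locked_until - now        # still inside the penalty window
        if hmac.compare_digest(attempt, self._secret):    # constant-time comparison
            self.failed = 0
            return True, 0.0
        self.failed += 1
        extra = self.failed - self.free_attempts
        if extra > 0:
            # delay doubles with every failure beyond the free ones, up to max_delay
            delay = min(self.max_delay, self.base_delay * 2 ** (extra - 1))
            self.locked_until = now + delay
            return False, delay
        return False, 0.0
```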

2. Anti-Virus Software
Built-in APIs for anti-virus solutions
– Computer Associates
– F-Secure
– McAfee
– SOFTWIN
– Airscanner
– Trend
Personal firewall
– Bluefire Security Technologies
– Check Point VPN-1 SecureClient

3. Application Level Security
Security policies configured via the Security Configuration Service Provider:
Unsigned Applications Policy: disables execution of unsigned apps
Unsigned CABs Policy: disables installation of unsigned applications
Unsigned Prompt Policy: enables prompt mode for unsigned installation and execution
Privileged Applications Policy: enables "1 tier" or "2 tier" security model

3. Application-level Security: "1 tier" and "2 tier"?
Smartphone supports "2 tier": if an application is not blocked, it could be signed for one of 2 different trust levels
– Trusted: access to all registries, APIs, hardware interfaces
– Normal: exists only on two-tier devices
  – Some APIs restricted, parts of the Registry are read-only
  – >95% of the device accessible, adequate for almost all apps
  – Intended as a way to improve reliability of apps, not a primary defense against damage from malicious code

3. Application-level Security: "1 tier" and "2 tier"?
New to Windows Mobile 5.0: Pocket PC supports "1 tier"
– The configuration or application is either blocked completely or trusted completely
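A small model of the execution decision these three application-security slides describe, added as an illustration rather than anything from the deck: which of the four policies applies to unsigned versus signed code, and how the one-tier setting collapses Normal into Trusted. The policy field names follow the slide; the numeric policy IDs in the comments are my recollection of Microsoft's SecurityPolicy configuration service provider documentation and should be verified there.

```python
from dataclasses import dataclass
from enum import Enum


class Signature(Enum):
    NONE = "unsigned"
    NORMAL = "signed with a Normal-store certificate"
    PRIVILEGED = "signed with a Privileged-store certificate"


class Verdict(Enum):
    BLOCKED = "blocked"
    PROMPT = "prompt the user before install/run"
    RUN_NORMAL = "runs at Normal (some APIs restricted, parts of registry read-only)"
    RUN_TRUSTED = "runs Trusted (all registries, APIs, hardware interfaces)"


@dataclass(frozen=True)
class SecurityPolicy:
    unsigned_apps_allowed: bool   # Unsigned Applications Policy (ID 4102, assumed)
    unsigned_cabs_allowed: bool   # Unsigned CABs Policy (ID 4101, assumed)
    unsigned_prompt: bool         # Unsigned Prompt Policy (ID 4122, assumed)
    one_tier: bool                # Privileged Applications Policy, True = "1 tier" (ID 4123, assumed)


def decide(policy: SecurityPolicy, sig: Signature, is_cab: bool = False) -> Verdict:
    """Apply the slide's policies in order: block, then prompt, then pick a trust level."""
    if sig is Signature.NONE:
        allowed = policy.unsigned_cabs_allowed if is_cab else policy.unsigned_apps_allowed
        if not allowed:
            return Verdict.BLOCKED
        if policy.unsigned_prompt:
            return Verdict.PROMPT
        # Permitted unsigned code runs Normal on a two-tier device, but on a
        # one-tier (Pocket PC) device "not blocked" means fully trusted.
        return Verdict.RUN_TRUSTED if policy.one_tier else Verdict.RUN_NORMAL
    # Signed code: the certificate store decides on two-tier; one-tier has no Normal level.
    if policy.one_tier or sig is Signature.PRIVILEGED:
        return Verdict.RUN_TRUSTED
    return Verdict.RUN_NORMAL


def policy_matrix(policy: SecurityPolicy) -> dict:
    """Outcome for every (signature, artefact) combination, for reviewing a policy."""
    return {(s.name, kind): decide(policy, s, is_cab=(kind == "cab")).name
            for s in Signature for kind in ("exe", "cab")}


# Constructed presets: a locked-down Smartphone and an unrestricted Pocket PC.
LOCKED_SMARTPHONE = SecurityPolicy(False, False, False, one_tier=False)
OPEN_POCKET_PC = SecurityPolicy(True, True, False, one_tier=True)
```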

4. Securing Transmission of Data
Network authentication
– NTLM versions 1 and 2
– SSL Basic and TLS client authentication
WiFi 802.1x user authentication using
– Protected EAP (PEAP)
– EAP/TLS (certificate-based)
– WPA

4. Windows Mobile VPN
VPN options compared by: mutually authenticated / standards based / password only
– PPTP/MSCHAPv2
– Layer 2 Tunneling Protocol
– Third-party VPN solutions

5. Data Protection
Limit the data to just what is needed.
Cryptographic services for applications are built in (Crypto API v2)
SQL CE provides 128-bit encryption (Pocket PC only)
3rd-party options (Company: Product):
– Applian Technologies: The Pocket Lock offers both file and folder encryption.
– Asynchrony.com: PDA Defense for the Pocket PC encrypts databases, files, and memory cards.
– Cranite Systems: WirelessWall provides AES data encryption for Pocket PCs.
– Developer One, Inc.: CodeWallet Pro provides a secure way to store and access important information on your Pocket PC or Smartphone.
– Handango, Inc.: Handango Security Suite for Pocket PC provides file and data encryption.
– Pointsec Mobile Technologies: Pointsec for Pocket PC encrypts all data stored in the device, whether in RAM or on external storage cards.
– SoftWinter: seNTry 2020 encrypts data on external storage cards.
– Trust Digital LLC: PDASecure secures access to a Pocket PC and encrypts the data on it. It also prevents unauthorized infrared beaming of data.

Summary of Windows Mobile Security Features
Perimeter protection
– Device lock: PIN, strong password, exponential delay
– Authentication protocols: PAP, CHAP, MS-CHAP, NTLM, TLS
Data protection
– 128-bit cryptographic services: CAPIv2
– Code signing (Smartphone only)
– Anti-virus API
Network protection
– OTA device management security
– Secure browsing: HTTP (SSL), WAP (WTLS)
– Virtual private networking (PPTP, L2TP/IPSec)
– Wireless network protection (WEP, 802.1x, WPA)

Mobile Device Management and Security Challenges
Devices infrequently connected to an organisation's network
Low-bandwidth, higher-cost connections
Unreliable connections
Device loss that leads to work stoppage

Customer requests for mobile device management
Security: data protection
– Ensuring corporate data on the device is secure
Configuration: applying settings
– Applying networking, application and security settings
Inventory: asset and version tracking
– Storing device serial numbers, OS and application versions
Application deployment and update
– Deploying applications, and updating or patching based on version
OS deployment and update
MSFP will provide

SMS 2003 Device Management Feature Pack (DMFP)
Add-on to SMS 2003 SP1 to manage Pocket PC, Pocket PC Phone and Windows CE based devices
Components install on SMS 2003 site systems
Client agent installs on Windows Mobile devices via SD card or ActiveSync
Device clients can connect directly to the SMS server, independent of a PC
Aimed at the major feature requests

Feature Set
Hardware/software inventory
File collection
Software distribution
Script execution
Settings management
Password policy management
Automated client distribution via SMS 2003 Advanced Client desktop

Mobile Device Management – Working Environments
SMS 2003 Device Management Feature Pack (DMFP):
– Customers already deployed or licensed for SMS
– Support for both personal and line-of-business devices
– Flexible configuration required
b2m solutions – mProdigy:
– Customers who don't currently have a management solution in place
– Managing critical business processes
– Robust configuration management

Mobile Enterprise Management
Tom Fell, Mobile Systems Architect, b2m solutions

mProdigy: Five Software Modules
– Device Management
– Asset Management
– Communications Management
– Supplier Management
– Application Monitoring
Focus for today's presentation

mProdigy Features
"Hands off" commissioning of devices
Deployment Profiles
– detailed device configuration management
– provides tight control whilst maintaining flexibility
– support multiple device types in the same operational role
Patches for "ad-hoc" updates
Remote diagnostics
Remote warm / cold reboot
Cold boot resilience
Distributed deployment

mProdigy Features
Asset register includes details of devices and associated peripherals
Repair loop management
Event tracking (used by Supplier Management & Application Monitoring)
Alerts
Manage devices by group / location / function
GPRS / Ethernet support
Efficient and robust communications infrastructure (optimised protocol for "pay per byte" networks)

mProdigy: Five Software Modules
– Device Management
– Asset Management
– Communications Management
– Supplier Management
– Application Monitoring
Change Management / Technology Management

Mobile Device Management Demonstration
Tom Fell, Mobile Systems Architect, b2m solutions

Summary and Recommendations
Security is no longer an excuse
Define a security policy for mobile devices
Find out how many devices are in use in your organisation!
If you need:
– Security policy and password policy control: MSFP
– Software deployment, settings management and asset control: a management solution

References
Windows Mobile Security White Paper – security.mspx
Security Product Solutions – utions/security/secsearch.aspx

3rd Party Solution Providers
Signature authentication
– Certicom Corporation
– Communication Intelligence Corporation
– TSI/Crypto-Sign
– VASCO
Enhanced password protection
– Hewlett-Packard
Pictograph authentication
– Pointsec Mobile Technologies
Fingerprint authentication
– Biocentric Solutions Inc.
– HP iPAQ 5400
Card-based authentication
– RSA Security
– Schlumberger Sema
Certificate authentication on a storage card
– JGUI Software
Storage encryption
– F-Secure
– Pointsec Mobile Technologies
– Trust Digital LLC
Encrypt application data
– Certicom Corporation
– Glück & Kanja Group
– Ntrū Cryptosystems, Inc.
Virtual Private Networking
– Certicom Corporation
– Check Point Software Technologies Ltd.
– Columbitech
– Entrust, Inc.
– Epiphan Consulting Inc.
Disable applications
– Trust Digital LLC
Device wipe
– Asynchrony.com
Public Key Infrastructure (PKI)
– Certicom Corporation
– Diversinet Corp.
– Dreamsecurity Co., Ltd.
– Glück & Kanja Group
Thin client technology
– Citrix
– FinTech Solutions Ltd.
– Microsoft