Security for Mobile Devices

Presentation transcript:

Security for Mobile Devices, FedCASIC Abstract 2014. The use of mobile devices for survey data collection presents unique new issues in a FISMA-regulated environment. Mobile devices, when used for data collection, represent a new type of computing platform and are subject to the same security requirements as desktops or laptops. Mobile devices are also an emerging technology with a wide variety of hardware, operating systems, and applications, and that, along with the rapid innovation of new models, features, and capabilities, presents many challenges to a successful and secure deployment. Additionally, mobile devices are generally aimed at a consumer market rather than at enterprise use. The tools, technology, and procedures that are typically employed to function as technical controls, e.g., user authentication, data encryption, configuration management, etc., have not fully developed in all cases or do not yet exist. In this presentation we will review the common FISMA controls that may apply to the use of mobile devices, the technical solutions that are available, and special issues to consider. FedCASIC March 2014, Dennis Pickett, Westat

Introduction
Who am I?
- Dennis Pickett, Senior Manager of Information Security at Westat
What will we be discussing?
- Securing mobile devices as a general need
- What are the risks you need to be aware of with mobile devices, and how do you mitigate those risks?

What do we mean by “mobile device”?
Most often when we discuss “mobile devices” it means just tablets and smart phones, those devices with a mobile operating system:
- Apple’s iOS
- Google’s Android OS
- Microsoft’s Windows Phone and RT OS
- Blackberry
- Firefox OS
“Mobile” can vary; it could mean anything portable:
- Heart rate monitors
- GPS devices
- Accelerometers
Laptops are included, but generally have traditional tools available for security.

What are the benefits of mobility?
Since the iPhone, and later the iPad, we’ve seen an explosion in smartphone and tablet adoption for personal and business use.
Users love them because of:
- Convenience
- Portability
Businesses love them because they are:
- Cheaper than laptops
- More user friendly
- Able to leverage users’ existing equipment (BYOD)
Mobile devices are here to stay, and the form factors will only become more varied (e.g. Google Glass).

What are the risks with the adoption of mobility devices?
Two categories: existing and new risks.
Existing risks: most of these have proven mitigation strategies for laptops, and options for solving them on mobile OS devices are only now becoming ‘mature’.
- Theft and device loss
- Malicious software
- Sharing devices and accounts
- Controlling access to the network
- Keeping devices up to date

What are the risks with the adoption of mobility devices? (cont.)
New risks: mobile devices bring new risks that many, including organizations that already have devices in use, haven’t yet considered. It’s a ticking clock; it’s a question of when, not if, a security breach will occur if no mitigation is put in place.
- Voice input: anything you speak goes off the device for translation
- Built-in accessories: camera, recorder, GPS
- Employee personal information on a company device
- Finding solutions that work across different OSs, versions, etc.
- Corporate information on personal devices: is email OK? What about contact information for other employees or study participants, study participant data, network login credentials, contract information?

Managerial, Operational, Technical
How do we know what security controls are needed, and how do we know when we’ve achieved success?
Appropriate security is achieved through compliance with Federal information assurance laws and requirements:
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Processing Standards (FIPS) 140-2
As much as we want a “silver bullet”, security is a layered process. You must have goals before you can have IT to achieve them.
Managerial, Operational, Technical:
- Decide on your rules
- Put practices in place
- Implement IT that enables those rules and practices

What solutions exist, and how do I go about implementing them?
Managerial: policy, company decisions
Strategy: your organization, or at least your project, needs a mobile device security strategy; document it in a policy. Once it’s on paper you have a boundary drawn, and it becomes more manageable.
- Decide what is and isn’t allowed on the corporate network
- May users use their own devices?
- Standardize the platform for distributed devices
- What investigative rights does your organization have over a user’s personal device if it is used for work?
- Users must sign roles and responsibilities before using any mobile device for work

What solutions exist, and how do I go about implementing them? (cont.)
Operational: process and procedures. Implement, test, and train in operational procedures related to mobile devices, and follow best practices where possible. Key items:
- Software (app) development procedures must include security controls and testing
- De-identification of data
- Offloading of data

What solutions exist, and how do I go about implementing them? (cont.)
Technical: apply technical controls at the device level where possible, and at the application level in other cases.
Implementation - Device:
- Mobile Device Management (MDM)
- Control access to the network
- Containerization
- Remote wipe

What solutions exist, and how do I go about implementing them? (cont.)
Technical Implementation - Device: leverage what the OS provides
- FIPS 140-2 cryptographic modules
- Apple Configurator, Samsung Android Knox, Blackberry Playbook
- VPN at the application layer
- Access controls
- Full disk encryption
- Antivirus and anti-malware

What solutions exist, and how do I go about implementing them? (cont.)
Technical (cont.) Implementation - Apps and Network
YOU are responsible for building, or buying, apps with appropriate security controls that will enforce:
- Authentication and authorization of users
- Access to corporate resources
- Protection of credentials on the device
- Protection of data at rest
- Protection of data in transit
- Security logging and auditing
Don’t expect another component to secure your app; understand what you are getting from the device, and what you need to build into your program.

Case study: Data Collection Project
- In-home interviews
- 1,200 devices in the field
Security was achieved through a layered approach:
- Security plan with policy, practices, and procedures
- De-identified information
- Device level: full disk encryption (FDE) through the OS; PIN authentication to the device
- App level: complex password to access the application; authentication required to transfer to the server; HTTPS to encrypt data in transit
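The app-level layer of the case study (de-identified records plus data at rest protected under the application password), as an added example that is not part of the presentation or of Westat's software. It assumes the Python `cryptography` package is installed; the record fields and the PBKDF2 iteration count are constructed assumptions.

```python
"""Added example: app-level protection of survey records on a data-collection
device. Assumes the `cryptography` package (pip install cryptography)."""
import base64
import hashlib
import json
import os
import secrets
from typing import Optional, Tuple

from cryptography.fernet import Fernet, InvalidToken

# Assumption: raise within the device's CPU budget (OWASP suggests 600k for SHA-256).
PBKDF2_ITERATIONS = 200_000
# Constructed list of direct identifiers that must never sit next to responses.
DIRECT_IDENTIFIERS = {"name", "address", "phone"}


def de_identify(record: dict) -> Tuple[dict, dict]:
    """Split a participant record into identifiers and survey responses, linked
    only by a random token. The identifier half is held by the study office, so
    a lost device carries responses that name nobody."""
    token = secrets.token_hex(16)
    ident = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
    responses = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    ident["link"] = token
    responses["link"] = token
    return ident, responses


def key_from_password(password: str, salt: bytes) -> bytes:
    """Derive the at-rest key from the application password, never store it."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(raw)  # Fernet wants a base64 32-byte key


def seal(responses: dict, password: str) -> bytes:
    """Authenticated encryption (Fernet: AES-CBC + HMAC) of one response set."""
    salt = os.urandom(16)
    token = Fernet(key_from_password(password, salt)).encrypt(
        json.dumps(responses).encode())
    return salt + token  # salt is public; it is needed to re-derive the key


def unseal(blob: bytes, password: str) -> Optional[dict]:
    """Return the responses, or None when the password (or the data) is wrong."""
    salt, token = blob[:16], blob[16:]
    try:
        return json.loads(Fernet(key_from_password(password, salt)).decrypt(token))
    except InvalidToken:
        return None
```

A tampered blob fails the same way as a wrong password, so the app cannot be tricked into loading modified responses.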

What does the future hold?
The Good:
- More security and management tools and options
- More mature products
- More products aimed at Federal compliance
The Bad:
- More sophisticated attacks as more and more valuable information is stored on mobile devices and use becomes more widespread

Questions? Dennis Pickett, CISSP Westat Senior Manager of Information Security 301-251-8203 dennispickett@westat.com