Managing the Unmanageable: Surviving in a Mobile World

1
Managing the Unmanageable Surviving in a Mobile
World

• Jay Heiser

2
Mobile Data Issues
User-owned PDAs and smartphones
Weak passwords
Loss
WLAN attacks
Theft
Home PCs
Exposed ports
Multiple devices per user
Security controlled by user
Unmanaged VPN
Personal remote control
Missing or weak data encryption
Unpatched operating system, applications
3
Making a Mobile Device Safe

• Keep it clean simple
• A locked-down standard image avoids potential
  problems
• Reduce Services, PlugPlay, Network capabilities

• Protect the platform software
• Patch and update OS and applications
• Use anti-virus, anti-spyware, personal firewall,
  HIPS

• Protect the information
• Encrypt to prevent theft
• Backup to provide continuity

In practice, how do you do all of this?Can you
do it reliably comprehensively?
4
Traditional Configuration Management Is Not
Mobile-Friendly
Desktop management focus Novadigm (HP), Marimba
(BMC) ManageSoft, ON Technology (Symantec),
Altiris, LANDesk, Novell ...
Microsoft
Enterprise FrameworksComputer Associates,
IBM/Tivoli
Mobile management focus iAnywhere, Sybase, Mobile
Enterprise, Intellisync EndPoint Policy
Management, iPass
Security focusCredant Technologies, SecureWave,
Full Armor, IS/Complete, Tripwire ...
5
Enforce Mobile Security Policy usingNetwork
Access Control Process
Connection to Enterprise
Policy Check
Default Deny

• Software up-to-date?
• Standard configuration?
• Recently scanned?

Update Scan

• Auto update
• User update

Network Access ControlProcess
Monitor

• Agent based
• Network based

Quarantine if non-Compliant

• No connectivity or
• Limited connectivity

6
Separate Personal Data from Endpoint
X
X
Personality on single device with system image
and applications
Remote Control "Rats Nest" access anarchy,
Trojan architecture
Personality not Stored on Endpoint
Stored Centrally
Virtualization
Transportable
Central Applications
Central Data or Backup
Central Support
Presentation Logic
7
Remote Trust Topology Models
Full extension of trust to remote system
WAN
IPSEC VPN
WAN
Protected terminal connection
SSL VPN
Protected connection to verifiable end point
WAN
Virtual management
8
How to Put Trusted Code on Untrusted Host
1) Remote Access object ispushed/pulled
Enterprise
2) It has a protected interface
Workstation Operating System
3) Host OS conditions can be evaluated
Trusted Object
4) Info can be collected on time, place, history,
etc.
5) Incoming access privileges determined
dynamically
6) Session information protected from rest of
workstation
9
Manage Trust Dynamic Access Levels
Company device
Full access
Personal device (registered)
Partial access
Extremely limited access
Unknown device
X
Lock device, lock gateway, set alarms
?
Company device
?
Directory and policy servers
10
ComparingManagement and Mobility Approaches
Network Access Control
Hardening
Verification
How many add-ons?
Web Apps
Terminal
App/Desktop
PortablePersonality
OS/Hardware
PDA Phone BlackBerry
Decrease Contact withNetwork
Limited Device
Wireless
Virtual physical connection betweenend point
and Enterprise
Laptop
Avoid your customers network
11
Architectural Considerations

• Where processing occurs
• Locally on platform CPU
• Locally on smart peripheral
• Remotely on workstation
• Remotely on server
• Where data is stored
• Locally on platform
• Locally on smart peripheral
• Remotely on workstation
• Remotely on server
• Third party

• How connection is protected
• Physical connection
• VPN (supports ad hoc routing)
• SSL (supports specific applications)
• Degree to which it fails safe
• Boundary permeability
• Environment persistence
• Management
• Ownership
• Responsibility
• Budget