Mobile Internet Device Security: Some Introductory Slides

Presentation Transcript

Slide 1

Mobile Internet Device Security: Some Introductory Slides. Educause Security Professionals, Atlanta GA, April 12th-14th, 2010. Joe St Sauver, Ph.D., Internet2 Security Programs Manager, Internet2 and the University of Oregon (joe@uoregon.edu or joe@internet2.edu). http://www.uoregon.edu/~joe/cell phone security/ Disclaimer: all opinions expressed are those of the author and do not necessarily represent the opinion of any other entity or organization.

Slide 2

The Format Of This Session. The format of this session is a little different from traditional Educause Security Professionals sessions:
- it is an experimental "Hot Topics" session that combines two presentations by two different speakers on topics of substantial emerging community interest
- each lead presenter will give a brief 15-20 minute "introductory" or "framing" presentation, with the remainder of the session reserved for discussion
- this session is also being netcast, to allow interested people who couldn't come to Atlanta to participate anyway

Slide 3

This Part of Today's Hot Topic Session: Security of Mobile Internet Devices. For the purposes of this session, we'll define "mobile Internet devices" to be the sorts of things you might expect: iPhones, BlackBerry devices, Android phones, Windows Mobile devices, etc. - pocket-size devices that can access the Internet via WiFi, cellular/3G, etc. If you like, we can extend the definition to include traditional laptops and tablet PCs such as the iPad (maybe you have big pockets?), and perhaps conventional cell phones, thumb drives, etc. We'll try to draw a hard line at anything that requires fiber connectivity or a pallet jack to move. :-)

Slide 4

Mobile Devices Are Common in Higher Ed. ECAR Study of Undergraduate Students and Information Technology 2009 (http://www.educause.edu/ers0906): About half of the respondents (51.2%) indicated that they own an Internet-capable handheld device, and another 11.8% indicated that they plan to purchase one in the next 12 months [...] Faculty/staff ownership of mobile Internet devices is more complicated: there are a variety of devices available ("Which one(s) should we support?"), the costs of service plans can be high ("It costs how much per month for your data plan???"), and the IRS treats them oddly (see www.irs.gov/govt/fslg/article/0,,id=167154,00.html)

Slide 5

But Are Mobile Internet Devices Secure? Many sites, faced with the ad hoc proliferation of mobile devices among their users, have become concerned: Are all these new mobile Internet devices secure? Sometimes that concern manifests itself as questions:
- Who has one?
- Is there PII on them? What if one gets lost or stolen? Does it have "whole device" data encryption? Can we send the device a remote "wipe" or "kill" code?
- How are we syncing/backing those devices up?
- Do we need antivirus protection for mobile devices?
- Is all the WiFi/cellular/3G traffic encrypted? Will they work with our VPN (even with VPN hardware tokens)?
- And how's our mobile device security policy coming?

Slide 6

Let's Start With a Very, Very Basic Question. Who at your site has a mobile Internet device? You simply may not know - users will often purchase mobile devices on their own (particularly if it's hard/unusual for a site to do so for its staff). Those devices may connect via a third-party/commercial network, and may not even directly access your servers. If those devices do access your servers, then unless they need to authenticate to do so, you may not realize that it is a device belonging to one of your users. Proposition: If you don't know who has a mobile Internet device, you probably also don't know how those devices are being configured and maintained, or what data may be stored on them.

Slide 7

A Semi-Zen-like Koan. "If I didn't buy the mobile device, and the mobile device isn't using my institutional network, and the mobile device isn't directly touching my servers, do I even care that it exists?" (Not quite as pithy as, "If a tree falls in the woods when nobody's around, does it still make any sound?" but you get the idea.) Yes, you should care. You may think that that device isn't something you have to worry about, but at some point that WILL change. Suddenly, for some reason (or seemingly for no reason at all) at least some of those devices WILL begin to use your network and/or servers, or some of those devices WILL end up receiving or storing personally identifiable information (PII).

Slide 8

Want Influence? It'll Probably Cost You… This is the slide that I hate including, but if you want the ability to influence/control what happens on mobile Internet devices on your campus, you're probably going to need to "buy your way in." If you purchase mobile Internet devices for your faculty or staff, you'll then have a recognized basis for controlling/strongly influencing (a) what gets purchased, (b) how those devices get configured, and (c) (perhaps) you'll then even know who may be using these devices. Similarly, if you have a discounted/subsidized/required mobile device purchase program for students, you may be able to control/strongly influence what they purchase, how those devices get configured, etc. But buying in may not be cheap…

Slide 9

Mobile Data Plans Are Expensive. One factor that I believe is a barrier to mobile device deployment at some institutions is the cost of the service plans required to connect the devices. For example, while the iPhone 3GS itself starts at just $199 for qualified customers, the monthly recurring costs currently range from $69.99 to $99.99 from AT&T in the U.S., plus a text messaging plan of up to $20/month. (Domestic service plans for BlackBerry devices, e.g., from Verizon, tend to be comparable.) Consequently, iPhones for 20,000 users would cost from $1.6 to $2.4+ million/yr! If you travel internationally, international voice and data use is extra, ranging from $24.99/month for 20MB to $199.99/month for 200MB. Beyond those limits, usage runs from $5/MB to $20/MB (ouch). (You may want to consider disabling data roaming while traveling abroad.)

Slide 10

Are We Seeing A Recapitulation of The Good Old "Managed vs. Unmanaged PCs" Paradigm? For a long time, way back in the "old days," traditional IT management pretended that PCs didn't exist. While they were "in denial," people bought whatever PCs they wanted and "managed" them themselves. While that sometimes worked well, at other times chaos reigned. Today's more closely managed "enterprise" model was the result of that turmoil. At some sites, standardized PC configurations are purchased, tightly locked down, and then centrally administered. While I'm not a fan of this paradigm, I recognize that it is increasingly common. Are we re-experiencing that same evolution for mobile Internet devices? Or are we still denying that mobile Internet devices even exist? What policies might we see?

Slide 11

An Example Device Policy: Device Passwords. If a mobile Internet device is lost or stolen, a basic technical control preventing access to/use of the device is the device's password. Users hate passwords, and left to their own devices (so to speak), they may use a short (and easily defeated) one, such as 1234. You/your school may prefer that users use a longer and more complex password, particularly if that mobile Internet device is configured to automatically log in to your VPN or the device has sensitive PII on it. You may even require use of two-factor auth for your VPN, or require the device to wipe itself if it detects that it is the target of a password brute-force attack. If the device is managed, you can require these things.

Slide 12

Managing Mobile Internet Device Policies. Because Blackberries (42.1% U.S. market share as of April 2010 reports, see tinyurl.com/comscore-mkt-share) and iPhones (25.4% U.S. market share) are the most popular mobile Internet devices, we'll focus on them for the following discussion. (Usage patterns will probably differ in higher ed, but if anything, I'd expect a greater iPhone market share in higher ed than anywhere else.) Both RIM and Apple offer guidance for configuring and centrally managing their mobile Internet devices in an enterprise setting. If you're interested in what it would take to centrally manage these devices and you haven't already seen these documents, I'd urge you to see:
- na.blackberry.com/eng/ataglance/security/it_policy.jsp
- manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

Slide 13

Example: What Can Be Required for iPhone Passwords? Looking at the iPhone Enterprise Deployment Guide:
- you can require that the user *have* a password
- you can require a *long*/*complex* password
- you can set the max number of failed attempts (or the max days of non-use) before the device is wiped (the device can then be restored from backup via iTunes)
- you can specify a maximum password change interval
- you can prevent password reuse via password history
- you can specify an interval after which a screen-lock-like password will automatically need to be re-entered
RIM offers comparable controls for BlackBerry devices.

Slide 14

Other Potential Local iPhone "Policies" Include:
- Adding or removing root certs
- Configuring WiFi, including trusted SSIDs, passwords, etc.
- Configuring VPN settings and use
- Blocking installation of additional applications from the AppStore
- Blocking Safari (e.g., blocking general web browsing)
- Blocking use of the iPhone's camera
- Blocking screen captures
- Blocking use of the iTunes Music Store
- Blocking use of YouTube
- Blocking explicit content
Some of these settings may be less applicable or less important to higher ed people than to corp/gov users.
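The passcode requirements in Slides 11 and 13 and the restrictions in Slide 14 correspond to two payloads of an iPhone configuration profile. The following is an added example, not code from the slides or from Apple's deployment guide: it builds such a profile with Python's plistlib and audits a profile against a minimum passcode baseline. The payload types and keys are Apple's documented names; example.edu, the chosen values and the baseline thresholds are assumptions.

```python
import plistlib
import uuid
# Constructed example: build a profile with the passcode and restriction payloads the
# slides describe, then audit a profile against a minimum passcode baseline.
PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Apple's passcode payload type
RESTRICTIONS = "com.apple.applicationaccess"          # Apple's restrictions payload type

def payload(ptype, ident, **settings):
    """Wrap settings in the header fields every profile payload must carry."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()), **settings}

def build_profile(org="example.edu"):  # org and all values below are placeholders
    passcode = payload(PASSCODE, f"{org}.passcode",
        forcePIN=True,             # the device must have a passcode at all
        allowSimple=False,         # rejects "1234"-style sequences and repeats
        requireAlphanumeric=True,  # long/complex passcode, not digits only
        minLength=8,
        maxFailedAttempts=10,      # wipe after 10 wrong guesses (brute-force defence)
        maxPINAgeInDays=90,        # maximum passcode change interval
        pinHistory=5,              # blocks reuse of the last 5 passcodes
        maxInactivity=5, maxGracePeriod=0)  # lock after 5 idle minutes, passcode at once
    restrictions = payload(RESTRICTIONS, f"{org}.restrictions",
        allowAppInstallation=False, allowSafari=False, allowCamera=False, allowScreenShot=False,
        allowiTunes=False, allowYouTube=False, allowExplicitContent=False)
    return {"PayloadType": "Configuration", "PayloadIdentifier": f"{org}.baseline",
            "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
            "PayloadContent": [passcode, restrictions]}

# Weakest acceptable passcode settings (assumed thresholds); anything weaker is flagged.
BASELINE = {"minLength": 6, "pinHistory": 3, "maxFailedAttempts": 10, "maxPINAgeInDays": 180}

def audit(profile):
    """Return passcode-policy findings for a profile given as a dict or as XML plist bytes."""
    prof = plistlib.loads(profile) if isinstance(profile, bytes) else profile
    pc = next((p for p in prof.get("PayloadContent", []) if p["PayloadType"] == PASSCODE), None)
    if pc is None:
        return ["no passcode policy payload"]
    findings = []
    if not pc.get("forcePIN"):
        findings.append("passcode not required")
    if pc.get("allowSimple", True):  # Apple's default when the key is absent
        findings.append("simple passcodes allowed")
    for key in ("minLength", "pinHistory"):  # must be at least the baseline
        if pc.get(key, 0) < BASELINE[key]:
            findings.append(f"{key} below baseline")
    for key in ("maxFailedAttempts", "maxPINAgeInDays"):  # must be at most the baseline
        if pc.get(key, float("inf")) > BASELINE[key]:
            findings.append(f"{key} above baseline or unset")
    return findings
```

`plistlib.dumps(build_profile())` yields the XML that a .mobileconfig file holds, and `audit()` accepts either that XML or the dict.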
