The document discusses how a company can securely manage employee-owned mobile devices (BYOD) using MobileIron. It summarizes the company's transition from company-owned Blackberries to allowing any device. MobileIron provides centralized policy enforcement and security across all devices. It allows separating personal and work data, enforcing access controls, and remotely wiping lost devices. The document also discusses providing secure access to corporate resources beyond email and ensuring that privacy and international roaming policies are followed.
4. BUSINESS ISSUES
• From Company Owned Blackberry to Bring Your Own Device
• From Field Reps/Managers to Any Employee
• Approval From Supervisor (“Business Need”)
• Allowed Devices - Any Carrier - iPhone, Android, Windows -
• Initial Application - Access Exchange - eMail, Calendar, Contacts
5. SECURITY POLICY - AUDIT ISSUES
• Protect “Corporate Data” and Access To Systems (eMail)
• Old Blackberry - Had 4 Character PIN / Inactivity Timeout and Wipe - BES Provisioning and Management
• Minimal Protection on ActiveSync Devices “Enforced” Via Exchange Policy But Device Dependent - “Mileage Varies!”
• ActiveSync Configuration W/O IT Enrollment
• No “Unified Audit Trail” - Scattered Logs Across Systems
6. LOOKING FOR CONTROL TOOLS
• Limited Tools Available in 2008/9 TimeFrame
• Identified MobileIron System - Conducted Testing / POC
• Supported All Policy Enforcement Needs - All Devices
• Excellent Separation of User Data from Business Data on iOS
• Simple Enrollment and Distribution of Client Agents
• Simple Deployment of System - Appliance and Server Agent
11. WHERE ARE WE NOW?
• Blackberry Usage Dropping - Users Switching Away
• New Users Connecting Via ActiveSync (iOS and Android)
• Policies Now Equally Enforced Across All Mobile Devices
• User Self Service / Minimal IT Effort In Deployment
• Users Adopting iPad / Tablet Mobile Devices
• Research Project To “Deliver App / Data” to iOS - iPad/iPhone
12. ACCESS TO MORE THAN EMAIL
• Mobile Device Browsers Work Really Well...
• Users Want Access To Their Data / Systems - Outside eMail
• Juniper Secure Access and Junos Pulse Provide Access
• Same Gateway Used For Remote Access
• Robust Security and Granular Access / Roles for Users
16. IPAD ACCESS - APPLICATIONS
• Data Access To More Than eMail Attachments - All Files
• Device / Backup Encryption Turned On in MobileIron
• Best Way To Access User Data?
• DropBox? Google Docs? Transfer Directly To iPad?
• Leverage SharePoint MySites / Team Sites Via Client
• “There’s An App For That” - Filamente (AirCreek)
• Juniper Provides VPN After SecurID Authentication
17. WHAT ARE THE THREATS?
• Malware On Devices Exists But Not Yet In Numbers
• Enforce App Store Use (No JailBreaking) As Control
• Minimal Business Need For “Device Control” Today
• Could Control SW Install, Device Features, Content Filters
• Biggest Exposure - Lost / Stolen Devices, Device Swaps
• Data Access, Data On Device and Backups
• MobileIron “Find My Phone” - Remote Lock and Wipe
• PIN / Pass Code - Automatic Wipe After Guessing Wrong
18. BUSINESS INCENTIVES
• People Like Security
• They Don’t Like Inconvenience
• Balance Is Needed!!
• “I NEED My Email Now!”
19. PICKING OUR PIN POLICY
• Devices Default To Open Access - But Support PIN Lock
• Users Very Rarely Want The Security Enough (vs Ease of Use)
• NIST Guidance on PIN / Passwords - Pub. 800-63 (“Entropy”)
• “Level 1 PIN” - Simple But Effective Versus Guessing...
• Andrew Jaquith - “Picking A Sensible Mobile Password”
• Trade Off Between “Secure Enough and User Pain”
20. PIN SETTINGS
• PIN Length / Format: 8 Characters - No Simple PIN | 6 Characters - No Simple PIN
• Lock and Wipe Settings: Lock 15 Minutes, 2 Minutes Grace, 8 Tries - Wipe | Lock 30 Minutes, 2 Minutes Grace, 10 Tries - Wipe
• Change Policy?: No PIN Expiration (AD Passwords Expire Like PC) | No PIN Expiration (AD Passwords Expire Like PC)
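An added example (not from the original slides) that puts numbers on the “secure enough” trade-off for the two PIN settings above: it computes the chance of guessing a PIN before the wipe triggers and compares it with the guessing limits in NIST SP 800-63. It assumes numeric PINs chosen uniformly at random and a hypothetical definition of “simple PIN” (one repeated digit or a straight run); the function names are illustrative.

```python
from fractions import Fraction
from math import log2

# Maximum allowed probability of a successful guessing attack, per assurance
# level, as stated in NIST SP 800-63 (the revision current when the slides were made).
NIST_LIMIT = {1: Fraction(1, 2**10), 2: Fraction(1, 2**14)}

def simple_pins(length):
    """Assumed 'simple PIN' rule: one repeated digit, or a straight
    ascending/descending run. A real MDM may define this differently."""
    digits = "0123456789"
    pins = {d * length for d in digits}
    for start in range(10 - length + 1):
        run = digits[start:start + length]
        pins.add(run)          # e.g. 123456
        pins.add(run[::-1])    # e.g. 654321
    return pins

def guess_risk(length, tries_before_wipe, allow_simple):
    """Best case for the defender: the PIN is uniform over the allowed
    keyspace, and the finder of a lost device gets tries_before_wipe guesses.
    Real user choices are skewed, so actual risk is higher than p_guess."""
    keyspace = 10 ** length
    if not allow_simple:
        keyspace -= len(simple_pins(length))
    p = Fraction(tries_before_wipe, keyspace)
    level = max((lvl for lvl, lim in NIST_LIMIT.items() if p <= lim), default=0)
    return {"keyspace": keyspace, "bits": log2(keyspace),
            "p_guess": p, "meets_level": level}

if __name__ == "__main__":
    # The first two rows are the settings on the slide; the 4-digit rows are
    # constructed comparisons showing where the Level 1 limit is crossed.
    cases = [
        ("8 digits, no simple, 8 tries", 8, 8, False),
        ("6 digits, no simple, 10 tries", 6, 10, False),
        ("4 digits, simple ok, 8 tries (constructed)", 4, 8, True),
        ("4 digits, simple ok, 10 tries (constructed)", 4, 10, True),
    ]
    for label, length, tries, simple in cases:
        r = guess_risk(length, tries, simple)
        print(f"{label:45s} bits={r['bits']:5.1f} "
              f"p={float(r['p_guess']):.2e} level={r['meets_level']}")
```

Under these assumptions both slide settings clear the Level 2 limit, while a 4-digit PIN with 10 tries (1 in 1000) falls just short of the Level 1 limit of 1 in 1024.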
21. PRIVACY ISSUES
• Mobile Intelligence / Activity Monitoring Features
• Track Cell Tower Connections / Location of Device
• Collect Call Logs and All SMS Messages
• Set To Ignore Calls/SMS and Track “Current Location” Only
• Concerns About Collecting Data and Controls / Management
• Not Presently Any Security / Business Requirements
22. AGENT INTERACTION
• Updates, Profiles, Certificates
• Report Dropped Calls
• Check Data Speeds
• iOS Only Features
• Links to iTunes App Store
• App Delivery Direct to iOS