The document discusses how a company can securely manage employee-owned mobile devices (BYOD) using MobileIron. It summarizes the company's transition from company-owned Blackberries to allowing any device. MobileIron provides centralized policy enforcement and security across all devices. It allows separating personal and work data, enforcing access controls and remote wiping lost devices. The document also discusses providing secure access to additional corporate resources beyond email and ensuring privacy and international roaming policies are followed.

1. SECURING “BYOD”
How We Secure Mobile Devices That We Do Not OWN...

2. People Love Their Smart-phones!!

3. People Love Their Smart-phones!!

4. BUSINESS
ISSUES
• From Company Owned Blackberry to Bring Your Own Device
• From Field Reps/Managers to Any Employee
• Approval From Supervisor (“Business Need”)
• Allowed Devices - Any Carrier - iPhone, Android, Windows -
• Initial Application - Access Exchange - eMail, Calendar, Contacts

5. SECURITY POLICY - AUDIT
ISSUES
• Protect “Corporate Data” and Access To Systems (eMail)
• Old
Blackberry - Had 4 Character PIN / Inactivity Timeout and
Wipe - BES Provisioning and Management
• Minimal
Protection on ActiveSync Devices “Enforced” Via
Exchange Policy But Device Dependent - “Mileage Varies!”
• ActiveSync Configuration W/O IT Enrollment
• No “Unified Audit Trail” - Scattered Logs Across Systems

6. LOOKING FOR CONTROL
TOOLS
• Limited Tools Available in 2008/9 TimeFrame
• Identified MobileIron System - Conducted Testing / POC
• Supported All Policy Enforcement Needs - All Devices
• Excellent Separation of User Data from Business Data on iOS
• Simple Enrollment and Distribution of Client Agents
• Simple Deployment of System - Appliance and Server Agent

7. AVAILABLE OPTIONS?
• MANY Options Now
• Leader Quadrant
• Successful PoC

11. WHERE ARE WE NOW?
• Blackberry Usage Dropping - Users Switching Away
• New Users Connecting Via ActiveSync (iOS and Android)
• Policies Now Equally Enforced Across All Mobile Devices
• User Self Service / Minimal IT Effort In Deployment
• Users Adopting iPad / Tablet Mobile Devices
• Research Project To “Deliver App / Data” to iOS - iPad/iPhone

12. ACCESS TO MORE
THAN EMAIL
• Mobile Device Browsers Work Really Well...
• Users Want Access To Their Data / Systems - Outside eMail
• Juniper Secure Access and Junos Pulse Provide Access
• Same Gateway Used For Remote Access
• Robust Security and Granular Access / Roles for Users

16. IPAD ACCESS - APPLICATIONS
• Data Access To More Than eMail Attachments - All Files
• Device / Backup Encryption Turned On in MobileIron
• Best Way To Access User Data?
• DropBox? Google Docs? Transfer Directly To iPad?
• Leverage SharePoint MySites / Team Sites Via Client
• “There’s An App For That” - Filamente (AirCreek)
• Juniper Provides VPN After SecurID Authentication

17. WHAT ARE THE THREATS?
• Malware On Devices Exists But Not Yet In Numbers
• Enforce App Store Use (No JailBreaking) As Control
• Minimal Business Need For “Device Control” Today
• Could Control SW Install, Device Features, Content Filters
• Biggest Exposure - Lost / Stolen Devices, Device Swaps
• Data Access, Data On Device and Backups
• MobileIron “Find My Phone” - Remote Lock and Wipe
• PIN / Pass Code - Automatic Wipe After Guessing Wrong

18. BUSINESS INCENTIVES
• People Like Security
• They Don’t Like Inconvenience
• Balance Is Needed!!
• “I NEED My Email Now!”

19. PICKING OUR PIN POLICY
• Devices Default To Open Access - But Support PIN Lock
• Users Very Rarely Want The Security Enough (vs Ease of Use)
• NIST Guidance on PIN / Passwords - Pub. 800-63 (“Entropy”)
• “Level 1 PIN” - Simple But Effective Versus Guessing...
• Andrew Jacquith - “Picking A Sensible Mobile Password”
• Trade Off Between “Secure Enough and User Pain”

20. PIN SETTINGS
8 Characters - 6 Characters - No
PIN Length / Format
No SImple PIN SImple PIN
Lock 15 Minutes Lock 30 Minutes
Lock and Wipe
2 Minutes Grace 2 Minutes Grace
Settings
8 Tries - Wipe 10 Tries - Wipe
No PIN Expiration No PIN Expiration
Change Policy? (AD Passwords (AD Passwords
Expire Like PC) Expire Like PC)

21. PRIVACY ISSUES
• Mobile Intelligence / Activity Monitoring Features
• Track Cell Tower Connections / Location of Device
• Collect Call Logs and All SMS Messages
• Set To Ignore Calls/SMS and Track “Current Location” Only
• Concerns About Collecting Data and Controls / Management
• Not Presently Any Security / Business Requirements

22. AGENT INTERACTION
• Updates, Profiles, Certificates
• Report Dropped Calls
• Check Data Speeds
• iOS Only Features
• Links to iTunes App Store
• App Delivery Direct to iOS

23. IOS “APP STORE”
• Links to Apple
• Define/Deliver
• Direct and Store

24. INTERNATIONAL ROAMING
• Detect International Roaming
• Send Text Message Alert
• Send Alert to IT Admins
• Update Plans / Activity

25. REFERENCES
• Surveys - Sybase Survey Telenav Survey
• MobileIron
• Picking PIN Policy - Perimeter Jaquith Blog - NIST 800-63
• iPhone Password Brute Force
CNN Money http://money.cnn.com/galleries/2011/technology/1108/gallery.cybersecurity_tidbits/
Dino Dai Zovi -http://trailofbits.com/2011/08/10/ios-4-security-evaluation/
•