Monday, 29 September 2008

Mobility and Security Management Cycle

Security requires management, management requires security.

Cycle: Manage-Secure-Defend-Budget-Specify-Configure

  • How does mobility affect the challenge of management and security?
  • What are the key implementation decisions for security and management?

Management becomes more difficult when personal devices must be managed and secured (makes me think of devices bought by departments and faculties).

Platforms each require infrastructure for security and management: Blackberry, Windows Mobile, PC, personal PC, Nokia… But if we restrict platform support, people forward mail from a managed device to a personal account, and then what happens to the security?

Recommendations: apply security policy at the point that a device is provisioned. Change management should check whether the device is within compliance. As issues are solved, move them out of the responsibilities of the security group—those problems are solved, and the security group needs to look constantly to the future. Network access control; VPN; patch management; local data encryption; port/peripheral usage control; firewall; anti-spyware; anti-virus. For us, many of these things are rightly handled by "operations"—but maybe we need to look to the others.

  • What are the inherent weaknesses of the device?
  • What default measures will strengthen device security?
  • What exposures are caused by the way the device is used?
  • What security measures and user practices will reduce exposure?
  • Can the device configuration be monitored or controlled?
  • Will good management reduce operations and support costs as well as improve security?

Consider that all the above questions need to be asked for each type of device that we use…

We may be at odds with users' requirements to ensure security. It is interesting that the speaker says that we don't have time to evaluate Windows updates before we apply them; we should just accept the risk of deploying straight away. EFS is not worth using unless you follow best practices; otherwise it is too easy to break. Encryption and strong authentication are much better than remote lockdown/erase for mobile devices.

Securing Wi-Fi is going to be a big problem moving forward: too many different kinds of devices.

  • Trusted devices: corporate-issued, fully controlled (ISS managed PCs)
  • Tolerated devices: limited to safe interactions
  • Unwanted devices: uncontrolled, unmanaged

Speaker used this grid to show that there is a landscape of issues, and that we must look to converge on solutions that cover multiple areas of the grid—though there are different strategies for doing that. I think that we would benefit from looking to build a list of devices appropriate to the institution and determine how we are approaching the different areas of concern versus how we ought to approach them.

 

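|                      | Encryption | Lock/wipe | Backup/restore | Inventory & audit | Patch update | Software distribution | Anti-malware | VPN | User auth |
|----------------------|------------|-----------|----------------|-------------------|--------------|-----------------------|--------------|-----|-----------|
| Company desktop      |            |           |                |                   |              |                       |              |     |           |
| Company notebook     |            |           |                |                   |              |                       |              |     |           |
| Windows Mobile       |            |           |                |                   |              |                       |              |     |           |
| Contractor PC        |            |           |                |                   |              |                       |              |     |           |
| Employee notebook    |            |           |                |                   |              |                       |              |     |           |
| Portable personality |            |           |                |                   |              |                       |              |     |           |
| iPhone               |            |           |                |                   |              |                       |              |     |           |
| Blackberry           |            |           |                |                   |              |                       |              |     |           |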
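One way to start filling in the grid, as an added example that is not from the talk or the original notes: it records which controls each device type has today, compares that with what its intended class (trusted or tolerated) requires, and ranks controls by how many device types a single rollout would bring into line. The per-class requirements and all inventory entries are assumptions made up for illustration.

```python
# Added example: gap analysis over the device/control grid from these notes.
# Column names and device types come from the grid (a subset of its rows);
# the tier requirements and every inventory entry are constructed assumptions.
from collections import Counter

CONTROLS = ["encryption", "lock/wipe", "backup/restore", "inventory & audit",
            "patch update", "software distribution", "anti-malware", "VPN",
            "user auth"]

# Assumed policy: controls a device type needs to qualify for each tier.
REQUIRED = {
    "trusted": set(CONTROLS),
    "tolerated": {"encryption", "anti-malware", "VPN", "user auth"},
}

# Constructed inventory: device type -> (intended tier, controls in place today).
INVENTORY = {
    "Company desktop": ("trusted", set(CONTROLS)),
    "Company notebook": ("trusted", set(CONTROLS) - {"lock/wipe", "backup/restore"}),
    "Windows Mobile": ("trusted", {"user auth", "VPN", "inventory & audit"}),
    "Contractor PC": ("tolerated", {"anti-malware", "user auth"}),
    "Employee notebook": ("tolerated", {"anti-malware", "VPN", "user auth"}),
    "iPhone": ("tolerated", {"user auth"}),
}

def gaps(inventory=INVENTORY, required=REQUIRED):
    """How we approach each device versus how we ought to: missing controls."""
    missing = {d: required[tier] - have for d, (tier, have) in inventory.items()}
    return {d: m for d, m in missing.items() if m}

def effective_tier(device, inventory=INVENTORY, required=REQUIRED):
    """Tier the device qualifies for today; 'unwanted' if it meets neither."""
    have = inventory[device][1]
    for tier in ("trusted", "tolerated"):
        if required[tier] <= have:
            return tier
    return "unwanted"

def convergence_ranking(inventory=INVENTORY, required=REQUIRED):
    """Rank controls by how many device types one rollout would bring into line."""
    counts = Counter(c for m in gaps(inventory, required).values() for c in m)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for device, (intended, _) in INVENTORY.items():
        print(f"{device:18} intended={intended:9} today={effective_tier(device)}")
    for control, n in convergence_ranking():
        print(f"{control:22} missing on {n} device type(s)")
```

With this constructed inventory, encryption is the control missing on the most device types, which is the kind of converging solution the grid is meant to surface.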

         


 


 
