Mobile Device Security - Responsible Not Repressive
•Télécharger en tant que PPTX, PDF•
1 j'aime•750 vues
Users want mobility and their own devices on the network - IT wants security! How can both groups get what they need? Tools exist to make that happen and this presentation provides an overview of what National Gypsum did recently (2011/2)
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Mobile Device Security - Responsible Not Repressive
Similaire à Mobile Device Security - Responsible Not Repressive (20)
Plus de Mike Brannon
Plus de Mike Brannon (12)
Dernier
Dernier (20)
Mobile Device Security - Responsible Not Repressive
- 1. Responsible Not Restrictive Mike Brannon Dir. Infrastructure & Security, National Gypsum 1
- 2. National Gypsum Company is a fully integrated building products manufacturer Headquartered in Charlotte, NC with mines and quarries, and manufacturing plants across North America 2
- 3. National Gypsum and MobileIron Nov 2009 June 2012 (National Gypsum (M2) buys MobileIron) iPads sold by 0 >70 million Apple MobileIron 7 2300 customers … countries 2 32 … employees 39 320 3 MobileIron - Confidential 3
- 4. National Gypsum Mobile Requirements Business users pick devices they want (not Blackberry) SECURE process to enable / allow BYOD phones, iPads ActiveSync and Juniper VPN connections DEVICE level security and respect for “employee data” – PIN/passcode, device / backup, encryption – NO jailbreaks, MDM and SW inventories Elected NOT to use most “mobile intel” – employee issues – Using last location / international warning message Next: PKI SCEP mgmt, app deployment coming, iOS domination 4
- 5. Evolving Mobile Strategy FIRST: Email It’s all about email all the time NEXT: Personal tools Leverage the app store for personal tools • Sales/service, office, plant, engineers – DIVERSITY NOW: Connecting data Connect our data/processes with employees, partners, customers • NGC4ME is .NET custom web app – one-stop shop • SharePoint is private cloud/content manager/etc. 5
- 6. Principles / Learning… Do not custom develop unless absolutely required – Leverage smart devices and off-the-shelf components – Stay away from super customized work – takes resources – Approach as “Systems Integrator” – assemble proven components Keep focused on USABLE solutions to business issues – “Voice of the Customer” as the priority guide! Remember technically simple solutions are better (Agile/Nimble) – Cannot assume that “best” will always be “best” Leverage existing technology components – Microsoft AD/PKI, Servers; Juniper VPN; .NET Development Security cannot just say NO – offer the secure option 6
- 7. What we implemented ActiveSync email access – Exchange 2007/ISA then; – Now Exchange 2010 and Juniper/Junos Pulse – All devices “under management”; all users Juniper – Junos Pulse VPN access (iPad/iOS) – SharePoint and .NET web applications delivered (“NGC4ME”) -- SharePlus and Colligo Briefcase Field sales / customer svc / marketing deployment – Collection of apps (BrainShark/SharePlus/Concur) – Now working on custom app / deployment / one click (NGC4ME) Legal / security issues with some approaches – DropBox NOT permitted – Box.Com and SharePoint in use instead – Avoid “personal accounts” in favor of more “enterprise ready” answers 7
- 8. High Level Architecture PKI Server, MobileIron HSM iPad NGC AD Servers MobileIron Enrollment iPhone, Juniper SSL VPN • Policy Checking Android MDM Configuration • WiFi, VPN, Certs/Apps Exchange CAS SharePoint / .NET Mailboxes Exchange CAS Sentry MI Sentry • Email is „User Driver” Juniper VPN as Proxy • AD Integrated SQL Databases SharePoint Portal/.NET • Windows Servers SQL • XML Interfaces M/F Mainframe 8
- 9. App Challenges - Responses Challenge Response Beyond email, our employees SharePoint is open, web leverage shared content oriented content manager Apps deliver data into SharePoint Users save data into team sites, (Reports, Search-BCS) workflow and email ties “Personal Cloud” based upon MySites and user profiles Simple web forms SharePoint Lists – Mobile Safari OR Apps (see below) Surveys, pictures and easy Colligo, SharePlus, Filamente analysis (More complex!) and Docs2Go provide great tools 9
- 10. Core philosophy – Responsible but not restrictive Vision: “Do the right thing for the right reason” (Security, risk & compliance – collaboration with the business) Security cannot just say NO … Must offer a secure option Business Need Options Proposed Response / Solution Easy-to-use cloud DropBox, iCloud, various Internal users: storage “personal” storage SharePoint MySites accounts and services External: Box.Com Full-fidelity Keynote conversion, Business account: presentations with personal Slideshare, BrainShark animations SlideShark 10
- 11. Thank you 11
Notes de l'éditeur
- Late 2007 – Only corporate procured Blackberry allowed – BES for security and controlMove to “user choice” as the number of good choices multiplied iPhone (ATT Only) and Android / Win Mobile (Mostly Verizon) phones start replacing BlackberryNeeded a way to setup and enforce consistent policy across a varied fleet of devices! But how?2008 Audit finings!2009 project to improve security – MobileIron decision / deployment!
- Current requirements – Beyond “email on my phone” and now moving into “I need a mobile application”Biggest threat – lost or stolen / misused/abused devices – Data loss and unauthorized data accessEnrollment REQUIRED – Easy to do – But some controls to prevent casual, unmanaged connections PIN/Passcode Required - NOT Simple, minimum 6 characters/numbers, wipe after too many tries…Enforced device and backup data encryption – Jailbreaking not supported!!SW Inventory Required – Plans to deploy / manage SW more in near future!!
- Initially mobile users wanted access to their email – Continues to the BIG DRIVER across the board for mobile device connectionBlackberry served that purpose well – secure and managedMore user choices – Improved smart phones – move away from BlackberryNew smart phones – iPhone, Android – APP STORES – users choose devices and users access their own applicationsSales reps managing contacts, documents and their own information – STOP traveling with laptops all the timeiPad comes along and explosion of user app choices – Some reps practice real ‘laptop elimination” in favor of more mobile deviceExplosion of design and sales tools – architects, retail store personnel – Start trying to leverage INTERNAL data via APPS - SharePoint clients, Mobile SafariEngineers, Quality Control – Plant folks with iBooks, Kindle – SharePoint and web based appsHTML5 server content Juniper e=reverse web proxy“less” IE Specific Support requirements - .NET Apps – NGC4ME and SharePointUSER SIDE: Increasing numbers of devices per user – iPhone, iPad and a Laptop – Sometimes other devices – iPod Touch, mix and match device level!
- IT as a “System Integrator” – Limited resources and fast moving providers limit our interest / ability to DEEPLY CUSTOMIZEOpen up choice as much as possible WITHOUT compromising data / systems security too muchStay focused on delivering business user valueLeverage and integrate with EXISTING technology – Internal PKI – Juniper SSL VPN (Junos Pulse) -- .NET Development (HTML5) SQL and XML Integration
- Two Key Mobility Tools:MobileIron for Security / MDMJuniper Secure Access for authentication, access control, server protection – VERY Robust solution that covers far more than these mobile devices –Customer / Partner extranet, Associate VPN and/or basic intranet accessExchange Server 2010 email and related contentSharePoint 2007 data stored/managed; ECM / reports / simple apps.NET Web services and sites – Tight connections into IBM Mainframe transaction processing and hosted SAP financial systems(XML Gateway / data connections from Software AG tools)
- Link iOS to SharePoint contentLeverage rich SharePoint Apps in the App Store to access / edit / update LISTS, PICTURES/MEDIA“Personal Cloud” – Windows Laptop tied to MYSITES – App on iPad tied into Document Libraries
- Our core philosophy is provide for responsible, flexible secure use – without being too restrictiveMI Agent on device and system gives us structure around granting access – delivering configuration, content and security controlsUser benefits and business productivity more than offset the perceived costsDue to content management, e-discovery and related legal hold concerns we made a decision NOT to allow use of personal level accounts connected to DropBox (or other personal cloud services).Setup internal “managed cloud” via iOS Apps that access Sharepoint readily.Internal users with a significant need for external sharing leverage BOX.Net – Business account is centrally managed – subject legal holds, searches for e-Discovery Same for BrainShark