Securing the Moving Target
eWeek Security Summit, September 29, 2004
C. Michael Disabato, Vice President & Service Director, Network & Telecom Strategies, Burton Group
mdisabato@burtongroup.com, www.burtongroup.com

Securing the Moving Target
- Securing wireless is easy:
  - WPA/802.11i for WLANs
  - VPNs for public networks
- But it is not just the wireless, it is the mobility
  - What happens if a device is lost or stolen?
  - Are you protecting the device infrastructure?
- The perimeter is no longer your enterprise firewall; it is in your laptop, PDA, and mobile phone
- You need to think about:
  - Recovering the device
  - Encrypting the data on the device
  - Erasing the data on the device

Agenda
- Mobility Issues
- Virtual Network Operators
- Securing the Device
- Securing the Network Edge
- Configuration Management
- Recommendations
- Conclusions

A "Day in the Life" of a Network User (source: Redback Networks)
One user, but multiple devices and network access services. The slide's timeline:
- 6 – 8 a.m.: Wake up; check work email; check personal email
- 8 – 9 a.m.: Go to coffee shop; drive to work; communicate with office; check traffic
- 9 – 11 a.m.: In office at work
- 11 – noon: In conference room at work
- 12 – 2 p.m.: Lunch with customer; receive proposal on laptop and present it to the customer
- 2 – 4 p.m.: Offsite meeting; authorize orders in the ERP system remotely
- 4 – 6 p.m.: Drive to airport; check traffic and flight; check email at the airport
- 10 – 11 p.m.: Check email in hotel with in-room broadband
Access networks used along the way, each reaching the public Internet or the enterprise network: DSL/cable (1 Mbps), 2.5G/3G (50 – 500 Kbps), partner access (1 Mbps), public WiFi (11 Mbps), corporate WiFi (11 Mbps), in-room hotel broadband (1 Mbps), and T1/DS3 (10+ Mbps).

Mobility Issues: Today's Environment
- Mobile users routinely connect to public networks where their systems are scanned for vulnerabilities
- Viruses are becoming more sophisticated and spread more rapidly
- Spyware is becoming more prevalent
- Mobile devices are easily lost or stolen
- As a result, mobile users:
  - Should be required to run an encrypted VPN
  - Should have a personal firewall
  - Should be running a virus scanner/spyware remover
  - Should be encrypting sensitive files

Mobility Issues: Mobile Employee circa 2004
Diagram of the connections a mobile employee uses in and out of the office: synchronization, dial-up networking, cellular data network and cellular data services, Bluetooth PAN, 802.11 WLAN (corporate, hotspot, or home), the public Internet, and a hands-free speakerphone.

Mobility Issues: New Vulnerabilities
- Connection sharing
  - Wireless technologies built into laptops (Bluetooth, 802.11)
  - Connection sharing enabled by default can allow access to the enterprise network or to the contents of the mobile device
- Public hotspots are not secure
  - Not even Wired Equivalent Privacy (WEP) is enabled
  - Systems are open to ad hoc connections
- Bluetooth devices
  - Can pair with any other Bluetooth device if security is not enabled
  - Bluesnarfing, bluejacking, 'toothing
- In order to ensure a positive "out of the box experience", all connectivity is enabled and all security is disabled

Mobility Issues: Nothing Is Safe...
- Cell phones in Spain were used as "carriers" to infect other devices
- A variant of the "Love Bug" worm used the smartphone (PocketPC) address book to find its next target
- Non-Windows platforms (Mac OS X, Palm, PocketPC) can transmit viruses to Windows machines
- All devices and network segments need to be protected

Mobility Issues: You Left It Where??
- The cost of a lost or stolen device is far less than the potential cost of the information it contains
- Regulations that apply:
  - U.S. Gramm-Leach-Bliley Act
  - U.S. Sarbanes-Oxley Act
  - U.S. Health Insurance Portability and Accountability Act (HIPAA)
  - European Data Protection Directive
  - Canadian Personal Information Protection and Electronic Documents Act
  - U.S. Government Information Security Reform Act (GISRA)
  - U.S. Federal Information Security Management Act (FISMA)

Virtual Network Operators: Pulling It All Together
- Virtual Network Operators (VNOs) offer a solution to remote access management
- Fiberlink, GoRemote (formerly GRIC), iPass, Netifice, and Virtella are VNOs that provide:
  - Billing aggregation
  - Authentication services
  - VPN services
  - Point-of-presence management
  - Policy enforcement
  - A single phone number for user support, regardless of connection
- Billing aggregation pulls information from dial-up, hotspots, and cellular carriers together

Virtual Network Operators: Managing the User
- Client software serves multiple purposes:
  - Can function as a single sign-on regardless of connection type; users authenticate to the VNO's system and through it to the enterprise authentication system
  - Acts as a VPN client
  - Provides a connection finder by location, connection type, and cost
  - Can limit connections to approved networks
  - Works across multiple platforms
- Policy enforcement can include checking for a current virus scanner, an active personal firewall, and/or an active VPN connection

Securing the Device: I Left My Laptop on the Airplane...
- How do you prevent unauthorized access to the data on a mobile device?
  - Recover the device
  - Remotely erase the data
  - Encrypt the data

Securing the Device: Recover the Device ("LoJack for Laptops")
- Computer-tracking services help recover stolen or missing devices
- Based on IP connections, not the Global Positioning System
- When the machine is in recovery mode, the installed agent contacts the service's server at start-up and at regular intervals after that
- Information sent includes machine name and IP address
- Vendors of such software and services include Absolute Software, Stealth Security, and zTrace
- Suffers from the time lag between loss of the device and its recovery, and from the need to connect to the Internet

Securing the Device: Remotely Erase the Data
- PDA solutions
  - Extended Systems: a command can be sent to erase the contents of a Palm, PocketPC, RIM BlackBerry, or Symbian mobile device when it connects to the Internet
  - Xcellenet Systems: can send an empty database, erasing the contents of the mobile database
- Laptop solutions
  - Phoenix Systems: the "BIOS bomb"
  - Xcellenet Systems: can send an empty database, erasing the contents of the mobile database
  - Absolute Software, zTrace, etc.
- Suffers from the time lag between loss of the device and when the erase command is sent, and from the need to connect to the Internet

Securing the Device: Encrypt the Data
- PDA/mobile phone solutions
  - Software can encrypt the contents of Palm OS, PocketPC, and Symbian systems
  - Available from PGP, PDA Defense, Pointsec, F-Secure, PI Technology, and others
- Laptop solutions
  - Encryption for files and disks
  - Built into Windows 2000/XP and Mac OS X 10.3 (Panther)
  - Add-ons from several vendors (PGP, SoftWinter, Pointsec, F-Secure, etc.)

Securing the Network Edge: Contaminating the Environment
- Most network infections occur when a mobile device reconnects to the enterprise network behind the firewall, intrusion detection system, etc.
- "Day zero" infections also cause much damage before systems are inoculated
- Mobile devices must be checked to ensure:
  - The system is clean
  - Patches are up to date
  - Virus scanner, spyware detector, and firewall are running and up to date

Securing the Network Edge: Protecting the Edge, Stopping the Infection
- Mirage Networks
  - Monitors the network behavior of connected devices
  - Blocks port numbers if anomalous behavior is detected
  - Quarantines the infection
  - Requires 3 – 5 "sacrificial lambs" to detect the behavior
  - More effective than detection at the firewall
  - Central control of distributed detection engines
- Perfigo CleanMachines
  - Checks systems prior to allowing connection
  - Maintains a list of "clean machines"
  - Unclean machines are quarantined until they are patched and updated

Securing the Network Edge: Cisco Network Admission Control
- Examines systems to ensure OS patches and virus scanners are current
- The Cisco Trust Agent resides on desktops and laptops and reports the results of virus scans and current patch levels to a Cisco Access Control Server (ACS)
- ACS acts as a repository and policy-enforcement tool
- If a system fails the checks, it is blocked with a Layer 3 access control list (ACL)
- Partnered with Symantec, Network Associates (McAfee), and Trend Micro for virus protection

Configuration Management
- The problem with mobile devices is that they are mobile
- Configuration management can be done when the device "returns home," or updates can be pushed out if the user is permanently remote
- Mobile users are wary of updates to a functioning system
- Updates should be done in the background
  - Files are transmitted to a "staging" folder
  - Installed at next restart or at the user's convenience
  - Download must be restartable
  - Must account for slow connections
- Some method of backing out updates must be available to restore a system in the event an update fails

Configuration Management: mFormation Technologies
- Supports Symbian, Palm, PocketPC, BlackBerry, BREW
- Can update applications and operating system
- Uses an encrypted connection
- Facilitates asset tracking
- Two security modes for lost/stolen devices:
  - Lock the device and preserve data
  - Zap the contents of the device, leaving it either locked or unlocked
- Provides information on connection quality for troubleshooting

Configuration Management: Mobile Automation, Inc.
- Automates detection, deployment, and installation of Microsoft OS and application service packs and hot fixes for desktop and mobile devices
- Can handle local desktops and remote laptops simultaneously regardless of connection type or speed
- Policy management to automatically enforce group-level compliance with desired patch levels
- Web-based remote-assistance solution to provide virtual on-site technical support

Configuration Management: Xcellenet Systems; AirWave, Symbol, and Wavelink
- Xcellenet Systems
  - Can synchronize databases with remote systems
  - Enforces policies regarding virus scanners before allowing connection
- AirWave, Symbol, and Wavelink
  - Policy-based security and configuration management for access points and mobile devices
  - Monitor firmware, applications, OS, and patch levels
  - Can integrate with higher-level managers (Spectrum, OpenView, etc.)

Recommendations: General
- Conduct a risk assessment for all information that travels over mobile connections or resides on mobile devices
- Evaluate the cost of implementing security against the cost to the enterprise of a security or privacy breach, loss of confidence, bad press, etc.
- Provide consistent policies, authentication mechanisms, and security services across all connections, regardless of user location
- Educate your users on their responsibilities
- Business processes that can withstand an audit should be applied to each device

Recommendations: Connections
- Untrusted connections (WLAN hotspots, hotel connections, cellular connections, etc.) should be secured by encrypted VPNs
- Turn off connection sharing and ad hoc networking (file shares)
- Disable any communications facility that is not needed
- For enterprise WLANs, enable Wi-Fi Protected Access (WPA)
- For Bluetooth:
  - Enable Bluetooth security
  - Make the device name non-descriptive
  - Turn off discovery mode
  - Do your Bluetooth pairing in private
- Consider using a Virtual Network Operator

Recommendations: Mobile Devices
- Firewalls, virus scanners, and spyware detectors are necessary
- Automate patch management
- Consider utilities that can remotely erase data
- Use file and disk encryption to protect sensitive information stored on mobile devices
  - Part of Windows 2000/XP and Mac OS X
  - Can be added to PDAs and Symbian phones
  - Encryption utilities need to be transparent to the user
- A tracking service may not make economic sense when the cost of the service is compared to the cost of device replacement
  - Most PDAs and cell phones are under the $500 expense limit
  - PDA technology changes at least yearly
  - Cell phone technology can change as often as twice yearly
- In order to allow recovery of equipment and data, the company must own the equipment; discourage use of employee-owned devices

Recommendations: Establish Provisioning Processes
- Human resources should be the source of hiring and termination information
- Line management should define "who gets what" based on roles and access levels
- Develop processes that support recovery of mobile equipment when people leave the company
  - Erase the contents of devices if they are not turned in
  - Lock corporate devices so they cannot be used

Conclusions
- Mobile devices create serious security issues that can have expensive legal ramifications
- A risk analysis is the first step in determining the level of protection the enterprise requires and the most cost-effective way to realize that protection
- Integrated security solutions will eventually appear, but for now point products will need to be used
- The responsibility for defining and enforcing security policies extends beyond the IT or network department
- If you restrict the use of mobile devices, users will get their own and use them in an insecure manner
- Remember, the cost of the hardware and software is far less than the potential cost and liability of information in the wrong hands
- Security must be unobtrusive and consistent to be effective!
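The admission decision described on the Securing the Network Edge slides (Perfigo CleanMachines, Cisco Network Admission Control) and the VNO policy checks (current virus scanner, active personal firewall) boil down to one evaluation: an endpoint agent reports its posture, a policy server compares it with the required state, and a failing host is confined with a Layer 3 ACL until it is remediated. The following Python is an added example written for this page; it is not code from the slides, from Cisco, Perfigo, Mirage or any VNO. The report fields, the thresholds, the sample patch identifiers, the IOS-style ACL text and the three constructed posture reports are all assumptions. It fails closed on the cases a practitioner has to think about: a missing report, a stale report, and a report dated in the future (clock skew or tampering).

```python
"""Posture check for network admission control (added example; not code from the
slides or from Cisco, Perfigo, Mirage or any VNO).

An agent on the endpoint reports patch level, virus-scanner state and personal
firewall state; the policy server decides admit or quarantine and, on failure,
emits the Layer 3 ACL entries that confine the host to remediation servers.
Field names, thresholds, patch identifiers and the sample reports are all
assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

TODAY = date(2004, 9, 29)  # the summit date; stands in for "now"


@dataclass(frozen=True)
class Policy:
    required_patches: FrozenSet[str]      # patches that must be installed
    max_signature_age_days: int           # virus signatures older than this fail
    max_report_age_days: int              # posture reports older than this fail
    remediation_servers: Tuple[str, ...]  # hosts a quarantined machine may reach


@dataclass(frozen=True)
class PostureReport:
    host: str
    ip: str
    reported_on: date
    installed_patches: FrozenSet[str]
    av_running: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool


@dataclass
class Decision:
    host: str
    admitted: bool
    reasons: List[str] = field(default_factory=list)
    acl: List[str] = field(default_factory=list)


def quarantine_acl(ip: str, policy: Policy) -> List[str]:
    """IOS-style extended ACL lines: allow only the remediation servers, deny the rest."""
    lines = [f"permit ip host {ip} host {server}" for server in policy.remediation_servers]
    lines.append(f"deny ip host {ip} any")
    return lines


def evaluate(report: Optional[PostureReport], policy: Policy, today: date = TODAY) -> Decision:
    """Decide admission for one endpoint. Fails closed: no report, a stale report,
    or a report dated in the future (clock skew or tampering) is a failure."""
    if report is None:
        return Decision(host="(unknown)", admitted=False, reasons=["no posture report received"])

    reasons = []
    age = (today - report.reported_on).days
    if age < 0:
        reasons.append("report timestamp is in the future")
    elif age > policy.max_report_age_days:
        reasons.append(f"posture report is {age} days old")

    missing = policy.required_patches - report.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))

    if not report.av_running:
        reasons.append("virus scanner not running")
    elif report.av_signature_date is None:
        reasons.append("virus scanner has no signature date")
    elif (today - report.av_signature_date).days > policy.max_signature_age_days:
        reasons.append("virus signatures out of date")

    if not report.firewall_enabled:
        reasons.append("personal firewall disabled")

    decision = Decision(host=report.host, admitted=not reasons, reasons=reasons)
    if reasons:
        decision.acl = quarantine_acl(report.ip, policy)
    return decision


# Sample policy and constructed posture reports (assumptions, not real hosts).
POLICY = Policy(
    required_patches=frozenset({"KB835732", "KB833987"}),
    max_signature_age_days=7,
    max_report_age_days=1,
    remediation_servers=("10.0.0.10", "10.0.0.11"),
)

CLEAN = PostureReport("lt-clean", "10.20.30.40", date(2004, 9, 29),
                      frozenset({"KB835732", "KB833987"}), True, date(2004, 9, 28), True)
STALE = PostureReport("lt-stale", "10.20.30.41", date(2004, 9, 29),
                      frozenset({"KB835732"}), True, date(2004, 8, 15), False)
SKEWED = PostureReport("lt-skew", "10.20.30.42", date(2004, 10, 5),
                       frozenset({"KB835732", "KB833987"}), True, date(2004, 9, 28), True)

if __name__ == "__main__":
    for r in (CLEAN, STALE, SKEWED, None):
        d = evaluate(r, POLICY)
        print(d.host, "ADMIT" if d.admitted else "QUARANTINE", "; ".join(d.reasons))
        for line in d.acl:
            print("   ", line)
```

The quarantine ACL permits only the remediation servers, which is what lets the "unclean machines are quarantined until they are patched and updated" step on the Perfigo slide work: the host can still fetch patches and signatures but cannot reach anything else. In a real deployment the same evaluation runs again after remediation before the ACL is lifted.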
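The Remotely Erase the Data slide notes that a command can be sent to erase a lost device the next time it connects to the Internet. That command channel is itself worth protecting: whoever can forge an erase command can wipe a fleet. The slides do not say how any of the named vendors authenticate the command, so the following Python is an added example, not vendor code: a server MACs each command with a per-device key shared at enrollment, and the device agent accepts it only if the MAC verifies, it is addressed to this device, the action is known, the sequence number is higher than any already executed (no replay), and the command has not expired. The message format, field names, the sample key and the device identifier are assumptions.

```python
"""Authenticating a remote-erase command (added example; not code from the
slides or from Extended Systems, Xcellenet, mFormation or any other vendor
named there).

Server: build a command and MAC it with the device's enrollment key.
Device: verify MAC, addressee, action, sequence number and expiry before
acting. The command format, field names and sample key are assumptions."""
import hashlib
import hmac
import json
from typing import Dict, Optional


def canonical(cmd: Dict) -> bytes:
    """Stable byte encoding of the command body, excluding the MAC itself."""
    body = {k: v for k, v in cmd.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, device_id: str, action: str, seq: int,
                 issued_at: int, ttl_seconds: int) -> Dict:
    """Server side: build and MAC an erase/lock command for one device."""
    cmd = {"device_id": device_id, "action": action, "seq": seq,
           "issued_at": issued_at, "expires_at": issued_at + ttl_seconds}
    cmd["mac"] = hmac.new(key, canonical(cmd), hashlib.sha256).hexdigest()
    return cmd


class DeviceAgent:
    """Device side: verifies commands and remembers the highest sequence executed."""
    ALLOWED = {"erase", "lock"}

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key          # per-device key provisioned at enrollment (assumption)
        self.last_seq = 0
        self.wiped = False

    def verify(self, cmd: Dict, now: int) -> Optional[str]:
        """Return None if the command is acceptable, otherwise the reason it is not.
        The MAC is checked first so that no other field is trusted before it."""
        expected = hmac.new(self.key, canonical(cmd), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(cmd.get("mac", ""))):
            return "bad MAC"
        if cmd.get("device_id") != self.device_id:
            return "command addressed to another device"
        if cmd.get("action") not in self.ALLOWED:
            return "unknown action"
        if not isinstance(cmd.get("seq"), int) or cmd["seq"] <= self.last_seq:
            return "replayed or out-of-order sequence number"
        if now > cmd.get("expires_at", 0):
            return "command expired"
        return None

    def handle(self, cmd: Dict, now: int) -> str:
        reason = self.verify(cmd, now)
        if reason:
            return "rejected: " + reason
        self.last_seq = cmd["seq"]
        if cmd["action"] == "erase":
            self.wiped = True  # a real agent overwrites keys and data here, then reports back
        return "executed: " + cmd["action"]


# Constructed sample key and time (assumptions for the example).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NOW = 1096416000  # 2004-09-29 00:00:00 UTC

if __name__ == "__main__":
    agent = DeviceAgent("pda-0042", KEY)
    cmd = sign_command(KEY, "pda-0042", "erase", seq=1, issued_at=NOW, ttl_seconds=3600)
    print(agent.handle(cmd, NOW + 60))                      # executed: erase
    print(agent.handle(cmd, NOW + 120))                     # rejected: replay
    print(agent.handle(dict(cmd, action="lock"), NOW + 120))  # rejected: bad MAC
    late = sign_command(KEY, "pda-0042", "lock", seq=2, issued_at=NOW, ttl_seconds=3600)
    print(agent.handle(late, NOW + 7200))                   # rejected: expired
```

The time lag the slide points out cuts both ways: the device may not see the command for days, so the expiry window has to be long enough to be useful, while the sequence number stops an attacker who captured an old erase command from replaying it against a recovered device. An expired or rejected command never advances the sequence counter, so a legitimate later command is still accepted.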