Transcript Document
MDM CHALLENGES • SECURITY & COMPLIANCE ENFORCEMENT • REDUCE SUPPORT COST OF MOBILE ASSETS • PROVIDE APPLICATION & PERFORMANCE MANAGEMENT • PROVIDE BETTER BUSINESS CONTINUITY • MAKE EMPLOYEES MORE PRODUCTIVE & MORE SATISFIED TO BYOD OR NOT TO BYOD? THAT IS THE QUESTION • EACH BANK HAS TO DECIDE THIS FOR THEMSELVES WHILE WEIGHING THE PROS AND CONS OF EACH. • MAKE SURE THAT YOUR POLICIES & PROCEDURES ADDRESS BYOD WHETHER OR NOT YOUR INSTITUTION SUPPORTS IT! • IF YOU HAVE A GUEST WIRELESS NETWORK & YOU DON’T ALLOW BYOD…. GUESS WHAT? YOU WILL VERY LIKELY HAVE EMPLOYEES USE THEIR PERSONAL DEVICES FOR BANKING PURPOSES. • AT LEAST IF YOU ALLOW BYOD, YOU CAN MAKE THE RULES SURROUNDING IT! THE MAAS360 10 COMMANDMENTS OF BYOD • 1. CREATE THY POLICY BEFORE PROCURING TECHNOLOGY • 2. SEEK THE FLOCK’S DEVICES • 3. ENROLLMENT SHALL BE SIMPLE • 4. THOU SHALT CONFIGURE DEVICES OVER-THE-AIR • 5. GIVE THY USERS SELF-SERVICE • 6. HOLD SACRED PERSONAL INFORMATION • 7. PART THE SEAS OF CORPORATE & PERSONAL DATA • 8. MONITOR THY FLOCK – HERD AUTOMATICALLY • 9. MANAGE THY DATA USAGE • 10. DRINK FROM THE FOUNTAIN OF ROI ROI CONSIDERATIONS CORPORATE-OWNED MODEL BYOD DEVICE COST COST OF SUBSIDIZING DATA PLAN DATA PLAN COST ELIMINATED DEVICE COST REPLACING DEVICES EVERY FEW YEARS COST OF MOBILE MANAGEMENT WARRANTY PLANS BOTH OPTIONS TAKE IT TIME & EFFORT TO MANAGE WHAT DOES A GOOD MDM PROGRAM CONTAIN FROM A BANKERS PROSPECTIVE? • MOBILE DEVICE RISK ASSESSMENT • GOOD POLICY FRAMEWORK • ACCEPTABLE USE POLICY • BYOD POLICY • MOBILE DEVICE POLICY • INFORMATION SECURITY POLICY • DATA CLASSIFICATION POLICY MDM FROM A TECHNOLOGY PERSPECTIVE: • SOLUTIONS THAT PROVIDE COORDINATED VISIBILITY & CONTROL OVER ALL DEVICES & OPERATING SYSTEMS. • ENFORCE PASSCODE PROTECTION, ENCRYPTION, & SECURITY UPDATES • CONTROL NETWORK & APPLICATION SETTINGS • REMOTELY LOCATE, BLOCK, OR WIPE (FULL & SELECTIVE) DEVICES THAT HAVE BEEN LOST, STOLEN, OR ARE NO LONGER AUTHORIZED. • SECURE EMAIL, MESSAGING, & BROWSING • WHITELISTING & BLACKLISTING • BE EASY TO USE, CENTRALLY MANAGED, AND QUICK TO DEPLOY INTEGRATION IS KEY • A GOOD MDM SOLUTION WILL INTEGRATE WITH ACTIVE DIRECTORY, EMAIL PLATFORMS (EXCHANGE, OFFICE 365,ETC.), SHAREPOINT, INTRANET, WEB APPLICATIONS, AND ALL OF YOUR EXISTING INFRASTRUCTURE. • SINGLE SIGN ON ACROSS APPLICATIONS FOR AUTHENTICATION. WHAT KIND OF ACTIONS WILL AN MDM SOLUTION PERFORM? • REFRESH DEVICE DETAILS IN REAL-TIME INCLUDING LOCATION. • PERFORM HELP DESK OPERATIONS LIKE LOCKING A DEVICE OR RESETTING A FORGOTTEN PASSCODE. • PERFORM A FULL WIPE OF A LOST DEVICE OR A SELECTIVE WIPE OF ONLY THE CORPORATE DATA WHILE MAINTAINING PERSONAL DATA OF AN EMPLOYEE OWNED DEVICE. • CHANGE IOS POLICY. • REMOTELY PUSH APPS TO DEVICES INCLUDING “HOME GROWN” APPS & PUBLISHED UPDATES. • PREVENT DATA LEAKAGE – KEEP PERSONAL DATA SEPARATE FROM COMPANY DATA SET & DISTRIBUTE POLICIES • ENFORCE PASSCODE REQUIREMENTS • CONFIGURE RESTRICTIONS • • • • • • • ENFORCE ENCRYPTED DEVICE BACKUPS RESTRICT USE OF CAMERA, FACETIME, & SCREEN CAPTURES RESTRICT APPLICATION INSTALLATION RESTRICT SAFARI, YOUTUBE, ETC… (BUILT IN APPLICATIONS) DISTRIBUTE WI-FI, VPN, PROXY, & EMAIL PROFILES/SETTINGS MANAGE ICLOUD CONTROLS AND SETTINGS EMAIL SECURITY – RESTRICT USERS FROM MOVING EMAILS BETWEEN ACCOUNTS AND RESTRICT 3RD PARTY APPS FROM SENDING EMAILS • DETECTION OF JAIL BROKEN AND ROOTED DEVICES • COMPLIANCE REPORTING SECURE BROWSING • A GOOD SOLUTION WILL PROVIDE: • URL FILTERING BASED ON CATEGORIES AND INCLUDE THE ABILITY TO CUSTOMIZE WHITELISTS AND BLACKLISTS • BLOCK KNOWN MALICIOUS WEBSITES • RESTRICT COOKIES, DOWNLOADS, COPY, PASTE, & PRINTING FUNCTIONALITY • NOTIFY USERS & ADMINISTRATORS OF VIOLATIONS • PROVIDE DETAILED REPORTING WITH AN AUDIT TRAIL SECURE DOCUMENT SHARING • A GOOD MDM SOLUTION SHOULD ALSO PROVIDE A SECURE CONTAINER FOR DOCUMENTS THAT CAN BE EDITED ON THE DEVICE • THIS WILL REDUCE THE RISK OF DATA LEAKAGE • SET TIME BASED EXPIRATIONS FOR AUTOMATIC DOCUMENT DELETION • WORK WILL ALL COMMON FILE TYPES SUCH AS MICROSOFT OFFICE & PDF FORMATS • ENFORCE USER AUTHENTICATION BOARD MINUTE PORTAL BEST PRACTICES • CHOOSE DEVICE CAREFULLY. IOS IS RECOMMENDED BECAUSE OF SECURITY. • CORPORATE OWNED DEVICE • MANAGED SETTINGS • USER FRIENDLY SOLUTION • FULL CONTROL OF DATA ON DEVICE • DISABLE SCREEN SHOT • LOCATE LOST DEVICE • ENABLE ENCRYPTION • DEVICE BACKUP • DEVICE WIPE • RISK ASSESSMENT • IPAD POLICY / AGREEMENT USING MDM FOR BOARD MINUTES • USING AN APP FORM AN MDM SOLUTION • PROVIDES DEVICE MANAGEMENT • ALLOWS FOR FULL CONTROL OF DATA ON DEVICE • ALLOWS FOR DEVICE WIPE • ALLOWS TO ENCRYPT DATA • ALLOWS FOR OPENING, DOWNLOADING, PRINTING RESTRICTIONS • ALLOW OPENING IN SPECIFIED GEOGRAPHICAL RANGE • USING AN MDM SOLUTION WILL COMBINE TWO SOLUTIONS IN ONE AIRWATCH SECURE CONTENT LOCKER BY VMWARE • FOUNDED IN 2003, AIRWATCH IS AN ATLANTA BASED ENTERPRISE, MOBILE DEVICE, MOBILE APPLICATION AND MOBILE CONTENT MANAGEMENT COMPANY. • IN FEB 2014 VMWARE AQUIRED AIRWATCH • IT PROVIDES SOLUTIONS THAT ARE COMPATIBLE WITH A VARIETY OF DEVICES INCLUDING IOS, ANDROID, BLACKBERRY AND WINDOWS PHONE. • WON THE 2013 CLOUD STORAGE EXCELLENCE AWARD AIRWATCH SECURE CONTENT LOCKER BY VMWARE • Flexible Content Storage • Hosted in Cloud • On Premise • Hybrid • Device Wipe • Set Time Limits on Data • Set Data to be Viewed Online Only • Password Protected • Device Location • Geographical Range Limits • Disable Screen Shots • Specify Wi-Fi Hotspot • Disable Browser MOBILE BEST PRACTICES 1. LOCK THE DEVICE WITH A PASSWORD OR PERSONAL IDENTIFICATION 2. NUMBER (PIN) 3. INSTALL APPS ONLY FROM TRUSTED SOURCES 4. BACK UP YOUR DATA 5. KEEP YOUR SYSTEM UPDATED 6. DO NOT HACK (JAIL-BREAK) YOUR DEVICE MOBILE BEST PRACTICES (CONTINUED) 7. TURN OFF WI-FI AND BLUETOOTH SERVICES WHEN NOT IN USE 8. DO NOT AUTOMATICALLY CONNECT TO WI-FI HOT SPOTS 9. DO NOT USE UNTRUSTED HOT SPOTS PUBLIC OR PRIVATE. UNTRUSTED WI-FI HOT SPOTS ARE SUSCEPTIBLE TO MAN-IN-THEMIDDLE ATTACKS. 10. AVOID SENDING PERSONAL INFORMATION VIA TEXT OR EMAIL 11. BE CAREFUL WHAT YOU CLICK 12. INSTALL A MOBILE SECURITY APP HOW FCNB ENABLES BYOD • • • • • FCNB CURRENTLY ONLY ALLOWS ACCESS TO EMAIL. • • THE BANK CONTROLS THE CORPORATE E-MAIL PROFILE FCNB SELECTED MOBILE IRON AS IT MOBILE DEVICE MANAGEMENT SYSTEM. EMPLOYEE MUST SIGN AND AGREE TO MOBILE POLICY. IN THE FUTURE FCNB WILL ALLOW ACCESS VIA SECURE CITRIX CONNECTION THE BANK IS NOT OBLIGATED OR RESPONSIBLE FOR PERSONAL EMAIL, TEXTS, ETC... FCNB RESTRICTS FORWARDING OF E-MAIL THROUGH PERSONAL ACCOUNTS. HOW FCNB ENABLES BYOD (CONTINUED) • CURRENTLY FIRST CITIZENS ONLY SUPPORTS IOS (IPHONE AND IPADS) AND SUPPORTED LEVELS OF THAT SOFTWARE. • EMPLOYEES WILL BE HELD PERSONALLY RESPONSIBLE FOR ANY PROBLEMS CAUSED BY THEIR NEGLIGENCE AS DEEMED BY BANK MANAGEMENT. • EMAIL HISTORY AVAILABLE ON THE MOBILE SMARTPHONES AND TABLETS WILL BE LIMITED. • A “JAIL BROKE” OPERATING SYSTEM WILL AUTOMATICALLY BE WIPED BY MOBILE IRON. HOW FCNB ENABLES BYOD (CONTINUED) • THE BANK IS NOT RESPONSIBLE FOR THAT EMPLOYEE DATA. • CORPORATE EMAIL AND DATA THAT IS MANAGED BY THE BANK’S MOBILE MANAGEMENT SYSTEM IS PROTECTED AND SEPARATED IN ITS OWN CONTAINER. EACH ATTACHMENT IS PROTECTED BY A SECURE GATEWAY AND CAN ONLY BE READ BY A TRUSTED READER. • MOBILE IRON AUTOMATICALLY PROTECTS AGAINST MAN–IN–MIDDLE ATTACKS. HOW FCNB ENABLES BYOD CONT. • THE BANK CAN CHOOSE AT ANY TIME TO DO A SELECTIVE WIPE OF THE CORPORATE EMAIL AND DATA ON SMARTPHONES AND TABLETS. • THE BANK WILL AUTOMATICALLY QUARANTINE A SMARTPHONE OR TABLET THAT HAS NOT CHECKED IN TO THE BANK’S MOBILE MANAGEMENT SYSTEM. • THE BANK WILL AUTOMATICALLY COMPLETE A FULL WIPE OF THE SMARTPHONE OR TABLET IF THE DEVICE HAS NOT CHECKED IN AFTER THIRTY DAYS. THIS PREVENTS DATA COMPROMISE IN CASE THE MOBILE DEVICE HAS BEEN STOLEN AND TAKEN OFF LINE (I.E. SIM CARD SWAP). WHY FCNB SELECTED APPLE IOS • EVERY IOS APP CAN ONLY ACCESS ITS OWN DATA CONTAINER: THERE IS NO GENERAL ACCESS TO THE FILE SYSTEM. AS A RESULT, APPS CAN ONLY DAMAGE THEIR OWN DATA, UNLESS IT IS A “JAIL BROKEN” DEVICE. • THE APP STORE IS TIGHTLY CURATED: APPS ARE TESTED BY APPLE BEFORE BEING MADE AVAILABLE TO THE PUBLIC SO INCIDENCES OF MALWARE ARE RARE. • APPLE CONTROLS THE DISTRIBUTION OF NEW OPERATING SYSTEM UPGRADES: APPLE CAN QUICKLY MAKE UPGRADES AVAILABLE FOR THE ENTIRE IPHONE, IPAD, AND IPOD DEVICE COMMUNITY. IF A SECURITY ISSUE IS IDENTIFIED, IT FIXES IT AND ENSURES THAT ALL DEVICES HAVE EASY ACCESS TO THE NEWLY-PATCHED IOS VERSION. THE TIMING OF THE FIX AND DISTRIBUTION IS ENTIRELY UNDER APPLE’S CONTROL. WHY FCNB SELECTED APPLE IOS (CONTINUED) • PASSCODE ENFORCEMENT PREVENTS UNAUTHORIZED ACCESS TO THE DEVICE. IT ALSO ACTIVATES IOS DATA PROTECTION TO ENHANCE BUILT-IN HARDWARE ENCRYPTION IN ORDER TO PROVIDE ADDITIONAL SECURITY FOR EMAIL MESSAGES, EMAIL ATTACHMENTS. • MOBILE IRON SUPPORTS MULTIPLE DEVICES, SO IN THE FUTURE FCNB CAN ADD OTHER DEVICES AS NEEDED. FCNB MOBILE BANKING • MOBILE BANKING REQUIRES USER TO HAVE ONLINE BANKING ACCESS • TWO FACTOR AUTHENTICATION IS NEEDED FOR ONLINE BANKING • MOBILE DEVICE REQUIRES OUT-OF-BAND AUTHENTICATION