RSA 2013 Session: Mobile Security Smackdown: How Government “Pwned” The Private Sector
1. MOBILE SECURITY SMACKDOWN: HOW GOVERNMENT “PWNED” THE PRIVATE SECTOR
John Bordwine
Symantec, Inc.
Session ID: MBS-T18B
Session Classification: Intermediate
2. “PWNED”
► To be owned or dominated by an opponent or situation
3. Quick Facts on Why
► Over 1,300 “agencies” within the US government
► Somewhere between 10 and 14 million employees
► Hundreds of agency CIOs
► Varying levels of information classification
► Increased mobile workforce
► Not only workforce support but also citizen support for information access from mobile devices
4. Government Dilemma, Which is Best?
Policy
► Government issued and locked down devices
► Government issued and allow a level of personal access
► Employee owned and government managed
Devices
► Smart-phones
► Tablets
► Hybrids
7. Defining the Key Components
Management     | Devices/OS | Applications      | Classification    | Data Security
---------------|------------|-------------------|-------------------|----------------------
Device         | iOS        | E-mail            | Unclassified      | VPN
Information    | Android    | Agency specific   | Highly classified | Identity management
Application    | Windows    | Personal          | Personal data     | Encryption at rest
Authentication | RIM        | Information share | General access    | Encryption in motion
Unified        | Hybrids    | Cloud access      | PII               | DLP
8. Private/Public Sector Comparison
                            | Private Sector       | Public Sector
----------------------------|----------------------|----------------------------------------
Encrypted data storage      | Limited              | FIPS 140-2
Multi-factor authentication | Limited              | Utilize existing PKI/credential methods
Application control         | Sand-box method      | Application wrapping
Geo-fencing                 | Limited              | Full awareness
Compliance measurements     | Limited to IT policy | Defined compliance metrics
Chain of assurance          | No                   | Access and data protection
Root of trust               | OS testing           | OS control
► Advantage…Public Sector
9. Best of Both Worlds?
► Agency/Organization
    ► Well managed user access and critical device components
    ► Strong security
    ► Information protection
    ► Application management
► End User
    ► Ease of use
    ► Fully functional
    ► Productivity benefits
Private Sector can utilize the extensive work already performed by the Public Sector!
10. In Conclusion...
► Just how did Government “pwn” the private sector?
► By implementing a progressively multi-faceted “all of the above” strategy, while the private sector struggled with narrower, less effective policies.
► In other words:
“Necessity is the mother of invention.”
-- Plato
13. Core Mobile Security Components
Government Focus
► Application Management
    ► Government applications secured, trusted and protected
► Device Management
    ► Impact of lost device
► User Management
    ► Prevent abuse and ensure proper ownership
► Information Management
    ► Protection of government information; data loss prevention to protect sensitive information
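Slide 13 names data loss prevention as the information-management control, and slide 7 lists the classification labels (General access, PII) and data-security controls (Encryption at rest, Encryption in motion, DLP) that such a control works with. As an added illustration that is not from the presentation, the following Python sketches the content-inspection step a DLP control performs before a message is shared: it detects two PII patterns (a US SSN and a Luhn-valid payment-card number, using regular expressions and a Luhn routine written for this example) and maps the result to those labels. The policy mapping (PII requires encryption at rest and in motion and may not be shared to cloud services) is an assumption made for the example, and the sample messages are constructed.

```python
import re

# Constructed sample messages for the demo; none are real records.
SAMPLES = {
    "ssn":       "Please update the record for John Q. Public, SSN 123-45-6789.",
    "card":      "Card on file: 4111 1111 1111 1111, exp 12/25.",
    "clean":     "Meeting moved to 3pm, agenda attached.",
    "fake_card": "Reference number 4111 1111 1111 1112 (not a card).",
}

# US SSN in dashed form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment-card number: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return the PII categories detected in text (hypothetical detector, two categories only)."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("payment_card")
            break
    return found


def evaluate(text: str) -> dict:
    """Classify a message and state the controls it requires.

    Assumed policy (not from the slides): PII must be encrypted at rest and in
    motion and may not be shared to cloud services; general content needs nothing extra.
    """
    findings = find_pii(text)
    if findings:
        return {
            "classification": "PII",
            "findings": findings,
            "required_controls": ["Encryption at rest", "Encryption in motion"],
            "cloud_share_allowed": False,
        }
    return {
        "classification": "General access",
        "findings": [],
        "required_controls": [],
        "cloud_share_allowed": True,
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10s} -> {evaluate(text)}")
```

The Luhn check is what separates the "card" and "fake_card" samples: both match the digit pattern, but only the first passes the checksum, so a share of the second is not blocked. A production DLP engine would add many more detectors and apply the matrix of controls from the agency's own policy; the mapping here only shows the shape of that decision.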
14. Core Security Components
► Cloud Access
    ► Appropriate controls to cloud information
► Access Control
    ► Defining the authenticity of the user and the device
► Unified Management
    ► Devices, users and information protected independent of access point
► Secure Operating System
    ► How to ensure the OS is not compromised
► Trusted Service Manager
    ► Trusted authority to issue secure applications