XperienceIT 2.011
Wednesday 26 October 2011, De Montil, Affligem
Security Track
Integrate tablets successfully in your business environment
Before starting
Type here level of Sensitivity "Unrestricted", Internal Use Only" or "Confidential" 27/10/2011 Slide 3
Paradigm
“How to access corporate data & applications from a tablet, while being compliant with the corporate security policies.”
Internal Use Only" 27/10/2011 Slide 4
Challenges
Market is not as mature as traditional PC market
• Tablets are fairly new and evolving fast
For first implementation choose one and only one device type
• Tools are not always available or at least not fully mature
E.g.: dual factor authentication not available in standard Android e-mail client
• Security risks around tablet integration in corporate environment are not known in most organisations
No deep knowledge of those technologies
Break the uncertainty barrier in your organization (It’s new, we don’t know it, ...)
How to proceed?
Define corporate security requirements
• They are needed to know how you’ll build the solution
• They will influence costs and complexity of the solution
Build high level technical solution
• Develop a test-bed solution
• Have it validated from a user-experience point of view
Start implementation
• Work in parallel on various technical implementation tracks
• Assign a small cross-functional dedicated team (Client, Security, Support engineers)
• Build documentation and plan roll-out
Communicate and roll-out
Security requirements
First type:
To protect corporate data on the device and to protect corporate services
accessible from the device.
Example: PIN protection, Remote Wipe, Data Encryption of SD card
Second type:
To protect the corporate environment.
Example: Data encryption during connection, managed anti-virus
Third type:
The device is fully managed.
Example: Full management of all settings / software (similar to a corporate PC)
For each type, dual factor authentication is always required!
Belgacom’s Infrastructure
[Diagram: Internet and Belgacom’s Private Cloud]
Client Side Security
Touchdown HD for tablets
• PIN protection etc. are set via pushmail – MS Exchange policies
• Client pre-installed
• Not all Exchange policies work, but on Android, Touchdown is the best client (for the moment) to correctly process most of the Exchange policies.
• Dual factor authentication implemented via certificate + Windows ID/pwd
Free local anti-virus
• AVG Mobilation free version
VPN
• Juniper JUNOS Pulse (SSL Layer 3)
• In combination with the RSA SecurID solution (already in place)
Belgacom private cloud infrastructure
CITRIX
2 dedicated servers have been added to Belgacom’s private cloud CITRIX infrastructure, on a 64-bit Windows OS.
Dimensioned for 50% of tablet users (80) as simultaneous users
Office 2010, Adobe Reader and intranet for the use of BCI CRM sales tools
Some issues related to the tablet keyboard and Adobe Reader were fixed by fine-tuning on the servers
Adding an application on Citrix is not “out-of-the-box” easy, if not previously virtualized
Belgacom’s Deployment
No staging & deployment solution exists yet for Android
Plan for a manual deployment
• Helpdesk agreed to provide the necessary resources for manual installation of devices
• Training given to Helpdesk members
• Pre-installation of all devices by following engineering recommendations & documentation (±30 minutes per device)
• As user certificates are required for push-mail (Touchdown), the helpdesk set them up with the user at distribution time (100 devices in one shot)
• Users were required to manually set up the applications requiring their credentials:
Touchdown
Junos Pulse SSL VPN
Belgacom’s Investment
Implementation efforts: 60 man-days (*)
• Select & test Android software
• Deploy dedicated Citrix infrastructure
• Document installation procedure
• Train Support staff
Deploy dedicated Citrix infrastructure for 80 users (50K€)
Android software licences
• Touchdown: 15€/user
• Junos Pulse subscription: 3€/month/user
Manual deployment: 30 minutes/user
* Exchange, PKI, and Juniper SSL infrastructure were already deployed
Lessons learned
Tablet Roadmap
Short term (1-3 months)
• Implement new version of Junos Pulse SSL VPN with built-in managed anti-virus
• Implement Mobile Device Management solution to allow remote configuration & support of devices - device and users inventory - device location through GPS - deploy internal apps market - ...
Mid-term (3-9 months)
• Validate solution for other private cloud services (VMware VDI – Virtual PCs)
• Investigate virtualization (VMware) on the device: corporate image on a non-corporate device
Long term (9-18 months)
• Service differentiation
Corporate (managed devices): use of native applications on the tablet: Intranet, Business Intelligence tools
Private (unmanaged devices) – BYOD: access to corporate resources through private cloud services
Live Demo
Who’s the first?
Questions