Ashwin Krishnan is a Director of Product Management at Juniper Networks, where he runs the product management team that is responsible for the high-end SRX product line (which has the leading market share position according to Infonetics Research) and SRX service provider business. He also heads up a cross-functional mobile security team that is focused on defining the strategy and solutions for infrastructure and services protection in the mobile network. His prior experience includes over five years at Nokia where he held various senior product management, architecture, and engineering management roles focusing on core infrastructure, service control, and intelligent subscriber gateway products. Prior to that he has held various lead technical roles at 3Com, Octel, Hughes, and Wipro. He is a frequent speaker at security and mobile conferences (NGMN, 4G world, Informa, and so on) and regularly blogs about all aspects of security. He has over 17 years of industry experience with specialization in wireless, security, and IP networking. He attained his Bachelor of Science degree from the National Institute of Technology, Warangal, India in 1991.
Dedication
Rich Campagna: To Brooke — Daddy loves you!
Authors’ Acknowledgments
Subbu Iyer: I would like to thank my wife Manju, and daughter Anoushka, for their constant motivation, encouragement, and support throughout the writing of this book.
Ashwin Krishnan: I would like to thank Radhika, my wife; Ananya, my daughter; and Jackie, our dog for supporting me through the process of creating this book while I was ostensibly doing chores to write it, including walking the dog (sorry Jackie). Thanks for putting up with my vagaries. And to my mom, Indira Ananthakrishnan, who is a renowned author herself, for instilling in me some of your book writing genes.
To the “numero uno” team at Wiley for providing excellent feedback throughout the process and helping get the book into its final finished form.
And finally to our Juniper in-house editor-in-chief, Patrick Ames, who helped instigate the idea of writing the book and cajoled, threatened, and pleaded with us throughout the course — without you this book never would have happened.
Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Media Development
Project Editor: Kim Darosett
Acquisitions Editor: Katie Mohr
Copy Editor: Heidi Unger
Technical Editor: Rob Cameron
Editorial Manager: Leah Cameron
Editorial Assistant: Amanda Graham
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)
Composition Services
Project Coordinator: Sheree Montgomery
Layout and Graphics: Timothy C. Detrick, Nikki Gately, Corrie Socolovitch
Proofreaders: Context Editorial Services, John Greenough
Indexer: Broccoli Information Management
Special help: Colleen Totz Diamond, Kimberly Holtman
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Composition Services
Debbie Stailey, Director of Composition Services
Foreword
The sweep of mobile devices into our lives has transformed business IT in only a few short years. If you are holding this book in your hands, then you have no doubt encountered this massive change firsthand, and you are looking for answers. Looking out over the next few years, mobile devices will continue to transform the way that we do business.
New form factors such as tablets and “dockable” smartphones will allow users to replace laptops and desktops, DVRs, radios, DVD players, and many other “fixed” devices — untethering us completely. Ubiquitous network access through Wi-Fi, 3G, 4G/LTE, and beyond will allow us to do work anywhere, and at any time. Advances in peripherals and device-to-device interaction will integrate these devices into our lives much more seamlessly, no longer requiring us to remove them from our pockets.
All of this freedom, however, brings forth a huge challenge for corporate IT. It wasn’t that long ago when our IT departments required that users access corporate data and applications from a specific, corporate-issued device (typically a RIM BlackBerry).
Starting with the release of the Apple iPhone, however, users began to demand choice, ushering in a new era of consumerization that will forever change enterprise IT. Today’s users typically purchase their own mobile device of choice, and they find a way to connect it to the corporate network. Your challenge is to provide the flexibility that your users need, without sacrificing security, and this book, Mobile Device Security For Dummies, provides a complete look at the best practices for allowing you to meet that challenge. The authors are at the forefront of mobile device security strategy and product development, and are particularly well-suited to provide a balanced view of the current state of security concerns, and recommend ways to assuage those concerns. They regularly advise a range of customers across just about every domain and industry vertical, so chances are they have experience dealing with other organizations just like yours, with similar challenges.
The mobile world is evolving quickly — with new devices, operating systems, capabilities, and even threats emerging with every passing day. To meet the inexorable mobile changes, you’ll want best practices on how to manage these challenges while adapting the new truths of mobility in the enterprise. So go ahead: Ride the mobile wave safely with the best tools and practices available in the market.
Mark Bauhaus
Executive Vice President
Device and Network Systems Business Group
Juniper Networks
Introduction
Mobile devices, including smartphones and tablets, rule the marketplace. Regardless of whether these devices are employees’ personal devices or company-issued, you need to adopt best practices in an effort to secure them. It’s an effort, because very little planning and budget are devoted to these powerful little devices; but you have to have a plan for securing your company and its network, people, resources, and information.
This book helps you plan for mobile device security in your business and extend it into the lives and homes of your company’s employees. Having a plan helps you plead your case to management, and this book gives you the background you need to make the best decisions for your own implementation of mobile security, management, and control.
We (the authors) work on mobile security software and hardware and have worked for many years on security software implementation throughout the world. This is not to emphasize our massive intelligence in the matter, but rather point out that we’ve seen just about every marketplace and every issue that various IT departments and network administrators face in implementing a mobile strategy. And because we work for Juniper Networks, on the Junos Pulse product team, we know intimately what our customers need. In this book, we give you a view of the mobile security world from a collective viewpoint: beginner, implementer, and successful provider. Regardless of whether you choose Junos Pulse or another solution, or implement your own customized solution, this book helps you understand the threats facing mobile device adoption today and implement the current best practices for securing these devices in the enterprise (the best practices we’ve learned the hard way).
About This Book
This book isn’t meant to be read from cover to cover. It’s more like a reference than a suspense novel. Each chapter is divided into sections, each of which has self-contained information about a specific task in setting up a mobile device security solution.
You don’t have to memorize anything in this book. The information here is what you need to know to complete the task at hand. Wherever we mention a new term or are possessed by the need to get geeky with the technical descriptions, we’ve been sure to let you know so that you can decide whether to read or ignore them. Aren’t we thoughtful? You’re welcome.
Mobile device security has several players: you, the administrator; the mobile device users; management, who must fund security solutions; vendors, who create and sell their solutions; and a shifting crowd of nefarious hackers, thieves, and competitors who are looking for cracks in your wall. While you might find other books about mobile device security, you won’t find one that makes you aware of all the players all the time. This is a new-school book about new-school technology.
Foolish Assumptions
We make a few assumptions about who you are. For example, we assume you bought this book to learn more about mobile device security in the enterprise, hence we assume your job is as an enterprise IT or network administrator. If you’re not one of those industrious people, we assume you might be in IT management or even sales management. In short, you work for a company whose employees all connect to the network with their mobile devices, and you’re supposed to be, somehow, one of the people who control this.
We have bad news and good news for you. The bad news is that we’re sorry you are in this position. If you haven’t had security problems yet, you will. We’ve seen many customers seeking security solutions in our lifetimes, and the good news is that this book details the threats facing mobile device adoption today and the best practices that you can implement for securing them in the enterprise.
Conventions Used in This Book
We know that doing something the same way over and over again can be boring (like Mr. Rogers always wearing the same kind of sweater), but sometimes consistency is a good thing. In this book, those consistent elements are called conventions. In fact, we use italics to identify and define new terms you might not recognize, just like we’ve done with the word conventions. Additionally, when we type URLs (web addresses) within a paragraph, they look like this: www.wiley.com.
That said, throughout this book we use the terms smartphones and mobile devices interchangeably. Sometimes only smartphones have the capability of over-the-air transmission, but new mobile devices are coming that could far surpass even the smartphone’s capabilities. So we use smartphone, mobile device, iPad, iPhone, Android, BlackBerry, and other terms interchangeably, too.
At the end of many chapters, we include a case study based on experience we’ve gained from our customers who have grappled with similar situations. It’s the only way we can justify how many miles we’ve flown during the past five years, but more importantly, we hope you can benefit from this running example of how you might implement some of the policies we discuss throughout the book.
That’s about it. Mobile device security is so new that the only convention you share with everyone else around you is a feeling that your data isn’t secure. At all. But fear not — it will be after you implement the policies discussed in this book.
How This Book Is Organized
This book is organized into five main parts. Don’t feel that you need to read these parts in sequential order; you can jump around as much as you like, and each part is meant to stand on its own.
Part I: Living Securely in the Smart World
Sometimes it’s comforting for authors to describe the world you live in. Part I of this book describes the world that you’re trying to control. You’ll be able to find yourself here, in one of the chapters, in one of the scenarios. Misery loves company, and eventually by Chapter 3, we ask you to stop fighting the hordes of mobile devices in your environment and instead embrace them. Embrace, adapt, protect, and manage are the four stages of living securely in this smart new world.
Part II: Implementing Enterprise Mobile Security
Part II assumes you’ve given up the “no mobile devices permitted onsite” fight and taken down the signs. Implementation starts by creating policies and then managing and monitoring them. It’s not rocket science, and chances are you already do many of them today. This part helps you put your policies together and perform the real trick: Make your mobile device policies conform to existing compliance policies so you don’t have to redo policies for the whole company.
Part III: Securing Smart Device Access
Part III moves from the policy to the real world — your network. How do you build the system of monitoring, accepting/rejecting, or limiting access to the hordes of devices entering your main, branch, and remote offices? Not to reveal the ending too much, but you’re going to leverage technology to provide granular, application access control.
Part IV: Securing Each Smart Device
At some point, you have to touch your customer. It’s time to roll out the policy, programs, and technology to encrypt, protect, and back up the device hordes. You don’t want to be in upper management, anyway.
Part V: The Part of Tens
Indispensable places and checklists tend to come in lists of tens, and mobile device security is no different. Turn here often as you read the book, and come back when you’re done.
Icons Used in This Book
To make your experience with the book easier, we use various icons in the margins of the book to indicate particular points of interest.
Whenever we give you a hint or a tip that makes an aspect of mobile device security easier to understand or speeds the process along, we mark it with this little Tip thingamabob. It’s our way of sharing what we’ve figured out the hard way so you don’t have to.
This icon is a friendly reminder or a marker for something that you want to make sure that you keep in mind, or remember, as the icon says.
Ouch! This icon is the equivalent of an exclamation point. Warnings give you important directions to prevent you from experiencing any nightmares. (Well, at least where security is concerned. Offering premonitions about your personal life costs extra.)
Sometimes we feel obligated or perhaps obsessed with some technical aspect of mobile security. We are geeky guys, but mark this info thusly so that you know it’s just geeky background information.
Where to Go from Here
Now you’re ready to use this book. The beginning introduces basic security concepts so you’re familiar with both the terminology and the state of affairs in today’s mobile device security marketplace. If you’re new to mobile device security, start here, or depending on your background, you may want to start by jumping straight to the meat of the discussion in Part II. Once you zoom in to what interests you, we highly recommend going to the other parts or chapters because there are key concepts and usage cases in each chapter.
If you have a mobile device on your desk right now, we recommend muting the ringer and alarms and putting it to sleep for a while. These devices don’t like to be corralled at first, and if they see you reading this book, they’ll start acting strange for an hour or so.
If you ever want to see what we authors really do, and some of the products we actually get paid to work on, check out Junos Pulse at the Juniper Networks website, www.juniper.net/pulse.
Please note that some special symbols used in this eBook may not display properly on all eReader devices. If you have trouble determining any symbol, please call Wiley Product Technical Support at 800-762-2974. Outside of the United States, please call 317-572-3993. You can also contact Wiley Product Technical Support at www.wiley.com/techsupport.
Part I
Living Securely in the Smart World
In this part . . .
By the end of reading Chapters 1 and 2, you will recognize that your best option for securing your corporate network is to embrace the hordes of mobile devices on your campus — well, embrace may be going overboard, but at least you should acknowledge their existence. You can’t live with mobile devices, and you can’t live without them. What’s the answer? Embrace, adapt, protect, and manage. Those are the four stages of living securely in this smart new world — and the message of Chapter 3.
Chapter 1
What’s So Smart About a Phone, Anyway?
In This Chapter
Taking a look at different mobile devices
Getting up to speed on mobile operating system platforms
Exploring data connections
Examining the applications that run on mobile devices
Putting the mobile device security deployment in order
Introducing the AcmeGizmo case study
The late 2000s and early 2010s ushered in a new era of mobility in the enterprise. Prior to this time, truly productive mobility required users to have a laptop, a mobile phone, and possibly a personal digital assistant (PDA) in order to be as productive offsite as they would be at the office. The rise of the smartphone, however, has changed all of that. Now users can get as much done with a device that fits in their pocket as they could when three separate devices were required to accomplish the same tasks. With tablets reaching widespread adoption as well, many users and organizations are trading in their laptops and desktops and replacing them with these new devices.
Your enterprise may have worked for years on strategies for the use of Microsoft Windows (on laptops and desktops) and the Research In Motion (RIM) BlackBerry OS (on smartphones). In addition to the tools that Microsoft and RIM provide to manage, update, and secure these operating systems, your enterprise may have invested in a number of third-party components to help secure these systems further.