Educause Security Discussion mailing list archives
Re: Is anyone forcing active sync controls on their smart phone users?
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 22 Apr 2010 15:08:20 -0700
John commented:

#We are currently considering our options for securing information on
#smartphones that include iPhones.
#
#Is anyone using the Active Sync controls in Exchange to push security
#controls to these devices?
#Some controls would include an automated timeout, required pin or
#password, and enabling remote wipe for lost or stolen devices.
#
#Are these controls applied to all university owned devices? Do
#controls apply to personally owned devices?

I just did a talk covering this area for the Educause Security Professionals 2010 Meeting in Atlanta a few weeks back, see http://www.uoregon.edu/~joe/mobile-device-security/mobile-device-security.pdf (or .ppt if you prefer).

In particular, for iPhones, I'd be careful about relying on either the "built in" hardware encryption available on 3GS's, or the remote wipe option, for the reasons discussed in that talk.

Because the iPhone security architecture is heavily dependent on a whitelisted application environment, I would urge institutions to consider whether they want to adopt a formal policy on "jailbreaking" phones, at least if those phones may be used for critical institutional purposes (including PII data-related applications).

I would also encourage sites to consider security awareness/security training on the issue of iPhone configuration data sources (e.g., users need to be trained not to download configs from email messages or random web sites, since doing so has the potential to compromise the confidentiality/integrity of the iPhone environment if a malicious configuration is provided).

Let me also clarify that the above concerns do NOT mean that I'd discourage folks from using or deploying iPhones, because that's NOT my intent, I just think you want to understand the potential issues and implement appropriate compensating controls as may be necessary, etc.

Feel free to drop me a note if you have any questions about this.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions expressed are strictly my own