How to Secure iPads, Tablets and Android Devices for Corporate Use
John Masserini
CISO
Dow Jones
WSJ DIGITAL NETWORK
• 38.8 million monthly visitors to the digital network
• More than 1 million paying subscribers for WSJ.com
• Sites include:
– WSJ.com
– MarketWatch.com
– Barrons.com
– AllThingsD.com
– SmartMoney.com
OFFICE NETWORK
• 780 Class A office buildings
• 15 top markets
• More than 1 million uniques every day
• More than 35,000 businesses
• 22 million monthly impressions
VIDEO / COMMUNITY
• 5.6 million streams each month
• 140,400 WSJ.com Community members
• 200,000 MarketWatch.com Community members
MOBILE
• Top mobile audience in the financial news category
• 3.1 million uniques
• 7 minutes avg/visit
• 11 million WAP site page views
• 1.6 million+ downloads of the wsj.com iPhone App
• 80,000+ downloads of the ATD.com iPhone App
• 226,000+ downloads of the MarketWatch iPhone App
• 1.5 million podcast downloads each month
iPad
• 517,000+ Active Users
• Over One Million Downloads
WSJ DIGITAL WORLD
Mobile Device Strategy
• Strategy
– Support mobile device connectivity to both internal network resources and public internet
– Global WiFi infrastructure that provides seamless access to all employees
– Deployment supports regulatory efforts and security model
• Challenges
– Immature market causes a fragmented approach to access
– All devices released to date are consumer focused, not enterprise
– Variations between devices required individual certification
– Lack of standard approach to security
Dow Jones Wireless
The DJ WiFi infrastructure consists of three networks:
• Vendor_WiFi:
– Used for vendors only
– Access credentials set up by the Help Desk/Corporate Security
– Default of 2 hours of access
– Provides direct access to the Internet
• External_WiFi:
– Provides employees with unfettered Internet access
– Captive Portal requires domain credentials
– Provides access for laptops, iPhones/iPads, and Android devices
– All traffic is monitored for abuse
• Internal_WiFi:
– Provides direct access to internal network resources
– Requires device registration and strong authentication
DJ Mobile Device Standards
• Supported Device Types:
– All DJ Corporate laptops, including Macs
– iPhone/iPad with OS 3.0 and higher
– Devices which support Windows Mobile
– Palm devices which use WebOS 1.3 and higher
– Droid devices which use 2.2 or higher (Internet access only)
• ActiveSync:
– Any device which connects to ActiveSync must adhere to the Corporate ActiveSync standard
– Must meet or exceed BlackBerry standards
– Requires manager's approval
– Device Password enforcement
– Encrypted communications
– Screen timeouts
– Remote wipe
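
The device standards above, together with the Internal_WiFi requirements from the previous slide, written as an admission check. This is an added example, not part of the original presentation or any Dow Jones tooling; the `Device` record, its field names, the sample records, and the reading of "Internet access only" as "no Internal_WiFi" are assumptions.

```python
from dataclasses import dataclass

# Minimum OS per platform from "Supported Device Types"; None = no minimum stated.
MIN_OS = {"ios": (3, 0), "webos": (1, 3), "android": (2, 2), "windows_mobile": None}
INTERNET_ONLY = {"android"}  # assumption: "Internet access only" means no Internal_WiFi

@dataclass
class Device:  # hypothetical inventory record; field names are illustrative
    platform: str
    os_version: str
    registered: bool = False        # device registration completed
    has_certificate: bool = False   # strong authentication (digital certificate)
    manager_approved: bool = False
    password_enforced: bool = False
    encrypted_comms: bool = False
    screen_timeout: bool = False
    remote_wipe: bool = False

def parse_version(text):
    """'2.10' -> (2, 10, 0): numeric compare, so 2.10 ranks above 2.2."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def is_supported(dev):
    if dev.platform not in MIN_OS:
        return False
    minimum = MIN_OS[dev.platform]
    if minimum is None:
        return True
    try:
        return parse_version(dev.os_version) >= minimum
    except ValueError:
        return False  # unparseable version string: fail closed

def allowed_access(dev):
    """Return the services a device may use under the standards above."""
    if not is_supported(dev):
        return set()
    access = {"External_WiFi"}  # the user still authenticates at the captive portal
    activesync_ok = (dev.manager_approved and dev.password_enforced and
                     dev.encrypted_comms and dev.screen_timeout and dev.remote_wipe)
    if activesync_ok:
        access.add("ActiveSync")
    if dev.platform not in INTERNET_ONLY and dev.registered and dev.has_certificate:
        access.add("Internal_WiFi")
    return access

# Constructed sample records
print(allowed_access(Device("ios", "4.2.1", registered=True, has_certificate=True)))
print(allowed_access(Device("android", "2.10", registered=True, has_certificate=True)))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank Android "2.10" below the "2.2" minimum.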
Key Considerations
• We are not alone
– Proactive disassociation is not generally a viable solution
• PCI requires authentication of individuals – not machines
• Potential of abuse by outsiders
– Imagine someone attacking a competitor from our wireless network
• Functionally no different than VPN… remote access is remote access
• It's always about the data – not the device
The Apple-verse
• iPhones have been approved for 2 years (OS 3.0)
• iPads were approved within 1 week of retail sale date
• Can leverage External_WiFi and ActiveSync to access email, calendar, and contacts
– Current configuration has them as secure as a BlackBerry
• Internal network access is on an as-needed basis only
– Internal access requires device registration and strong authentication
– Apple supports Digital Certificates and our current infrastructure
– Unfortunately, Apple does not support ‘over the air’ certificate distribution
– Every device must be manually configured by a security admin
Internal Network access is not a security issue – it’s a support issue
The Droid-o-sphere
• Google’s Android Operating System has been wildly popular
• Should follow organization's approach to ‘Open Source’ solutions
• Almost every phone manufacturer has an Android device or has plans for one in the near term
• No ‘Approval Board’ for Android functionality on devices
– Hardware vendors can implement features however they want
– No mandatory support of standard functionality
– No review of apps in the Marketplace
• Of the four devices tested recently, all four had very different user interactions
• ActiveSync support is different on each device, potentially requiring an additional app to access email
• Each device had to be configured by Tech Support – and each setup was different!
User Awareness
• User Awareness is crucial
– Millions of cell phones are ‘lost’ annually
– Even though it may be personal, password protect your device
– Always think about the apps you put on your phone – we have already seen malware on Androids
– Think about the data you store on your phone. Do you really need your credit card numbers, passwords, or alarm codes in your ‘notes’ app?
– WiFi is just as insecure on a phone or tablet as it is on a laptop. Use caution when connecting to open WiFi hotspots
Questions?
Thank You!