Wednesday, June 20, 2012

#mlearncon Security and Mobile

Because I know I'm gonna get asked when I get back into the office...

Critical Issues: Balancing Security and Mobility for Learning
Presenter: Robert Gadd, OnPoint Digital

These are devices that are easily lost or stolen.

90% of IT mgrs are set to implement mobile apps in 2012.
50% of those say that successful mobile app management will be a top priority.

Concerns
- 54% cost concerns
- 25% lack of direct experience
- 75% security

But mobile can be MORE SECURE than eLearning
- easier to verify identity (will prove)

Everyone bought the devices NOT to do mobile learning
- Bought for communication (emails, calls, text)
- Training is a layer on the device
- Early on - browser based
- Of course - "course on phone"
- Starting to see requests for - access to info, social components, user-generated content
- Now - gamification layer, this is big

The average mobile user may have a different class of device.

Feature phones / Data enabled handset / web apps / native apps / PC-Laptop
- The Native Apps will be your secure one
  + This one ensures that you are looking at the right person at the right time

CellCast model - more server-side stuff.

Core - security and encryption on the device itself

BYOD can be very secure if you know about the person and the device, as long as it's approached directly.
- It's out there whether IT central likes it or not
- Employees feel more productive and happier with it
- The device will be both work and personal

Interestingly - BYOD is NOT cheaper for the organization
- the savings are in time and effort. The staff time offsets the staff cost.
- Employees are happier - a good thing

People lose phones every day
And there are concerns about the information on those phones

Security methods - 4 approaches x 4 ways
- Text and voice
- Mobile Web - HTML
- Web Apps - HTML5
- Native Apps - C#, iOS, Java

Each deals with security differently
Each has different encryption

Biggest challenge is that there is a broadening range of devices - more coming in than disappearing
- Range of capability
- (little to no standardization)
- Also think about the old phones that are out there that we still need to support
- If you are going to "impose security" you have to figure out what you are delivering on

Tablets - also beginning to change all the time
- Apple and Samsung making money on it
- Kindle allows Amazon to sell stuff - loss leader

Key Considerations
- Device (Physical ) Security
  + Device-level encryption (also BES - all traffic through their gate / traffic hub)
  + Device-specific authentication parameters
  + Device passwords - do you use them?
  + Platform level security
  + There is info about the device burned into the phone: UDID or burned-in ROM, MTN
     ++ Can expose the phone number and serial number to use for authentication

- Application
  + Account verification and pin code validation
  + Password policy management and admin
  + Private app stores
  + mobile app management capabilities
  + Security of Mobile Web and Mobile App

- Platform - only last couple of years
  + Secure Device-to-Cloud-to-server path
  + Single Sign-on authentication - a way to make sure the user is still "in the club", plus define the time period the person can remain logged on with the app (most elegant solution for security, even offline)
  + Remote device management control - software from other folks, how IT locks down the phone
    ++ In BYOD - can allow you to go to company store and download app next to Angry Birds
    ++ Allow self vs. corporate
    ++ We can render the app useless or get rid of app or "brick" the device

- Other Environmentals
  + The "BYOD" Movement
    ++ Would like to see orgs "draw a line" in terms of what they will support
  + Multi-Server Environments
    ++ Content loaded to device - no real "test" server
    ++ Plus, how do you avoid blowing away content
    ++ Synchronize identity change - has to appear seamless to the user
  + Time-based restrictions for the app
    ++ mLearning = conflict with union-based training rules and payment (this is important for our environment)
    ++ Don't trust "mobile" to get the content over correctly. How do you reconcile the record differences?
         ++ The "SCORM" thing helps. Allows the sync. Not reported very frequently in the field.
  + Two-Factor Authentication ("TFA") Options
    ++ The RSA SecurID dongle or biometrics etc.
  + "FIPS" Compliance (no one really doing this yet - gov't requirement)
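The "define the time period the person can remain logged on ... even offline" idea above, sketched as an added example (not code from the talk or from OnPoint Digital): the server issues an HMAC-signed token carrying an expiry and a device binding, and the app can check both without a network round-trip. The per-device key, the claim names and the device id format are assumptions; the device identifier only binds the token, it is not treated as a secret on its own.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-device secret, assumed to be provisioned at enrollment.
KEY = b"constructed-per-device-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user: str, device_id: str, issued_at: int, lifetime_s: int) -> str:
    """Server side: sign the claims, including the allowed logged-on window."""
    claims = {"sub": user, "dev": device_id, "iat": issued_at, "exp": issued_at + lifetime_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate_offline(key: bytes, token: str, device_id: str, now: int) -> tuple[bool, str]:
    """Device side: no server contact. Verify the MAC before trusting any claim."""
    try:
        body, tag = token.split(".")
        given = _unb64(tag)
    except ValueError:  # also covers binascii.Error from bad base64
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("dev") != device_id:
        return False, "wrong device"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token(KEY, "alice", "DEV-001", issued_at=1_000_000, lifetime_s=8 * 3600)
    print(validate_offline(KEY, tok, "DEV-001", now=1_000_000 + 3600))      # (True, 'ok')
    print(validate_offline(KEY, tok, "DEV-001", now=1_000_000 + 8 * 3600))  # (False, 'expired')
```

Once the window lapses the app must go back online to re-authenticate, which is what gives the server its chance to confirm the user is still "in the club".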

(I probably need to get the slides for this. Very technical conversation, and it would probably be best to get the Mobility Guru in touch with this presenter. Not sure what the technical mobile guys are thinking.)

Biggest security challenge - Sony just got hacked (PlayStation). Right now everyone is overly paranoid.

Really a cornucopia of choice. Depending on what the IT folks have done, you may see a mix of these solutions.
- Mobile device management

----------------------
Tangent
We are a year away from knowing whether Tin Can will blow up or fizzle
- Tried something - put together in 40 hours = good
- But he is working in a closed network
- Tin Can, by its current nature, is public
- The vocabulary of what the verbs are needs to be synchronized
---------------
MobileIron is the most frequent security product for mobile. Considered a good one.
(He talked about others - I didn't catch them. Figure it is an issue for the Mobility Guru.)

(Rest of the session was a demo - Onpoint Digital.)
