URL for slides (you’re gonna need it, the slides have thousands of bullets and I couldn’t possibly capture all of it here): http://bit.ly/csun-ibm-secure
- Costs to business of incompatible mobile secrity and accessibility?
- Weak links
- There are security gaps to be checked for
- Examples of inaccessible security
- Risks of inaccessible secirty
- Risks of non-secure accessibility
- Items to consider when implementing a secure accessibility
- Challenges you’ll encounter
A whole slide of disclaimers: how IBM is approaching this topic, conclusions are based on anecdotal experiences, etc.
Risks related to inaccessible security: biggest risk is the human element
Some interesting stats on BYOD:: most enterprises have personal devices accessing corporate resources, 89% of IT departments support them, but 46% are unmanaged.
Accessibility and Security don’t always work together; we start from a foundation of risks (508 and other intl. legislation). Showed a slide of big corporations that had litigation against them, Target, Netflix, Google, etc. Yes, the “risk” is real, but of course we all know that corporations should do accessibility because it’s good for business AND it’s the right thing to do. Presenter Talked about brand, what it’s worth to your company, that sort of thing. Sadly, the presentations I’ve seen given to corporate audiences seem to be driven primarily by fear and pursuit of the bottom line. This presentation (so far) is following that line.
PDFs recently had an issue where secured docs could be read with a screen reader. Within IBM, Antivirus could not be used by blind employees, so they needed to use an alternate AV program.
QUOTABLE QUOTE: “If a security test fails an individual’s capabilities, it fails as an implementation. If a security test fails the situation, it fails as a solution.”
- AT do not function correctly in a secure env
- Unverified AT leave exposures to secrity
- Security is unusable
- Secure solutions may not be able to be retrofitted for accessibility
They had a complicated slide that showed “10-Steps to security”
Slide with a triangle containing: Accessibility, Security, Enterprise
Embed standards into the enterprise (mandates, processes, guidance, metrics, education, documentation, tools)
WHY DOES EVERY IBM SLIDE HAVE TO HAVE 20 BULLETS AND SMALL FONTS?
Slide about platforms: OS, Hardware, carrier, AT
Slide showing a pie chart of platforms, there were about 50 (completely unreadable, but did show the scale of the problem)
BRIDGE BETWEEN SECURITY AND ACCESSIBILITY (directly from slide)
- AT (SR, Zoom, preconfigure, dev tools)
- Security (platform settings, policy, partitioning)
THIS PART WAS INTERESTING
Siri is a problem because “we don’t know what happens to that spoken utterance, it doesn’t stay on the device, it goes to what we’re told is a secure server.”
QUESTION: what about captioning and transcription services? These fall into the same bucket. Concern is the unknown about “who’s wearing the Siri face” right now.
Evaluate AT for security
- Does it run correctly when the security is engaged?
- Have artifacts that leave unprotected content (logs, buffers, off-device processing, transmission, secure processing, is encription adequate
- Does it work in public / private situations?
- Does it require a network connection?
- Pwd length, complexity, time-outs, alternatives
- Biometrics: consider cost, environmental considerations, alternatives
- Graphical pwds (not suitable for device without a mouse or touch-screen access
- MDM, Security, Enterprise Applications
- Bare metal vs. Hosted (type 2 like VMWare)
- Container virtualization (i.e. Enterproid Divide), similar to UNIX chroot solution
- Have to assess these solutions for accessibility
Paul’s sidebar regarding the “model” of IBM presentations: they provide lots of big-sounding questions and problems, present slides that are overloaded with gobs of information, focus on compliance (often injected with fear), but not a lot of practical information. Ya gots ta pay for that stuff, buddy.
IBM uses “Worklight,” a tool that sounds similar to PhoneGap, but it comes with a lot more under-the-hood stuff for policies, server interaction, endpoint management and management of services, etc.
Enable, monitor, and enforce compliance
System settings, software inventory, software distribution, automation, monitoring, reporting, taking action
Slide: Rapid transformation of change (loaded with literally a hundred items and completely unreadable. Again, shows just how complicated things are)
Mobile standards are lagging growth
New hypervisors have been announced by VMware (type 2) and Redbend vLogix Mobile (type 1)
10 new MDM solutions reported May 2012
Retrofitting is expensive and may in fact not work at all
One reply on “Making Mobile Both Accessible and Secure”
[…] Notes from Paul Schantz […]