© 2010 NetIQ Corporation. All rights reserved.
Bring Your Own Computer To Work - What Now?
Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI, SPYRUS, Inc.
Michael F. Angelo, CSA, NetIQ Corporation
Bring your own computer
BYOC is Consumerization of IT
How IT Happens
Organizational Benefits and Impact
Action Today, Tomorrow, Future
Summary
Questions
Pop Down to the Pub
BYOC is Consumerization of IT
What Is Consumerization?
Changing the Face of Work
− Consumer-based Social Media for advertising
− Consumer-based Financial Services for accounts receivable
− Use of consumer or Free Software for sustaining corporate infrastructure
And… what we are going to focus on:
− Use of personal equipment in the corporate environment
Evolution (timeline): Mice, Keyboard, Monitors, Home equipment for remote access, Mobile Phone, Wi-Fi Card, Flash Drive, PDA, Music Player, Smart Phone, Desktop / Laptop
Consumerization of IT
Use of employee owned resources for company work
How Widespread Is Consumerization?
[Chart: for each device type (Laptop, PDA, Mobile Phone, Smart Phone), the percentage of employees who purchased the device themselves and the percentage using it as their primary machine, on a 0-80% scale. Source: In-Stat]
How It Happens
Don’t want to use your Pentium III with 256 MB RAM & 60 GB HD
Don’t want to use your OS
Don’t want to use IE6
Don’t want to use your software tools
Don’t want to be locked down
What is your policy?
Secretive
Ignored
Unofficially Supported
Officially Supported
Subsidized
Benefit and Impact
Benefits and drawbacks
Benefits:
− Companies save 9-40% on equipment purchase cost*
− Exit the hardware business
− Employee satisfaction
− Higher productivity
− Longer work hours
Drawbacks:
− Helpdesk: Knowledge, Loaner
− Hardware: Capability, Configuration, Maintenance / warranty, Upgrades
− Software: Interoperability, Upgrades / updates, Vulnerabilities
*Source: Gartner
Organizational impact - Ownership
Logins
− Personal login information on corporate machine
− Social Networks / Professional Associations
− Corporate login information on personal machine
− VPN Configuration
− User IDs and passwords stored in browsers
Software Ownership
− Personal software
− Restricted use licenses
− Corporate software on home equipment
Organizational impact - Legal Issues
Legislated Privacy
− EU data protection act
− USA HIPAA, SOX, GLBA
− Country, state/province, local (e.g. CA SB 1386)
− More laws pending
Cross contamination
− Corporate backup includes personal information
− Personal backup includes corporate information
Organizational impact - Security
Information Leakage
− Family & friends
− Device Loss
− Virus
− Personal email – Spear Phishing
Increased Exposure to Threats
− Surfing at Home <> Surfing at Work
− Torrents
Organizational impact - Non-Obvious Issues
Acceptable use policies
− How to apply to personal machines?
Out processing of individuals
− How do you know organizational data is removed from the employee machine?
− Software
− PST files
− Passwords / wireless / VPN Access
− Residual data
− Employee / corporate backups
Action To Take
Action to take today
Is it already there?
− Run, don’t walk, to your legal staff
Decide if you will allow Consumerization
− Don’t wait for it to happen and then rush to formulate policy and procedures
Decision must explicitly include all possible components
Decision must be extended as new technology becomes available
Action today - Define policies
Balance:
− Corporate vs Employee vs Customer
Corporate:
− Must comply with laws
− Must maintain fiduciary responsibility
− Must not expose corporate assets
− At a minimum should address:
− Employee responsibility
− Acceptable use
− Protection of assets
Action today - Incident response plan
Even with Policies & Procedures accidents can happen…
Need incident response plan
Technical Solutions
Action today
Security 101:
− Keep secret stuff separate from non-secret stuff
− Keep corporate stuff separate from personal stuff
Separate personal and corporate identities
− Compartmentalize the environments to reduce the risk of accidents.
Action today - Compartmentalization
Application isolation
Separate user accounts
Virtual Desktop Infrastructure (VDI)
Hypervisor on PC
OS or Hypervisor on USB drive
− Windows-on-a-stick
− PC-in-my-pocket
Action today - Separate user accounts
Work and Personal
Mac, PC, or Linux
Fast user switching
− Separate Context
− Subject to worms and viruses
− Can share information via common file system
[Diagram: one Computer running a single Host OS, with User 1 and User 2 each running their own Apps]
Action today - VDI
Virtual Desktop Infrastructure (VDI)
Action today - Type 2 hypervisor
Aka Hosted Hypervisor
Still subject to worms and viruses
Harder to accidentally share information, but cross-contamination still possible
[Diagram: Computer running a Host OS with its own Apps; a Type 2 Hypervisor runs on the Host OS and carries a Hosted OS with its own Apps]
Action not-quite-today - Type 1 hypervisor
Aka Native Hypervisor
Almost impossible to share information
Only common attack is hypervisor itself
Each OS can be attacked separately
[Diagram: Computer running a Type 1 Hypervisor directly on the hardware; OS 1 and OS 2 run side by side on the hypervisor, each with its own Apps]
Action Today - Type 2 portable hypervisor
Hosted (Type 2) VM
− Running PC loads hypervisor from device
− OS from device and OS from host HD completely separated
− Does not prevent attack via ‘host’ OS
− Does not protect the information if device is lost
− Does not stop access after employment
[Diagram: USB device holding a Hypervisor and an OS Partition (Operating System, User Settings, Apps and Files)]
Action today - Virtualized OS-on-a-stick
− On-board cryptography authenticates and protects
− Boots OS from device, loads hypervisor, then loads hosted OS
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves
[Diagram: USB device with a Boot Partition (OS + Virtual Machine) and an Encrypted OS Partition (Operating System, User Settings, Apps and Files)]
Action today - Native OS-on-a-stick
− On-board cryptography authenticates and protects
− Boots OS directly from device
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves
[Diagram: USB device with a Boot Partition (Boot Loader) and an Encrypted OS Partition (Operating System, User Settings, Apps and Files)]
Native versus hypervisor
[Diagram: Virtualized OS stack (PC Hardware, Hypervisor, OS, Applications) beside Native OS stack (PC Hardware, OS, Applications)]
Note the additional overhead and larger attack surface of a hypervisor-based approach, since two operating systems are required. It will be noticeably slower and possibly less secure.
Action tomorrow - Native OS-on-a-stick + TPM
− Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
− In almost all commercial grade computers
− For more info see the Trusted Computing Group: www.trustedcomputinggroup.org
[Diagram: USB device with a Boot Partition (Secure Boot Loader) and an Encrypted OS Partition (Operating System, User Settings, Apps and Files)]
Action tomorrow: Native OS-on-a-stick + TPM
Can also be used to ‘seal’ information to a snapshot
− A snapshot consists of information relevant to defining an identity or entity
Information cannot be ‘unsealed’ if any element used to ‘seal’ is not an exact match or is not available.
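As an added illustration of the sealing idea on this slide (example code, not part of the original deck), the following Python simulates TPM-style measurement and sealing: each boot component is extended into a register, a sealing key is derived from the resulting snapshot, and unsealing fails if any measured element differs or is missing. The register layout, the measured blobs and the key derivation are constructed for the example; a real TPM does this in hardware with its own PCRs and key hierarchy.

```python
import hashlib
import hmac
import os

# Constructed register layout for the simulation: 0 = boot loader, 1 = OS image, 2 = user settings.
PCR_COUNT = 3


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)). The result depends on every
    value extended so far and on their order; nothing can be removed afterwards."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Build the 'snapshot' by measuring each (register, blob) pair in boot order."""
    pcrs = [bytes(32)] * PCR_COUNT
    for idx, blob in components:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs


def sealing_key(pcrs):
    # The key is a pure function of the snapshot: different snapshot, different key.
    return hashlib.sha256(b"seal-demo-v1" + b"".join(pcrs)).digest()


def seal(secret: bytes, pcrs):
    """Encrypt-and-authenticate `secret` (up to 32 bytes) under the current snapshot."""
    assert len(secret) <= 32, "demo keystream is a single SHA-256 block"
    key = sealing_key(pcrs)
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob: bytes, pcrs):
    """Return the secret only if the snapshot matches the one used at seal time, else None."""
    key = sealing_key(pcrs)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # any changed or missing measurement lands here
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))
```

Sealing a credential on the corporate OS image and then booting a different image, or skipping a measured component, yields a different snapshot and the secret stays locked.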
Summary
Immediately
− Consult with legal dept
− Review current information ownership / protection policies and make appropriate changes
− Put Consumerization policies in place
− Separate user accounts
Longer Term
− Legal policies and procedures
− Enforce them!
− Technical policies and procedures
− Apply, rinse, repeat
− Technical Tools
− Isolate applications, virtualization
Thank You
Michael F. Angelo, NetIQ Corporation
1233 West Loop South, Ste 810, Houston, TX 77027
Ron LaPedis, SPYRUS, Inc.
1860 Hartog Dr., San Jose, CA [email protected]