Bring Your Own Device: Could you, would you, should you


Transcript of Bring Your Own Device: Could you, would you, should you

Page 1: Bring Your Own Device Could you, would you should you

The OWASP Foundation, http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Bring Your Own Device: Could you, would you, should you

May 2012, Benjamin JH Ramduny

Page 2: Bring Your Own Device Could you, would you should you


What is Bring Your Own Device (BYOD)?

We say that: “BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a level of control over both the device and the data it can access”

Wikipedia has this to say: “Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases”

Page 3: Bring Your Own Device Could you, would you should you


BYOD in the News

Page 4: Bring Your Own Device Could you, would you should you


Who is adopting BYOD

Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT

A survey of CIO attitudes showed that 48% of companies would NEVER authorize employees to bring their own devices to the workplace; 57% of IT managers said that employees do it anyway. - Cisco

64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However, 52% of companies allowed some form of access. - Absolute Software

Page 5: Bring Your Own Device Could you, would you should you


Could you BYOD

Page 6: Bring Your Own Device Could you, would you should you


BYOD Options

There are two main options when considering BYOD: augmentation or replacement.

Augmentation:

You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to as mobile/laptop consumerisation.

• Opt-in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps.

• Opt-in scheme for employees who are entitled to a corporate phone but also want to use their own handset.

Replacement:

You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devices.

• Opt-in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs).

Page 7: Bring Your Own Device Could you, would you should you


The BYOD Family Tree

(Diagram: a tree from the generic Device down to the individual device classes, reconstructed from the slide labels)

BYOD
  Device
    Mobile Device
      Hand Held
        Mobile Phone: Apple iPhone, Android Mobile, Windows Phone, Blackberry
        Tablet: Apple iPad, Android Tablet, Playbook
      Laptop: Windows Laptop, Apple Mac
    Desktop

Note: Desktops and Blackberries are not shown

The BYOD policy must detail which items are allowed and the controls that will be applied.

When defining the scope of any BYOD implementation, consideration must be given to which end user devices* will be allowed. Each device type has its own set of risks and management issues.

Page 8: Bring Your Own Device Could you, would you should you


Strategy and Policy

Strategy: Understanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation

• What devices will be subject to BYOD
• What overarching method of resource access will be used for:
  • Hand held devices
  • Laptops
• How will the solution and end users be supported
• How will business units be charged for the service

Policy: Getting the policy right protects the business from the risks associated with BYOD

• What device makes and models will be allowed
• How will Antivirus be handled
• What actions does the company reserve the right to carry out on an employee's personal device (e.g. remote wipe on loss)
• How will leavers be handled
• What access controls will be used (Certificate based authentication, PIN number lengths)

Page 9: Bring Your Own Device Could you, would you should you


A Quick Survey – Who has some form of BYOD in their organisation?

Page 10: Bring Your Own Device Could you, would you should you


Would you BYOD

Page 11: Bring Your Own Device Could you, would you should you


Why Do It?

• Increased user mobility
• Increased user satisfaction
• Help retain top performers
• Increase productivity*
• Reduce capital costs
• Helps to attract younger talent*

Page 12: Bring Your Own Device Could you, would you should you


Laptop Consumerisation: Management Options

Service Access
• Virtualisation (VDI)
• Web Apps Only
• Network Boot
• MDM platform with Windows support
• Desktop on a Pen Drive technologies

Access Control
• NAC
• PKI / Certificate based Authentication

Page 13: Bring Your Own Device Could you, would you should you


Laptop Consumerisation: Management Solutions

Virtualisation
Pros:
• Secure
• User gets complete desktop and application suite
Cons:
• Expensive
• Get it wrong and performance is slow

Network Boot
Pros:
• Secure
• User gets complete desktop and application suite
• Uses the full power of the hardware
Cons:
• Requires network access
• It's not here yet

MDM
Pros:
• Leverages Windows inbuilt security
• No network dependence
Cons:
• Users might not like you restricting their PC
• Only a few vendors

USB
Pros:
• Small and lightweight
• Works with any hardware
• Full desktop available
• No network dependence
Cons:
• New emerging technology

Page 14: Bring Your Own Device Could you, would you should you


Mobile Consumerisation: Mobile Device Options

(Table: one row per operating system, with columns Security Considerations, Enterprise Management Tools and Virtualization)

iPhone
Security Considerations:
• Pre iOS 4.0 device encryption is weak.
• Apple's iOS release cycles make interception of new versions easier than Android
Enterprise Management Tools:
• Enterprise management can be accomplished via the Apple iPhone Configuration Utility or by 3rd party applications: Excitor, Sybase, Good Technology, Mobile Iron and AirWatch. Exchange support also through MS ActiveSync.
Virtualization:
• Citrix Receiver / XenApp
• VMware through Wyse PocketCloud

Android
Security Considerations:
• Pre Android 4.0 (ICS) the native email client does not support ActiveSync with certificate based authentication.
• Full device encryption weak before Android 3.0
• Ad hoc and fragmented development cycles make intercepting new versions difficult
• Reliance on multiple vendors passing on new patches and OS versions means that many users do not receive the latest security patches and OS versions
Enterprise Management Tools:
• No native enterprise management tools. Enterprise management can be accomplished via 3rd party: InnoPath, Good Technology, Excitor, Mobile Iron and AirWatch
Virtualization:
• VMware MVP
• Citrix Receiver / XenApp (Q409?)

Windows Phone
Security Considerations:
• Windows Phone 7 email client does not support certificate based authentication
• Devices are not restricted from running unsigned code, leaving them at a greater risk of malware attack
Enterprise Management Tools:
• Comprehensive enterprise management of devices through MS System Center Mobile Device Manager and via 3rd parties such as: Good Technology, Excitor, Mobile Iron and AirWatch
Virtualization:
• Citrix Receiver / XenApp
• VMware MVP

Page 15: Bring Your Own Device Could you, would you should you


Mobile Consumerisation: Mobile Device Management

MDM products fall into 2 categories:
• Native MDM
• Containerised

(Diagram: the two categories placed on a scale of level of containerisation)

Page 16: Bring Your Own Device Could you, would you should you


Mobile Consumerisation: Gartner

Page 17: Bring Your Own Device Could you, would you should you


Should You BYOD

Page 18: Bring Your Own Device Could you, would you should you


Major Considerations

Protection of Corporate Data

Reimbursement

Legal Concerns

Support Strategy

The Cost of Moving to a BYOD Environment

Scope Definition

Vendor Selection

Page 19: Bring Your Own Device Could you, would you should you


Major Considerations

Protection of Corporate Data

Your data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage.

Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualise either your corporate applications or the employee's entire desktop. On a mobile device you can use a Mobile Device Management solution to enforce some security features on the device itself (e.g. device encryption, remote wipe if the device is lost).

Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solution.

Desktop virtualisation can offer the best form of security on a laptop; however, there are drawbacks. The main one is that many believe they can use their super powerful personal laptop and get the benefits of a powerful PC over their older work laptop. Unfortunately laptop power has little relevance in a thin client/virtual desktop where most of the processing is done server side. A second drawback of virtualisation is that the more users there are on the virtualised infrastructure, the slower it gets.

It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012, allowing the full power of the laptop to be utilised.

Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required.

The biggest challenge is how to ensure there is no corporate data left on a personal device once it is no longer required by the user.

Reimbursement

One of the benefits of a corporate liability mobile device over a personal liability device is that the corporate device is usually able to take advantage of preferential call tariffs with the service provider.

When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee monthly bill and how the organization will reimburse this cost.

An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased wear.

Questions that need to be addressed are:

• Can the employee claim back line rental, or receive a stipend, and how is this capped?

• Will the employee be given a benefit in kind to buy the device, and if so does this have any tax implications?

Legal Concerns

If an MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory reset), then it is important that any employee who is using their personal device is clearly aware of this and that they have signed an EULA.

If the employee is expected to travel as part of their role, then the organization must consider whether there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used).

Page 20: Bring Your Own Device Could you, would you should you


Major Considerations

Vendor Selection

When the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way, then a vendor selection process needs to be carried out.

Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands-on demonstrations of the end to end solutions is essential. Hands-on experience is crucial to ensuring that any selected product meets your requirements for security and usability, since one can heavily impact the other.

Different vendors have very different strengths, and researching which vendor's product fits your requirements will be useful.

Where possible agree for a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot.

Support Strategy

In any organization, support for the business critical infrastructure is a major concern, and an organization's inability to support its infrastructure represents a significant business risk.

When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems.

When BYOD is adopted there will be a significant increase in the number of different types of hardware, drivers, OS configurations and applications in use, and so it is important to assess the existing support organization's capability to support the new devices.

A BYOD policy must consider whether personal devices will be supported and how much time will be spent trying to resolve an issue with a personal device.

If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employee's laptop or phone is damaged and sent for repair.

The Cost of Moving to a BYOD Environment

Adopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits; however, indications from early adopters lead to the conclusion that the savings are not huge.

For a secure desktop/laptop replacement project the virtualisation costs or web app development costs can be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also still need to be purchased for each virtual desktop and the software running on it.

BYOD can be restricted to just handheld devices, but again, to do this in a secure manner does require some form of Mobile Device Management tool, and all its associated hardware.

Define the scope

BYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone, all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices.

Corporate email on a personal mobile device can be the easiest to deploy and depending on the classification of the data being sent over email can be relatively cheap to implement.

Matching the scope to the business requirements will help to ensure that the right solution is chosen.

Page 21: Bring Your Own Device Could you, would you should you


Separation of Business and Personal

• Work life balance is important

• Using computing devices for both business and pleasure can lead to crossover between the two

• Guidelines and protections should be in place to protect employees' free time and personal data

• Any tools or technologies must:

• Protect the business and

• Preserve the personal

Page 22: Bring Your Own Device Could you, would you should you


Data Loss

Not unique to Bring Your Own Device, but the risk is increased.

Must be balanced with controls, policies and governance.

Encryption should be mandatory.

Page 23: Bring Your Own Device Could you, would you should you


Data Loss

Data Loss Headlines ‘Today’

• Walsall Council: 981 records of residents' postal vote statements containing names, addresses, date of birth and signatures dumped in a skip

• Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US): 130 Million records. Malicious software/hack compromises unknown number of credit cards at fifth largest credit card processor

• NHS: 2664 records lost due to personal laptop stolen from a staff member's home containing name, address, date of birth, NHS numbers

Data Loss Headlines ‘Tomorrow’

• Council: 981 records of residents' postal vote statements containing names, addresses, date of birth and signatures found on an iPhone sold on eBay

• Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US): 130 Million records. Malicious app downloaded from the App Store compromised an employee's iPad allowing the theft of an unknown number of credit cards at fifth largest credit card processor

• NHS: 2664 records lost due to personal mobile phone stolen from a staff member's home containing name, address, date of birth, NHS numbers

Mobile Device Management is crucial when allowing personal mobile phones to access corporate data

Page 24: Bring Your Own Device Could you, would you should you


ISF survey

A total of 53 different representatives from different Member environments.

Respondents from the following regions: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11)

Respondents from the following industry sectors: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1)

Page 25: Bring Your Own Device Could you, would you should you


ISF Survey – Question 7

What is the most critical issue your organisation faces when trying to provide security for BYOD?

As expected, leakage of business information was the number one answer; however, many organisations have stated a different challenge to be their most critical issue for BYOD:

• Business information left on personal devices sent for repair or disposal
• Protecting the organisation's intellectual property
• Insecure mobile operating systems, discrepancies between different versions
• Diversity of mobile platforms
• Users are not aware of the risks
• Device limitations prevent controls being put in place
• Separation of personal and business material
• Cost of support
• Network access control to the corporate network
• Maintaining the devices updated with the latest security fixes
• Executive interference in the planning process
• HR and Legal concerns
• eDiscovery requirement for physical access to the device
• Differing technical capabilities across the geographic spread of the company
• Buy in
• User acceptance of corporate fiddling with their own ‘personal’ device
• Regulations, eg PCI compliance
• Lack of good management tools

Page 26: Bring Your Own Device Could you, would you should you


ISF Survey – Question 8

Please share your top three misconceptions about your BYOD experience:

Misconceptions included:

• No need to invest in infrastructure
• It will be cheaper for the organisation
• Lack of information security funding will prevent this from happening
• User awareness is enough to prevent business information from being stored locally on the device
• User awareness, user awareness, user awareness
• User expectations of reduced need for support, no downtime
• Mobile phones connected to the network will introduce viruses
• BYOD is easy and the demand for it is high (neither is particularly true)
• Adding controls to BYOD makes it considerably less attractive to people who wanted it
• BYOD will affect productivity (either in a good or bad way)
• BYOD cannot be secured
• Required for attracting new employees, will increase user satisfaction
• BYOD is a technology problem
• Must be usable with every device

Page 27: Bring Your Own Device Could you, would you should you


ISF Survey – Question 9

Please share your top three tips regarding your BYOD approach:

• Agree the organisation’s risk appetite before designing a solution
• Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workable
• Apply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice
• Work on a mobility strategy
• Pick up early with your architecture team to allow development of a deployment strategy, as well as penetration testing teams to assess security
• Involve legal and HR early enough
• Deploy in stages – most demand is related to iPhones, so start with one type of device and be prepared to expand in the future
• Leverage other investments to enforce or improve security
• Manage expectations with end users
• Communicate with your user base in a 2 way manner
• Do not treat everyone the same – not one size fits all
• Define your service model early
• Get a decent MDM and NAC
• Dual factor authentication
• Consider laws (eg labour laws) that will mandate specific reimbursements to employees
• Promote in-house secure App developments and open your own App store

Page 28: Bring Your Own Device Could you, would you should you


My experience

1. Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all)

2. MDMs, all of them, are immature, poorly coded and offer more security features than they deliver

3. Getting the EULA right takes time

4. Training is one of the most relied on controls; get it in place before go live, make sure it's good, ensure everyone takes it, repeat it regularly

5. Engagement with the vendor can help drive product enhancement

6. Minimum 6 digit Alphanumeric PINs
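The policy questions on page 8, the per-platform caveats on page 14 and the PIN rule above all reduce to checks an enrolment gate can apply before a personal device is allowed at corporate data. The following is an added example, not code from the deck or any MDM product: it encodes those rules against constructed device records, and the Device record, finding codes and function names are this example's own assumptions.

```python
"""BYOD enrolment compliance check (added example, not from the original deck).

Rules encoded from the slides: device encryption is weak before iOS 4.0 and
Android 3.0; the native mail client cannot do certificate-based ActiveSync
before Android 4.0 or on Windows Phone 7; Windows Phone 7 is not restricted
from running unsigned code; a remote wipe on loss needs a signed EULA; and the
passcode policy is a minimum 6-character alphanumeric PIN. The Device record,
finding codes and function names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.0.3' -> (4, 0, 3), so OS releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


# Lowest release at which the deck treats full-device encryption as adequate.
MIN_ENCRYPTION_OS = {"ios": (4, 0), "android": (3, 0)}
# Lowest release whose native mail client supports certificate-based
# ActiveSync. Windows Phone 7 is absent on purpose: the deck says its client
# has no such support at any version.
MIN_CERT_AUTH_OS = {"ios": (0,), "android": (4, 0)}
# Platforms the deck notes are not restricted from running unsigned code.
UNSIGNED_CODE_PLATFORMS = {"windows_phone"}

PASSCODE_MIN_LENGTH = 6  # "Minimum 6 digit Alphanumeric PINs"


@dataclass
class Device:
    """A device record as an MDM enrolment might report it (constructed)."""
    owner: str
    platform: str              # "ios", "android" or "windows_phone"
    os_version: str
    encrypted: bool
    passcode_min_length: int   # passcode policy the device is enforcing
    passcode_alphanumeric: bool
    wipe_consent_signed: bool  # EULA accepting a factory reset on loss


def evaluate(device: Device, require_cert_auth: bool = True) -> List[str]:
    """Return finding codes for one device; an empty list means compliant."""
    findings: List[str] = []
    ver = parse_version(device.os_version)
    plat = device.platform

    # Encryption must be on, and on a release where it is worth having.
    if not device.encrypted:
        findings.append("encryption-off")
    elif plat in MIN_ENCRYPTION_OS and ver < MIN_ENCRYPTION_OS[plat]:
        findings.append("encryption-weak-os")

    # Certificate-based access control needs a client that can present one.
    if require_cert_auth and (plat not in MIN_CERT_AUTH_OS
                              or ver < MIN_CERT_AUTH_OS[plat]):
        findings.append("no-cert-auth")

    if plat in UNSIGNED_CODE_PLATFORMS:
        findings.append("unsigned-code")  # greater malware exposure

    if device.passcode_min_length < PASSCODE_MIN_LENGTH:
        findings.append("passcode-too-short")
    if not device.passcode_alphanumeric:
        findings.append("passcode-not-alphanumeric")

    # Without signed consent the policy's remote wipe cannot be relied on.
    if not device.wipe_consent_signed:
        findings.append("no-wipe-consent")
    return findings


def enrolment_report(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each owner to their findings; owners with none may enrol."""
    return {d.owner: evaluate(d) for d in devices}


# Constructed sample inventory, one device per platform discussed.
SAMPLE_DEVICES = [
    Device("alice", "ios", "5.1", True, 6, True, True),
    Device("bob", "android", "2.3.6", True, 4, False, True),
    Device("carol", "windows_phone", "7.5", True, 8, True, False),
]

if __name__ == "__main__":
    for owner, findings in enrolment_report(SAMPLE_DEVICES).items():
        print(owner, "OK" if not findings else ", ".join(findings))
```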

Page 29: Bring Your Own Device Could you, would you should you


A Quick Survey – Has anyone suffered a security breach as a result of BYOD?

Page 30: Bring Your Own Device Could you, would you should you


No is No Longer An Option

BYOD is already in your organisation!

They're here

Page 31: Bring Your Own Device Could you, would you should you


Questions and Answers

Questions


Page 32: Bring Your Own Device Could you, would you should you


Thank you

Benjamin JH Ramduny, KPMG LLP

+44 (0)7825 [email protected]

www.kpmg.co.uk

Information is as valuable as gold, yet it can slip through your fingers like water