Bring Your Own Device Could you, would you should you
description
Transcript of Bring Your Own Device Could you, would you should you
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Bring Your Own DeviceCould you, would you should you
May 2012Benjamin JH
Ramduny
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is Bring Your Own Device (BYOD)?
We say that:“BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a
level of control over both the device and the data it can access”
Wikipedia has this to say:“Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases”
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
BYOD in the News
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Who is adopting BYOD
Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT
CIO attitudes that showed 48% of companies would NEVER authorize employees to bring their own devices to the workplace. 57% of IT managers said that employees do it anyway. - Cisco
64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However 52% of companies allowed some form of access. - Absolute Software
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Could you BYOD
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
BYOD Options
There are two main options when considering BYOD; augmentation
or replacement
Augmentation:
You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to a mobile/laptop consumerisation
Opt in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps.
Opt in scheme for employees who are entitled to a corporate phone but also want to use their own handset
Replacement:
You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devices
Opt in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs)
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The BYOD Family Tree
Apple iPhone
Android Mobile
Windows Phone
Apple iPad
Android Tablet
Blackberry
Playbook
Mobile Phone Tablet
Windows
LaptopApple Mac
Hand Held Laptop
Mobile Device
Desktop
Device
BYOD
Note: Desktops and Blackberries are not shown
The BYOD policy must detail which items are allowed and the controls that will be applied.
When defining the scope of any BYOD implementation consideration must be given to which end user devices* will be allowed.Each device type has its own set of risks and management issues.
** * * * *
* *
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Strategy and Policy
What devices will be subject to BYOD
What over arching method of resource access will be used for:
Hand held devices
Laptops
How will the solution and end users be supported
How will business units be charged for the service
StrategyUnderstanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation
PolicyGetting the policy right protects the business from the risks associated with BYOD
What devices makes and models will be allowed
How will Antivirus be handled
What actions does the company reserve the right to carry
out on an employees personal device (e.g. remote wipe on
loss)
How will leavers be handled
What access controls will be used (Certificate based
authentication, Pin Number lengths)
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
A Quick Survey – Who has a some form of BYOD in their organisation?
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Would you BYOD
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Why Do It?
Increased user mobilityIncreased user satisfactionHelp retain top performersIncrease productivity*Reduce capital costsHelps to attract younger talent*
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Laptop ConsumerisationManagement Options
Service AccessVirtualisation (VDI)Web Apps OnlyNetwork BootMDM platform with Windows supportDesktop on a Pen Drive technologies
Access ControlNACPKI / Certificate based Authentication
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Laptop ConsumerisationManagement Solutions
Virtualisation Network Boot
MDM USB
Pros:• Secure• User gets
complete desktop and application suite
Cons:• Expensive• Get it wrong
and performance is slow
Pros:• Secure• User gets
complete desktop and application suite
• Uses the full power of the hardware
Cons:• Requires
network access• Its not here yet
Pros:• Leverages
Windows inbuilt security
• No Network dependence
Cons:• Users might not
like you restricting their PC
• Only a few vendors
Pros:• Small and light
weight• Works with any
Hardware• Full desktop
available• No Network
dependence
Cons:• New emerging
technology
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Operating System Security Considerations Enterprise Management Tools Virtualization
Pre IOS 4.0 device encryption is weak.
Apples iOS release cycles make interception of new versions easier than Android
Enterprise management can be accomplished via the Apple iPhone Configuration Utility or by 3rd party applications: Excitor, Sybase, and Good Technology, Excitor, Mobile Iron and AirWatch. Exchange support also through MS ActiveSync.
• Citrix Receiver / XenApp
• VMware through Wyse PocketCloud
Pre Android 4.0 (ICS) the native email client does not support ActiveSync with certificate based authentication.
Full device encryption weak before Android 3.0
Adhoc and fragmented development cycles makes intercepting new versions difficult
Reliance on multiple vendors passing on new patches and OS versions means that many users do not receive the latest security patches and OS’s
No native enterprise management tools. Enterprise management can be accomplished via 3rd party: InnoPath, Good Technology, Excitor, Mobile Iron and AirWatch
• VMware MVP• Citrix Receiver /
XenApp (Q409?)
Windows phone 7 email client does not support certificate based authentication
Devices are not restricted from running unsigned code leaving them at a greater risk of malware attack
Comprehensive enterprise management of devices through MS System Center Mobile Device Manager and via 3rd parties such as: Good Technology, Excitor, Mobile Iron and AirWatch
• Citrix Receiver / XenApp
• VMware MVP
Mobile ConsumerisationMobile Device Options
iPhone
Android
Windows Phone
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Mobile ConsumerisationMobile Device Management
MDM products fall into 2 categories MDM
Native MDM
Containerised
Level of containerisation
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Mobile Consumerisation Gartner
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Should You BYOD
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Major Considerations
Protection of Corporate Data
Reimbursement
Legal Concerns
Support Strategy
The Cost of Moving to a BYOD Environment
Scope Definition
Vendor Selection
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Major Considerations
Protection of Corporate DataYour data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage.
Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualised either your corporate applications or the employees entire desktop. On a mobile device you can use an Mobile Device Management solution to enforce some security features on the device itself (e.g. Device encryption, remote wipe if the device is lost).
Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solution
Desktop virtualisation can offer the best form of security on a laptop, however there are drawbacks, mainly that many believe that they can use there super powerful personal laptop and get the benefits of using a powerful pc over their older work laptop. Unfortunately laptop power has little relevancy in a thin client/virtual desktop where most the processing is done server side. A second draw back of virtualisation is that the more users on the virtualised infrastructure the slower it gets.
It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012 allowing the full power of the laptop to be utilise.
Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required.
The biggest challenge is how to ensure there is no corporate data on a personal device that is no longer required by the user
ReimbursementOne of the benefits of a corporate liability mobile device over and personal liability device is that the corporate device is usually able to take advantage of a preferential call tariffs with the service provider.
When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee monthly bill and how the organization will reimburse this cost.
An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased ware.
Questions that need to be addressed are:
Can the employee claim back line rental, or receive a stipend, how is the capped.
Will the employee be given a benefit in kind to by the device, if so does this have an tax implications
Legal ConcernsIf a MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory rest) then it is important that any employee who is using their personal device is clearly aware of this and that they have signed a EULA.
If the employee is expected to travel as part of their role then the organization must consider if there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used)
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Major Considerations
Vendor SelectionWhen the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way then a vendor selection process needs to be carried out.
Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands on demonstrations of the end to end solutions is essential. Getting hand on experiences is crucial to ensuring that any selected product meets your requirement for security and usability, since one can heavily impact on the other.
Different vendors have very different strengths and researching which vendors product fits your requirements will be useful.
Where possible agree for a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot.
Support StrategyIn any organization support for the business critical infrastructure is a major concern and an organizations inability to support their infrastructure represents a significant business risk.
When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems.
When BYOD is adopted there will be significant increase in the number of different types of hardware, drivers, OS configurations and applications that will be in use and so it is important to assess the existing support organizations capability to support the new devices.
A BYOD policy must consider if personal devices will be supported and how much time will be spent tying to resolve an issue with a personal device.
If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employees laptops or phone is damaged and sent for repair
The Cost of Moving to a BYOD EnvironmentAdopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits, however indications from early adopters lead to the conclusion that the savings are not huge.
For a secure desktop/laptop replacement project the virtualisation costs or web app development costs an be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also be still need to be purchased for each virtual desktop and the software running on it.
BYOD can be restricted to just handheld devices , but again to do this in a secure manner does required some form of Mobile Device Management tool, and all its associated hardware.
Define the scopeBYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices.
Corporate email on a personal mobile device can be the easiest to deploy and depending on the classification of the data being sent over email can be relatively cheap to implement.
Matching the scope to the business requirements will help to ensure that the right solution is chosen
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Separation of Business and Personal
• Work life balance is important
• Using computing devices for both business and pleasure can lead to cross over between the two
• Guidelines and protections should be in place to protect employees free time and personal data
• Any tools or technologies must:
• Protect the business and
• Preserve the personal
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Data Loss
Not unique to Bring Your Own Device, but the risk is increased.
Must be balanced with controls, policies and governance.
Encryption should be mandatory.
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Data Loss
Walsall Council: 981 records of residents postal votes statements containing names, addresses, date of birth and signatures dumped in a skip
Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million recordsMalicious software/hack compromises unknown number of credit cards at fifth largest credit card processor
NHS: 2664 records lost due to personal laptop stolen from a staff members home containing name, address, date of birth, NHS numbers
Data Loss Headlines ‘Today’ Data Loss Headlines ‘Tomorrow’Council: 981 records of residents postal votes statements containing names, addresses, date of birth and
signatures found on an iPhone sold on eBay
Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million recordsMalicious app downloaded from the App Store compromised an employees iPad allowing the theft of an unknown number of credit cards at fifth largest credit card processor
NHS: 2664 records lost due to personal
mobile phone stolen from a staff members home containing name, address, date of birth, NHS numbers
Mobile Device Management is crucial when allowing personal mobile phones to access corporate data
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ISF survey
A total of 53 different representatives from different Member environments.Respondents from the following areas: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11)Respondents from the following areas: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1)
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ISF Survey – Question 7
What is the most critical issue your organisation faces when trying to provide security for BYOD?As expected, leakage of business information was the number one answer, however many organisations have stated a different challenge to be their most critical issue for BYOD: Business information left on personal devices
sent for repair or disposal Protecting the organisations intellectual
property Insecure mobile operating systems,
discrepancies between different versions Diversity of mobile platforms Users are not aware of the risks Device limitations prevent controls to be put
in place Separation of personal and business material Cost of support Network access control to the corporate
network
Maintaining the devices updated with the latest security fixes
Executive interference in the planning process
HR and Legal concerns eDiscovery requirement for physical access
to the device Differing technical capabilities across the
geographic spread of the company Buy in User acceptance of corporate fiddling with
their own ‘personal’ device Regulations, eg PCI compliance Lack of good management tools
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ISF Survey – Question 8
Please share your top three misconceptions about your BYOD experience:Misconceptions included: No need to invest in infrastructure It will be
cheaper for the organisation Lack of information security funding will
prevent this from happening User awareness is enough to prevent
business information from being stored locally on the device
User awareness, user awareness, user awareness
User expectations of reduced need for support, no downtime
Mobile phones connected to the network will introduce viruses
BYOD is easy and the demand for it is high (neither is particularly true)
Adding controls to BYOD makes it considerably less attractive to people who wanted it BYOD will affect productivity (either in a good or bad way)
BYOD cannot be secured Required for attracting new employees, will
increase user satisfaction BYOD is a technology problem Must be usable with every device
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
ISF Survey – Question 9
Please share your top three tips regarding your BYOD approach:
Agree the organisation’s risk appetite before designing a solution
Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workable
Apply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice
Work on a mobility strategy Pickup early with your architecture team to
allow development of deployment strategy, as well as penetration testing teams to assess security Involve legal and HR early enough
Deploy in stages – most demand is related to iPhones, so start with one type of devices and be prepared to expand in the future
Leverage other investments to enforce or improve security
Manage expectations with end users Communicate with your user base in a 2 way
manner Do not treat everyone the same – not one
size fits all Define your service model early Get a decent MDM and NAC Dual factor
authentication Consider laws (eg labour laws) that will
mandate specific reimbursements to employees
Promote in-house secure App developments and open your own App store
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
My experience
1. Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all)
2. MDM’s, all of them, are immature, poorly coded and offer more security features than they deliver
3. Getting the EULA right takes time4. Training is one of the most relied on controls, get it in
place before go live, make sure its good, ensure every one takes it, repeat it regularly
5. Engagement with the vendor can help drive product enhancement
6. Minimum 6 digit Alphanumeric PINs
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
A Quick Survey – Has any one suffered a Security breach as a result of BYOD?
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
No is No Longer An Option
BYOD is already in your organisation!
There Here
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Questions and Answers
Questions
31
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Thank youBenjamin JH
RamdunyKPMG LLP
+44 (0)7825 [email protected]
www.kpmg.co.uk
Information is as valuable as goldyet it can slip through your fingers like water