BYOD: Beating IT’s Kobayashi Maru
Who Am I?
• Michele Chubirka, aka “Mrs. Y.”, security architect and professional contrarian.
• Analyst, blogger, podcaster.
• Researches and pontificates on topics such as security architecture and best practices.
www.healthyparanoia.net
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/
Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes.
http://www.gartner.com/newsroom/id/2466615
Agenda
• The Neuroscience and Psychology Behind BYOD
• Creating a Project Team
• Policies
• Data Classification + User Classification = Access Control
• Supported Applications and Resource Matrix
• Tools and Supporting Technologies
• Common Misconceptions
• Some Use Cases
• Takeaways
Neuroscience, Psychology and BYOD:
How IT Gets it Wrong
• A recent survey of 3,872 20-something workers on BYOD policies found more than half view it as a right, not a privilege.
• 1 out of 3 would violate a company's security policy that forbids them using personal devices at work or for work purposes.
• Research from Samsung found 29% of employees will use their personal devices in the office without knowing whether this is permitted by their employer's workplace policy.
Shadow IT
Homunculus Argument
A cognitive fallacy based upon the illusion of Cartesian Theater: i.e. a little person or homunculus inside the head watching sensory data on a screen.
Illusion of Cartesian Theater
Physical Boundaries of Mind
• Neuroscientist, V.S. Ramachandran, studies Phantom Limb Syndrome.
• 60% to 80% of those with amputations experience phantom sensations, including pain.
• While working with combat veteran amputees, he discovered that they found relief when another person massaged his or her own limb.
Extended Mind
“Consider two subjects carry out a mathematical task. The first completes the task solely in her head, while the second completes the task with the assistance of paper and pencil. … as long as the cognitive results are the same there is no reason to count the means employed by the two subjects as different.…”
-Neurophilosopher, Andy Clark
The idea that mind is limited to “skin and skull” is arbitrary and false.
Beyond Neuroplasticity: The Hybrid Age
“The Hybrid Age is a new sociotechnical era that is unfolding as technologies merge with each other and humans merge with technology …. Externally, technology no longer simply processes our instructions on a one-way street…. We don’t just use technology; we absorb it.”
- Parag Khanna and Ayesha Khanna
Ubiquitous Computing
"The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it."
- Mark Weiser, Chief Scientist at Xerox PARC
The End of Ownership
• According to Drupal creator and co-founder of Acquia, Dries Buytaert, industries now succeed by eliminating production.
• Examples:
– Open Source software
– Tesla releases patents
– Uber
– Airbnb
– Spotify and Pandora
The answer to BYOD cannot be, “No,” but a qualified “Yes, and….”
How To Start
Building the Project Team
• Involve stakeholders from all areas of the business, including HR, Finance, Legal and Information Security.
• Buy-in is critical to get the project off the ground.
Taxonomy: Policy, Standards, Guidelines and Procedures
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/
Definition: Policy
A course or principle of action adopted or proposed by a government, party, business, or individual.
- Oxford Dictionary
This should be a high level statement.
Definition: Standards
Mandatory activities, actions or rules. Standards give a policy its support and reinforcement in direction.
- CISSP Exam Guide, Shon Harris
Definition: Guidelines
Recommended actions and operational guides.
- CISSP Exam Guide, Shon Harris
Definitions: Procedure
A particular way of accomplishing something. Detailed series of tasks. Instructions.
Policies + Standards = Requirements
You should have the following in place for BYOD:
– High-level BYOD Policy
– Acceptable Use Policy (AUP)
– End User Agreement (EUA)
– Data Classification and Handling Standards
– Basic User Roles/Classification
– Supported Application List
– Resource Matrix, aka Business and Service Technical Catalogs
BYOD Policy
• Leverage templates from Gartner, Corporate Executive Board, Info~Tech or even the White House (http://www.whitehouse.gov/digitalgov/bring-your-own-device).
• Learn from other organizations such as academia.
• Make sure to define terms clearly.
– Example: what is the policy’s definition of a mobile device?
• Establishes the “rules of engagement” with users.
• Should align closely with your AUP.
• Include references to “supported” applications, operating systems and devices itemized in a separate standards document.
• Describe categories of access based upon controls: container, full management or internet-only.
AUP and EUA
• Agreements establish the boundaries between the organization and the user community for how digital resources may be used.
• Protects the organization and the user by defining the responsibilities of each party and the consequences to the user for violation.
• Addresses security issues related to accessing the device in the event of a malware or data breach.
• Establishes opt-in for device posturing or agent installation on the users’ hardware.
• Defines privacy and confidentiality issues related to organization’s vs. user’s data.
Sample AUP Template
https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
End User Agreement
Data Classification + User Classification = Access Control
• Data has value and should be organized according to:
– Sensitivity to loss
– Disclosure
– Unavailability
• Appropriate application of controls creates the handling standards.
• User roles or personas determine privilege levels.
• Access controls are determined by the intersection of data classification with user classification.
Sample Data Classification Matrix
User Classification
What Will You Support?
• Even though you don’t own the device, what applications will you license and/or support on it?
• How will you communicate and document this?
• Many support costs don’t go away, they simply shift.
Supported Applications
Resource Matrix
• Decide what enterprise applications will be offered for BYOD users.
• Base it on the data classification and level of risk the organization will accept.
• Build the matrix from existing business and service technical catalogs.
Resource Matrix
Device Management Categories
• Mobile Device Management
• Mobile Application Management
• Containers
Container or Sandbox
• Provides a secure space for managed content on the device.
• All resources, including proprietary applications, business email, calendar and contacts, reside here.
• Accomplished by installation of an app.
• User retains full control of the device.
Containers Vs. Full Device Management
• Offer users choices based on the type of data and access they want.
• By offering options, you improve adoption and compliance.
• Helps address users’ privacy concerns and control issues with BYOD, while still allowing the business to secure its data.
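The “intersection” rule from the access-control slide and the container / full-management / internet-only tiers above can be expressed as a small policy-as-code check that also generates the resource matrix. This is an added example, not material from the deck: the classification levels, role clearances, handling thresholds and application catalog are constructed sample values.

```python
"""Added example: data classification x user classification -> access,
producing the BYOD resource matrix. Levels, roles, thresholds and the
application catalog below are constructed sample values, not from the deck."""
from dataclasses import dataclass

# Ordered low->high: a higher index is more sensitive / more privileged / more controlled.
SENSITIVITY = ["public", "internal", "confidential", "restricted"]
DEVICE_TIERS = ["internet-only", "container", "full-management"]
# Constructed handling standard: least device control tier each classification needs.
REQUIRED_TIER = {"public": "internet-only", "internal": "container",
                 "confidential": "container", "restricted": "full-management"}
# Constructed personas: highest classification each role is cleared to handle.
ROLE_CLEARANCE = {"contractor": "internal", "staff": "confidential", "finance": "restricted"}

@dataclass(frozen=True)
class Resource:
    name: str
    loss: str            # sensitivity to loss
    disclosure: str      # sensitivity to disclosure
    unavailability: str  # sensitivity to unavailability

    def classification(self) -> str:
        # The resource is classified by its most sensitive dimension.
        return max((self.loss, self.disclosure, self.unavailability), key=SENSITIVITY.index)

def decide(resource: Resource, role: str, device_tier: str):
    """Return (allowed, reason): the user must be cleared for the data AND the
    device must sit under at least the control tier the data requires."""
    level = resource.classification()
    if SENSITIVITY.index(ROLE_CLEARANCE[role]) < SENSITIVITY.index(level):
        return False, f"{role} is not cleared for {level} data"
    needed = REQUIRED_TIER[level]
    if DEVICE_TIERS.index(device_tier) < DEVICE_TIERS.index(needed):
        return False, f"{level} data needs at least {needed}"
    return True, f"{level} data permitted under {device_tier}"

def resource_matrix(resources, roles=ROLE_CLEARANCE, tiers=DEVICE_TIERS) -> dict:
    """For each (app, role): the least controlled tier that still grants access,
    or None when the role can never reach the app from a personal device."""
    return {(r.name, role): next((t for t in tiers if decide(r, role, t)[0]), None)
            for r in resources for role in roles}

CATALOG = [  # constructed sample catalog
    Resource("intranet-news", "public", "public", "internal"),
    Resource("business-email", "internal", "confidential", "confidential"),
    Resource("payroll", "restricted", "restricted", "confidential"),
]
```

Running `resource_matrix(CATALOG)` yields the per-application, per-role table the deck calls a resource matrix; changing a handling threshold in REQUIRED_TIER regenerates it without touching any application.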
Tools and Supporting Technologies
• RADIUS
• 802.1X
• LDAP
• Mobile Device Management (MDM) tools for onboarding
• Endpoint agents
• VDI/DaaS
• Other traditional security controls
RADIUS, LDAP and 802.1X
• Remote Authentication Dial In User Service (RADIUS)
– Centralized Authentication, Authorization, and Accounting (AAA) for network services
– FreeRADIUS, Radiator, Cisco ISE
• Lightweight Directory Access Protocol (LDAP)
– Based on X.500
– Distributed directory over an IP network
• 802.1X
– IEEE standard for port-based network access control
– Defines EAP (Extensible Authentication Protocol)
– Frequently used in enterprise wireless
MDM and VDI
• Mobile Device Management (MDM)
– Jamf, AirWatch, Citrix, MobileIron, Good Technology
• Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS)
– Citrix, VMware, Microsoft
Use Cases: What Worked and What Didn’t
• Academia: the original BYOD environment
• Consultants/contractors
• Non-profit with researchers
• Media company: implicit BYOD
Common Misconceptions
• BYOD is less secure.
• I can say “no” to BYOD.
• BYOD will always save money.
• I have to buy expensive solutions.
• I have to reimburse users to force adoption.
• We don’t need to consult HR or Legal.
Takeaways
• Controls should focus on data/resources, not technology.
• Policies become requirements; don’t jump to solutions. You will pay for it later if you skip this step.
• Get executive buy-in on policies and sign-off on design. Otherwise you’ll be redesigning later.
• Training and end user support is critical.
• Offer options: full device management vs. containerization.
• BYOD is no longer optional.
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel mode.
Star Trek, never Star Wars.
http://www.healthyparanoia.net
http://novainfosec.com
Twitter @MrsYisWhy
Google+ [email protected]