BYOD: Beating IT’s Kobayashi Maru

BYOD is IT's Kobayashi Maru: a seemingly no-win situation. Users and executives want unlimited choice on devices and access, while IT has to protect corporate data and find some way to support a grab-bag of hardware and operating systems. Can IT really balance these competing demands, or are we being set up to fail?

Transcript of BYOD: Beating IT’s Kobayashi Maru

Page 1: BYOD: Beating IT’s Kobayashi Maru

BYOD: Beating IT’s Kobayashi Maru

Page 2: BYOD: Beating IT’s Kobayashi Maru

Who Am I?

• Michele Chubirka, aka “Mrs. Y.”, security architect and professional contrarian.

• Analyst, blogger, podcaster.

• Researches and pontificates on topics such as security architecture and best practices.

www.healthyparanoia.net

[email protected]

https://www.novainfosec.com/author/mrsy/

@MrsYisWhy

www.linkedin.com/in/mchubirka/

Page 3: BYOD: Beating IT’s Kobayashi Maru

Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes.

http://www.gartner.com/newsroom/id/2466615

Page 4: BYOD: Beating IT’s Kobayashi Maru

Agenda

• The Neuroscience and Psychology Behind BYOD

• Creating a Project Team

• Policies

• Data Classification + User Classification = Access Control

• Supported Applications and Resource Matrix

• Tools and Supporting Technologies

• Common Misconceptions

• Some Use Cases

• Takeaways

Page 5: BYOD: Beating IT’s Kobayashi Maru

Neuroscience, Psychology and BYOD:

How IT Gets it Wrong

Page 6: BYOD: Beating IT’s Kobayashi Maru

• A recent survey of 3,872 20-something workers on BYOD policies found more than half view it as a right, not a privilege.

• 1 out of 3 would violate a company's security policy that forbids them from using personal devices at work or for work purposes.

• Research from Samsung found 29% of employees will use their personal devices in the office without knowing whether this is permitted by their employer's workplace policy.

Shadow IT

Page 7: BYOD: Beating IT’s Kobayashi Maru

Homunculus Argument

A cognitive fallacy based upon the illusion of Cartesian Theater: i.e. a little person or homunculus inside the head watching sensory data on a screen.

Page 8: BYOD: Beating IT’s Kobayashi Maru

Illusion of Cartesian Theater

Page 9: BYOD: Beating IT’s Kobayashi Maru

Physical Boundaries of Mind

• Neuroscientist, V.S. Ramachandran, studies Phantom Limb Syndrome.

• 60% to 80% of those with amputations experience phantom sensations, including pain.

• While working with combat veteran amputees, he discovered that they found relief when they watched another person massage that person’s own limb.

Page 10: BYOD: Beating IT’s Kobayashi Maru

Extended Mind

“Consider two subjects carry out a mathematical task. The first completes the task solely in her head, while the second completes the task with the assistance of paper and pencil. … as long as the cognitive results are the same there is no reason to count the means employed by the two subjects as different.…”

- Neurophilosopher Andy Clark

Page 11: BYOD: Beating IT’s Kobayashi Maru

The idea that mind is limited to “skin and skull” is arbitrary and false.

Page 12: BYOD: Beating IT’s Kobayashi Maru

Beyond Neuroplasticity: The Hybrid Age

“The Hybrid Age is a new sociotechnical era that is unfolding as technologies merge with each other and humans merge with technology …. Externally, technology no longer simply processes our instructions on a one-way street…. We don’t just use technology; we absorb it.”

- Parag Khanna and Ayesha Khanna

Page 13: BYOD: Beating IT’s Kobayashi Maru

Page 14: BYOD: Beating IT’s Kobayashi Maru

Ubiquitous Computing

"The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it."

- Mark Weiser, Chief Scientist at Xerox PARC

Page 15: BYOD: Beating IT’s Kobayashi Maru

The End of Ownership

• According to Drupal creator and co-founder of Acquia, Dries Buytaert, industries now succeed by eliminating production.

• Examples:

– Open Source software
– Tesla releases patents
– Uber
– Airbnb
– Spotify and Pandora

Page 16: BYOD: Beating IT’s Kobayashi Maru

The answer to BYOD cannot be, “No,” but a qualified “Yes, and….”

Page 17: BYOD: Beating IT’s Kobayashi Maru

How To Start

Page 18: BYOD: Beating IT’s Kobayashi Maru

Building the Project Team

• Involve stakeholders from all areas of the business, including HR, Finance, Legal and Information Security.

• Buy-in is critical to get the project off the ground.

Page 19: BYOD: Beating IT’s Kobayashi Maru

Taxonomy: Policy, Standards, Guidelines and Procedures

http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/

Page 20: BYOD: Beating IT’s Kobayashi Maru

Definition: Policy

A course or principle of action adopted or proposed by a government, party, business, or individual.

- Oxford Dictionary

This should be a high level statement.

Page 21: BYOD: Beating IT’s Kobayashi Maru

Definition: Standards

Mandatory activities, actions or rules. Standards give a policy its support and reinforcement in direction.

- CISSP Exam Guide, Shon Harris

Page 22: BYOD: Beating IT’s Kobayashi Maru

Definition: Guidelines

Recommended actions and operational guides.

- CISSP Exam Guide, Shon Harris

Page 23: BYOD: Beating IT’s Kobayashi Maru

Definitions: Procedure

A particular way of accomplishing something. Detailed series of tasks. Instructions.

Page 24: BYOD: Beating IT’s Kobayashi Maru

Policies + Standards = Requirements

You should have the following in place for BYOD:

– High-level BYOD Policy
– Acceptable Use Policy (AUP)
– End User Agreement (EUA)
– Data Classification and Handling Standards
– Basic User Roles/Classification
– Supported Application List
– Resource Matrix, aka Business and Service Technical Catalogs

Page 25: BYOD: Beating IT’s Kobayashi Maru

BYOD Policy

• Leverage templates from Gartner, Corporate Executive Board, Info~Tech or even the White House (http://www.whitehouse.gov/digitalgov/bring-your-own-device).

• Learn from other organizations such as academia.

• Make sure to define terms clearly.

– Example: what is the policy’s definition of a mobile device?

• Establishes the “rules of engagement” with users.

• Should align closely with your AUP.

• Include references to “supported” applications, operating systems and devices itemized in a separate standards document.

• Describe categories of access based upon controls: container, full management or internet-only.

Page 26: BYOD: Beating IT’s Kobayashi Maru

AUP and EUA

• Agreements establish the boundaries between the organization and the user community for how digital resources may be used.

• Protects the organization and the user by defining the responsibilities of each party and the consequences to the user for violation.

• Addresses security issues related to accessing the device in the event of a malware or data breach.

• Establishes opt-in for device posturing or agent installation on the users’ hardware.

• Defines privacy and confidentiality issues related to organization’s vs. user’s data.

Page 27: BYOD: Beating IT’s Kobayashi Maru

Sample AUP Template

https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

Page 28: BYOD: Beating IT’s Kobayashi Maru

End User Agreement

Page 29: BYOD: Beating IT’s Kobayashi Maru

Data Classification + User Classification = Access Control

• Data has value and should be organized according to:

– Sensitivity to loss
– Disclosure
– Unavailability

• Appropriate application of controls creates the handling standards.

• User roles or personas determine privilege levels.

• Access controls are determined by the intersection of data classification with user classification.
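As an added worked example (not code from the talk), the intersection rule on this slide can be written as a small policy function that combines the resource matrix, the user personas and the three device control categories the deck names (container, full management, internet-only). Every application name, role name and ceiling below is constructed for illustration.

```python
# Added example, not part of the original deck: access is granted only when the
# resource's data class is within BOTH the user's ceiling and the device's ceiling.
# All names and thresholds are constructed sample values.
from enum import IntEnum


class DataClass(IntEnum):
    """Ordered sensitivity levels; higher means more damage on loss or disclosure."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Resource matrix: which enterprise application carries which class of data.
RESOURCE_MATRIX = {
    "intranet-news": DataClass.PUBLIC,
    "email-calendar": DataClass.INTERNAL,
    "crm": DataClass.CONFIDENTIAL,
    "payroll": DataClass.RESTRICTED,
}

# User classification: the highest data class each persona is allowed to handle.
ROLE_CEILING = {
    "contractor": DataClass.INTERNAL,
    "employee": DataClass.CONFIDENTIAL,
    "finance": DataClass.RESTRICTED,
}

# Device control category: the highest data class each control level is trusted with.
# An internet-only device reaches public resources and nothing else.
DEVICE_CEILING = {
    "internet-only": DataClass.PUBLIC,
    "container": DataClass.CONFIDENTIAL,
    "full-management": DataClass.RESTRICTED,
}


def decide_access(role: str, device: str, app: str) -> bool:
    """Return True only if the app's data class fits under both ceilings.
    Unknown roles, devices or apps are denied, so the policy fails closed."""
    if role not in ROLE_CEILING or device not in DEVICE_CEILING or app not in RESOURCE_MATRIX:
        return False
    ceiling = min(ROLE_CEILING[role], DEVICE_CEILING[device])
    return RESOURCE_MATRIX[app] <= ceiling


def allowed_apps(role: str, device: str) -> list:
    """Everything a persona may reach from a given device control level."""
    return sorted(app for app in RESOURCE_MATRIX if decide_access(role, device, app))
```

Raising the device from container to full management is what unlocks the most sensitive resources for a persona that is already cleared for them; raising the persona alone does not.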

Page 30: BYOD: Beating IT’s Kobayashi Maru

Sample Data Classification Matrix

Page 31: BYOD: Beating IT’s Kobayashi Maru

User Classification

Page 32: BYOD: Beating IT’s Kobayashi Maru

What Will You Support?

• Even though you don’t own the device, what applications will you license and/or support on it?

• How will you communicate and document this?

• Many support costs don’t go away, they simply shift.

Page 33: BYOD: Beating IT’s Kobayashi Maru

Supported Applications

Page 34: BYOD: Beating IT’s Kobayashi Maru

Resource Matrix

• Decide what enterprise applications will be offered for BYOD users.

• Base it on the data classification and level of risk the organization will accept.

• Build the matrix from existing business and service technical catalogs.

Page 35: BYOD: Beating IT’s Kobayashi Maru

Resource Matrix

Page 36: BYOD: Beating IT’s Kobayashi Maru

Device Management Categories

• Mobile Device Management

• Mobile Application Management

• Containers

Page 37: BYOD: Beating IT’s Kobayashi Maru

Container or Sandbox

• Provides a secure space for managed content on the device.

• All resources, including proprietary applications, business email, calendar and contacts, reside here.

• Accomplished by installation of an app.

• User retains full control of the device.

Page 38: BYOD: Beating IT’s Kobayashi Maru

Containers Vs. Full Device Management

• Offer users choices based on the type of data and access they want.

• By offering options, you improve adoption and compliance.

• Helps address users’ privacy concerns and control issues with BYOD, while still allowing the business to secure its data.

Page 39: BYOD: Beating IT’s Kobayashi Maru

Tools and Supporting Technologies

• RADIUS

• 802.1X

• LDAP

• Mobile Device Management (MDM) tools for onboarding

• Endpoint agents

• VDI/DaaS

• Other traditional security controls

Page 40: BYOD: Beating IT’s Kobayashi Maru

RADIUS, LDAP and 802.1X

• Remote Authentication Dial In User Service (RADIUS)

– Centralized Authentication, Authorization, and Accounting (AAA) for network services
– FreeRADIUS, Radiator, Cisco ISE

• Lightweight Directory Access Protocol (LDAP)

– Based on X.500
– Distributed directory over an IP network

• 802.1X

– IEEE standard for port-based network access control
– Defines EAP (Extensible Authentication Protocol)
– Frequently used in enterprise wireless

Page 41: BYOD: Beating IT’s Kobayashi Maru

MDM and VDI

• Mobile Device Management (MDM)

– Jamf, Airwatch, Citrix, MobileIron, Good Technology

• Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS)

– Citrix, VMware, Microsoft

Page 42: BYOD: Beating IT’s Kobayashi Maru

Use Cases: What Worked and What Didn’t

• Academia: the original BYOD environment

• Consultants/contractors

• Non-profit with researchers

• Media company: implicit BYOD

Page 43: BYOD: Beating IT’s Kobayashi Maru

Common Misconceptions

• BYOD is less secure.

• I can say “no” to BYOD.

• BYOD will always save money.

• I have to buy expensive solutions.

• I have to reimburse users to force adoption.

• We don’t need to consult HR or Legal.

Page 44: BYOD: Beating IT’s Kobayashi Maru

Takeaways

• Controls should focus on data/resources, not technology.

• Policies become requirements; don’t jump to solutions. You will pay for it later if you skip this step.

• Get executive buy-in on policies and sign-off on design. Otherwise you’ll be redesigning later.

• Training and end user support are critical.

• Offer options: full device management vs. containerization.

• BYOD is no longer optional.

Page 45: BYOD: Beating IT’s Kobayashi Maru

Questions?

Page 46: BYOD: Beating IT’s Kobayashi Maru

Where Can You Find Me?

Michele Chubirka
Spending quality time in kernel mode.
Star Trek, never Star Wars.
http://www.healthyparanoia.net
http://novainfosec.com
Twitter @MrsYisWhy
Google+ [email protected]