TRANSCRIPT
BYOD and Mobile Device Security
Shirley Erp, CISSP CISA
November 28, 2012
Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/SWCAcademy.html.
If you wish to ask questions:
• Click on the “Raise Hand” button. The webinar administrator will un-mute you at the appropriate time. Note: Remember to turn down your speaker volume to avoid feedback.
• Questions may also be typed in the GoToWebinar Question panel.
CPE credit is available for this webinar for attendees who attend the live webinar. Please request credit by sending an email to the UT Systemwide Compliance Office at [email protected].
Please provide your feedback in the post‐session survey.
Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011–2016
http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11‐520862.html
1 EB = 1,000,000,000 gigabytes or 1,000,000 terabytes
BYOD (Bring Your Own Device)
Why? = Savings:
• No product purchases, management, or maintenance
• No training, replacement, or support headaches
• Employee satisfaction with freedom to choose
• Device consolidation (work cell + personal cell + work iPad + etc.)
• Work and communication flexibility 24x7
BYOD (Bring Your Own Device)
User Considerations:
• Privacy - a personal phone is like a wallet
• Device ownership and service expenses
• Numerous applications and malware
• Insecure habits
• Unencrypted sensitive university data
It Is The Way We Live, Work, Eat, and Play
Summary: More of us are bringing our smartphones and tablets to work, but very few enable even the most basic security measures.
[Chart: Personal Devices Used for Work, by device type (Laptop, Smartphone, Tablet), with series “Unprotected” and “Use Auto-Lock”; values shown: 51%, 38%, 15% and 1/3, 1/4, 1/10; y-axis 0% to 100%.]
Source: http://www.zdnet.com/blog/mobile-gadgeteer/byod-security-problem-less-than-10-of-tablet-owners-use-auto-lock/5536 (article from March 1, 2012)
Personal Devices Used for Work
BYOD is a Security Problem
Assume Owners are Zombies
Key findings from Symantec’s Smartphone Honey Stick Project
[Chart, y-axis 0% to 100%: General Access 96%; Accessed Personal 89%; Accessed Business 83%; Accessed Personal and Business 70%; Owner Contacted 50%.]
Mobile Data Risks
Source: http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=symantec-smartphone-honey-stick-project
[Screenshots: Default Configuration vs. After Configuration]
MDM (Mobile Device Management)
What is MDM?
• Enterprise software that secures, monitors, manages and supports various mobile devices
• Devices include: mobile phones, tablets, laptops, etc.
• May be a managed Cloud service or a company-run technology
• A server component with web-enabled remote management
• Agent or Agentless
What Can It Do?
Central management functions may include:
• Encryption
• Policy management and enforcement
• Separation of personal vs. business data
• Software/application management
• Firmware updates
• Backup and restores
• Network usage and support
• Asset tracking and management
• Remote lock and selective wipes
• Troubleshooting and diagnostics tools
• Logging and reporting
• Remote administration, configuration, and provisioning
ActiveSync vs. MDM
ActiveSync is a data synchronization technology and protocol integrated into Exchange, which provides:
• Synchronization of email, calendar, contacts, and tasks
• Supports various mobile platforms
• Supports basic security policies, limited to those ActiveSync features integrated into the mobile device
• ActiveSync has no way of identifying which mailboxes have a mobile device paired with it
• ActiveSync cannot identify the number of mobile devices or type of mobile devices paired with a mailbox
ActiveSync vs. MDM
ActiveSync Security Features Include:
• Transmission encryption - SSL
• Two-factor authentication
• Remote wipe - erases all data from the mobile phone
• Device password policies include several options:
  1) Minimum password length
  2) Require alphanumeric password
  3) Inactivity time lockup
  4) Enforce password history
  5) Enable password recovery
  6) Wipe device after failed attempts
• Device encryption policies include:
  1) Requiring encryption on device
  2) Require encryption on storage cards
MDM Security Decisions
Security Requirements?
• Formal Policy
• Email
• Calendar
• Contacts
• Attachments
• Browsing
• Passwords
• Secure Connection
• Secure Bluetooth
• Encryption – stored and in transit
• Protections – Jailbroken, malware, etc.
• Compliance requirements – HIPAA, FISMA, etc.
MDM Considerations
Enterprise Needs:
• Platforms – iPhone, Android, tablet, laptop, etc.
• Location mobility
• BYOD – Bring your own device
• Ease of use and deployment
• Assistance - help desk or self-service
• Staff resources
• Enterprise Applications – SharePoint, Web apps
• Administration - inside and outside
• Travel to Foreign Countries
• Carrier cost for enterprise agents
• Total Cost of Ownership (TCO)
[Diagram: Architecture? INSIDE vs. OUTSIDE placement of BYOD devices, Enterprise Apps, and the MDM Server]
A Perspective
Must Haves:
• Support device diversity
• Not allow jailbroken devices (must be able to detect them)
• Support auto password locking features
• Encrypt the institution’s data (both data at rest and in transit)
• Support containerization
• Be user friendly and intuitive
• Remotely lock devices
• Support automated agent software updates
• Be affordable and scalable
• Wipe university data remotely (controlled wipe)
• Support controls for access to enterprise assets
• Auto-clean devices that have not accessed the network over a specified period of time
• Have the ability to manage attachments (i.e. read-only, not allowing .exe)
A Perspective
Nice To Haves:
• Antivirus where needed and available
• Software and version standards and requirements prior to access
• Register and vet users with an Active Directory association with the university
• Administrative control and viewing of activity and tagging for stolen devices
• Password and encryption strength controls
• Grouping and role capabilities that allow for varying configurations up to and including FISMA standards
• Reporting, monitoring, and inventory management
• Easy user registration with auto network identity integration checks
• Support/service channels within the product
MDM Project Plan
Initiate
• BYOD plan
• Risk assessment
• MDM research
• Desired features
• Identify stakeholders
• Designate sponsor
• Funding source
• Business case
• Preliminary budget estimate
Plan
• Scope
• MDM requirements
• Product testing
• Product selection
• Architecture
• Procurement
• Resource staffing
• Schedule
• Budget
• Carrier requirements
• Decide performance metrics
Implement
• Mobile policy
• Carrier and service needs awareness
• User agreements
• Security standards
• Training
• Communication
• Support structure
• Phased roll-out
• Performance tracking
• Reporting
Maintain
• Monitor
• Troubleshoot
• Update product
• Update agents
• User instructions
• FAQs, tips, Q&As
• Self-service options
• User support
• Device management and retirement
• Assess new features
• Review risks
Example BYOD Policy
Example BYOD Policy ‐ continued…
Example Standards
All mobile devices will:
• Support certificates for registration and authentication
• Run the latest operating systems available, and within a month of their being released
• Be locked with a PIN containing a minimum length of 6 characters
• Run university approved and required anti-virus software, where possible
• Access enterprise applications using the provided VPN client, SSL or IPSec
• Change their PIN annually or immediately after exposure
• Use the encryption container for storing sensitive university data on the device
• Have the device wiped after a maximum of 15 failed attempts
• Set the auto-lock feature or idle time-out to 5 minutes
• Not allow peer-to-peer (P2P) file sharing applications
• Not install unapproved cloud-based applications for use with university data
• Not utilize instant messaging applications for university information
• Not utilize unapproved third party applications for university data or business
• etc.
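The ActiveSync password and encryption policy options listed under “ActiveSync vs. MDM” map directly onto several of the Example Standards above (6-character PIN, 5-minute auto-lock, annual PIN change, wipe after 15 failed attempts, device and storage-card encryption). The following Exchange 2010 Management Shell script is an added example, not part of the webinar or of any UT System configuration, that encodes that subset as an ActiveSync mailbox policy and then reads it back to flag drift; the policy name, mailbox alias and password-history depth are assumed values, and the standards ActiveSync cannot express (containerization, blocking P2P or unapproved apps, read-only attachments) still need MDM.

```powershell
# Added example (not from the webinar): Exchange 2010 ActiveSync mailbox policy that
# enforces the subset of the Example Standards that ActiveSync itself can carry.
# Assumes an Exchange Management Shell session; policy name, alias and history depth are assumed.
$PolicyName = 'UT-BYOD-Baseline'   # assumed name

# Map each standard to the ActiveSync policy setting that enforces it.
$Standard = @{
    AllowNonProvisionableDevices       = $false          # refuse devices that cannot apply the policy
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true           # 2) require alphanumeric password
    AllowSimpleDevicePassword          = $false
    MinDevicePasswordLength            = 6               # PIN minimum length of 6 characters
    MaxInactivityTimeDeviceLock        = '00:05:00'      # auto-lock / idle time-out 5 minutes
    DevicePasswordHistory              = 5               # 4) enforce password history (depth assumed)
    PasswordRecoveryEnabled            = $true           # 5) enable password recovery
    MaxDevicePasswordFailedAttempts    = 15              # wipe after 15 failed attempts
    DevicePasswordExpiration           = '365.00:00:00'  # change PIN annually
    RequireDeviceEncryption            = $true           # require encryption on device
    RequireStorageCardEncryption       = $true           # require encryption on storage cards
}

# Create the policy if it does not exist, then apply every setting at once by splatting.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $PolicyName | Out-Null
}
Set-ActiveSyncMailboxPolicy -Identity $PolicyName @Standard

# Verification: read the policy back and report any setting that drifted from the standard.
function Test-BaselinePolicy {
    param([string] $Name, [hashtable] $Expected)
    $actual = Get-ActiveSyncMailboxPolicy -Identity $Name
    $drift = @()
    foreach ($key in $Expected.Keys) {
        # Compare as strings so TimeSpan/Unlimited values line up with the literals above.
        if ("$($actual.$key)" -ne "$($Expected[$key])") {
            $drift += '{0}: is "{1}", expected "{2}"' -f $key, $actual.$key, $Expected[$key]
        }
    }
    return $drift   # empty array when the policy matches the standard
}
Test-BaselinePolicy -Name $PolicyName -Expected $Standard

# Assign the policy to a mailbox (the alias is a placeholder).
Set-CASMailbox -Identity 'user.alias' -ActiveSyncMailboxPolicy $PolicyName
```

Exchange 2013 and later renamed these cmdlets to New-/Set-/Get-MobileDeviceMailboxPolicy and dropped the “Device” prefix from most parameter names, so the hashtable keys need adjusting there.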
MDM User Agreements
Requirements:
• Make known the security vs. privacy tradeoffs
• Avoid bill shock - awareness of the usage implications
• Whether employer stipends are available
• Communicate security configuration requirements and IT actions: wiping data, tracking locations, removing applications, restricting attachments, deploying agents, monitoring
• User responsibilities: legal mandates, open records, audits; device purchases, service charges, accessories; employer notification (lost, stolen, replacements)
Example - BYOD User Agreement
I understand and will abide by the following:
1. I understand that by using my mobile device(s) for university business, there are some privacy and usability tradeoffs due to technology constraints or required security controls.
2. By using my personal mobile device(s) for university business, I understand it is my responsibility to help protect university data located on my mobile device(s) and protect the information on any backup systems.
3. I am responsible for providing and maintaining my mobile device(s), cellular service plan(s), associated equipment, and accessories.
4. I am solely responsible for any and all expenses incurred from the use, damage, loss and/or theft of my mobile device(s), and the university has no financial or legal liability.
5. I shall observe all applicable local, state, and federal laws for my mobile device(s) which are used for university purposes.
6. I understand a university product agent will be installed on my mobile device to provide security and remote management for protecting university data.
7. I understand the university reserves the right to wipe some or all data from my mobile device(s) in the event that I separate, opt out, or lose/replace the mobile device. Where possible, reasonable measures will be taken to preserve personal data.
8. If my mobile device(s) is placed on legal hold, I must surrender it immediately to the university if requested, and all relevant files may be copied and used in a university legal matter.
9. I understand my mobile device(s) are subject to open records requests or audit processes, where I must cooperate by providing the university data stored on my mobile device(s) in a verifiable manner.
10. The password on the mobile device(s) must be maintained at all times and must only be known to me.
11. I understand university administrators own and manage the agent on my mobile device(s), and I also give them permission to manage my mobile device(s) according to the university mobile device configuration standard.
12. I understand the university has the right, at any time and without notice, to suspend or deny access to university resources.
13. I have the right to opt out of the university BYOD mobile device program; however, all university owned data will be removed. I am also responsible for removing any university data from all other locations where it has been copied.
14. The university has a right to change or terminate stipend programs at any time upon thirty (60) days advance notice without further reimbursement obligation.
15. I have read and will abide by all university policies.
Printed Name ___________________________ Signature ___________________________ Date _____________________
[Closing slide: Technologies, Priorities, Policy, BYOD, Resources, Direction]
Discussion