Bring Your Own Computer To Work - What Now?

Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI, SPYRUS, Inc
Michael F. Angelo, CSA, NetIQ Corporation

Uploaded by netiq, posted 16-May-2015. 37 slides.

DESCRIPTION

At RSA Europe 2010, Ron LaPedis and Michael F. Angelo gave a presentation on Consumerization titled "Bring Your Own Computer to Work – What Now?". The presentation covered Consumerization issues as embodied by the use of non-corporate-owned computers in the corporate environment. With this in mind, they discussed the potential bleed-out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC

TRANSCRIPT

Page 1: Bring Your Own Computer To Work - What Now?

© 2010 NetIQ Corporation. All rights reserved.

Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI, SPYRUS, Inc
Michael F. Angelo, CSA, NetIQ Corporation

Page 2: Bring your own computer

BYOC is Consumerization of IT
How It Happens
Organizational Benefits and Impact
Action Today, Tomorrow, Future

Page 3: Bring your own computer

Summary
Questions
Pop Down to the Pub

Page 4: BYOC is Consumerization of IT

Page 5: What Is Consumerization?

Changing the Face of Work
− Consumer-based Social Media for advertising
− Consumer-based Financial Services for accounts receivable
− Use of consumer or Free Software for sustaining corporate infrastructure

And… What we are going to focus on:
− Use of personal equipment in the corporate environment

Page 6: Consumerization of IT

Use of employee owned resources for company work

[Diagram "Evolution": employee-owned equipment used for work, from mice, keyboards and monitors, through home equipment for remote access, mobile phones, Wi-Fi cards, flash drives, PDAs, music players and smart phones, to the desktop / laptop itself]

Page 7: How widespread is consumerization?

[Bar chart: for Laptop, PDA, Mobile Phone and Smart Phone, the share that is "Employee Purchased" and the share that is the employee's "Primary Machine"; vertical axis 0 to 80. Source: In-Stat]

Page 8: How It Happens

Page 9: How It Happens

Don’t want to use your Pentium III with 256 MB RAM & 60 GB HD
Don’t want to use your OS
Don’t want to use IE6
Don’t want to use your software tools
Don’t want to be locked down

Page 10: What is your policy?

Secretive
Ignored
Unofficially Supported
Officially Supported
Subsidized

Page 11: Benefit and Impact

Page 12: Benefits and drawbacks

Benefits
− Companies save 9-40% on equipment purchase cost*
− Exit the hardware business
− Employee satisfaction
− Higher productivity
− Longer work hours

Drawbacks
− Helpdesk: knowledge, loaner
− Hardware: capability, configuration, maintenance / warranty, upgrades
− Software: interoperability, upgrades / updates, vulnerabilities

*Source: Gartner

Page 13: Organizational impact - ownership

Logins
− Personal login information on corporate machine
− Social Networks / Professional Associations
− Corporate login information on personal machine
− VPN Configuration
− User IDs and passwords stored in browsers

Software Ownership
− Personal software
− Restricted use licenses
− Corporate software on home equipment

Page 14: Organizational impact - legal issues

Legislated Privacy
− EU data protection act
− USA HIPAA, SOX, GLBA
− Country, state/province, local (e.g. CA SB 1386)
− More laws pending

Cross contamination
− Corporate backup includes personal information
− Personal backup includes corporate information

Page 15: Organizational impact - security

Information Leakage
− Family & friends
− Device loss
− Virus
− Personal email – spear phishing

Increased Exposure to Threats
− Surfing at Home <> Surfing at Work
− Torrents

Page 16: Organizational impact - non-obvious issues

Acceptable use policies
− How to apply to personal machines?

Out processing of individuals
− How do you know organizational data is removed from the employee machine?
− Software
− PST files
− Passwords / wireless / VPN access
− Residual data
− Employee / corporate backups

Page 17: Action To Take

Page 18: Action to take today

Is it already there?
− Run, don’t walk to your legal staff

Decide if you will allow Consumerization
− Don’t wait for it to happen and then rush to formulate policy and procedures

Decision must explicitly include all possible components
Decision must be extended as new technology becomes available

Page 19: Action today - Define policies

Balance:
− Corporate vs Employee vs Customer

Corporate:
− Must comply with laws
− Must maintain fiduciary responsibility
− Must not expose corporate assets
− At a minimum should address: employee responsibility, acceptable use, protection of assets

Page 20: Action today - Incident response plan

Even with Policies & Procedures accidents can happen…
Need incident response plan

Page 21: Technical Solutions

Page 22: Action today

Security 101:
− Keep secret stuff separate from non-secret stuff
− Keep corporate stuff separate from personal stuff

Separate personal and corporate identities
− Compartmentalize the environments to reduce the risk of accidents.

Page 23: Action today - Compartmentalization

Application isolation
Separate user accounts
Virtual Desktop Infrastructure (VDI)
Hypervisor on PC
OS or Hypervisor on USB drive
− Windows-on-a-stick
− PC-in-my-pocket

Page 24: Action today - Separate user accounts

Work and Personal
Mac, PC, or Linux
Fast user switching
− Separate context
− Subject to worms and viruses
− Can share information via common file system

[Diagram "Separate Users": one computer running a host OS with two users, User 1 and User 2, each running their own apps]

Page 25: Action today - VDI

Virtual Desktop Infrastructure (VDI)

Page 26: Action today - Type 2 hypervisor

Aka Hosted Hypervisor
Still subject to worms and viruses
Harder to accidentally share information, but cross-contamination still possible

[Diagram "Type 2 Hypervisor": one computer running a host OS; the host OS runs apps and a hypervisor, and the hypervisor runs a hosted OS with its own apps]

Page 27: Action not-quite-today - Type 1 hypervisor

Aka Native Hypervisor
Almost impossible to share information
Only common attack is hypervisor itself
Each OS can be attacked separately

[Diagram "Type 1 Hypervisor": one computer running a hypervisor directly on the hardware, with OS 1 and OS 2 on top, each running its own apps]

Page 28: Action Today - Type 2 portable hypervisor

Hosted (Type 2) VM
− Running PC loads hypervisor from device
− OS from device and OS from host HD completely separated
− Does not prevent attack via ‘host’ OS
− Does not protect the information if device is lost
− Does not stop access after employment

[Diagram: USB device holding a Hypervisor and an OS Partition containing the Operating System, User Settings, Apps and Files]

Page 29: Action today - Virtualized OS-on-a-stick

− On-board cryptography authenticates and protects
− Boots OS from device, loads hypervisor, then loads hosted OS
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves

[Diagram: device with a Boot Partition holding "OS + Virtual Machine" and an Encrypted OS Partition containing the Operating System, User Settings, Apps and Files]

Page 30: Action today - Native OS-on-a-stick

− On-board cryptography authenticates and protects
− Boots OS directly from device
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves

[Diagram: device with a Boot Partition holding a Boot Loader and an Encrypted OS Partition containing the Operating System, User Settings, Apps and Files]

Page 31: Native versus hypervisor

[Diagram: two stacks side by side. "Virtualized OS": PC Hardware, Hypervisor, Applications. "Native OS": PC Hardware, Applications.]

Note the additional overhead and larger attack surface of a hypervisor-based approach, since two operating systems are required. It will be noticeably slower and possibly less secure.

Page 32: Action tomorrow - Native OS-on-a-stick + TPM

− Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
− In almost all commercial grade computers
− For more info see the Trusted Computing Group: www.trustedcomputinggroup.org

[Diagram: device with a Boot Partition holding a Secure Boot Loader and an Encrypted OS Partition containing the Operating System, User Settings, Apps and Files]

Page 33: Action tomorrow: Native OS-on-a-stick + TPM

Can also be used to ‘seal’ information to a snapshot
− A snapshot consists of information relevant to defining an identity or entity

Information cannot be ‘unsealed’ if any element used to ‘seal’ is not an exact match or available.
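The measure-then-seal behaviour described on the TPM slides, as an added Python model that is not part of the presentation or of any TPM implementation: boot components are extended into a PCR-style register in order, the sealing key is derived only from the final register value, and unsealing is refused when any measured element differs or is missing. The boot-chain component strings are constructed sample values.

```python
import hashlib
import hmac

# Added software model of TPM-style sealing (not real TPM code): a PCR starts at zeros
# and can only be extended, PCR = SHA256(PCR || SHA256(measurement)), so the final value
# depends on every measured boot component and on their order.
PCR_INIT = bytes(32)
KEY_LABEL = b"seal-key"  # constructed label for key derivation

def extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def snapshot(components) -> bytes:
    """The 'snapshot': PCR value after measuring every boot component in order."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC in counter mode; enough for an illustrative model, not a production cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(secret: bytes, components) -> bytes:
    # The key exists only as a function of the snapshot; nothing is stored in clear.
    key = hmac.new(snapshot(components), KEY_LABEL, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct

def unseal(blob: bytes, components):
    """Return the secret, or None if the current snapshot is not an exact match."""
    key = hmac.new(snapshot(components), KEY_LABEL, hashlib.sha256).digest()
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

# Constructed boot chains: what a measured boot from the stick might record.
GOOD_CHAIN = [b"secure boot loader v1", b"os kernel build 1001", b"os image sha:abc"]
TAMPERED_CHAIN = [b"secure boot loader v1", b"os kernel build 1002", b"os image sha:abc"]

def demo():
    """Seal under the good chain, then unseal under the good and the tampered chain."""
    blob = seal(b"corporate VPN credential", GOOD_CHAIN)
    return unseal(blob, GOOD_CHAIN), unseal(blob, TAMPERED_CHAIN)
```

Changing one kernel build string, dropping a component, or reordering the chain all produce a different snapshot, and the blob then fails its tag check instead of yielding garbage.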

Page 34: Summary

Page 35: Summary

Immediately
− Consult with legal dept
− Review current information ownership / protection policies and make appropriate changes
− Put Consumerization policies in place
− Separate user accounts

Page 36: Summary

Longer Term
− Legal policies and procedures
− Enforce them!
− Technical policies and procedures
− Apply, rinse, repeat
− Technical Tools
− Isolate applications, virtualization

Page 37: Thank You

Michael F. Angelo, NetIQ Corporation
1233 West Loop South, Ste 810, Houston, TX 77027
[email protected]

Ron LaPedis, SPYRUS, Inc.
1860 Hartog Dr., San Jose, CA
[email protected]