Bring Your Own Computer to Work
DESCRIPTION
At RSA Europe 2010, Ron LaPedis and Michael F. Angelo gave a presentation on Consumerization titled "Bring Your Own Computer to Work – What Now?". The presentation covered the Consumerization issues that arise when non-corporate-owned computers are used in the corporate environment. With this in mind, they discussed the potential bleed-out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC

TRANSCRIPT
© 2010 NetIQ Corporation. All rights reserved.
Bring Your Own Computer To Work - What Now?
Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI, SPYRUS, Inc.
Michael F. Angelo, CSA, NetIQ Corporation
Bring your own computer
BYOC is Consumerization of IT
How IT Happens
Organizational Benefits and Impact
Action Today, Tomorrow, Future
Bring your own computer
Summary
Questions
Pop Down to the Pub
BYOC is Consumerization of IT
What Is Consumerization?
Changing the Face of Work
− Consumer-based Social Media for advertising
− Consumer-based Financial Services for accounts receivable
− Use of consumer or Free Software for sustaining corporate infrastructure
And… What we are going to focus on:
− Use of personal equipment in the corporate environment
Consumerization of IT
Use of employee owned resources for company work
Evolution (figure): Mice, Keyboard, Monitors, Home equipment for remote access, Mobile Phone, Wi-Fi Card, Flash Drive, PDA, Music Player, Smart Phone, Desktop / Laptop
How Widespread Is Consumerization?
Chart (source: In-Stat): "Employee Purchased" versus "Primary Machine" for Laptop, PDA, Mobile Phone and Smart Phone; vertical axis 0 to 80.
How It Happens
How It Happens
Don’t want to use your Pentium III with 256 MB RAM & 60 GB HD
Don’t want to use your OS
Don’t want to use IE6
Don’t want to use your software tools
Don’t want to be locked down
What is your policy?
Secretive
Ignored
Unofficially Supported
Officially Supported
Subsidized
Benefit and Impact
Benefits and drawbacks
Benefits:
− Companies save 9-40% on equipment purchase cost*
− Exit the hardware business
− Employee satisfaction
− Higher productivity
− Longer work hours
Drawbacks:
− Helpdesk: knowledge, loaner
− Hardware: capability, configuration, maintenance / warranty, upgrades
− Software: interoperability, upgrades / updates, vulnerabilities
*Source: Gartner
Organizational impact - ownership
Logins
− Personal login information on corporate machine
− Social Networks / Professional Associations
− Corporate login information on personal machine
− VPN Configuration
− User IDs and passwords stored in browsers
Software Ownership
− Personal software
− Restricted use licenses
− Corporate software on home equipment
Organizational impact - legal Issues
Legislated Privacy
− EU data protection act
− USA HIPAA, SOX, GLBA
− Country, state/province, local (e.g. CA SB 1386)
− More laws pending
Cross contamination
− Corporate backup includes personal information
− Personal backup includes corporate information
Organizational impact - Security
Information Leakage
− Family & friends
− Device Loss
− Virus
− Personal email – Spear Phishing
Increased Exposure to Threats
− Surfing at Home <> Surfing at Work
− Torrents
Organizational impact - Non Obvious Issues
Acceptable use policies
− How to apply to personal machines?
Out processing of individuals
− How do you know organizational data is removed from the employee machine?
− Software
− PST files
− Passwords / wireless / VPN Access
− Residual data
− Employee / corporate backups
Action To Take
Action to take today
Is it already there?
− Run, don’t walk to your legal staff
Decide if you will allow Consumerization
− Don’t wait for it to happen and then rush to formulate policy and procedures
Decision must explicitly include all possible components
Decision must be extended as new technology becomes available
Action today - Define policies
Balance:
− Corporate vs Employee vs Customer
Corporate:
− Must comply with laws
− Must maintain fiduciary responsibility
− Must not expose corporate assets
− At a minimum should address
  − Employee responsibility
  − Acceptable use
  − Protection of assets
Action today - Incident response plan
Even with Policies & Procedures accidents can happen…
Need incident response plan
Technical Solutions
Action today
Security 101:
− Keep secret stuff separate from non-secret stuff
− Keep corporate stuff separate from personal stuff
Separate personal and corporate identities
− Compartmentalize the environments to reduce the risk of accidents.
Action today - Compartmentalization
Application isolation
Separate user accounts
Virtual Desktop Infrastructure (VDI)
Hypervisor on PC
OS or Hypervisor on USB drive
− Windows-on-a-stick
− PC-in-my-pocket
Action today - Separate user accounts
Work and Personal
Mac, PC, or Linux
Fast user switching
− Separate Context
− Subject to worms and viruses
− Can share information via common file system
Diagram (Separate Users): Computer, Host OS, User 1 and User 2 each running their own Apps
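The slide's last point, that separate accounts still share one file system, is the part people miss: the second account is only as isolated as the permission bits on the first account's home directory. The following added example (not from the presentation, and not a NetIQ or SPYRUS tool) builds a constructed sample "work" profile in a temporary directory, audits how much of it a second local account could read, applies the owner-only fix, and audits again. Directory and file names are invented for the demonstration.

```python
import os
import stat
import tempfile


def find_readable_by_others(root):
    """Return paths (relative to root) of regular files whose mode grants read
    access to the group or to everyone else on the host."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def audit_home(root):
    """Summarise how reachable this profile is from a second local account:
    the home directory must be traversable (x bit for group/other) before any
    readable file inside it is actually exposed."""
    mode = os.stat(root).st_mode
    return {
        "traversable_by_others": bool(mode & (stat.S_IXGRP | stat.S_IXOTH)),
        "readable_files": find_readable_by_others(root),
    }


def harden_home(root):
    """The mitigation: home directory and subdirectories owner-only (0700),
    every regular file owner-only (0600)."""
    os.chmod(root, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
        for f in filenames:
            p = os.path.join(dirpath, f)
            if stat.S_ISREG(os.lstat(p).st_mode):
                os.chmod(p, 0o600)


def build_sample_home():
    """Constructed sample profile (not real data): a home directory with the
    common 0755 default, one file saved owner-only and one left world-readable
    by a permissive umask."""
    root = tempfile.mkdtemp(prefix="byoc-work-user-")
    os.chmod(root, 0o755)
    docs = os.path.join(root, "Documents")
    os.mkdir(docs)
    os.chmod(docs, 0o755)
    files = {
        "Documents/private-notes.txt": 0o600,
        "Documents/quarterly-budget.csv": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    home = build_sample_home()
    print("before:", audit_home(home))
    harden_home(home)
    print("after:", audit_home(home))
```

Run against a real profile, `audit_home` is the check to put in an on-boarding or off-boarding script; anything it lists is reachable from the other account without any malware, just `cat`.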
Action today - VDI
Virtual Desktop Infrastructure (VDI)
Action today - Type 2 hypervisor
Aka Hosted Hypervisor
Still subject to worms and viruses
Harder to accidentally share information, but cross-contamination still possible
Diagram (Type 2 Hypervisor): Computer, Host OS running Apps alongside a Hypervisor, Hosted OS inside the hypervisor running its own Apps
Action not-quite-today - Type 1 hypervisor
Aka Native Hypervisor
Almost impossible to share information
Only common attack is hypervisor itself
Each OS can be attacked separately
Diagram (Type 1 Hypervisor): Computer, Hypervisor, OS 1 and OS 2 each running their own Apps
Action Today - Type 2 portable hypervisor
Hosted (Type 2) VM
− Running PC loads hypervisor from device
− OS from device and OS from host HD completely separated
− Does not prevent attack via ‘host’ OS
− Does not protect the information if device is lost
− Does not stop access after employment
Diagram (device layout): Hypervisor, Operating System, OS Partition holding User Settings, Files and Apps
Action today - Virtualized OS-on-a-stick
− On-board cryptography authenticates and protects
− Boots OS from device, loads hypervisor, then loads hosted OS
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves
Diagram (device layout): Boot Partition with OS + Virtual Machine; Encrypted OS Partition holding Operating System, User Settings, Files and Apps
Action today - Native OS-on-a-stick
− On-board cryptography authenticates and protects
− Boots OS directly from device
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device
− Management system can block device when employee leaves
Diagram (device layout): Boot Partition with Boot Loader; Encrypted OS Partition holding Operating System, User Settings, Files and Apps
Native versus hypervisor
Diagram: Virtualized OS (PC Hardware, Hypervisor, Applications) beside Native OS (PC Hardware, Applications)
Note the additional overhead and larger attack surface of a hypervisor-based approach, since two operating systems are required. It will be noticeably slower and possibly less secure.
Action tomorrow - Native OS-on-a-stick + TPM
− Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
− In almost all commercial grade computers
− For more info see: the Trusted Computing Group, www.trustedcomputinggroup.org
Diagram (device layout): Boot Partition with Secure Boot Loader; Encrypted OS Partition holding Operating System, User Settings, Files and Apps
Action tomorrow: Native OS-on-a-stick + TPM
Can also be used to ‘seal’ information to a snapshot
− A snapshot consists of information relevant to defining an identity or entity
Information cannot be ‘unsealed’ if any element used to ‘seal’ is not an exact match or available.
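The two TPM slides above describe measurement and sealing in one sentence each; the added example below (written for this page, not code from the presentation or from the Trusted Computing Group) shows the mechanics in pure Python so the "exact match" property is visible. It models a PCR with the real extend rule (PCR := H(PCR || H(measurement))), derives a wrapping key from a device-resident key plus the PCR value, and wraps a secret under it. Everything else is an assumption for the demonstration: the boot-stage strings are constructed stand-ins for image digests, the `device_key` constant stands in for a key that a real TPM never releases, and the SHA-256 counter keystream stands in for the TPM's own cipher.

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # PCRs start all-zero at reset (SHA-256 bank)

# Constructed stand-ins for the stages a measured boot records: firmware,
# boot loader, kernel. A real TPM is extended with digests of the images.
BOOT_STAGES = [b"firmware-image-v1", b"boot-loader-v3", b"kernel-image-5.x"]


def extend(pcr, measurement):
    """TPM extend semantics: PCR := H(PCR || H(measurement)). A PCR can only be
    extended, never set, so the final value depends on every stage in order."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages):
    """Replay a boot sequence into a single PCR value (the slide's 'snapshot')."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


def _keystream(key, length):
    # Counter-mode keystream from SHA-256 (stand-in for a real cipher).
    out = b""
    for counter in range(0, length, 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _bound_key(device_key, pcr_value):
    # The wrapping key is derived from the device-resident key AND the PCR
    # value, so a different measured state yields a different key.
    return hmac.new(device_key, b"seal:" + pcr_value, hashlib.sha256).digest()


def seal(secret, pcr_value, device_key):
    """Encrypt and authenticate `secret` under a key bound to `pcr_value`."""
    key = _bound_key(device_key, pcr_value)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key + nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(blob, pcr_value, device_key):
    """Return the secret, or None when the current PCR value does not match
    the one used at seal time (the tag check fails under the wrong key)."""
    key = _bound_key(device_key, pcr_value)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct))))


def demo():
    """Seal a volume key to the good boot state, then unseal from the same
    state and from a state in which the boot loader measurement changed."""
    device_key = b"constructed-device-root-key"  # assumed to live in the chip
    good_state = measure_boot(BOOT_STAGES)
    blob = seal(b"corporate-volume-key", good_state, device_key)
    same_state = unseal(blob, good_state, device_key)
    altered = measure_boot([b"firmware-image-v1", b"boot-loader-v3-modified", b"kernel-image-5.x"])
    altered_state = unseal(blob, altered, device_key)
    return same_state, altered_state


if __name__ == "__main__":
    print(demo())  # (b'corporate-volume-key', None)
```

The design point for the OS-on-a-stick case is that the encrypted OS partition's key can be sealed this way: if the stick is booted on a machine whose measured state differs, or with a modified boot loader, `unseal` returns nothing and the partition stays opaque, which is the "exact match" rule from the slide expressed as a key-derivation failure rather than a policy check.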
Summary
Immediately
− Consult with legal dept
− Review current information ownership / protection policies and make appropriate changes
− Put Consumerization policies in place
− Separate user accounts
Longer Term
− Legal policies and procedures
  − Enforce them!
− Technical policies and procedures
  − Apply, rinse, repeat
− Technical Tools
  − Isolate applications, virtualization
Thank You
Michael F. Angelo, NetIQ Corporation, 1233 West Loop South, Ste 810, Houston, TX 77027
Ron LaPedis, SPYRUS, Inc., 1860 Hartog Dr., San Jose, CA, [email protected]