The document provides an overview of a conference on IT consumerization and BYOD. It discusses the benefits of BYOD programs including cost savings, productivity gains, and employee empowerment. It also covers some of the security challenges like data leakage, unauthorized access, and legal issues. The document proposes several approaches to address these challenges, such as using mobile device management, virtual desktop infrastructure, or containerization.

2. WELCOME TO SECURE360 2013
 Don’t forget to pick up your Certificate of
Attendance at the end of each day.
 Please complete the Session Survey front
and back, and leave it on your seat.
 Are you tweeting? #Sec360

3. WELCOME TO SECURE360 2013
 Come see my talks on Wed!
 The Accidental Insider – Wed. 1:15P
 3 Factors of Fail! – Wed. 2:35P

5. http://about.me/barrycaplin
securityandcoffee.blogspot.com

6. Housekeeping
 We’re here all morning! 
 There will be breaks (but make your own if you need one)
 Questions – ask ‘em if you got ‘em
 IT Consumer devices – on of course! (but
vibrate or silent would be polite)

7. Agenda
Admire the problem
Solve the problem
(kind of)

8. Please Share
This is not a “solved problem”
(I don’t know what is!)
We all learn from each others’
experiences

9. Agenda 1
Admire the problem
Framing the Issue
Solve the problem (kind of)

10.  Etrade baby video

11.  Baby trying to scroll magazine like ipad video

12. Why are we here?
1. Have a program
2. Considering a program
3. Just discovered iPads in the office
4. Wanted out of the office for the
morning

13. What is IT Consumerization?
 More than just devices.
 2 Parts:
 Consumer devices
 Consumer software tools
 Using these in the workplace in addition to,
or instead of, company provided

14. Why are we talking about this?
But really, all
connected!

15. History – 1980’s
 Early home PCs
 Could augment work with
home learning/practice
 First Mac
Mac
$2500
Commodore 64
$600

16. History – 1980’s
 “luggables”
IBM “Portable” 5155
$4225
30 lbs
4.77MHz 8088

17. History – 1990’s
Home machines
get smaller
Laptops
PDAs

18. History – 2000’s
Laptops get lighter
PDAs go mainstream
(then disappear!)
Blackberry
iPhone/Android

19. History – Now

21. Apr. 3, 2010
300K ipads
1M apps
250K ebooks
… day 1!

22. Apple ‘12

23. 2011 – tablet/
smartphone
sales exceeded
PCs

25. The real reason we need tablets

26. Don't Touch!
Pharmaceutical
coating

27. • 17% have > 1 in their household
• 37% - their partner uses it
• 14% bought cause their kid has one
• 19% considering purchasing another
http://today.yougov.co.uk/sites/today.yougov.co.uk/files/Tablet_ownersh
ip_in_households.pdf
Of iPad owners...

34. Business Driver?

35. What about…

36. Ineffective
Controls

38.  Forrester 2011 study – 37% using consumer
tech without permission
 IDC survey
 2010 30% BYOPC / 2011 40%
 2010 69% company device / 2011 59%
 Use of social doubled
 Most important tool – 49% laptop, 9%
tablet, 6% smartphone

39. Self Sufficient?
 PwC white paper:
“companies that have allowed Macintosh
computers… into their workplaces… find
those users support themselves and each
other. The same is true of iOS and Android
mobile users, users of software as a service
[SaaS] and other cloud services, and social
networking users.”

40. Empowered Employees
Forrester report, “How
Consumerization Drives Innovation,”
“a business’s best friend”
 Empowerment Drives Innovation
 Empowered employees improve processes
and productivity

41. Empowered Employees
Self-taught experts know:
 how to use smartphones, tablets, Web
apps like Google Docs and Dropbox
 what they’re good for
 how they can help the business
 willing to do just that

42. Benefits
Forrester lists four
1. Communications – internal use speeds
communication
2. Social – use of tools to be in touch with
customers and shape message/attitude
3. HR – allow personal devices and you attract
young workers
4. Productivity – much consumer tech is self-
supported

43. Our Story Begins...

44. PEDs
Computers
Device Convergence

45. Example
• The “PED” policy
• Personal Electronic Device
• Acceptable use
• Connections
• Data storage

46. 1 Day

47. 5 Stages of Tablet Grief
• Surprise
• Fear
• Concern
• Understanding
• Evangelism

48. Considerations
Scaled-down
device v
multi-
purpose
computer
Want v Need
Reduced
attack
surface v
eggs in one
basket
Need for
mobility v
mobile
issues
Does remote
access apply?

49. What needs to change for “local”
remote access?

50. BYO

51. BYO
BYOC or BYOD

52. Agenda 2
Admire the problem
Framing the Issue
Security Concerns
Solve the problem (kind of)

53. Security Concerns

54. Considerations
Physical*
Access control*
Logical
Data*
Communications
Validation (config control)
Haven’t been around that long
Users are the administrators

55. Data Leakage

56. Unauthorized Access

57. “Authorized” Access

58. Risk v Hype

63. Legal
IANAL
Privacy – mixing staff/company data
Discovery – on POE
Separation – what going out the door?

64. Legal
Collection – when staff leave
How do you?:
 Get data from a personal device?
 Keep personal data off company networks?

65. Phones and texting
Phone?
Exposing personal phone number
Voicemail
Text history and storage
Siri, Google Now, etc.

66. Consumer Software
We have enough problems with
commercial and internally developed
software!
Privacy policies
Leakage
Discovery

67. Consumer Software
Ownership
Data Disposition – if they go under
Competitive Intelligence
Trade Secrets
Mixing personal and professional
(twitter)

68. The Business Side

69. The Business Side
It is critical that we
Think as
Are seen as
A strategic partner with the business
This doesn’t happen enough

70. A
 Doctor
 Lawyer
 Salesperson
 Systems Administrator
Walk into a bar…

71. Use Cases
What do you need?
What do you want?

72. Security Response
Consider the business request
What works?
What doesn’t?
What compromise can be made?

73. Agenda 3
Admire the problem
Framing the Issue
Security Concerns
Solve the problem (kind of)
BYOD

74. What is IT Consumerization?
 More than just devices.
 2 Parts:
 Consumer devices
 Consumer software tools
 Using these in the workplace in addition to,
or instead of, company provided

75. Three Main Issues
Technology
Policy
Financial

76. How can we do BYOD?

79. Capacity
Not necessarily a security issue
With greater use:
Access Points (issue with any
portables)
Upstream bandwidth
3G/4G repeaters

80. Benefits
Costs
Productivity
Innovation
Speed to Market
Often better home device – more
frequent upgrade

81. Benefits
Deputized IT rather than Shadow IT
Users help each other
Always-On =? Always-Available
(hourly issues)
This takes time

82. 2 Key Financial Decisions
Provisioning
Purchase
Plan
Usage
Who Pays

83. More Decisions
Usage
Terms
Software
Wipe (remote detonation)
Lock (aut0-detonation?)
Encryption
Monitoring
Management

84. 2012 Trend Micro study
Pros and cons that emerged from the analysis:
 12%+ productivity
 15%- device replacement costs
 8%- reimbursement for employee data expense
 5%- training/education costs
 3%+ bottom line revenues
 8%+ help desk calls
 7%+ MDM costs
 3%+ corporate liable data costs
 3%+ server costs
 2%+ regulatory compliance expenses

85. Classic Security Balance
Control
Usability

86. Security Challenges
Exposure of data
Leakage of data – sold, donated, tossed,
repaired drives
Malware
But don’t we have all this now???

87. Can’t be both…
Trend Micro survey
91% of employees would not grant
employer control over personal device
80% of enterprises stated they would
have to install management
mechanisms on mobile devices.

88. Impasse?
Resolution is in approach
Strategic
Cross-organization
Business and IT together
HR, Security, Privacy, Legal, Audit

89. Impasse?
Define approach
Create clear policy/procedures
IT tools
Self-help documentation

90. MDM
~60 vendor tools… and more coming
Basic types:
 Pure MDM
 Containerization/MAM
 Hybrid
 VDI (not really MDM but can be used)

91. MDM
Selection criteria:
 Device diversity
 Policy enforcement
 Security/
compliance
 Containerization
 Inventory
management
 Software
distribution
 Administration
 Reporting; more?

92. Method 1 - Sync
• Direct, Net Connect or OTA
Issues:
• Need Controls – a/v, app install
control, filtering, encryption, remote
detonation
• Authentication – 2-factor?
• Leakage!
• Support

93. Method 2 – VDI
• Citrix or similar
Pros:
• Leakage – no remnants; disable screen
scrape, local save, print
• Reduced support needed
• Web filtering covered
Issues:
• Unauthorized access still an issue; User
experience; Support

94. Method 3 – Containerization
• Encrypted sandbox
• Separate work and home
• Many products
Pros:
• Better user experience
• Central management/policy
• Many products – local/cloud
• Leakage – config separation, encryption
Issues: access ; support; cloud issues

95. Method 4 – Direct Connection
• Directly connect devices to
network
• Or PC via usb
• Don’t do this! - Included for
completeness
Pros:
• Easy
Issues: no controls; no management;
no enforcement; leakage; remants; etc.

96. Apps
“non-standard” software a challenge
Updates, patches
Malware detection – can’t enumerate
badness
Business – how to transfer knowledge if
everyone uses different tools?

97. Case Study
Kraft
 Deployed iPhones 2008 – by 2009 to half
of mobile users
 Wanted to instill innovation
 “opens employees’ minds to what is
possible”
 Internal success led to successful
consumer apps – recipes, cooking videos,
shopping lists, store locator

98. Cost Example
 Hypothetical
 1000 blackberrys
 Unlimited data + calling = ~$50 -
$70/user/month ($60K/m)
 BES – ~$35K
 Hardware – $20K/3y
 Helpdesk – 1 FTE $50K/y
 Server Ops – 1 FTE $100K/y
 Total = >$900K/y

99. Cost Example
 Hypothetical
 1000 BYODs
 Stipend = $25/user/month ($25K/m)
 MDM – ~$50K/y
 Hardware – $20K/3y
 Helpdesk – none!
 Server Ops – 1 FTE $100K/y
 Total = ~$450K/y

100. Other HR benefits
Employee satisfaction
Recruiting young workers
“Hip” factor

101. Phones and texting
Phone?
Exposing personal phone number
Voicemail
Text history and storage

102. DHS view - POE
• Policy
• Supervisor
approval
• Citrix only
• No Gov't records
on POE
(unencrypted)
• 3G or wired
• Guest wireless
• FAQs for
users/sups
• Metrics

103. DHS view – State-owned
• Policy
• Supervisor
approval
• MDM
• 3G or wired
• Apple-only
• Core wireless
• 802.1x
• FAQs for
users/sups
• Metrics

104. Other Issues
• Notes or manually entered data
• Enterprise email/OWA
• Discovery
• Voicemail/video

105. The Future
• More tablets/phones/small devices
• More “slim” OS's – chrome, android,
ios, etc
• Cost savings/stipend?
• Cloud
• User Experience –Divide, Good,
Fixmo, VMware Horizon, Citrix XEN
• BES Fusion, Microsoft ???

106. MDM Capabilities to Consider
• Device encryption
• Transport encryption
• Complex PWs/policy
• VPN support
• Disable camera
• Restrict/block apps
• Anti-malware
 InfoWorld Feb 2013 MDM Deep Dive
• Restrict/block
networks
• Remote lockout
• Remote/selected
wipe
• Policy enforcement
• OTA management
• 2-factor/OTP

107. Agenda 4
Admire the problem
Framing the Issue
Security Concerns
Solve the problem (kind of)
BYOD
Software

108. What is IT Consumerization?
 More than just devices.
 2 Parts:
 Consumer devices
 Consumer software tools
 Using these in the workplace in addition to,
or instead of, company provided

109. Use of Consumer Tools
Skype – key for communications in
some countries
Facebook/Twitter for interacting with
customers
Twelpforce

110. Twelpforce video

111. Examples
 Google docs or Dropbox for public info
(make sure the data is public)
 Youtube, Vimeo for training videos (avoid
social engineering blueprints)
 Facebook fan page
 Twitter, LinkedIn, G+ for press releases,
outreach, customer support (just remember
who you are!)

112. Customer Expectations
Access to you is:
Mobile capable
Available online and on social
Through no wrong door

113. Twitter and Facebook
The places to be
What are people
saying about your
company?

114. Great Ideas
 Ford – gave Fiestas to 100 social media
influencers, sent on “missions”, documented
on channels. Rcvd 50K inquires and sold 10K
cars in 6 days.
 Pepsi – used social network outreach for
ideas for new Dew flavors
 Levi Strauss – early use of location-specific
deals.

115. Social
Is there a strategy?
Or doing it to be hip? (and without a
clue?)

116. Social
Connecting with customers
Internal collaboration
Internal connections –
communities of interest
Innovation
Doesn’t happen in a vacuum

117. Phishing

118. Phishing on Social Networks
Scams seem real when they come from
a “friend”
Malicious links/apps
Spread quickly when posted or “liked”
“Just say no” to apps

119. Installs app
Grabs info
Posts on your wall
Click-fraud

120. Expectations

121. What Should We Do?

122. Proactive
Policy
Management Support
Support/Helpdesk Implications

123. Policy
Examine existing – augment
New, but only if needed
(shouldn’t use of social be part of
your AUP? Who needs a social
media policy?)

124. Software/Apps
“non-standard” software is a challenge
Updates, patches
Malware detection – can’t enumerate
badness
Business – how to transfer knowledge if
everyone uses different tools?

125. Non-Standard Software - YMMV
Inventory
Watch
changes
X-ref v.
CVE/malware
Watch
rights
Auto-
patch
Handle
exceptions

126. Cloud
Ask:
Whose data is it?
Where is it going?
3rd party agreements?
Know your data (classification)
PIE – pre-Internet encryption

127. BYOPlan

128. Summary
What are people doing?
Establish business need
BYOD, Consumer apps, or both?
Cross-domain planning (security,
IT, legal, audit, privacy, HR,
business)
Document requirements

129. Summary
Policy, Technical, Financial
aspects
Watch the data
Make easy for users
Education/Awareness
Reap the benefits!

132. Discussion…
Slides at http://slideshare.net/bcaplin
barry.caplin@state.mn.us
bc@bjb.org, @bcaplin, +barry caplin
http://securityandcoffee.blogspot.com/