This document is the slide outline and speaker notes of a Secure360 2013 presentation on IT consumerization and BYOD. It covers the benefits claimed for BYOD programs (cost savings, productivity, employee empowerment), the security challenges (data leakage, unauthorized access, malware, legal and discovery issues), and four approaches to the device problem: direct sync, virtual desktop infrastructure, containerization, and (not recommended) direct network connection. It closes with MDM capabilities to evaluate, the use of consumer software and social media, handling of non-standard software, and cloud data questions.
Secure360 2013 Conference Welcome and BYOD Security Overview
2. WELCOME TO SECURE360 2013
Don’t forget to pick up your Certificate of Attendance at the end of each day.
Please complete the Session Survey front and back, and leave it on your seat.
Are you tweeting? #Sec360
3. WELCOME TO SECURE360 2013
Come see my talks on Wed!
The Accidental Insider – Wed. 1:15P
3 Factors of Fail! – Wed. 2:35P
6. Housekeeping
We’re here all morning!
There will be breaks (but make your own if you need one)
Questions – ask ‘em if you got ‘em
IT consumer devices – on, of course! (but vibrate or silent would be polite)
12. Why are we here?
1. Have a program
2. Considering a program
3. Just discovered iPads in the office
4. Wanted out of the office for the morning
13. What is IT Consumerization?
More than just devices.
2 Parts:
Consumer devices
Consumer software tools
Using these in the workplace in addition to, or instead of, company-provided ones
14. Why are we talking about this?
But really, all connected!
15. History – 1980’s
Early home PCs could augment work with home learning/practice
First Mac – $2500
Commodore 64 – $600
16. History – 1980’s
“Luggables”
IBM “Portable” 5155 – $4225, 30 lbs, 4.77 MHz 8088
27. Of iPad owners...
• 17% have > 1 in their household
• 37% – their partner uses it
• 14% bought because their kid has one
• 19% considering purchasing another
http://today.yougov.co.uk/sites/today.yougov.co.uk/files/Tablet_ownership_in_households.pdf
38. Forrester 2011 study – 37% using consumer tech without permission
IDC survey:
BYOPC: 2010 30% / 2011 40%
Company device: 2010 69% / 2011 59%
Use of social doubled
Most important tool – 49% laptop, 9% tablet, 6% smartphone
39. Self Sufficient?
PwC white paper: “companies that have allowed Macintosh computers… into their workplaces… find those users support themselves and each other. The same is true of iOS and Android mobile users, users of software as a service [SaaS] and other cloud services, and social networking users.”
41. Empowered Employees
Self-taught experts know:
how to use smartphones, tablets, web apps like Google Docs and Dropbox
what they’re good for
how they can help the business
and are willing to do just that
42. Benefits
Forrester lists four:
1. Communications – internal use speeds communication
2. Social – use of tools to be in touch with customers and shape message/attitude
3. HR – allow personal devices and you attract young workers
4. Productivity – much consumer tech is self-supported
73. Agenda 3
Admire the problem
Framing the Issue
Security Concerns
Solve the problem (kind of)
BYOD
86. Security Challenges
Exposure of data
Leakage of data – sold, donated, tossed, repaired drives
Malware
But don’t we have all this now???
87. Can’t be both…
Trend Micro survey:
91% of employees would not grant employer control over a personal device
80% of enterprises stated they would have to install management mechanisms on mobile devices
88. Impasse?
Resolution is in approach
Strategic
Cross-organization
Business and IT together
HR, Security, Privacy, Legal, Audit
92. Method 1 - Sync
• Direct, net connect or OTA
Issues:
• Need controls – anti-virus, app install control, filtering, encryption, remote detonation (wipe)
• Authentication – 2-factor?
• Leakage!
• Support
93. Method 2 – VDI
• Citrix or similar
Pros:
• Leakage – no remnants; disable screen scrape, local save, print
• Reduced support needed
• Web filtering covered
Issues:
• Unauthorized access still an issue; user experience; support
94. Method 3 – Containerization
• Encrypted sandbox
• Separate work and home
• Many products
Pros:
• Better user experience
• Central management/policy
• Many products – local/cloud
• Leakage – config separation, encryption
Issues: access; support; cloud issues
95. Method 4 – Direct Connection
• Directly connect devices to the network
• Or to a PC via USB
• Don’t do this! – included for completeness
Pros:
• Easy
Issues: no controls; no management; no enforcement; leakage; remnants; etc.
96. Apps
“Non-standard” software is a challenge
Updates, patches
Malware detection – can’t enumerate badness
Business – how to transfer knowledge if everyone uses different tools?
97. Case Study
Kraft
Deployed iPhones 2008 – by 2009 to half of mobile users
Wanted to instill innovation: “opens employees’ minds to what is possible”
Internal success led to successful consumer apps – recipes, cooking videos, shopping lists, store locator
104. Other Issues
• Notes or manually entered data
• Enterprise email/OWA
• Discovery
• Voicemail/video
105. The Future
• More tablets/phones/small devices
• More “slim” OSes – Chrome OS, Android, iOS, etc.
• Cost savings/stipend?
• Cloud
• User experience – Divide, Good, Fixmo, VMware Horizon, Citrix XEN
• BES Fusion, Microsoft ???
106. MDM Capabilities to Consider
• Device encryption
• Transport encryption
• Complex passwords/policy
• VPN support
• Disable camera
• Restrict/block apps
• Anti-malware
• Restrict/block networks
• Remote lockout
• Remote/selective wipe
• Policy enforcement
• OTA management
• 2-factor/OTP
Source: InfoWorld Feb 2013 MDM Deep Dive
107. Agenda 4
Admire the problem
Framing the Issue
Security Concerns
Solve the problem (kind of)
BYOD
Software
109. Use of Consumer Tools
Skype – key for communications in some countries
Facebook/Twitter for interacting with customers
Twelpforce
111. Examples
Google Docs or Dropbox for public info (make sure the data is public)
YouTube, Vimeo for training videos (avoid social engineering blueprints)
Facebook fan page
Twitter, LinkedIn, G+ for press releases, outreach, customer support (just remember who you are!)
114. Great Ideas
Ford – gave Fiestas to 100 social media influencers, sent them on “missions”, documented on their channels. Received 50K inquiries and sold 10K cars in 6 days.
Pepsi – used social network outreach for ideas for new Dew flavors
Levi Strauss – early use of location-specific deals
115. Social
Is there a strategy?
Or doing it to be hip? (and without a clue?)
118. Phishing on Social Networks
Scams seem real when they come from a “friend”
Malicious links/apps
Spread quickly when posted or “liked”
“Just say no” to apps
123. Policy
Examine existing – augment
New, but only if needed
(shouldn’t use of social be part of your AUP? Who needs a social media policy?)
124. Software/Apps
“Non-standard” software is a challenge
Updates, patches
Malware detection – can’t enumerate badness
Business – how to transfer knowledge if everyone uses different tools?
125. Non-Standard Software - YMMV
1. Inventory
2. Watch changes
3. Cross-reference versions against CVE/malware
4. Watch rights
5. Auto-patch
6. Handle exceptions
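The six steps above (and the "non-standard software" concerns on the Apps and Software/Apps slides) are a procedure rather than a product, so here is an added worked example of running it over two inventory snapshots. This is illustrative code written for this page, not tooling from the talk; every package name, version, advisory reference and exception entry is constructed, and the advisory refs are placeholders for your own tracker, not real CVE IDs.

```python
"""Watch list for non-standard software on consumer/BYOD endpoints.

Added example. Package names, versions, advisory refs and the exception
register below are constructed for illustration and describe no real
product or vulnerability.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    source: str    # "corp-repo" (managed) or "user-installed" (non-standard)
    runs_as: str   # account the software runs under


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str  # first version that is no longer affected
    ref: str       # id in your own tracker (constructed placeholder here)


@dataclass(frozen=True)
class Finding:
    kind: str      # new-software | removed | version-change | vulnerable | excepted | elevated-rights
    package: str
    detail: str


def parse_version(text):
    """'6.3.0' -> (6, 3, 0); non-digit suffixes such as '1.4.0b' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def diff_inventory(previous, current):
    """Steps 1-2: compare two inventory snapshots and report what changed."""
    prev = {p.name: p for p in previous}
    cur = {p.name: p for p in current}
    added = sorted(set(cur) - set(prev))
    removed = sorted(set(prev) - set(cur))
    changed = sorted(n for n in set(cur) & set(prev)
                     if prev[n].version != cur[n].version)
    return added, removed, changed


def open_advisories(pkg, advisories):
    """Step 3: cross-reference the installed version against the advisory table."""
    return [a for a in advisories
            if a.package == pkg.name
            and parse_version(pkg.version) < parse_version(a.fixed_in)]


def review(previous, current, advisories, exceptions):
    """Run the whole procedure and return findings an operator can act on."""
    findings = []
    prev = {p.name: p for p in previous}
    cur = {p.name: p for p in current}
    added, removed, changed = diff_inventory(previous, current)
    for n in added:
        findings.append(Finding("new-software", n,
                                f"{cur[n].version} ({cur[n].source}, runs as {cur[n].runs_as})"))
    for n in removed:
        findings.append(Finding("removed", n, f"was {prev[n].version}"))
    for n in changed:
        findings.append(Finding("version-change", n, f"{prev[n].version} -> {cur[n].version}"))
    for pkg in current:
        for adv in open_advisories(pkg, advisories):
            if pkg.name in exceptions:
                # Step 6: a documented exception is still reported, never silently dropped.
                findings.append(Finding("excepted", pkg.name,
                                        f"{pkg.version} < {adv.fixed_in} ({adv.ref}); {exceptions[pkg.name]}"))
            else:
                # Step 5: anything not excepted is an auto-patch candidate.
                findings.append(Finding("vulnerable", pkg.name,
                                        f"{pkg.version} < {adv.fixed_in}; upgrade to {adv.fixed_in} ({adv.ref})"))
        # Step 4: watch rights; user-installed software running privileged is a finding.
        if pkg.source == "user-installed" and pkg.runs_as in ("root", "SYSTEM"):
            findings.append(Finding("elevated-rights", pkg.name, f"runs as {pkg.runs_as}"))
    return findings


# Constructed snapshots from one endpoint, taken a week apart.
PREVIOUS = [
    Package("corp-vpn", "3.2.1", "corp-repo", "root"),
    Package("dropbox", "1.4.0", "user-installed", "alice"),
    Package("skype", "5.10.0", "user-installed", "alice"),
    Package("pdf-viewer", "2.1.0", "user-installed", "alice"),
]
CURRENT = [
    Package("corp-vpn", "3.2.1", "corp-repo", "root"),
    Package("dropbox", "1.4.0", "user-installed", "alice"),
    Package("skype", "6.3.0", "user-installed", "alice"),
    Package("pdf-viewer", "2.1.0", "user-installed", "alice"),
    Package("ftp-helper", "0.9.0", "user-installed", "root"),
]
# Constructed advisory table; refs are placeholder tracker ids, not CVEs.
ADVISORIES = [
    Advisory("dropbox", "1.6.0", "ADV-0001"),
    Advisory("skype", "6.0.0", "ADV-0002"),
    Advisory("pdf-viewer", "2.2.0", "ADV-0003"),
]
# Constructed exception register: package -> accepted-risk note with a review date.
EXCEPTIONS = {"dropbox": "public-marketing share only, risk accepted, review 2013-12"}

if __name__ == "__main__":
    for f in review(PREVIOUS, CURRENT, ADVISORIES, EXCEPTIONS):
        print(f"{f.kind:16} {f.package:12} {f.detail}")
```

On the constructed data this reports the new root-running helper twice (as new software and as an elevated-rights finding), the Skype upgrade as a version change that clears its advisory, the PDF viewer as a patch candidate, and Dropbox as an open advisory covered by a documented exception; the managed VPN client produces nothing. The point of keeping excepted items in the output is that the exception register is reviewed against the same evidence as everything else rather than becoming a permanent blind spot.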
126. Cloud
Ask:
Whose data is it?
Where is it going?
3rd party agreements?
Know your data (classification)
PIE – pre-Internet encryption
128. Summary
What are people doing?
Establish business need
BYOD, Consumer apps, or both?
Cross-domain planning (security, IT, legal, audit, privacy, HR, business)
Document requirements
Check out my about.me, with links to twitter feed and Security and Coffee blog.
I used one of these for remote access at my first job!
First IBM ThinkPad; Apple PowerBook; Apple Newton; Palm Pilot
Spring Break 2011 in Chicago. There was a line each morning across from our hotel. We saw similar lines in 2012 in NYC.
Mall of America – Apple and Msoft stores are situated opposite each other. The Apple store is always packed, Msoft always empty.
This is important because of potential for 2-factor auth adoption
Tablets pulling ahead of phones, but PC’s still rule… for now
The devices are hot and driving the space, but it’s really about the ability to have mobility – to bring the product or service to the consumer/customer. Not just “flavor of the week”.
Just say no is not a viable IT or Security strategy or response. We must partner with the business/user to provide what is needed. Just say no is an…
If your organization is saying “just say no” to consumer devices and apps, then they are already in your environment. Take the opportunity to partner, lead and add value.
There is even a BYOD strategy out of the White House for federal agencies
Another example of risk v hype in the system/server world. This is from the 2012 Verizon DBIR and shows that most attacks are simple and can be avoided using basic methods
Lumension 2013 BYOD and Mobile Security report
Split into 4 groups, 1 group for each of Dr., lawyer, salesperson, sys admin. Be that business consumer and consider the use cases. Describe your business need/want. Create requirements + wish list. Describe your desired user experience. Choose a spokesperson. Share.
Now we will trade among groups. Given the use cases… now you are the CISO… respond to meet the business case AND protect the organization!
Datalossdb.org and Accidental Insider. 10% of 2nd-hand drives bought had company/private data. StarTrib malware.