The document discusses bring your own computer (BYOC) programs where employees use personally owned devices for work. It outlines four techniques for delivering corporate services to BYOC devices securely, including web apps, remote desktops, virtualized apps, and managed VMs. The document emphasizes securing BYOC devices as untrusted endpoints through antivirus, encryption, policies, authentication, and more. It addresses challenges like diverse platforms, offline access, ownership issues, and gaining organizational support for BYOC programs. Results from example programs showed increased usage and productivity with fewer support calls when employees invested in their own devices.
4. What is BYOC?
BYOC = “Bring your own Computer”
a.k.a. BYOPC, BYOL
Three models:
1. Employer provides a stipend for the employee to purchase their laptop of choice, which will then be owned by the employee.
2. Employee chooses laptop from a list of pre-approved machines.
3. Employee is given instructions on how to connect to corporate resources, but can use any machine.
5. Why BYOC?
User demand
Choice computing
“Executive bling”
Extension of smartphones
New generation – “millennials”
Business demand
Reduce hardware assets
Part-time workers, contractors
Enable work from anywhere
Happy employees = productive employees
Bottom line: Users are doing it, with or without IT…
6. What you can apply from this session
At the end of this session, you will be able to:
Understand the predominant models for BYOC and their relative strengths and weaknesses
Evaluate the security of a BYOC solution
Avoid common pitfalls in BYOC
Plan a successful BYOC deployment
8. Example: Citrix BYOC Program
$2100 stipend (taxable)
About 50% employees opt in to program
40% of those in the program chose Macs
Employees often chipped in their own money to get a better machine
After a three-month pilot in the US, rolled out globally
9. How to deliver services?
Technique 1: Provide essential services via web applications
Technique 2: Provide a remote desktop (VDI or TS) session
Technique 3: Provide virtualized applications that run locally
Technique 4: Provide managed corporate virtual machine to run locally
10. Technique 1:
Port everything to the web
Good: Access from any device with a browser
Bad: Takes a long time to rewrite all your apps; no offline access
11. Technique 2:
Remote Desktop to VDI or TS (Terminal Services)
Good:
Access from many devices
Bad:
Requires major server infrastructure
Can’t run offline
Poor interactive performance, especially over high-latency links
14. Securing the endpoint device
Need to treat BYOC as an untrusted device
No VPN (an untrusted host must not be placed on the corporate network)
DLP
Host checker
Two-factor authentication
Keyloggers, screen scrapers (assume they may be present on the host)
Encryption of data-at-rest
Domain join and group policies
Access control, remote management of corporate data
Security policy enforcement
15. Threat Models
Malicious employees
Malware infections
Screen scrapers or keyloggers
Generic viruses/worms
Targeted malware
Lost or stolen laptops, “borrowed” machines
Targeted attacks and espionage
16. Dealing with Infected Endpoint Devices
Anti-virus and anti-malware
OS patch level
Network quarantine
Keyloggers and screen-scrapers
Data loss prevention
17. Enterprise-Level Layered Security
7 Layers of Security
• Anti-virus scan of host PC
• Full virtual machine encapsulation
• AES-256 encryption
• Tamper resistance and copy protection
• AD and two-factor authentication
• Granular security policies
• Remote kill
18. Anti-virus scan of host PC
Protects against known, signature-detectable malware (not against targeted attacks; see encapsulation below)
Policy enforcement:
Maximum age of signature file
Periodic scan frequency
Automatic keyboard/screen lock until scan completes
19. Full virtual machine encapsulation
Protects against non-targeted attacks
Run on a separate, locked-down operating system
Rejuvenate to latest golden system disk on every boot
Out-of-band updates of golden system disk
Device passthrough of keyboard/mouse and video card foils most keyloggers/screen scrapers (host-resident malware cannot hook the input path or capture the guest’s display)
Hardware support for encapsulation (VT-x, VT-d)
20. AES-256 encryption
Encryption of data-at-rest protects against lost/stolen laptops
Key escrow
Dealing with lost/changed passwords
Administrator unlock without user password
Don’t forget swap space! (Host swap and hibernation files can hold plaintext pages of the running VM.)
21. Tamper resistance and copy protection
Protect against copying data to another device
Tie the virtual machine to physical hardware identifiers and/or TPM
HMAC of all data to detect tampering
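One way to get both bullets from a single MAC, as an added example written for this page in Go and not Citrix's design: the MAC key is derived from an enrollment secret and the host's hardware identifiers, so the same image copied to another machine is checked with a different key and fails, and each chunk is MACed together with its index and the image length, so tampering, reordering, truncation and extension are all caught. The identifiers, chunk size and enrollment secret are constructed; a TPM-held key would replace `bindingKey` in production.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// HardwareIdentity holds what the agent reads from the host; the values used
// with it are constructed. A TPM-held key would replace the software-derived
// bindingKey in a production design.
type HardwareIdentity struct {
	BoardSerial string
	PrimaryMAC  string
}

// bindingKey derives the per-device MAC key from a secret the management server
// issued at enrollment plus the host's identifiers: the same image copied to
// other hardware is checked with a different key and fails.
func bindingKey(enrollmentSecret []byte, hw HardwareIdentity) []byte {
	m := hmac.New(sha256.New, enrollmentSecret)
	m.Write([]byte(hw.BoardSerial))
	m.Write([]byte{0}) // separator so field boundaries are unambiguous
	m.Write([]byte(hw.PrimaryMAC))
	return m.Sum(nil)
}

func chunkCount(total, size int) int { return (total + size - 1) / size }

func chunkBounds(i, size, total int) (start, end int) {
	start, end = i*size, (i+1)*size
	if end > total {
		end = total
	}
	return start, end
}

// chunkTag MACs one chunk together with its index and the image length, so
// chunks cannot be reordered and the image cannot be truncated or extended.
func chunkTag(key, chunk []byte, index, total int) []byte {
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], uint64(index))
	binary.BigEndian.PutUint64(hdr[8:], uint64(total))
	m := hmac.New(sha256.New, key)
	m.Write(hdr[:])
	m.Write(chunk)
	return m.Sum(nil)
}

// TagImage produces the tag list stored alongside the image.
func TagImage(key, image []byte, size int) [][]byte {
	n := chunkCount(len(image), size)
	tags := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		start, end := chunkBounds(i, size, len(image))
		tags = append(tags, chunkTag(key, image[start:end], i, len(image)))
	}
	return tags
}

// VerifyImage returns -1 and nil when every chunk verifies; otherwise the index
// of the first failing chunk and an error. A chunk-count mismatch (truncated or
// extended image, missing tags) is rejected before any MAC is computed.
func VerifyImage(key, image []byte, size int, tags [][]byte) (int, error) {
	if want := chunkCount(len(image), size); want != len(tags) {
		return -1, fmt.Errorf("image has %d chunks but %d tags", want, len(tags))
	}
	for i, tag := range tags {
		start, end := chunkBounds(i, size, len(image))
		if !hmac.Equal(tag, chunkTag(key, image[start:end], i, len(image))) {
			return i, fmt.Errorf("chunk %d failed verification", i)
		}
	}
	return -1, nil
}
```

Per-chunk tags let the agent verify the parts of a large virtual disk it actually touches at boot instead of reading the whole image; the index and length in every tag are what stop an attacker from reusing valid chunks in a different arrangement.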
22. AD and two-factor authentication
Use RSA SecurID or other second-factor authentication
Protects against lost password, lost device; limits exposure window
23. Security policies
Targeting security policies by AD group
Offline lease time: Maximum time a user can run without checking in
Auto-kill: Self-destruct after a given time
Version enforcement: Ensure users have latest security patches
Peripheral restrictions: USB devices, microphone, printing, CD/DVD, etc.
AD group policies: Use existing AD policy sets
24. Remote kill
Can mark a device as lost or stolen
Device receives a “kill pill”, securely zeroes all data and sends back confirmation
Mitigates risk from a lost device or rogue employee/contractor
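The host-check rules of slide 18, the lease, auto-kill and version rules of slide 23 and the remote kill of slide 24 all reduce to one decision at check-in time. The following is an added example in Go, not Citrix's agent or policy engine: the two AD groups, their thresholds and the `DeviceState` fields are constructed to show targeting by group and the severity ordering of the actions (the most drastic applicable action wins, so a stolen or long-silent device is killed before its signature age is even considered).

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the agent must do after a check-in decision.
type Action int

const (
	Allow         Action = iota
	LockUntilScan        // keyboard/screen lock until a fresh AV scan completes
	Quarantine           // stale image or expired lease: reach only the update servers
	Kill                 // kill pill: zero all corporate data and confirm
)

func (a Action) String() string {
	return [...]string{"Allow", "LockUntilScan", "Quarantine", "Kill"}[a]
}

// Policy holds the slides' tunables; values below are constructed and targeted by AD group.
type Policy struct {
	MaxSignatureAge time.Duration // AV signature file older than this: lock until scanned
	MaxScanInterval time.Duration // periodic scan frequency
	OfflineLease    time.Duration // maximum time the VM may run without checking in
	AutoKillAfter   time.Duration // self-destruct if silent this long (0 disables)
	MinImageVersion int           // version enforcement: oldest golden disk still allowed
}

// DeviceState is what the agent reports, or what the server last knew.
type DeviceState struct {
	ADGroup        string
	LastCheckIn    time.Time
	LastScan       time.Time
	SignatureDate  time.Time
	ImageVersion   int
	ReportedStolen bool
}

var policies = map[string]Policy{
	"BYOC-Employees":   {3 * 24 * time.Hour, 7 * 24 * time.Hour, 14 * 24 * time.Hour, 60 * 24 * time.Hour, 12},
	"BYOC-Contractors": {24 * time.Hour, 24 * time.Hour, 3 * 24 * time.Hour, 14 * 24 * time.Hour, 13},
}

// Evaluate orders the checks by severity so the most drastic applicable action
// wins; the returned string is the reason logged on the server.
func Evaluate(p Policy, d DeviceState, now time.Time) (Action, string) {
	silent := now.Sub(d.LastCheckIn)
	switch {
	case d.ReportedStolen:
		return Kill, "device reported lost or stolen"
	case p.AutoKillAfter > 0 && silent > p.AutoKillAfter:
		return Kill, fmt.Sprintf("no check-in for %s, auto-kill after %s", silent, p.AutoKillAfter)
	case silent > p.OfflineLease:
		return Quarantine, fmt.Sprintf("offline lease of %s exceeded", p.OfflineLease)
	case d.ImageVersion < p.MinImageVersion:
		return Quarantine, fmt.Sprintf("image v%d below required v%d", d.ImageVersion, p.MinImageVersion)
	case now.Sub(d.SignatureDate) > p.MaxSignatureAge:
		return LockUntilScan, "AV signatures older than policy maximum"
	case now.Sub(d.LastScan) > p.MaxScanInterval:
		return LockUntilScan, "periodic AV scan overdue"
	}
	return Allow, "compliant"
}

// Decide looks up the policy targeted at the device's AD group; a group with no
// BYOC policy gets no corporate network access rather than a default allow.
func Decide(d DeviceState, now time.Time) (Action, string) {
	p, ok := policies[d.ADGroup]
	if !ok {
		return Quarantine, "no BYOC policy for group " + d.ADGroup
	}
	return Evaluate(p, d, now)
}
```

The lease check is what makes offline use safe: a VM that cannot reach the server still runs until its lease runs out, then quarantines itself locally using the same `Evaluate` logic with the last policy it received, and a kill issued while it was offline is delivered at the next successful check-in.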
25. More Challenges to BYOC
Supporting diverse platforms (Mac, etc.)
Offline access
Legal
Organizational / Political
26. Supporting Diverse Platforms
Mac support
Data shows Macs require much less support
No mature, robust management tools for OS X hosts yet
Best: Provide corporate Windows environment for Mac users
Windows 7 support
Can provide virtual Windows XP environment for now, upgrade to Win7 once corp standardizes on it
Hardware support
Give minimum hardware specs for BYOPC
Require support package from vendor
27. Legal Challenges
Who owns the hardware? Who owns the software? Who owns the data?
Mixing corporate and personal on the same device
Liability concerns
Software licensing
What to do when someone is terminated or leaves the company?
Not much different than BYO Smartphone, work-from-home
One solution: Put corporate environment on separate USB or SD card
Need a way to reclaim licenses, erase corporate data (“poison pill”)
28. Organizational and Political Challenges
Most common: Business wants it done, but IT dragging feet
Refocusing IT staff on services, not hardware
Education: “You are making me buy my own machine?”
29. Results
Significant proportion choose Macs
Increased machine usage
More work on weekends and after hours
Fewer support calls
Users more tolerant and responsible, willing to learn
Fewer lost devices
Take better care because they are invested in it
30. Key Takeaways
1. Focus on securing the data, not the device
2. Good security practices are essential, with or without BYOC
3. BYOC can save money, reduce support calls, and lead to happier users