BYOC: Securing Untrusted, Employee-Owned Desktops
John Whaley
CTO, MokaFive

Agenda

  • What is BYOC?
  • Techniques for BYOC
  • BYOC Security Considerations
  • Keys to a Successful BYOC Deployment

BYOC: Securing Untrusted, Employee-Owned Desktops

What is BYOC?

  • BYOC = “Bring your own Computer”, a.k.a. BYOPC, BYOL
  • Three models:
    1. Employer provides a stipend for the employee to purchase their laptop of choice, which will then be owned by the employee.
    2. Employee chooses laptop from a list of pre-approved machines.
    3. Employee is given instructions on how to connect to corporate resources, but can use any machine.

Why BYOC?

  • User demand
    - Choice computing
    - “Executive bling”
    - Extension of smartphones
    - New generation – “millennials”
  • Business demand
    - Reduce hardware assets
    - Part-time workers, contractors
    - Enable work from anywhere
    - Happy employees = productive employees

  Bottom line: Users are doing it, with or without IT…

What you can apply from this session

  At the end of this session, you will be able to:
  • Understand the predominant models for BYOC and their relative strengths and weaknesses
  • Evaluate the security of a BYOC solution
  • Avoid common pitfalls in BYOC
  • Plan a successful BYOC deployment

Users vs IT

Example: Citrix BYOC Program

  • $2100 stipend (taxable)
  • About 50% of employees opt in to the program
  • 40% of those in the program chose Macs
  • Employees often chipped in their own money to get a better machine
  • After a three-month pilot in the US, rolled out globally

How to deliver services?

  • Technique 1: Provide essential services via web applications
  • Technique 2: Provide a remote desktop (VDI or TS) session
  • Technique 3: Provide virtualized applications that run locally
  • Technique 4: Provide a managed corporate virtual machine to run locally

Technique 1: Port everything to the web

  Good: Access from any device
  Bad: Takes a long time to rewrite all your apps, no offline access

Technique 2: Remote Desktop to VDI or TS

  Good:
    - Access from many devices
  Bad:
    - Requires major server infrastructure
    - Can’t run offline
    - Bad interactive performance

Technique 3: Application Virtualization

  Good: Can run locally, but managed centrally
  Bad: Not cross-platform, not very secure

Technique 4: Client-side Virtual Machine

  Good: Secure, personalized, offline access, cross-platform, local execution, easy recovery
  Bad: Minimum HW requirement

Securing the endpoint device

  Need to treat BYOC as an untrusted device:
  • No VPN
  • DLP
  • Host checker
  • Two-factor authentication
  • Keyloggers, screen scrapers
  • Encryption of data-at-rest
  • Domain join and group policies
  • Access control, remote management of corporate data
  • Security policy enforcement

Threat Models

  • Malicious employees
  • Malware infections
    - Screen scrapers or keyloggers
    - Generic viruses/worms
    - Targeted malware
  • Lost or stolen laptops, “borrowed” machines
  • Targeted attacks and espionage

Dealing with Infected Endpoint Devices

  • Anti-virus and anti-malware
  • OS patch level
  • Network quarantine
  • Keyloggers and screen-scrapers
  • Data loss prevention

Enterprise-Level Layered Security

  7 Layers of Security:
  • Anti-virus scan of host PC
  • Full virtual machine encapsulation
  • AES-256 encryption
  • Tamper resistance and copy protection
  • AD and two-factor authentication
  • Granular security policies
  • Remote kill

Anti-virus scan of host PC

  • Protects against most known attacks/malware
  • Policy enforcement:
    - Maximum age of signature file
    - Periodic scan frequency
    - Automatic keyboard/screen lock until scan completes

Full virtual machine encapsulation

  • Protects against non-targeted attacks
  • Run on a separate, locked-down operating system
    - Rejuvenate to the latest golden system disk on every boot
    - Out-of-band updates of the golden system disk
  • Device passthrough of keyboard/mouse and video card foils most keyloggers/screen scrapers
  • Hardware support for encapsulation (VT-x, VT-d)

AES-256 encryption

  • Encryption of data-at-rest protects against lost/stolen laptops
    - Key escrow
    - Dealing with lost/changed passwords
    - Administrator unlock without user password
    - Don’t forget swap space!

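The three bullets under key escrow (lost or changed passwords, administrator unlock without the user's password) are all consequences of one key layout: a random data key that encrypts the disk, wrapped separately under a key derived from the user's password and under an escrow key held by the management server. The following is an added example of that layout, not MokaFive code; it uses only the Python standard library, so the wrap primitive is a keyed HMAC-SHA256 keystream standing in for AES-256 (a real deployment would use AES-256-GCM or AES key wrap), and all key and password values are constructed. The swap-space warning on the slide applies equally here: the unwrapped data key sits in process memory and can be paged out unless swap is encrypted or the key is held in non-pageable memory.

```python
"""Key escrow for an encrypted VM disk: one data key, two wraps.

  data key (random 256-bit) ........ encrypts the VM image (not shown here)
    wrapped under the user KEK ..... derived from the user's password (PBKDF2)
    wrapped under the escrow KEK ... held by the administrator
A password change re-wraps the data key; the disk itself is never re-encrypted,
and an administrator can unlock through the escrow wrap without the password.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keyed keystream from HMAC-SHA256 in counter mode, XORed over the data.
    # Stand-in for AES-256, which the standard library lacks (assumption of
    # this example); use AES-256-GCM or RFC 3394 AES key wrap in practice.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC the data key under a key-encryption key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(kek, nonce, data_key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Reverse wrap_key; raises if the KEK is wrong or the blob was altered."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check: wrong key or tampered header")
    return _keystream_xor(kek, nonce, ct)


def derive_user_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=KEY_LEN)


def create_volume(password: str, escrow_kek: bytes):
    """Return (data_key, header). Only the header is stored alongside the disk."""
    data_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(NONCE_LEN)
    header = {
        "salt": salt,
        "user_wrap": wrap_key(derive_user_kek(password, salt), data_key),
        "escrow_wrap": wrap_key(escrow_kek, data_key),
    }
    return data_key, header


def unlock_with_password(header: dict, password: str) -> bytes:
    return unwrap_key(derive_user_kek(password, header["salt"]), header["user_wrap"])


def unlock_with_escrow(header: dict, escrow_kek: bytes) -> bytes:
    """Administrator path: recovers the data key without the user's password."""
    return unwrap_key(escrow_kek, header["escrow_wrap"])


def reset_password(header: dict, escrow_kek: bytes, new_password: str) -> dict:
    """Lost-password flow: recover via escrow, re-wrap under the new password."""
    data_key = unlock_with_escrow(header, escrow_kek)
    salt = secrets.token_bytes(NONCE_LEN)
    return {**header, "salt": salt,
            "user_wrap": wrap_key(derive_user_kek(new_password, salt), data_key)}


if __name__ == "__main__":
    ESCROW_KEK = secrets.token_bytes(KEY_LEN)  # constructed; lives on the management server
    dk, hdr = create_volume("correct horse", ESCROW_KEK)
    assert unlock_with_password(hdr, "correct horse") == dk
    hdr = reset_password(hdr, ESCROW_KEK, "battery staple")
    assert unlock_with_password(hdr, "battery staple") == dk
    print("escrow unlock and password reset OK")
```

The escrow wrap is untouched by a password reset, so the administrator path keeps working across any number of user password changes, and revoking a user's access is a matter of dropping the user wrap from the header rather than re-encrypting the disk.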
Tamper resistance and copy protection

  • Protect against copying data to another device
  • Tie the virtual machine to physical hardware identifiers and/or TPM
  • HMAC of all data to detect tampering

AD and two-factor authentication

  • Use RSA SecurID or other second-factor authentication
  • Protects against lost password, lost device; limits exposure window

Security policies

  Targeting security policies by AD group:
  • Offline lease time: Maximum time a user can run without checking in
  • Auto-kill: Self-destruct after a given time
  • Version enforcement: Ensure users have the latest security patches
  • Peripheral restrictions: USB devices, microphone, printing, CD/DVD, etc.
  • AD group policies: Use existing AD policy sets

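The client-side logic that turns these group-targeted settings into a launch decision is small enough to show whole. Below is an added example, not MokaFive code, of a policy evaluator: policies are keyed by AD group, a user in several groups gets the strictest value of each field, and the device state (last check-in, golden-image version) is checked in the order auto-kill, offline lease, version, with the group's peripheral block-list handed back for the virtual machine monitor to enforce. The group names, durations, version numbers and peripheral names are constructed. A user in no policy-bearing group is denied rather than allowed, which is the fail-closed default a practitioner would want when a group lookup fails.

```python
"""Per-AD-group security policy evaluation on the client.

  KILL   offline longer than the auto-kill horizon: zeroize local data
  DENY   offline lease expired, or image below the enforced version:
         refuse to launch until the client checks in or updates
  ALLOW  run, returning the merged peripheral restrictions
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    offline_lease: timedelta      # max time since check-in before launch is refused
    auto_kill_after: timedelta    # offline time after which local data self-destructs
    min_image_version: tuple      # oldest golden image allowed to run, e.g. (2, 4, 0)
    blocked_peripherals: frozenset = frozenset()


# Constructed policies keyed by AD group (assumed names and values).
POLICIES = {
    "Contractors": Policy(timedelta(days=2), timedelta(days=7), (2, 4, 0),
                          frozenset({"usb-storage", "printing", "cd-dvd"})),
    "Employees":   Policy(timedelta(days=14), timedelta(days=60), (2, 3, 0),
                          frozenset({"cd-dvd"})),
}


def effective_policy(groups) -> Policy:
    """Merge the policies of every group the user is in, strictest value per field."""
    chosen = [POLICIES[g] for g in groups if g in POLICIES]
    if not chosen:
        raise LookupError("user is in no policy-bearing AD group: deny by default")
    return Policy(
        offline_lease=min(p.offline_lease for p in chosen),
        auto_kill_after=min(p.auto_kill_after for p in chosen),
        min_image_version=max(p.min_image_version for p in chosen),
        blocked_peripherals=frozenset().union(*(p.blocked_peripherals for p in chosen)),
    )


@dataclass
class DeviceState:
    last_checkin: datetime
    image_version: tuple
    groups: tuple


REFERENCE_NOW = datetime(2011, 2, 15, 9, 0)  # constructed clock for the demo


def state_offline(days: float, version: tuple, groups: tuple,
                  now: datetime = REFERENCE_NOW) -> DeviceState:
    """Constructed device state that last checked in `days` ago."""
    return DeviceState(now - timedelta(days=days), version, groups)


def decide(state: DeviceState, now: datetime):
    """Return (decision, reason, blocked_peripherals)."""
    try:
        pol = effective_policy(state.groups)
    except LookupError as exc:
        return "DENY", str(exc), frozenset()
    offline_for = now - state.last_checkin
    if offline_for > pol.auto_kill_after:
        return "KILL", f"offline {offline_for.days}d exceeds auto-kill horizon", frozenset()
    if offline_for > pol.offline_lease:
        return "DENY", "offline lease expired; check in to renew", frozenset()
    if state.image_version < pol.min_image_version:
        return "DENY", "golden image below enforced version; update required", frozenset()
    return "ALLOW", "within lease and version policy", pol.blocked_peripherals


if __name__ == "__main__":
    for days, groups in [(1, ("Employees", "Contractors")), (3, ("Contractors",)),
                         (90, ("Employees",)), (0, ("Guests",))]:
        print(days, groups, decide(state_offline(days, (2, 4, 1), groups), REFERENCE_NOW))
```

The auto-kill check runs before the lease check because its horizon is the longer of the two; a device that has been off the network long enough to trip it should wipe rather than merely refuse to start, which is the difference between the slide's "offline lease time" and "auto-kill" bullets.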
Remote kill

  • Can mark a device as lost or stolen
  • Device receives a “kill pill”, securely zeroes all data and sends back confirmation
  • Mitigates risk from a lost device or rogue employee/contractor

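The kill-pill exchange has two parties and three messages worth getting right: the pill must be authenticated and fresh so that nobody but the management server can wipe a device and a captured pill cannot be replayed later, and the confirmation must be bound to that specific pill so the server records a wipe only when it really happened. The following is an added example of that exchange, not MokaFive's protocol; the per-device enrollment key, message field names, freshness window and file path are assumptions. Two defender's caveats: overwriting a file in place is best-effort on flash storage, so for an encrypted VM disk the dependable form of "securely zeroes" is destroying the data key, and a device that never comes back online can never receive a pill at all, which is the case the offline lease and auto-kill policy covers.

```python
"""Authenticated remote-kill exchange between a management server and a client.

Server -> device : {"cmd": "kill", device_id, nonce, issued_at} + HMAC
Device           : verify MAC, id, freshness, nonce; zeroize; reply with a
                   {"cmd": "killed", ...} confirmation carrying the same nonce
Server           : verify the confirmation and mark the device wiped
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile

FRESHNESS_SECONDS = 600  # assumed acceptable clock skew plus delivery delay


def _mac(key: bytes, msg: dict) -> str:
    canon = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class ManagementServer:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> per-device enrollment key
        self.pending = {}                # nonce -> device_id awaiting confirmation
        self.wiped = set()

    def issue_kill_pill(self, device_id: str, now: int) -> dict:
        body = {"cmd": "kill", "device_id": device_id,
                "nonce": secrets.token_hex(16), "issued_at": now}
        self.pending[body["nonce"]] = device_id
        return {"body": body, "mac": _mac(self.device_keys[device_id], body)}

    def accept_confirmation(self, msg: dict) -> bool:
        body = msg["body"]
        device_id = self.pending.pop(body.get("nonce"), None)
        if device_id is None or body.get("device_id") != device_id or body.get("cmd") != "killed":
            return False
        if not hmac.compare_digest(msg["mac"], _mac(self.device_keys[device_id], body)):
            return False
        self.wiped.add(device_id)
        return True


class Client:
    def __init__(self, device_id: str, key: bytes, data_path: str):
        self.device_id, self.key, self.data_path = device_id, key, data_path
        self.seen_nonces = set()

    def _zeroize(self) -> None:
        # Overwrite, flush to disk, then unlink; best-effort on flash media.
        size = os.path.getsize(self.data_path)
        with open(self.data_path, "r+b") as f:
            f.write(b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
        os.remove(self.data_path)

    def handle(self, msg: dict, now: int):
        body = msg["body"]
        if not hmac.compare_digest(msg["mac"], _mac(self.key, body)):
            return None                                   # forged or altered pill
        if body.get("cmd") != "kill" or body.get("device_id") != self.device_id:
            return None                                   # wrong command or device
        if abs(now - body["issued_at"]) > FRESHNESS_SECONDS or body["nonce"] in self.seen_nonces:
            return None                                   # stale or replayed
        self.seen_nonces.add(body["nonce"])
        self._zeroize()
        confirm = {"cmd": "killed", "device_id": self.device_id,
                   "nonce": body["nonce"], "completed_at": now}
        return {"body": confirm, "mac": _mac(self.key, confirm)}


def demo(work_dir: str = None) -> dict:
    """Run the exchange against a constructed data file; returns the checks made."""
    work_dir = work_dir or tempfile.mkdtemp()
    path = os.path.join(work_dir, "corp-vm.img")       # assumed local data store
    with open(path, "wb") as f:
        f.write(b"corporate data " * 100)
    key = secrets.token_bytes(32)                       # constructed enrollment key
    server = ManagementServer({"laptop-42": key})
    client = Client("laptop-42", key, path)
    pill = server.issue_kill_pill("laptop-42", now=1_000_000)
    confirmation = client.handle(pill, now=1_000_030)
    forged = {"body": dict(pill["body"], nonce="0" * 32), "mac": pill["mac"]}
    return {
        "confirmed": server.accept_confirmation(confirmation),
        "file_gone": not os.path.exists(path),
        "replay_rejected": client.handle(pill, now=1_000_060) is None,
        "forged_rejected": client.handle(forged, now=1_000_000) is None,
        "stale_rejected": client.handle(pill, now=1_000_000 + 2 * FRESHNESS_SECONDS) is None,
    }


if __name__ == "__main__":
    print(demo())
```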
More Challenges to BYOC

  • Supporting diverse platforms (Mac, etc.)
  • Offline access
  • Legal
  • Organizational / Political

Supporting Diverse Platforms

  • Mac support
    - Data shows Macs require much less support
    - No mature, robust management tools for OSX hosts yet
    - Best: Provide a corporate Windows environment for Mac users
  • Windows 7 support
    - Can provide a virtual Windows XP environment for now, upgrade to Win7 once corp standardizes on it
  • Hardware support
    - Give minimum hardware specs for BYOPC
    - Require a support package from the vendor

Legal Challenges

  • Who owns the hardware? Who owns the software? Who owns the data?
  • Mixing corporate and personal on the same device
  • Liability concerns
  • Software licensing
  • What to do when someone is terminated or leaves the company?
  • Not much different than BYO smartphone, work-from-home
  • One solution: Put the corporate environment on a separate USB or SD card
  • Need a way to reclaim licenses, erase corporate data (“poison pill”)

Organizational and Political Challenges

  • Most common: Business wants it done, but IT is dragging its feet
  • Refocusing IT staff to focus on services, not hardware
  • Education: “You are making me buy my own machine?”

Results

  • Significant proportion choose Macs
  • Increased machine usage
    - More work on weekends and after hours
  • Fewer support calls
    - Users more tolerant and responsible, willing to learn
  • Fewer lost devices
    - Take better care because they are invested in it

Key Takeaways

  1. Focus on securing the data, not the device
  2. Good security practices are essential, with or without BYOC
  3. BYOC can save money, reduce support calls, and lead to happier users


RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops
