Simply preventing personal devices from accessing your network might not be the best option for your business. A well thought out BYOD policy and the proper wireless security strategy can empower your employees, save costs, and increase productivity while maintaining security and control.
This presentation covers:
• The security implications of BYOD
• Steps to prepare your network for BYOD
• Strategies for managing remote users, branch offices and wireless access
Find out more about BYOD here: http://bit.ly/Ob1Giz
2. Join us on Twitter
Live tweeting from @Sophos_News
Send us your thoughts: #SophosLive
3. Agenda
• What is BYOD?
• BYOD Benefits
• Concerns & Implications
• BYOD Preparation
• Strategies
• Q&A
4. What is BYOD?
Sometimes known as BYOP, BYOT, or the “Consumerization of Technology”
• One of those terms that means different things to different
people (Like ‘Cloud’)
• Most agree it means allowing personal devices to access
business networks
• Big topic that covers more than just mobile phones, may also
include Guest wireless access
• Also used to describe programs where equipment is provided
(1 – 1 initiatives in schools)
5. Why is BYOD a hot topic?
• Powerful devices
• Access everywhere
• Mixed ownership
• User in charge
6. Why consider BYOD?
What benefits does a BYOD program bring?
• BYOD should hopefully reduce IT costs
• BYOD can lead to greater employee satisfaction
• Satisfaction can lead to greater productivity
• Many users expect to be able to use their own devices and
may see IT as a business obstacle
• Not allowing it may result in employees doing it anyway
7. What are the concerns?
BYOD risks include:
• Data Leakage
• Increased chance of malware
• Regulatory violations
• Legal Issues
• BYOD devices may also place a greater load on your
network and wireless devices
• Balancing user expectations with security requirements
8. What are the Security Implications of BYOD?
• Personal device use may conflict with company security
policies
• Allowing ‘any’ device to participate may reduce security
• Personal devices with company data blur the lines of
responsibility
9. Steps to prepare for BYOD
As with any IT Initiative, we start with a plan
• Form a committee of stakeholders
• Identify the risk elements that BYOD introduces
• Decide on policies and acceptable use
• Build the plan
• Evaluate Network and identify any missing components
• Implement solutions
• Periodically reassess solutions
10. Form a committee of stakeholders
Gather input from different groups
• Business
• IT
• Security
• Legal
• HR
11. Identify Risk Elements
Stakeholders can help you understand where risks are
Measure how the risk can impact your business
• How much damage would be incurred by lost or stolen data?
Map risk elements to regulations where applicable
• Are you subject to compliance rules?
• What rules do they have regarding mobile devices?
12. Define Policies and Acceptable use
This may be a good time to look at Endpoint and VPN policies and programs
Mobile devices
• Which types are allowed? What applications are acceptable?
Tablets
• Which types are allowed? What applications are acceptable?
Portable computers
• Is an Endpoint agent used to scan for AV and enforce policies?
13. Build the plan
• Remote device management
• Application Control
• Policy compliance and audit reports
• Data and device encryption
• Cloud storage security
• Wiping of devices
• Revoking/changing access if employee status changes
• Guest options
14. Mobile Device Management
Choose an MDM solution
• Primary purpose is to protect corporate data
• MDM solutions can be on premise or provided as SaaS
• Should have basic features such as:
• Remote lock/wipe
• Turn on native security features
• Compliance checking to ensure device isn’t ‘Jailbroken’
• Should support existing mobile platforms and be
upgradeable for future products
15. BYOD Infrastructure Considerations
The Network
• Are new users/devices being added onto your network?
• How many? Twice as many? 3 times?
• Can you easily segregate Guest user traffic from the LAN?
• How much extra work is this going to be for IT staff?
• How do I expand this out to remote offices?
16. Review Network and Identify Missing Pieces
• Review network security solutions to see if they can be used
with BYOD traffic (e.g. web policies, application control)
• Bandwidth throttling capabilities
• Time based policy options
• Reporting Capabilities
• If MDM is on premise, how do I securely set up access?
17. Review Wireless Capabilities
Your Wireless solution and its capabilities
• Can equipment support multiple SSIDs (wireless
zones)?
• Does equipment support 802.11n?
• What levels of encryption does it offer?
• How easy is it to add capacity?
• What are the Guest capabilities?
18. Evaluate Encryption Tools
Need to think about where the data is now that it’s mobile
• Need to protect data in transit, and at rest
• Need to consider that data may be used in the ‘Cloud’
19. Implement Solutions
• Begin with pilot group from each department
• Educate Users on BYOD risks and rewards
• Gather feedback from pilot group
• Expand to all users
20. Periodically reassess
• Especially important due to rapid changes in mobile
market and technology
• Keep an eye on compliance changes
• Include vendors and trusted advisors to get info
• Look at existing vendor roadmaps
• Look at new cost saving options such as group plans
• Invest in user awareness
21. Strategies for BYOD Success
• Set up a ‘Guest’ Wireless LAN for BYOD devices
• Define a list of supported BYOD devices as part of your
BYOD plan, and be prepared to modify as needed
• Use an MDM solution to support BYOD devices and
provide a security baseline
• Use encryption to protect data allowed on mobile
devices
• Define which apps are acceptable and which are not
22. Strategies for BYOD Success
• Consider using tools like Citrix or HTML5 portals to
prevent data from being transferred to mobile devices
• Understand how compliance may affect your BYOD
program
• Educate users about BYOD issues and concerns
23. What do we need to support BYOD?
At a minimum
• A robust network that can handle increased traffic
• Ability to identify and control ‘Mobile’ user traffic when
on network
• An MDM solution to manage devices
• Encryption to protect data
24. Sophos UTM Integrated security
Once connected to the UTM, easily integrates with other security features
• Strong Encryption
• Integrated UTM Security
25. Complete security
Product areas: Endpoint, Web, Email, Data, Mobile, Network
Pillars: Reduce attack surface, Protect everywhere, Stop attacks and breaches, Keep people working
Features shown on the slide: URL Filtering, Web Application Firewall, Endpoint Web Protection, Encryption for cloud, Data Control, Access control, Automation, WiFi security, Anti-spam, Patch Manager, Mobile Control, Virtualization, Anti-malware, User education, Visibility, Local self-help, Application Control, Mobile app security, Clean up, Technical support, Device Control, Secure branch offices, Intrusion prevention, Firewall, Encryption, Live Protection, Email encryption
26. Staying ahead of the curve
US and Canada: 1-866-866-2802, NASales@sophos.com
UK and Worldwide: +44 1235 55 9933, Sales@sophos.com
facebook.com/securitybysophos
Sophos on Google+
linkedin.com/company/sophos
twitter.com/Sophos_News
nakedsecurity.sophos.com
Editor’s notes
What is BYOD? Bring your own device is used to describe the practice of allowing personal technology (laptops, iPads, smartphones, etc.) access to privileged resources such as business networks and/or data. In the business world BYOD is fairly well known and accepted, and is used so that personal devices can access company-sensitive data or LANs. Allowing personal devices to be used in this manner offers flexibility to employees and can provide real cost savings to the business. To ensure that this data is not lost and that employees are using resources appropriately, BYOD policies often include the use of Endpoint and Mobile Device Management solutions. These solutions allow users to register their devices with the company, which can then control what applications may be used on the device and ensure proper security settings are in place, such as password strength and the use of AV.
Seventy percent of respondents in a recent survey by Gartner, Inc. said that they have or are planning to have "bring your own device" (BYOD) policies within the next 12 months to allow employees to use personal mobile devices to connect to enterprise applications. Thirty-three percent of all organizations surveyed currently have BYOD policies in place for mobile devices, such as smartphones and tablets. “Shifting from an enterprise-owned mobile device fleet to having employees bringing their own devices has a major impact on the way of thinking and acting about mobile security,” said Dionisio Zumerle, principal research analyst at Gartner. “Policies and tools initially put in place to deal with mobile devices offering consumer-grade security must be revised to deal with these devices being under the ultimate control of a private user, rather than the organization.” (http://www.gartner.com/newsroom/id/2263115)
IT departments should be perceived as the lubricant in the machine that powers an organization. BYOD is a great opportunity to make life easier for your users. But convenience is always a trade-off with security. How do you strike a balance between security and productivity? Letting users connect to your network with just any device probably isn’t an attractive thought, since it can quickly lead to chaos and loss of control. A well thought out BYOD policy along with the proper solutions can be a win-win for all parties. Before wading into the BYOD waters, though, you’ll want to carefully consider how it’ll affect your network and data.
Just not allowing BYOD may not be a good idea, as employees have come to expect this; besides the items listed as benefits, not having BYOD can result in dissatisfaction, seeing IT as a business obstacle, and employees trying to do it anyway, which could lead to issues such as data leakage. Employees that are using equipment they’re comfortable with may be more productive, which benefits the business. For example, many people may prefer viewing documents on their iPad rather than pulling out their work laptop. The convenience of not having both a personal and a business phone can also be a big deal to people who are looking for simplicity. Many businesses are realizing that having a BYOD policy is also attractive in recruitment and retention. And businesses are always looking at ways to cut costs, and BYOD can do just that. By allowing employees to provide their own hardware, costs can be cut in both administration and equipment.
So if you’re going to allow BYOD in your org you need to consider a number of things. How much access will we allow BYOD devices to network resources? This may depend on a few factors that we want to consider. Without having some control over devices you need to be very careful about what permissions are allowed, as you can’t know how secure the BYOD device is (are they even using passwords?), or if it’s even in the employee’s hands (what if it’s been stolen and is not secured; does someone else then have access into your network?). Mobile devices are increasingly targeted by malware, increasing the risk of it spreading once they’re connected to your network.
Companies must consider these 3 security implications when implementing a BYOD program:
• Allowing users the ability to use their personal devices conflicts with enterprise mobile security policies and increases the risk of data leakage and the exploitation of vulnerabilities.
• Using a personal device allows workers to access whatever URLs or apps they want, which increases the risk of data loss, whether through legitimate but unsupported apps or mobile malware.
• There are many types of mobile devices on the market today but not all have or enforce basic security features. This means that allowing users complete freedom to choose their preferred device will make it difficult for IT to enforce security policies and help manage and secure all devices. All devices should have at least these basic security features: password controls, lock controls for inactivity and password retry limits, data encryption, and remote lock/wipe.
Allowing the user to own the device while you control it raises privacy concerns and could prevent your team from taking certain actions such as wiping a lost device. Discussing with legal and getting written consent from the user to enforce policies is necessary to avoid problems. Overall these concerns relate to changing organizational thinking when it relates to these personal devices. There is a certain loss of control that must be dealt with, as well as an understanding of what type of risk the organization is willing to deal with regarding sensitive data and access from personal devices.
So as you can tell there are quite a few things to consider when implementing a BYOD program, which is why we suggest putting together a plan. The plan should be a cooperative effort with input taken from various teams so that all parties understand the risks and benefits. From there you can then decide on what type of access BYOD devices should have to your network, and what is considered acceptable use once they’re connected. This information can then be used to build and document your plan. Once you have your plan and know what’s needed for your BYOD program you can evaluate your network and wireless infrastructure to see what is needed for this new initiative.
So at a minimum we would suggest getting input from the following departments. Different views are needed so nothing is missed. For example, what happens if you wipe a device and there were personal pictures that a spouse had put on, and they want compensation? Is that addressed in the usage agreement? What are the views of the business teams on the benefits that this program might bring? Do they have any problems with limiting the type of devices that would be allowed? Or do they want to allow any type of device for some reason? How would that type of request affect IT? Would they be expected to help support all these devices, and do they have the skills and manpower to do so? These are just some of the issues that should be discussed with the stakeholder group.
Risks come in many forms and differ from business to business. All businesses have sensitive data though, and so should be concerned about where that data is and who has access to it. Personal devices increase the chance that this data will be lost or stolen. Personal devices that are not secured properly may also be more susceptible to malware, which could then spread onto your network, or which could be used to steal information on the personal device (including passwords, data, etc.). Businesses that have to comply with regulations also need to carefully consider BYOD, as less control over information may result in violations. For example, if a user uses their BYOD device to transfer data to the Cloud, the server it’s now on may be located outside the required geographic boundaries. Compliance standards have mainly focused on the traditional PC, but regulators are paying more attention to mobile devices. All kinds of devices which hold sensitive data are now in the spotlight. It’s therefore essential to address the security and operational issues relating to mobile devices now, rather than risk fines and sanctions due to data loss. Remember, regulators won’t care whether you’ve lost sensitive data on a laptop or a mobile device. There may be no difference in the eyes of the law, but security controls for laptops are quite different from those applied to other mobile devices.
Once you understand your risks and needs you can start to figure out what type of access policies are appropriate for your organization. You may also need different rules for different devices, and different devices will often have different capabilities. For example, personal Windows computers may be able to use an Endpoint client that features sufficient security so that they can access via VPN. Will some devices get more access than others? When do we have the right to access employee-owned devices? Should we whitelist and blacklist apps to protect devices and data? Should we create an internal app store instead? Will we push specific apps to employee-owned devices?
So once you’ve figured out your risks and have an idea of what type of policies would apply, you can start actually building your plan. This plan should include:
Remote device management – Will all device types be supported or only some? It may be difficult to support all devices, but with the right solutions and equipment you could have different policies for ‘approved’ devices and unsupported ones. The policy may be as simple as ‘if you’re not using a device on this list you have to go back to the manufacturer with any questions’. Do you plan to use an MDM solution to manage personal devices? MDM solutions can greatly enhance security by providing policy enforcement and reporting. They’re also necessary if you want to ensure that only approved applications are used by these devices. This may be necessary to ensure that sensitive data is not leaked, and to prevent users from connecting to both your business network and cloud-based networks at the same time (BYON).
In all cases it’s also suggested that encryption be used to protect your company data once it’s on these devices. That ensures that even if the device is lost or stolen, and someone is able to access it, they aren’t able to view your data.
You’ll also need to ensure that plans are in place for transitioning BYOD devices back to personal-only devices. What happens when an employee leaves the organization and you have to wipe their data?
The primary objective of an MDM solution is to protect corporate data. This is achieved by enforcing compliance with corporate security policies. Before granting data access, mobile devices must be registered with the MDM solution. When a registered device connects, the MDM solution checks the device against a set of company rules like jailbreak detection, password configuration or blacklisted apps. Devices that comply with your security policies are granted access to corporate data.
While on-premise requires an upfront CAPEX investment and OPEX, these deployments are fully integrated into the organization’s IT, allowing for more granular control. On-premise deployments use an EAS proxy, Active Directory, an LDAP connection, and offer backup options. While on-premise is the most common delivery model, it’s not the only option. Some MDM providers offer their software as a service. Software as a service (SaaS) is great for organizations that need to get up and running quickly. No on-site installation or maintenance is necessary, saving you time and operating expenses. And as there are no changes to the local IT environment and no hardware investment, you won’t incur capital expenses. SaaS is typically considered an option only for large organizations, but it is well suited for smaller organizations or specific user groups as well. In fact, MDM in the cloud puts mobile device management within reach of smaller organizations and user groups that require centralized control but don’t have the resources to implement and manage an on-premise deployment. Companies should look for a solution that offers the scalability they need and is not over-dimensioned, leading to complexity.
BlackBerry recently told CBR that it thinks its approach to BYOD is a winner. Its upcoming BB10 platform has the capability to run two separate accounts on one device. Data connected to the work account cannot be copied across, and if a device is lost the business data can be remotely wiped without touching the personal side.
Once you have your plan and know the device types and what type of access they’ll need, you can evaluate the solutions you have in place to understand what else you may need, and identify what may be missing. You’ll need to consider the impact on your network and determine if that equipment can be used to effectively support your BYOD policy, or if you need to acquire new equipment or solutions. Can you segment your BYOD traffic the way you want? For example, you may have determined during your planning that you’ll need to have separate wireless networks for pure ‘Guest’ traffic and for BYOD devices that are managed by your MDM solution. This would allow you to give different levels of access to devices, but you will still want to ensure that you can properly control and scan all traffic on your network to enforce web and application policies, and to limit bandwidth. When considering Guest networks it’s also a good idea to look at time-based policies which can shut off access outside of business hours. And reporting is always an important part of any solution, as it’ll allow you to understand your traffic patterns and build a baseline from which you can measure traffic.
If your MDM will be on premise you have to think about a few things, such as where it will sit. As an internet-facing server, you need to make sure this device is properly protected. Most network security devices provide some type of DMZ capability, so that should be looked at. A reverse proxy and/or application firewall is also a good idea to protect your MDM solution and to avoid exploits.
Obviously wireless is a big part of BYOD, and depending on your program details it may see increased usage once your plan is put into place. Most business wireless solutions allow for multiple SSIDs, which allow you to set up different levels of permissions. You could, for example, set up a Guest-only SSID which requires acceptance of a Terms of Service, which may also include a link to your MDM solution should you want to register your device. Users that don’t choose to do that would stay on the Guest wireless SSID with limited access, while those that register their devices can receive a policy which then allows them to connect to the wireless LAN with greater access. Another of the benefits of using an MDM solution is that you may be able to set policies so that BYOD devices in the office use the office wireless for connectivity, which can save on data plans. This also allows for better enforcement of policies, but can definitely increase the load on your wireless devices. So an assessment should be done once you understand what you’d like to do.
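The compliance check described in these notes (a registered device compared against company rules such as jailbreak status, passcode settings and blacklisted apps before it moves from the Guest SSID to the corporate WLAN), combined with the baseline feature list from the notes on security implications, as an added example in Python. This is not code from the presentation or from any Sophos product; the posture record keys, thresholds, platform list and app identifiers are assumptions chosen for illustration.

```python
"""Posture-based access decision for BYOD devices (added example).

Assumed: the MDM exports one posture record per device as a dict with the
keys used below. The thresholds mirror the baseline the notes describe:
passcode controls, inactivity lock, retry limit, storage encryption,
remote lock/wipe, no jailbreak and no blacklisted apps.
"""
from dataclasses import dataclass, field

MIN_PASSCODE_LEN = 6            # assumed company baseline
MAX_IDLE_LOCK_SEC = 300         # auto-lock after at most 5 minutes idle
MAX_PASSCODE_RETRIES = 10       # device must wipe after at most 10 failures
SUPPORTED_PLATFORMS = {"ios", "android"}
# Constructed blacklist of bundle ids (placeholders, not real apps).
BLACKLISTED_APPS = {"com.example.unapproved-sync", "com.example.tethering"}


@dataclass
class Decision:
    tier: str                                # "corporate", "guest" or "blocked"
    failed: list[str] = field(default_factory=list)


def evaluate_posture(device: dict) -> Decision:
    """Map one posture record to a network tier, listing every failed rule.

    Order of severity: a device reported lost or stolen is blocked outright
    (remote wipe pending); an unenrolled device stays on the Guest SSID; an
    enrolled device must pass every baseline rule to reach the corporate WLAN.
    """
    if device.get("reported_lost"):
        return Decision("blocked", ["reported_lost"])
    if not device.get("enrolled"):
        return Decision("guest", ["not_enrolled"])

    failed: list[str] = []
    if device.get("platform") not in SUPPORTED_PLATFORMS:
        failed.append("unsupported_platform")
    if device.get("jailbroken", True):          # unknown status counts as jailbroken
        failed.append("jailbroken")
    if device.get("passcode_length", 0) < MIN_PASSCODE_LEN:
        failed.append("weak_passcode")
    if device.get("idle_lock_sec", 10**9) > MAX_IDLE_LOCK_SEC:
        failed.append("idle_lock_too_long")
    retries = device.get("retry_limit", 0)
    if retries <= 0 or retries > MAX_PASSCODE_RETRIES:   # 0 means no limit set
        failed.append("no_retry_limit")
    if not device.get("storage_encrypted", False):
        failed.append("storage_not_encrypted")
    if not device.get("remote_wipe_enabled", False):
        failed.append("remote_wipe_disabled")
    bad_apps = sorted(set(device.get("installed_apps", ())) & BLACKLISTED_APPS)
    if bad_apps:
        failed.append("blacklisted_apps:" + ",".join(bad_apps))

    return Decision("corporate" if not failed else "guest", failed)


def summarise(devices: list[dict]) -> dict[str, int]:
    """Count devices per tier, the kind of figure a compliance report shows."""
    counts = {"corporate": 0, "guest": 0, "blocked": 0}
    for d in devices:
        counts[evaluate_posture(d).tier] += 1
    return counts


# Constructed posture records (sample input, not real MDM output).
SAMPLE_DEVICES = [
    {"id": "d1", "enrolled": True, "platform": "ios", "jailbroken": False,
     "passcode_length": 6, "idle_lock_sec": 120, "retry_limit": 10,
     "storage_encrypted": True, "remote_wipe_enabled": True,
     "installed_apps": ["com.example.mail"]},
    {"id": "d2", "enrolled": True, "platform": "android", "jailbroken": True,
     "passcode_length": 4, "idle_lock_sec": 600, "retry_limit": 0,
     "storage_encrypted": False, "remote_wipe_enabled": True,
     "installed_apps": ["com.example.tethering"]},
    {"id": "d3", "enrolled": False, "platform": "ios"},
    {"id": "d4", "enrolled": True, "platform": "ios", "reported_lost": True},
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["id"], evaluate_posture(dev))
    print(summarise(SAMPLE_DEVICES))
```

The failed-rule list is what you would hand back to the user on the Guest portal so they can remediate (enable encryption, remove the app) and re-check, rather than silently denying access.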
Many BYOD users are also using cloud services such as Dropbox to store and access files from any location. This makes things very convenient for the user, but increases the risk of data loss and, depending on your business, could cause serious issues.
Make sure your organization has clear guidance in your acceptable use policy on what devices you allow and what users are required to do to use them for work. The user can be the ultimate weak link with a consumer device. To protect your data and theirs, make sure they think before they click.
Technology and business needs change, and so any plan should be reassessed periodically. Do your current solutions allow for upgrades and/or changes? Will your wireless controller and APs be able to support new standards when/if they come out and are supported on new devices? Will your MDM solution support new smartphones and tablets as they hit the market? Vendors often run promotions which can help save you money. Periodically check in with your vendors to see what they have to offer, as it may save you money.
Complete security means we don’t just detect threats, we:
• Reduce the attack surface – We address the things that bring risk like vulnerabilities and applications.
• Protect everywhere – We make sure your users are protected wherever they are and whatever device they’re using.
• Stop attacks and breaches – Of course we can detect and prevent threats and data loss. But we’ve moved beyond signatures with innovations like live protection, which means we can stop new threats instantly.
• Crucially, we keep people working – Both your users and the IT team. We engineer our products to simplify the tasks that take too much time today, like cleaning up infections and recovering forgotten passwords.
So, as the threat and the ways that we use IT for work evolve, so does your protection. We stay on top of them, to simply give you all you need to stay secure. We engineer our products to work better together. And we look for opportunities to unify endpoint agents, gateway defenses, security policies and intelligence so it’s even easier.
• Agents – for every device, combining security to maximise protection and performance
• At the Gateway – virtual or hardware appliances and software options that match your protection priorities and size
• Through Policies – We let you create a policy once, and apply it anywhere to give you consistent protection and user experience
• From our Labs – our experts have visibility of all aspects of security threats and use that expertise to actively fine-tune your protection for you and deliver instantly from the cloud