Presentation delivered to the Charlotte CISO Summit and Ballantyne IT Pro security summit events. I cover how security has positively partnered with the business at NGC to very securely deploy BYOD and enable mobile access to email, documents and business data.
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
BYOD - Mobility - Protection: security partnering with business
1. Are We the Watchers
or Their Partners?
Mike Brannon, National Gypsum
2. National Gypsum Company is a fully integrated building products manufacturer
Headquartered in Charlotte, NC with
mines and quarries, and
manufacturing plants across North
America
3. Charlotte Metro ISSA
Email us at info@charlotteissa.org
Twitter: @cltissa
http://www.charlotteissa.org/
ISSA local chapter delivers excellent
and low cost Security Training, hosts an
annual Summit event and sponsors
UNCC scholarships
Frequent gatherings to share practices
and network – support from sponsor /
partners for meetings –
Next Meeting 8/27/13 at NGC HQ – and
TacoMac
Please Join Us!
4. 4
4
We Are The Watchers…
Only We Understand Threats…
We Must Not Let Them Pass!
5. 5
5
The more the CIO/CISO says no,
the less secure the organization becomes.
Vivek Kundra, Former U.S. Federal CIO
Be responsible, not restrictive
Mike Brannon, National Gypsum
6. 6
6
NGC Example: BYOD/Mobility
Business Needs:
• Business needed improved mobile access
• Devices of their choice, ‘native interfaces’ on devices
• Explosion of options for devices, apps on app stores…
Security Concerns:
• Recently gained control of company provided PCs – Now
we allow any chosen device / app?
• Limited support / management resources in IT
• Serious concerns about responsible content management
(both Security and Legal teams)
10. 10
10
Open
In
Copy
Save
View
SharePoint documents
Open
In
Copy
Save
View
Email attachments
MobileIron Confidential
10
Secure your document repositories
• Solve “open in” problem
• Store documents securely on device
• Control cut / copy / paste actions
• Selectively wipe documents
• Prevent unauthorized distribution
• Control end-to-end with policy
• Leverage existing content repositories
• Prevent use of unauthorized tools –
– DropBox for example
Open
In
Copy
Save
View
Box shared documents
13. 13
13
Closed-loop actions when compromised
13
Remediation
Notify
Block
Quarantine
Closed-loop actions
• Notify user and admin
• Prevent access
• Remove saved files
• Remove SharePoint config
• Protect enterprise persona
MobileIron Confidential
14. 14
14
National Gypsum Implementation
• Risks / Threats Addressed:
– Loss of Company Data / Lost Devices / Departing Employees
– All Devices and Users Registered / Security Policies Enforced
– Ease of Use for Employees AND Improved Security & Efficiency
• What We Deployed (And Timeline)
– MobileIron device (VSP) and support (Sentry) – All Smartphones
– Blackberry (now gone), Apple iOS and Android Devices
– Push Secure WiFi Config to Minimize Data Use On Premise
– Rush To Adopt iPads – From 0 to 100’s of Devices!
– More than email access! Apps for SharePoint and Data!
– Manage “Allowed” and “Disallowed” Settings / Apps (DropBox)
• Replaced with BOX Enterprise – Block ALL Other “Web Content Stores”
– Leverage Internal PKI and Push Webclips – Deliver Business Data
15. 15
15
• Where Are We Now?
– BES Retired – 70% iOS, 25% Android, 5% Windows Devices
– User/Device Configuration Management Implemented
– iPad is currently only supported Tablet –
• Actively testing Samsung SAFE Android, others (Nexus, Surface)
– Plans to allow Windows 8 and MAC OS/X BYOD
– Colligo Briefcase for SharePoint Document Access
– BOX for External Data Sharing with Partners
– Two Apps Deployed on iOS with “One Tap For Data”
• Certificates delivered to Device and to User (SCEP/MobileIron)
• Invisible Authentication via Juniper Secure Access
• IIS Web Server & Application Configuration – “Last Seen User State”
• HTML5 / JavaScript to deliver SQL and Mainframe Data
National Gypsum Implementation
17. 17
17
Content doesn’t exist in isolation
Enterprise
Mobile Persona
Native experience
Data separation
Shared policy Selective wipe
Secure communications
Email
Apps Certs
Policy
Content
Federated identity
18. 18
18
Security considerations 2013+ …
“No” not a sustainable option -> provide credible alternatives
Massive content ecosystem -> crowd-source but don’t lock-in
Uncertain economics -> establish “help-yourself-desk”
Dynamic risk at endpoint -> automate your mobile trust model
Content always one-click from cloud -> co-habitate responsibly
Blurring between content and app -> explore new forms
19. 19
19
Security Partnering With Business…
Understand incentives of others-> help them look good first
Seek to understand -> ask questions, don’t issue demands
Uncertain economics -> agile, incremental work not big bang
Add value always -> strive to integrate security transparently
Leverage outside partners-> “Wall Watchers” contract MSS
Be flexible and recalibrate -> build stakeholders and allies
20. Thank you - Resources
Mike Brannon (mebrannon@nationalgypsum.com
http://www.charlotteissa.org/
Notes de l'éditeur
Info Security is full of challenges – Technical challenges getting things to work at all – http://adversari.es/blog/2013/06/19/cant-we-all-just-get-along/The ‘JERK PROBLEM’Interlude: we are the watchers on the wallsMany in the Infosec community are fond of casting the security world as “us versus them,” where “they” aren’t external, malicious actors but unaware users, clueless managers, and bumbling executives within our own organizations. We like to see ourselves as the Night’s Watch of the tech world: out in the cold with little love or support, putting in long nights protecting the realm against the real threats (which the pampered never take seriously) so everyone else can get on with their lives in comfort. We develop a jaundiced attitude: only we understand the real danger, we think, and while we’re doing our best to stave off outsider threats, when the long night comes we need fast and unquestioning cooperation from the rest of the organization lest (hopefully metaphorical) frozen undead kill us all.
EmpathyThe jaundiced attitude among Infosec mentioned above, coupled with differing incentive structures, has an unfortunate tendency to spill over into external interactions. If 90% of lunch conversations are complaints about how terrible users are, how management doesn’t get it, and how the dev team on Project Foo are a bunch of incompetent turd-burglars — the next time you have to meet with Project Foo’s team, you’ll be hard-pressed to give them a fair hearing as they explain how their lack of proper resources and mountain of technical debt prevent them from addressing problems properly.When we go for the easy answers:This {system, product, device, network} is {insecure, vulnerable, unsafe, slow, broken, unprofitable, incomplete, poorly designed, ugly} because the {designer, manager, dev team, executives, QA, sales} {is incompetent, is lazy, doesn’t care about security, is an asshat}we erode our ability to evaluate the true cause of a situation. (Social psychology refers to this as the Fundamental Attribution Error – the tendency to attribute others’ mistakes to their inherent failings, while attributing our own mistakes to the situation at hand.) We damage our reputation (and that of Infosec as a field), make ourselves unpleasant to deal with, and generally make the world a worse place.We also get used to thinking of people and teams in that way. We genuinely become less kind people.
Lost Devices – From the beginning we could assist with trying to find devices, and we could SELECTIVELY wipe our corporate data and configuration from the devicesSome devices will appear to accept ActiveSync host directives – but then NOT actually do it! An Agent on the device, using the MFG API – does enforce our policy!Installation – Obtain the App in the store – then one very simple registration to then connect to the device and user – Interaction with Active Directory, policy engine in MI and our internal PKI – full configuration “appears” after registration!
We went from more than 900 devices managed via our BES to none in 5 years.Those Blackberry devices were replaced by a much more diverse set of devices all chosen by our employees – NOT by the IT Group!We are certain that the new fleet of devices is at least as secure – if not more secure – than the old one! We have BYOD working securely!In addition the setup and management of the new fleet of diverse devices works very efficiently and delivers data people need to do their jobs better!(Old BES only delivered email / calendar – NOT Apps!)
We went from more than 900 devices managed via our BES to none in 5 years.Those Blackberry devices were replaced by a much more diverse set of devices all chosen by our employees – NOT by the IT Group!We are certain that the new fleet of devices is at least as secure – if not more secure – than the old one! We have BYOD working securely!In addition the setup and management of the new fleet of diverse devices works very efficiently and delivers data people need to do their jobs better!(Old BES only delivered email / calendar – NOT Apps!)