Bring your own computer to work

At RSA Europe 2010, Ron Lapedis and Michael F. Angelo did a presentation on Consumerization, titled: "Bring Your Own Computer to Work – What Now?". The presentation covered Consumerization issues as embodied with the use of non-corporate owned computers in the corporate environment. With this in mind, they discussed the potential bleed out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC

Speaker notes

  • WinMo and Blackberry not listed because they are considered to be corporate devices.
  • Why? At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department. Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results. At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space. And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranet.
  • Gartner says 10% are primary system
  • After waiting 30 minutes for a ten-year-old work Pentium PC to boot Windows 98, we can see how the concept of a shiny new notebook you can call your own would be appealing
  • 68% of SMB IT managers say their departments provide technical support for personal devices, including smartphones and computers.
  • Configuration: BIOS, Documents & Settings, Firewall / Anti-Virus / Anti-malware, Wireless networks, VPN
  • Things that you might do at home might get you in trouble when you put your corporate information at risk by doing them …
  • Various laws protect customer data. Employee must protect assets whether physical or informational. Protect devices, encrypt HD, remove HD if needed.
  • Paging file could be a leakage point. Keylogger
  • Virus on hosted OS can only take out the hosted OS, but virus on host OS can take out both.
  • BIOS protections…
  • So VM can be modified while running through rogue / compromised environment.

Bring your own computer to work: Presentation Transcript

  • 1. Bring Your Own Computer To Work - What Now?
    Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI
    SPYRUS, Inc
    Michael F. Angelo, CSA
    NetIQ Corporation
  • 2. Bring your own computer
    2
  • 3. Bring your own computer
    3
  • 4. BYOC is Consumerization of IT
    4
  • 5. What Is Consumerization?
    Changing the Face of Work
    Consumer-based Social Media for advertising
    Consumer-based Financial Services for accounts receivable
    Use of consumer or Free Software for sustaining corporate infrastructure
    And… What we are going to focus on:
    Use of personal equipment in the corporate environment
    5
  • 6. Consumerization of IT
    Use of employee owned resources for company work
    6
  • 7. How widespread is consumerization?
    Source: In-Stat
    7
  • 8. How It Happens
    8
  • 9. How It Happens
    Don’t want to use your Pentium III with 256 MB RAM & 60 GB HD
    Don’t want to use your OS
    Don’t want to use IE6
    Don’t want to use your software tools
    Don’t want to be locked down
    9
  • 10. What is your policy?
    Secretive
    Ignored
    Unofficially Supported
    Officially Supported
    Subsidized
    10
  • 11. Benefit and Impact
    11
  • 12. Benefits and drawbacks
    Benefits:
    Companies save 9-40% on equipment purchase cost*
    Exit the hardware business
    Employee satisfaction
    Higher productivity
    Longer work hours
    Drawbacks:
    Helpdesk: Knowledge, Loaner
    Hardware: Capability, Configuration, Maintenance / warranty, Upgrades
    Software: Interoperability, Upgrades / updates, Vulnerabilities
    12
    *Source: Gartner
  • 24. Organizational impact - ownership
    Logins
    Personal login information on corporate machine
    Social Networks / Professional Associations
    Corporate login information on personal machine
    VPN Configuration
    User IDs and passwords stored in browsers
    Software Ownership
    Personal software
    Restricted use licenses
    Corporate software on home equipment
    13
  • 25. Organizational impact - legal Issues
    Legislated Privacy
    EU data protection act
    USA HIPAA, SOX, GLBA
    Country, state/province, local (e.g. CA SB 1386)
    More laws pending
    Cross contamination
    Corporate backup includes personal information
    Personal backup includes corporate information
    14
  • 26. Organizational impact - Security
    Information Leakage
    Family & friends
    Device Loss
    Virus
    Personal email – Spear Phishing
    Increased Exposure to Threats
    Surfing at Home <> Surfing at Work
    Torrents
    15
  • 27. Organizational impact - Non Obvious Issues
    Acceptable use policies
    How to apply to personal machines?
    Out-processing of individuals
    How do you know organizational data is removed from the employee machine?
    Software
    PST files
    Passwords / wireless / VPN Access
    Residual data
    Employee / corporate backups
    16
  • 28. Action To Take
    17
  • 29. Action to take today
    Is it already there?
    Run, don’t walk to your legal staff
    Decide if you will allow Consumerization
    Don’t wait for it to happen and then rush to formulate policy and procedures
    Decision must explicitly include all possible components
    Decision must be extended as new technology becomes available
    18
  • 30. Action today - Define policies
    Balance:
    Corporate vs Employee vs Customer
    Corporate:
    Must comply with laws
    Must maintain fiduciary responsibility
    Must not expose corporate assets
    At a minimum should address
    Employee responsibility
    Acceptable use
    Protection of assets
    19
  • 31. Action today - Incident response plan
    Even with Policies & Procedures accidents can happen…
    Need incident response plan
    20
  • 32. Technical Solutions
    21
  • 33. Action today
    Security 101:
    Keep secret stuff separate from non–secret stuff
    Keep corporate stuff separate from personal stuff
    Separate personal and corporate identities
    Compartmentalize the environments to reduce the risk of accidents.
    22
  • 34. Action today - Compartmentalization
    Application isolation
    Separate user accounts
    Virtual Desktop Infrastructure (VDI)
    Hypervisor on PC
    OS or Hypervisor on USB drive
    Windows-on-a-stick
    PC-in-my-pocket
    23
  • 35. Action today - Separate user accounts
    Work and Personal
    Mac, PC, or Linux
    Fast user switching
    Separate Context
    Subject to worms and viruses
    Can share information via common file system
    [Diagram (Separate Users): User 1 with App, App; User 2 with App, App; Host OS; Computer]
    24
  • 36. Action today- VDI
    Virtual Desktop Infrastructure (VDI)
    25
  • 37. Action today - Type 2 hypervisor
    Aka Hosted Hypervisor
    Still subject to worms and viruses
    Harder to accidentally share information, but cross-contamination still possible
    [Diagram (Type 2 Hypervisor): Apps on Hosted OS on Hypervisor; Apps directly on Host OS; Computer]
    26
  • 38. Action not-quite-today - Type 1 hypervisor
    Aka Native Hypervisor
    Almost impossible to share information
    Only common attack is hypervisor itself
    Each OS can be attacked separately
    [Diagram (Type 1 Hypervisor): OS 1 with App, App; OS 2 with App, App; Hypervisor; Computer]
    27
  • 39. Action Today - Type 2 portable hypervisor
    [Diagram (Hosted (Type 2) VM on a removable device): OS Partition holding Operating System, Hypervisor, User Settings; App, App, App; File, File, File]
    Running PC loads hypervisor from device
    OS from device and OS from host HD completely separated
    Does not prevent attack via ‘host’ OS
    Does not protect the information if device is lost
    Does not stop access after employment
    28
  • 40. Action today - Virtualized OS-on-a-stick
    [Diagram: Boot Partition holding OS + Virtual Machine; Encrypted OS Partition holding Operating System, User Settings; App, App, App; File, File, File]
    On-board cryptography authenticates and protects
    Boots OS from device, loads hypervisor, then loads hosted OS
    Host provides mouse, keyboard, RAM
    Encryption can protect information if device is lost
    Limited to OS on device
    Management system can block device when employee leaves
    29
  • 41. Action today - Native OS-on-a-stick
    [Diagram: Boot Partition holding Boot Loader; Encrypted OS Partition holding Operating System, User Settings; App, App, App; File, File, File]
    On-board cryptography authenticates and protects
    Boots OS directly from device
    Host provides mouse, keyboard, RAM
    Encryption can protect information if device is lost
    Limited to OS on device
    Management system can block device when employee leaves
    30
  • 42. Native versus hypervisor
    [Diagram: Virtualized OS stack (Applications, Hypervisor, PC Hardware) beside Native OS stack (Applications, PC Hardware)]
    Note the additional overhead and larger attack surface of a hypervisor-based approach since two operating systems are required. It will be noticeably slower and possibly less secure.
    31
  • 43. Action tomorrow - Native OS-on-a-stick + TPM
    [Diagram: Boot Partition holding Secure Boot Loader; Encrypted OS Partition holding Operating System, User Settings; App, App, App; File, File, File]
    Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
    In almost all commercial grade computers
    For more info see the Trusted Computing Group: www.trustedcomputinggroup.org
    32
  • 44. Action tomorrow: Native OS-on-a-stick + TPM
    Can also be used to ‘seal’ information to a snapshot
    A snapshot consists of information relevant to defining an identity or entity
    Information cannot be ‘unsealed’ if any element used to ‘seal’ is not an exact match or is not available.
    33
  • 45. Summary
    34
  • 46. Summary
    Immediately
    Consult with legal dept
    Review current information ownership / protection policies and make appropriate changes
    Put Consumerization policies in place
    Separate user accounts
    35
  • 47. Summary
    Longer Term
    Legal policies and procedures
    Enforce them!
    Technical policies and procedures
    Apply, rinse, repeat
    Technical Tools
    Isolate applications, virtualization
    36
  • 48. Thank You
    Michael F. Angelo
    NetIQ Corporation
    1233 West Loop South, Ste 810
    Houston, TX 77027
    angelom@netiq.com
    Ron LaPedis
    SPYRUS, Inc.
    1860 Hartog Dr.
    San Jose, CA 95131
    rlapedis@spyrus.com
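The "seal information to a snapshot" mechanism on the "Native OS-on-a-stick + TPM" slides, as an added example that is not part of the presentation and not a real TPM API: PCR extend and sealing are modelled in Python with SHA-256 and HMAC so the behaviour can be run offline. All measurements, the storage root key and the secret are constructed sample values, and `extend_pcr`, `snapshot`, `seal`, `unseal` and `demo` are names chosen for this example.

```python
"""
Simulation of TPM-style 'measure, then seal'. Added example, not the
presenters' code and not a real TPM interface: a real TPM keeps the
storage root key inside the chip and does the comparison itself.
"""
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample boot chains (hypothetical component names).
GOOD_BOOT_CHAIN = ["secure boot loader v1", "signed kernel", "initrd good"]
TAMPERED_BOOT_CHAIN = ["secure boot loader v1", "signed kernel", "initrd modified"]


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: List[str]) -> bytes:
    """Measure each component, in boot order, into one PCR starting from the reset value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component.encode())
    return pcr


def snapshot(pcr_values: Dict[int, bytes]) -> bytes:
    """Composite digest over the selected PCRs: the 'snapshot' the slide refers to."""
    h = hashlib.sha256()
    for index in sorted(pcr_values):
        h.update(index.to_bytes(1, "big") + pcr_values[index])
    return h.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC, enough for the toy encryption below."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, pcr_values: Dict[int, bytes], srk: bytes) -> Dict[str, bytes]:
    """Bind `secret` to the current snapshot; the key depends on SRK and snapshot only."""
    key = hmac.new(srk, b"seal-key" + snapshot(pcr_values), hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: Dict[str, bytes], pcr_values: Dict[int, bytes], srk: bytes):
    """Return the secret only if the *current* PCRs reproduce the sealing snapshot, else None."""
    key = hmac.new(srk, b"seal-key" + snapshot(pcr_values), hashlib.sha256).digest()
    expected = hmac.new(key, b"tag" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # any changed, reordered or missing element lands here
    stream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def demo() -> Dict[str, object]:
    """Seal a constructed disk key to a good snapshot, then try to unseal under several states."""
    srk = hashlib.sha256(b"constructed storage root key").digest()
    secret = b"disk-encryption-key-for-os-on-a-stick"
    good = {0: measure_boot_chain(GOOD_BOOT_CHAIN),
            1: hashlib.sha256(b"constructed device serial 0001").digest()}
    blob = seal(secret, good, srk)
    return {
        "good": unseal(blob, good, srk),
        "tampered_initrd": unseal(blob, {0: measure_boot_chain(TAMPERED_BOOT_CHAIN), 1: good[1]}, srk),
        "other_device": unseal(blob, {0: good[0], 1: hashlib.sha256(b"serial 0002").digest()}, srk),
        "missing_pcr": unseal(blob, {0: good[0]}, srk),
        "reordered_chain": unseal(blob, {0: measure_boot_chain(GOOD_BOOT_CHAIN[::-1]), 1: good[1]}, srk),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {'unsealed' if result else 'refused'}")
```

Only the "good" case returns the secret; a modified component, a different device, a dropped PCR or the same components in a different order all change the snapshot and the blob refuses to open. TPM 1.2 expresses this as a PCR composite attached to the sealed blob and TPM 2.0 as a policy digest, but the property the slide states is the same.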
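A check for the "can share information via common file system" caveat on the "Separate user accounts" slide, as an added example that is not taken from the presentation: it walks a profile directory and lists the regular files whose POSIX group or world read bit would let another local account on the same machine read them. The directory layout, file names and modes are constructed in a temporary directory, and `audit_directory`, `readable_by_others` and `demo` are names chosen for this example.

```python
"""
Added example: find files in a profile that other local accounts could read.
Not the presenters' code; the sample profile is constructed in a temp dir.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def readable_by_others(mode: int) -> bool:
    """True if the classic group-read or world-read permission bit is set."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_directory(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, octal mode) for every regular file under `root` others could read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: do not follow symlinks out of the profile
            if not stat.S_ISREG(st.st_mode):
                continue                  # symlinks, sockets, fifos are out of scope here
            if readable_by_others(st.st_mode):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed 'work' profile with mixed permissions and audit it."""
    with tempfile.TemporaryDirectory() as home:
        samples = {
            "Documents/customer-list.xlsx": 0o644,  # world readable: reported
            "Documents/private-notes.txt": 0o600,   # owner only: fine
            ".ssh/id_rsa": 0o600,                   # owner only: fine
            "Downloads/report.pdf": 0o640,          # group readable: reported
        }
        for rel, mode in samples.items():
            full = os.path.join(home, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed sample content")
            os.chmod(full, mode)
        return audit_directory(home)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}")
```

Only the classic mode bits are examined; POSIX ACLs, Windows NTFS ACLs and genuinely shared locations such as /tmp or a common Downloads folder need their own checks. The same audit applies in the other direction, to a corporate profile sitting on a personal machine.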