IT Consumerization – iPad’ing the Enterprise or BYO Malware?
Companies are increasingly encouraging employees to purchase their own devices such as smartphones, tablets and laptops to use at work, according to a recent survey by CIO magazine. The acronyms BYOC and BYOD (Bring Your Own Computer/Device, by analogy with Bring Your Own Beer) have become mainstream technology terms. But what does BYOD mean for the enterprise? Can we mix personally owned devices and enterprise workstations/cellphones in our environment? How do we control configuration and data on personal devices? What about malware and other security concerns? What about improper disclosure of private data and intellectual property? And how will staff get work done when they are busy playing Angry Birds?
Is BYOD the flavor of the week, or is it the future of end-user hardware? Regardless of how security leaders may feel about the concept, we need to be prepared. We must understand what is driving BYOD, how it may, or may not, fit our environments, and have policy and tools ready.
In this interactive session we will discuss: What is IT Consumerization/BYOD? What are the benefits and concerns? Is there a cost savings? What are the security concerns - BYOMalware? How do we protect data? And how can I start BYOD in my organization?
And yes, you can Bring Your Own Devices to this session!
Secure360 05-13-2013.

Usage Rights: © All Rights Reserved

Speaker Notes

  • Check out my about.me, with links to twitter feed and Security and Coffee blog.
  • I used one of these for remote access at my first job!
  • First IBM thinkpad; Apple PowerBook; Apple Newton; Palm Pilot
  • Spring Break 2011 in Chicago. There was a line each morning across from our hotel. We saw similar lines in 2012 in NYC.
  • Mall of America – Apple and Microsoft stores are situated opposite each other. The Apple store is always packed, Microsoft always empty.
  • This is important because of potential for 2-factor auth adoption
  • Tablets pulling ahead of phones, but PC’s still rule… for now
  • The devices are hot and driving the space, but it’s really about the ability to have mobility – to bring the product or service to the consumer/customer. Not just “flavor of the week”.
  • Just say no is not a viable IT or Security strategy or response. We must partner with the business/user to provide what is needed. Just say no is an…
  • If your organization is saying “just say no” to consumer devices and apps, then they are already in your environment. Take the opportunity to partner, lead and add value.
  • There is even a BYOD strategy out of the White House for federal agencies
  • Another example of risk v hype in the system/server world. This is from the 2012 Verizon DBIR and shows that most attacks are simple and can be avoided using basic methods
  • Lumension 2013 BYOD and Mobile Security report
  • Split into 4 groups, 1 group for each of Dr., lawyer, salesperson, sys admin. Be that business consumer and consider the use cases. Describe your business need/want. Create requirements + wish list. Describe your desired user experience. Choose a spokesperson. Share.
  • Now we will trade among groups. Given the use cases… now you are the CISO… respond to meet the business case AND protect the organization!
  • Datalossdb.org and Accidental Insider. 10% of 2nd-hand drives bought had company/private data. StarTrib malware.

Presentation Transcript

  • WELCOME TO SECURE360 2013. Don’t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey, front and back, and leave it on your seat. Are you tweeting? #Sec360
  • WELCOME TO SECURE360 2013. Come see my talks on Wed.! The Accidental Insider – Wed. 1:15P; 3 Factors of Fail! – Wed. 2:35P
  • http://about.me/barrycaplin – securityandcoffee.blogspot.com
  • Housekeeping: We’re here all morning! There will be breaks (but make your own if you need one). Questions – ask ‘em if you got ‘em. IT consumer devices – on, of course! (but vibrate or silent would be polite)
  • Agenda: Admire the problem; Solve the problem (kind of)
  • Please Share: This is not a “solved problem” (I don’t know what is!). We all learn from each others’ experiences.
  • Agenda 1: Admire the problem – Framing the Issue; Solve the problem (kind of)
  • E*Trade baby video
  • Baby-trying-to-scroll-a-magazine-like-an-iPad video
  • Why are we here? 1. Have a program; 2. Considering a program; 3. Just discovered iPads in the office; 4. Wanted out of the office for the morning
  • What is IT Consumerization? More than just devices. 2 parts: consumer devices; consumer software tools. Using these in the workplace in addition to, or instead of, company provided.
  • Why are we talking about this? But really, all connected!
  • History – 1980’s: Early home PCs; could augment work with home learning/practice. First Mac $2500; Commodore 64 $600
  • History – 1980’s “luggables”: IBM “Portable” 5155 – $4225, 30 lbs, 4.77 MHz 8088
  • History – 1990’s: Home machines get smaller; laptops; PDAs
  • History – 2000’s: Laptops get lighter; PDAs go mainstream (then disappear!); BlackBerry; iPhone/Android
  • History – Now
  • Apr. 3, 2010: 300K iPads, 1M apps, 250K ebooks… day 1!
  • Apple ‘12
  • 2011 – tablet/smartphone sales exceeded PCs
  • The real reason we need tablets
  • Don’t Touch! Pharmaceutical coating
  • Of iPad owners... 17% have > 1 in their household; 37% – their partner uses it; 14% bought because their kid has one; 19% considering purchasing another. http://today.yougov.co.uk/sites/today.yougov.co.uk/files/Tablet_ownership_in_households.pdf
  • Business Driver?
  • What about…
  • Ineffective Controls
  • Forrester 2011 study – 37% using consumer tech without permission. IDC survey: 2010 30% BYOPC / 2011 40%; 2010 69% company device / 2011 59%; use of social doubled; most important tool – 49% laptop, 9% tablet, 6% smartphone
  • Self Sufficient? PwC white paper: “companies that have allowed Macintosh computers… into their workplaces… find those users support themselves and each other. The same is true of iOS and Android mobile users, users of software as a service [SaaS] and other cloud services, and social networking users.”
  • Empowered Employees: Forrester report, “How Consumerization Drives Innovation,” – “a business’s best friend”. Empowerment drives innovation; empowered employees improve processes and productivity
  • Empowered Employees: Self-taught experts know how to use smartphones, tablets, web apps like Google Docs and Dropbox; what they’re good for; how they can help the business; and are willing to do just that
  • Benefits – Forrester lists four: 1. Communications – internal use speeds communication; 2. Social – use of tools to be in touch with customers and shape message/attitude; 3. HR – allow personal devices and you attract young workers; 4. Productivity – much consumer tech is self-supported
  • Our Story Begins...
  • PEDs; Computers; Device Convergence
  • Example: The “PED” (Personal Electronic Device) policy – acceptable use; connections; data storage
  • 1 Day
  • 5 Stages of Tablet Grief: Surprise; Fear; Concern; Understanding; Evangelism
  • Considerations: Scaled-down device v multi-purpose computer; Want v Need; Reduced attack surface v eggs in one basket; Need for mobility v mobile issues; Does remote access apply?
  • What needs to change for “local” remote access?
  • BYO
  • BYO – BYOC or BYOD
  • Agenda 2: Admire the problem – Framing the Issue – Security Concerns; Solve the problem (kind of)
  • Security Concerns
  • ConsiderationsPhysical*Access control*LogicalData*CommunicationsValidation (config control)Haven’t been around that longUsers are the administrators
  • Data Leakage
  • Unauthorized Access
  • “Authorized” Access
  • Risk v Hype
  • LegalIANALPrivacy – mixing staff/company dataDiscovery – on POESeparation – what going out the door?
  • LegalCollection – when staff leaveHow do you?: Get data from a personal device? Keep personal data off company networks?
  • Phones and textingPhone?Exposing personal phone numberVoicemailText history and storageSiri, Google Now, etc.
  • Consumer SoftwareWe have enough problems withcommercial and internally developedsoftware!Privacy policiesLeakageDiscovery
  • Consumer SoftwareOwnershipData Disposition – if they go underCompetitive IntelligenceTrade SecretsMixing personal and professional(twitter)
  • The Business Side
  • The Business Side: It is critical that we think as, and are seen as, a strategic partner with the business. This doesn’t happen enough.
  • A Doctor, a Lawyer, a Salesperson and a Systems Administrator walk into a bar…
  • Use Cases: What do you need? What do you want?
  • Security Response: Consider the business request. What works? What doesn’t? What compromise can be made?
  • Agenda 3: Admire the problem – Framing the Issue – Security Concerns; Solve the problem (kind of) – BYOD
  • Three Main Issues: Technology; Policy; Financial
  • How can we do BYOD?
  • CapacityNot necessarily a security issueWith greater use:Access Points (issue with anyportables)Upstream bandwidth3G/4G repeaters
  • BenefitsCostsProductivityInnovationSpeed to MarketOften better home device – morefrequent upgrade
  • BenefitsDeputized IT rather than Shadow ITUsers help each otherAlways-On =? Always-Available(hourly issues)This takes time
  • 2 Key Financial DecisionsProvisioningPurchasePlanUsageWho Pays
  • More DecisionsUsageTermsSoftwareWipe (remote detonation)Lock (aut0-detonation?)EncryptionMonitoringManagement
  • 2012 Trend Micro studyPros and cons that emerged from the analysis: 12%+ productivity 15%- device replacement costs 8%- reimbursement for employee data expense 5%- training/education costs 3%+ bottom line revenues 8%+ help desk calls 7%+ MDM costs 3%+ corporate liable data costs 3%+ server costs 2%+ regulatory compliance expenses
  • Classic Security BalanceControlUsability
  • Security ChallengesExposure of dataLeakage of data – sold, donated, tossed,repaired drivesMalwareBut don’t we have all this now???
  • Can’t be both…Trend Micro survey91% of employees would not grantemployer control over personal device80% of enterprises stated they wouldhave to install managementmechanisms on mobile devices.
  • Impasse?Resolution is in approachStrategicCross-organizationBusiness and IT togetherHR, Security, Privacy, Legal, Audit
  • Impasse?Define approachCreate clear policy/proceduresIT toolsSelf-help documentation
  • MDM~60 vendor tools… and more comingBasic types: Pure MDM Containerization/MAM Hybrid VDI (not really MDM but can be used)
  • MDMSelection criteria: Device diversity Policy enforcement Security/compliance Containerization Inventorymanagement Softwaredistribution Administration Reporting; more?
  • Method 1 - Sync• Direct, Net Connect or OTAIssues:• Need Controls – a/v, app installcontrol, filtering, encryption, remotedetonation• Authentication – 2-factor?• Leakage!• Support
  • Method 2 – VDI• Citrix or similarPros:• Leakage – no remnants; disable screenscrape, local save, print• Reduced support needed• Web filtering coveredIssues:• Unauthorized access still an issue; Userexperience; Support
  • Method 3 – Containerization• Encrypted sandbox• Separate work and home• Many productsPros:• Better user experience• Central management/policy• Many products – local/cloud• Leakage – config separation, encryptionIssues: access ; support; cloud issues
  • Method 4 – Direct Connection• Directly connect devices tonetwork• Or PC via usb• Don’t do this! - Included forcompletenessPros:• EasyIssues: no controls; no management;no enforcement; leakage; remants; etc.
  • Apps“non-standard” software a challengeUpdates, patchesMalware detection – can’t enumeratebadnessBusiness – how to transfer knowledge ifeveryone uses different tools?
  • Case StudyKraft Deployed iPhones 2008 – by 2009 to halfof mobile users Wanted to instill innovation “opens employees’ minds to what ispossible” Internal success led to successfulconsumer apps – recipes, cooking videos,shopping lists, store locator
  • Cost Example Hypothetical 1000 blackberrys Unlimited data + calling = ~$50 -$70/user/month ($60K/m) BES – ~$35K Hardware – $20K/3y Helpdesk – 1 FTE $50K/y Server Ops – 1 FTE $100K/y Total = >$900K/y
  • Cost Example Hypothetical 1000 BYODs Stipend = $25/user/month ($25K/m) MDM – ~$50K/y Hardware – $20K/3y Helpdesk – none! Server Ops – 1 FTE $100K/y Total = ~$450K/y
  • Other HR benefitsEmployee satisfactionRecruiting young workers“Hip” factor
  • DHS view – POE: Policy; Supervisor approval; Citrix only; No Govt records on POE (unencrypted); 3G or wired; Guest wireless; FAQs for users/sups; Metrics
  • DHS view – State-owned: Policy; Supervisor approval; MDM; 3G or wired; Apple-only; Core wireless; 802.1x; FAQs for users/sups; Metrics
  • Other Issues: Notes or manually entered data; Enterprise email/OWA; Discovery; Voicemail/video
  • The Future: More tablets/phones/small devices; More “slim” OSs – Chrome, Android, iOS, etc.; Cost savings/stipend?; Cloud; User Experience – Divide, Good, Fixmo, VMware Horizon, Citrix XEN; BES Fusion, Microsoft ???
  • MDM Capabilities to Consider (InfoWorld Feb 2013 MDM Deep Dive): Device encryption; Transport encryption; Complex PWs/policy; VPN support; Disable camera; Restrict/block apps; Anti-malware; Restrict/block networks; Remote lockout; Remote/selected wipe; Policy enforcement; OTA management; 2-factor/OTP
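An added example of the "policy enforcement" capability in the list above (this is not code from the slides or from any MDM product): a device-posture evaluator that scores a compliance report against a policy built from the listed capabilities (device encryption, passcode complexity, minimum OS version, blocked apps, approved networks, root/jailbreak state) and returns allow, quarantine or block with the reasons. The device reports, policy thresholds, bundle ids and SSIDs are all constructed for the example; the decision rule (block rooted or unenrolled devices, quarantine anything else out of policy) is an assumption, not the speaker's.

```python
"""Device-posture check in the style of MDM policy enforcement.

Added example: not from the slides or from any MDM vendor. Every device
record, threshold, bundle id and SSID below is constructed for illustration.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'6.1.3' -> (6, 1, 3). Compare numerically: as strings, '10.0' < '6.1.3'."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Policy:
    min_os: dict                 # platform -> minimum OS version string
    min_passcode_len: int = 6
    require_alphanumeric: bool = True
    require_encryption: bool = True
    max_lock_minutes: int = 5    # auto-lock after this many idle minutes
    blocked_apps: frozenset = frozenset()
    allowed_ssids: frozenset = frozenset()   # networks allowed to carry work traffic


# Hypothetical policy values.
POLICY = Policy(
    min_os={"ios": "6.1", "android": "4.1"},
    blocked_apps=frozenset({"com.example.filesync"}),
    allowed_ssids=frozenset({"CORP-8021X"}),
)

# Constructed posture reports, as an MDM agent might submit them.
DEVICES = [
    {"id": "ipad-01", "platform": "iOS", "os_version": "6.1.3", "mdm_enrolled": True,
     "encrypted": True, "passcode_len": 8, "passcode_alphanumeric": True,
     "jailbroken": False, "lock_minutes": 2, "apps": ["com.example.mail"],
     "ssid": "CORP-8021X"},
    {"id": "droid-07", "platform": "Android", "os_version": "4.0.4", "mdm_enrolled": True,
     "encrypted": False, "passcode_len": 4, "passcode_alphanumeric": False,
     "jailbroken": False, "lock_minutes": 30, "apps": ["com.example.filesync"],
     "ssid": "CoffeeShop"},
    {"id": "iphone-12", "platform": "iOS", "os_version": "10.0", "mdm_enrolled": True,
     "encrypted": True, "passcode_len": 6, "passcode_alphanumeric": True,
     "jailbroken": True, "lock_minutes": 1, "apps": [], "ssid": "CORP-8021X"},
]


def evaluate(device: dict, policy: Policy = POLICY) -> dict:
    """Check one posture report against the policy.

    Decision rule (assumed for this example): rooted/jailbroken or unenrolled
    devices are blocked outright (the remote lockout / selective wipe case);
    any other violation quarantines the device until it is remediated.
    """
    violations = []
    platform = device.get("platform", "").lower()
    if not device.get("mdm_enrolled"):
        violations.append("not enrolled in MDM")
    if device.get("jailbroken"):
        violations.append("rooted/jailbroken")
    if platform in policy.min_os:
        if parse_version(device["os_version"]) < parse_version(policy.min_os[platform]):
            violations.append(f"OS {device['os_version']} below minimum {policy.min_os[platform]}")
    else:
        violations.append(f"unsupported platform {platform!r}")
    if policy.require_encryption and not device.get("encrypted"):
        violations.append("device storage not encrypted")
    if device.get("passcode_len", 0) < policy.min_passcode_len:
        violations.append("passcode shorter than policy minimum")
    if policy.require_alphanumeric and not device.get("passcode_alphanumeric"):
        violations.append("passcode not alphanumeric")
    if device.get("lock_minutes", 999) > policy.max_lock_minutes:
        violations.append("auto-lock interval too long")
    blocked = sorted(set(device.get("apps", [])) & policy.blocked_apps)
    if blocked:
        violations.append("blocked apps installed: " + ", ".join(blocked))
    ssid = device.get("ssid")
    if ssid and ssid not in policy.allowed_ssids:
        violations.append(f"work traffic on non-approved network {ssid}")

    if device.get("jailbroken") or not device.get("mdm_enrolled"):
        action = "block"
    elif violations:
        action = "quarantine"
    else:
        action = "allow"
    return {"device_id": device["id"], "action": action, "violations": violations}


def evaluate_all(devices=DEVICES, policy: Policy = POLICY) -> dict:
    """device id -> decision, for a whole fleet report."""
    return {r["device_id"]: r for r in (evaluate(d, policy) for d in devices)}


if __name__ == "__main__":
    for result in evaluate_all().values():
        print(f"{result['device_id']}: {result['action']}")
        for reason in result["violations"]:
            print(f"  - {reason}")
```

The one check practitioners get wrong most often is the OS minimum: comparing version strings lexically puts "10.0" below "6.1.3", which is why parse_version splits into integer tuples before comparing. The jailbroken iPhone in the sample data is compliant on every other point and is still blocked, which is the order of precedence an MDM policy should have.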
  • Agenda 4: Admire the problem – Framing the Issue – Security Concerns; Solve the problem (kind of) – BYOD – Software
  • Use of Consumer Tools: Skype – key for communications in some countries; Facebook/Twitter for interacting with customers; Twelpforce
  • Twelpforce video
  • Examples: Google Docs or Dropbox for public info (make sure the data is public); YouTube, Vimeo for training videos (avoid social engineering blueprints); Facebook fan page; Twitter, LinkedIn, G+ for press releases, outreach, customer support (just remember who you are!)
  • Customer Expectations: Access to you is mobile capable; available online and on social; through no wrong door
  • Twitter and Facebook – the places to be. What are people saying about your company?
  • Great Ideas: Ford – gave Fiestas to 100 social media influencers, sent them on “missions”, documented on channels. Received 50K inquiries and sold 10K cars in 6 days. Pepsi – used social network outreach for ideas for new Dew flavors. Levi Strauss – early use of location-specific deals.
  • Social: Is there a strategy? Or doing it to be hip? (and without a clue?)
  • Social: Connecting with customers; Internal collaboration; Internal connections – communities of interest; Innovation; Doesn’t happen in a vacuum
  • Phishing
  • Phishing on Social Networks: Scams seem real when they come from a “friend”; Malicious links/apps; Spread quickly when posted or “liked”; “Just say no” to apps
  • Installs app; Grabs info; Posts on your wall; Click-fraud
  • Expectations
  • What Should We Do?
  • ProactivePolicyManagement SupportSupport/Helpdesk Implications
  • PolicyExamine existing – augmentNew, but only if needed(shouldn’t use of social be part ofyour AUP? Who needs a socialmedia policy?)
  • Software/Apps“non-standard” software is a challengeUpdates, patchesMalware detection – can’t enumeratebadnessBusiness – how to transfer knowledge ifeveryone uses different tools?
  • Non-Standard Software - YMMVInventoryWatchchangesX-ref v.CVE/malwareWatchrightsAuto-patchHandleexceptions
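The slide above is a six-step procedure, so here is one added example that walks all of it over two constructed inventory snapshots (example code, not the speaker's tooling): it diffs the inventory to watch changes, cross-references installed versions against a small advisory table by first-fixed version, flags apps holding sensitive rights, honours an approved-exception list, and produces the list an auto-patch job would work from. Package names, versions, rights and the exception list are made up, and the ADV-000x advisory ids are placeholders, not real CVE identifiers.

```python
"""Review of non-standard (user-installed) software: inventory, watch changes,
cross-reference against known-vulnerable versions, watch rights, auto-patch,
handle exceptions.

Added example, not from the slides. Package names, versions, advisory ids
(ADV-000x placeholders, not real CVE ids), rights and exceptions are constructed.
"""


def vtuple(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0); numeric compare so 2.10 sorts after 2.3."""
    return tuple(int(p) for p in v.split("."))


# Hypothetical advisory table: package -> [(advisory id, first fixed version)].
# A version is affected when it is below the fixed version.
ADVISORIES = {
    "filesync": [("ADV-0001", "2.3.1")],
    "pdfviewer": [("ADV-0002", "1.9.0"), ("ADV-0003", "2.0.2")],
}
SENSITIVE_RIGHTS = {"admin", "contacts", "location", "sms"}
# (package, version) pairs accepted by risk sign-off: reported, not auto-patched.
EXCEPTIONS = {("legacyapp", "0.9")}

# Constructed inventory snapshots: device -> package -> {version, rights}.
PREVIOUS = {
    "laptop-a": {"filesync": {"version": "2.2.0", "rights": ["files"]},
                 "pdfviewer": {"version": "1.8.5", "rights": []},
                 "legacyapp": {"version": "0.9", "rights": ["admin"]}},
    "tablet-b": {"pdfviewer": {"version": "2.0.2", "rights": []}},
}
CURRENT = {
    "laptop-a": {"filesync": {"version": "2.3.1", "rights": ["files"]},   # user patched
                 "pdfviewer": {"version": "1.8.5", "rights": []},          # still vulnerable
                 "legacyapp": {"version": "0.9", "rights": ["admin"]}},    # approved exception
    "tablet-b": {"pdfviewer": {"version": "2.0.2", "rights": []},
                 "flashlight": {"version": "1.0", "rights": ["contacts", "location"]}},  # new
}


def vulnerable(name: str, version: str) -> list:
    """[(advisory id, fixed version)] for every advisory this version falls under."""
    return [(adv, fixed) for adv, fixed in ADVISORIES.get(name, [])
            if vtuple(version) < vtuple(fixed)]


def diff_inventory(previous: dict, current: dict) -> dict:
    """Per device: packages added, removed, and present in both with a changed version."""
    changes = {}
    for dev in sorted(set(previous) | set(current)):
        old, new = previous.get(dev, {}), current.get(dev, {})
        changes[dev] = {
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new)
                              if old[p]["version"] != new[p]["version"]),
        }
    return changes


def review(previous: dict, current: dict) -> list:
    """Findings as dicts with device, package, version, kind and detail."""
    findings = []
    changes = diff_inventory(previous, current)
    for dev, change in changes.items():
        for name, info in sorted(current.get(dev, {}).items()):
            ver = info["version"]
            base = {"device": dev, "package": name, "version": ver}
            if (name, ver) in EXCEPTIONS:   # approved: report it, skip the other checks
                findings.append({**base, "kind": "exception", "detail": "approved; review at renewal"})
                continue
            if name in change["added"]:
                findings.append({**base, "kind": "new", "detail": "not in previous inventory"})
            elif name in change["changed"]:
                old = previous[dev][name]["version"]
                kind = "upgraded" if vtuple(ver) > vtuple(old) else "downgraded"
                findings.append({**base, "kind": kind, "detail": f"was {old}"})
            for adv, fixed in vulnerable(name, ver):
                findings.append({**base, "kind": "vulnerable", "detail": adv, "fixed": fixed})
            rights = SENSITIVE_RIGHTS & set(info.get("rights", []))
            if rights:
                findings.append({**base, "kind": "sensitive_rights", "detail": ", ".join(sorted(rights))})
        for name in change["removed"]:
            findings.append({"device": dev, "package": name, "version": previous[dev][name]["version"],
                             "kind": "removed", "detail": "no longer installed"})
    return findings


def patch_plan(findings: list) -> dict:
    """(device, package) -> highest fixed version needed; what auto-patch should push."""
    plan = {}
    for f in findings:
        if f["kind"] != "vulnerable":
            continue
        key = (f["device"], f["package"])
        if key not in plan or vtuple(f["fixed"]) > vtuple(plan[key]):
            plan[key] = f["fixed"]
    return plan


if __name__ == "__main__":
    found = review(PREVIOUS, CURRENT)
    for f in found:
        print(f"{f['device']:9} {f['package']:10} {f['version']:6} {f['kind']:16} {f['detail']}")
    print("patch plan:", patch_plan(found))
```

Two details carry the slide's "YMMV": the exception list is keyed on (package, version), so the approval expires the moment the user upgrades or downgrades, and the vulnerability cross-reference compares version tuples rather than strings, so a package at 2.10.0 is correctly treated as newer than the 2.3.1 fix.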
  • CloudAsk:Whose data is it?Where is it going?3rd party agreements?Know your data (classification)PIE – pre-Internet encryption
  • BYOPlan
  • SummaryWhat are people doing?Establish business needBYOD, Consumer apps, or both?Cross-domain planning (security,IT, legal, audit, privacy, HR,business)Document requirements
  • SummaryPolicy, Technical, FinancialaspectsWatch the dataMake easy for usersEducation/AwarenessReap the benefits!
  • Discussion…Slides at http://slideshare.net/bcaplinbarry.caplin@state.mn.usbc@bjb.org, @bcaplin, +barry caplinhttp://securityandcoffee.blogspot.com/