BYOD - Mobility - Protection: security partnering with business


Presentation delivered to the Charlotte CISO Summit and Ballantyne IT Pro security summit events. I cover how security has positively partnered with the business at NGC to very securely deploy BYOD and enable mobile access to email, documents and business data.

  • Info Security is full of challenges – Technical challenges getting things to work at all – http://adversari.es/blog/2013/06/19/cant-we-all-just-get-along/ The 'JERK PROBLEM'. Interlude: we are the watchers on the walls. Many in the Infosec community are fond of casting the security world as "us versus them," where "they" aren't external, malicious actors but unaware users, clueless managers, and bumbling executives within our own organizations. We like to see ourselves as the Night's Watch of the tech world: out in the cold with little love or support, putting in long nights protecting the realm against the real threats (which the pampered never take seriously) so everyone else can get on with their lives in comfort. We develop a jaundiced attitude: only we understand the real danger, we think, and while we're doing our best to stave off outsider threats, when the long night comes we need fast and unquestioning cooperation from the rest of the organization lest (hopefully metaphorical) frozen undead kill us all.
  • Empathy: The jaundiced attitude among Infosec mentioned above, coupled with differing incentive structures, has an unfortunate tendency to spill over into external interactions. If 90% of lunch conversations are complaints about how terrible users are, how management doesn't get it, and how the dev team on Project Foo are a bunch of incompetent turd-burglars – the next time you have to meet with Project Foo's team, you'll be hard-pressed to give them a fair hearing as they explain how their lack of proper resources and mountain of technical debt prevent them from addressing problems properly. When we go for the easy answers: This {system, product, device, network} is {insecure, vulnerable, unsafe, slow, broken, unprofitable, incomplete, poorly designed, ugly} because the {designer, manager, dev team, executives, QA, sales} {is incompetent, is lazy, doesn't care about security, is an asshat} we erode our ability to evaluate the true cause of a situation. (Social psychology refers to this as the Fundamental Attribution Error – the tendency to attribute others' mistakes to their inherent failings, while attributing our own mistakes to the situation at hand.) We damage our reputation (and that of Infosec as a field), make ourselves unpleasant to deal with, and generally make the world a worse place. We also get used to thinking of people and teams in that way. We genuinely become less kind people.
  • Lost Devices – From the beginning we could assist with trying to find devices, and we could SELECTIVELY wipe our corporate data and configuration from the devices. Some devices will appear to accept ActiveSync host directives – but then NOT actually do it! An Agent on the device, using the MFG API – does enforce our policy! Installation – Obtain the App in the store – then one very simple registration to then connect to the device and user – Interaction with Active Directory, policy engine in MI and our internal PKI – full configuration "appears" after registration!
  • We went from more than 900 devices managed via our BES to none in 5 years. Those Blackberry devices were replaced by a much more diverse set of devices all chosen by our employees – NOT by the IT Group! We are certain that the new fleet of devices is at least as secure – if not more secure – than the old one! We have BYOD working securely! In addition the setup and management of the new fleet of diverse devices works very efficiently and delivers data people need to do their jobs better! (Old BES only delivered email / calendar – NOT Apps!)

BYOD - Mobility - Protection: security partnering with business Presentation Transcript

  • 1. Are We the Watchers or Their Partners? Mike Brannon, National Gypsum
  • 2. National Gypsum Company is a fully integrated building products manufacturer Headquartered in Charlotte, NC with mines and quarries, and manufacturing plants across North America
  • 3. Charlotte Metro ISSA Email us at info@charlotteissa.org Twitter: @cltissa http://www.charlotteissa.org/ ISSA local chapter delivers excellent and low cost Security Training, hosts an annual Summit event and sponsors UNCC scholarships Frequent gatherings to share practices and network – support from sponsor / partners for meetings – Next Meeting 8/27/13 at NGC HQ – and TacoMac Please Join Us!
  • 4. We Are The Watchers… Only We Understand Threats… We Must Not Let Them Pass!
  • 5. The more the CIO/CISO says no, the less secure the organization becomes. Vivek Kundra, Former U.S. Federal CIO. Be responsible, not restrictive. Mike Brannon, National Gypsum
  • 6. NGC Example: BYOD/Mobility. Business Needs: • Business needed improved mobile access • Devices of their choice, "native interfaces" on devices • Explosion of options for devices, apps on app stores… Security Concerns: • Recently gained control of company provided PCs – Now we allow any chosen device / app? • Limited support / management resources in IT • Serious concerns about responsible content management (both Security and Legal teams)
  • 7. Traditional enterprise security: Firewall & VPN
  • 8. The perimeter is gone: Copy/Paste, Open-in, Forward
  • 9. Securing data-at-rest
  • 10. Secure your document repositories • Solve "open in" problem • Store documents securely on device • Control cut / copy / paste actions • Selectively wipe documents • Prevent unauthorized distribution • Control end-to-end with policy • Leverage existing content repositories • Prevent use of unauthorized tools – DropBox for example (Diagram: SharePoint documents, Email attachments and Box shared documents, each with View / Open In / Copy / Save actions) MobileIron Confidential
  • 11. Securing email attachments (Diagram: Email App, Secure Content Viewer, Email with Attachment, REMOVE)
  • 12. Securing SharePoint (Diagram: Colligo App Viewer, SharePoint, REMOVE)
  • 13. Closed-loop actions when compromised (Remediation: Notify, Block, Quarantine) Closed-loop actions • Notify user and admin • Prevent access • Remove saved files • Remove SharePoint config • Protect enterprise persona
  • 14. National Gypsum Implementation • Risks / Threats Addressed: – Loss of Company Data / Lost Devices / Departing Employees – All Devices and Users Registered / Security Policies Enforced – Ease of Use for Employees AND Improved Security & Efficiency • What We Deployed (And Timeline) – MobileIron device (VSP) and support (Sentry) – All Smartphones – Blackberry (now gone), Apple iOS and Android Devices – Push Secure WiFi Config to Minimize Data Use On Premise – Rush To Adopt iPads – From 0 to 100's of Devices! – More than email access! Apps for SharePoint and Data! – Manage "Allowed" and "Disallowed" Settings / Apps (DropBox) • Replaced with BOX Enterprise – Block ALL Other "Web Content Stores" – Leverage Internal PKI and Push Webclips – Deliver Business Data
  • 15. National Gypsum Implementation • Where Are We Now? – BES Retired – 70% iOS, 25% Android, 5% Windows Devices – User/Device Configuration Management Implemented – iPad is currently only supported Tablet – • Actively testing Samsung SAFE Android, others (Nexus, Surface) – Plans to allow Windows 8 and MAC OS/X BYOD – Colligo Briefcase for SharePoint Document Access – BOX for External Data Sharing with Partners – Two Apps Deployed on iOS with "One Tap For Data" • Certificates delivered to Device and to User (SCEP/MobileIron) • Invisible Authentication via Juniper Secure Access • IIS Web Server & Application Configuration – "Last Seen User State" • HTML5 / JavaScript to deliver SQL and Mainframe Data
  • 16. National Gypsum Implementation
  • 17. Content doesn't exist in isolation. Enterprise Mobile Persona: Native experience, Data separation, Shared policy, Selective wipe, Secure communications (Email, Apps, Certs, Policy, Content, Federated identity)
  • 18. Security considerations 2013+ … "No" not a sustainable option -> provide credible alternatives. Massive content ecosystem -> crowd-source but don't lock-in. Uncertain economics -> establish "help-yourself-desk". Dynamic risk at endpoint -> automate your mobile trust model. Content always one-click from cloud -> co-habitate responsibly. Blurring between content and app -> explore new forms
  • 19. Security Partnering With Business… Understand incentives of others -> help them look good first. Seek to understand -> ask questions, don't issue demands. Uncertain economics -> agile, incremental work not big bang. Add value always -> strive to integrate security transparently. Leverage outside partners -> "Wall Watchers": contract MSS. Be flexible and recalibrate -> build stakeholders and allies
  • 20. Thank you - Resources. Mike Brannon (mebrannon@nationalgypsum.com) http://www.charlotteissa.org/
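As an added example (not code from the deck, National Gypsum or MobileIron), the following Python evaluator applies the closed-loop logic of slide 13 (notify, block, quarantine with selective wipe of the enterprise persona) and the allowed/disallowed app check of slide 14 to a batch of device check-ins. It also flags the case the speaker notes describe: a device that acknowledged an ActiveSync policy but whose on-device agent never saw it applied. The bundle identifiers, OS version floors, check-in grace period and the sample fleet are constructed assumptions; a real MDM would read these from its policy and inventory stores.

```python
"""Mobile trust evaluator: added example, not code from the deck, National
Gypsum or MobileIron. Applies the closed-loop actions of slide 13 and the
allowed/disallowed app check of slide 14 to a batch of device check-ins.
All identifiers, thresholds and sample devices are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values; the deck gives no concrete numbers or bundle IDs.
DISALLOWED_APPS = {"com.getdropbox.Dropbox"}        # consumer sync client (slide 14)
MIN_OS = {"ios": (6, 1, 0), "android": (4, 1, 0)}  # per-platform OS floor
CHECKIN_GRACE = timedelta(days=7)                  # silent longer than this -> distrust

ALLOW = ("allow",)
BLOCK = ("notify", "block")                        # access cut until remediated
QUARANTINE = ("notify", "block", "quarantine", "selective_wipe")
# Findings after which corporate data cannot be trusted to stay on the device.
QUARANTINE_TRIGGERS = {"compromised", "policy_not_enforced"}


@dataclass(frozen=True)
class Device:
    device_id: str
    user: str
    platform: str               # "ios" or "android"
    os_version: str
    last_checkin: datetime      # last agent check-in, timezone-aware
    compromised: bool           # jailbroken/rooted as detected by the agent
    apps: frozenset             # installed bundle IDs reported by the agent
    activesync_accepted: bool   # mail server believes the device took the policy
    agent_passcode_set: bool    # what the on-device agent actually observed


def parse_version(s):
    """'6.1.3' -> (6, 1, 3); pads so '6.1' compares as (6, 1, 0)."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def violations(dev, now):
    """Every reason this device fails policy, in evaluation order."""
    found = []
    if dev.compromised:
        found.append("compromised")
    if parse_version(dev.os_version) < MIN_OS[dev.platform]:
        found.append("os_too_old")
    if now - dev.last_checkin > CHECKIN_GRACE:
        found.append("stale_checkin")
    bad = sorted(dev.apps & DISALLOWED_APPS)
    if bad:
        found.append("disallowed_app:" + ",".join(bad))
    # The speaker notes describe devices that acknowledge an ActiveSync policy
    # but never apply it: trust only what the agent observed.
    if dev.activesync_accepted and not dev.agent_passcode_set:
        found.append("policy_not_enforced")
    return found


def decide(dev, now):
    """Closed-loop action tuple for one device (slide 13)."""
    found = violations(dev, now)
    if not found:
        return ALLOW
    if any(v in QUARANTINE_TRIGGERS for v in found):
        return QUARANTINE
    return BLOCK


def evaluate_fleet(devices, now):
    """Map device_id -> (violations, actions) for one check-in batch."""
    return {d.device_id: (violations(d, now), decide(d, now)) for d in devices}


# Constructed sample check-in batch; reference time is fixed so runs are stable.
NOW = datetime(2013, 8, 1, tzinfo=timezone.utc)
SAMPLE_FLEET = [
    Device("ipad-0001", "alice", "ios", "6.1.3", NOW - timedelta(days=1),
           False, frozenset({"com.colligo.briefcase"}), True, True),
    Device("iphone-0002", "bob", "ios", "6.1.3", NOW - timedelta(hours=2),
           True, frozenset(), True, True),
    Device("android-0003", "carol", "android", "4.1.2", NOW - timedelta(days=2),
           False, frozenset({"com.getdropbox.Dropbox"}), True, True),
    Device("android-0004", "dave", "android", "4.1.2", NOW - timedelta(days=1),
           False, frozenset(), True, False),
    Device("ipad-0005", "erin", "ios", "5.1.1", NOW - timedelta(days=30),
           False, frozenset(), True, True),
]

if __name__ == "__main__":
    for device_id, (found, actions) in evaluate_fleet(SAMPLE_FLEET, NOW).items():
        print(f"{device_id:13} {' '.join(actions):40} {found}")
```

The point of the split between `violations` and `decide` is that the escalation rule is explicit and reviewable: an outdated OS or a disallowed app only cuts access until the user fixes it, while a jailbroken device or one whose agent contradicts the mail server's view of the policy triggers the selective wipe, because in those cases the data already on the device can no longer be assumed protected.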