RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops

  • 3,131 views
Uploaded on

Presentation given at RSA Conference 2011 on Feb 16.

Presentation given at RSA Conference 2011 on Feb 16.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
3,131
On Slideshare
2,741
From Embeds
390
Number of Embeds
8

Actions

Shares
Downloads
74
Comments
0
Likes
0

Embeds 390

http://www.mokafive.com 201
http://www.moka5.com 146
http://live.m5.local 20
http://mokafive.com 12
http://moka5.com 8
http://translate.googleusercontent.com 1
https://www.mokafive.com 1
http://www.slashdocs.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. BYOC: Securing Untrusted,Employee-Owned Desktops John Whaley CTO, MokaFive Session ID: xxx-xxxx Session Classification: xxxxxxxxxxxx
  • 2. Agenda What is BYOC? Techniques for BYOC BYOC Security Considerations Keys to a Successful BYOC Deployment 2
  • 3. BYOC: Securing Untrusted, Employee- Owned Desktops 3
  • 4. What is BYOC? BYOC = “Bring your own Computer” a.k.a. BYOPC, BYOL Three models: 1. Employer provides a stipend for the employee to purchase their laptop of choice, which will then be owned by the employee. 2. Employee chooses laptop from a list of pre-approved machines. 3. Employee is given instructions on how to connect to corporate resources, but can use any machine. 4
  • 5. Why BYOC? User demand Choice computing “Executive bling” Extension of smartphones New generation – “millennials” Business demand Reduce hardware assets Part-time workers, contractors Enable work from anywhere Happy employees = productive employees Bottom line: Users are doing it, with or without IT… 5
  • 6. What you can apply from this session At the end of this session, you will be able to: Understand the predominant models for BYOC and their relative strengths and weaknesses Evaluate the security of a BYOC solution Avoid common pitfalls in BYOC Plan a successful BYOC deployment 6
  • 7. Users vs IT 7
  • 8. Example: Citrix BYOC Program $2100 stipend (taxable) About 50% employees opt in to program 40% of those in the program chose Macs Employees often chipped in their own money to get a better machine After a three month pilot in US, rolled out globally 8
  • 9. How to deliver services? Technique 1: Provide essential services via web applications Technique 2: Provide a remote desktop (VDI or TS) session Technique 3: Provide virtualized applications that run locally Technique 4: Provide managed corporate virtual machine to run locally 9
  • 10. Technique 1: Port everything to the webGood: Access from any deviceBad: Takes a long time to rewrite all your apps, no offline access 10
  • 11. Technique 2:Remote Desktop to VDI or TS Good: Access from many devices Bad: Requires major server infrastructure Can’t run offline Bad interactive performance 11
  • 12. Technique 3:Application Virtualization Good: Can run locally, but managed centrally Bad: Not cross-platform, not very secure 12
  • 13. Technique 4:Client-side Virtual Machine Good: Secure, personalized, offline access, cross- platform, local execution, easy recovery Bad: Minimum HW requirement 13
  • 14. Securing the endpoint device Need to treat BYOC as an untrusted device No VPN DLP Host checker Two-factor authentication Keyloggers, screen scrapers Encryption of data-at-rest Domain join and group policies Access control, remote management of corporate data Security policy enforcement 14
  • 15. Threat Models Malicious employees Malware infections Screen scrapers or keyloggers Generic viruses/worms Targeted malware Lost or stolen laptops, “borrowed” machines Targeted attacks and espionage 15
  • 16. Dealing with Infected Endpoint Devices Anti-virus and anti-malware OS patch level Network quarantine Keyloggers and screen-scrapers Data loss prevention 16
  • 17. Enterprise-Level Layered Security 7 Layers of Security • Anti-virus scan of host PC • Full virtual machine encapsulation • AES-256 encryption • Tamper resistance and copy protection • AD and two-factor authentication • Granular security policies • Remote kill 17
  • 18. Anti-virus scan of host PC Protects against most known attacks/malware Policy enforcement: Maximum age of signature file Periodic scan frequency Automatic keyboard/screen lock until scan completes 18
  • 19. Full virtual machine encapsulation Protects against non-targeted attacks Run on a separate, locked-down operating system Rejuvenate to latest golden system disk on every boot Out-of-band updates of golden system disk Device passthrough of keyboard/mouse and video card foils most keyloggers/screen scrapers Hardware support for encapsulation (VT-x, VT-d) 19
  • 20. AES-256 encryption Encryption of data-at-rest protects against lost/stolen laptops Key escrow Dealing with lost/changed passwords Administrator unlock without user password Don’t forget swap space! 20
  • 21. Tamper resistance and copy protection Protect against copying data to another device Tie the virtual machine to physical hardware identifiers and/or TPM HMAC of all data to detect tampering 21
  • 22. AD and two-factor authentication Use RSA SecurID or other second-factor authentication Protects against lost password, lost device; limits exposure window 22
  • 23. Security policies Targeting security policies by AD group Offline lease time: Maximum time a user can run without checking in Auto-kill: Self-destruct after a given time Version enforcement: Ensure users have latest security patches Peripheral restrictions: USB devices, microphone, printing, CD/DVD, etc. AD group policies: Use existing AD policy sets 23
  • 24. Remote kill Can mark a device as lost or stolen Device receives a “kill pill”, securely zeroes all data and sends back confirmation Mitigates risk from a lost device or rogue employee/contractor 24
  • 25. More Challenges to BYOC Supporting diverse platforms (Mac,etc.) Offline access Legal Organizational / Political 25
  • 26. Supporting Diverse Platforms Mac support Data shows Macs require much less support No mature, robust management tools for OSX hosts yet Best: Provide corporate Windows environment for Mac users Windows 7 support Can provide virtual Windows XP environment for now, upgrade to Win7 once corp standardizes on it Hardware support Give minimum hardware specs for BYOPC Require support package from vendor 26
  • 27. Legal Challenges Who owns the hardware? Who owns the software? Who owns the data? Mixing corporate and personal on the same device Liability concerns Software licensing What to do when someone is terminated or leaves the company? Not much different than BYO Smartphone, work-from-home One solution: Put corporate environment on separate USB or SD card Need a way to reclaim licenses, erase corporate data (“poison pill”) 27
  • 28. Organizational and Political Challenges Most common: Business wants it done, but IT dragging feet Refocusing IT staff to focus on services, not hardware Education: “You are making me buy my own machine?” 28
  • 29. Results Significant proportion choose Macs Increased machine usage More work on weekends and after hours Fewer support calls Users more tolerant and responsible, willing to learn Fewer lost devices Take better care because they are invested in it 29
  • 30. Key Takeaways1. Focus on securing the data, not the device2. Good security practices are essential, with or without BYOC3. BYOC can save money, reduce support calls, and lead to happier users 30