Bring Your Own Computer to Work
At RSA Europe 2010, Ron Lapedis and Michael F. Angelo did a presentation on Consumerization, titled: "Bring Your Own Computer to Work – What Now?". The presentation covered Consumerization issues as embodied with the use of non-corporate owned computers in the corporate environment. With this in mind, they discussed the potential bleed out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC
Speaker notes
  • WinMo and Blackberry not listed because they are considered to be corporate devices. Why? At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department. Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results. At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space. And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranet.
  • Gartner says 10% are primary system
  • After waiting 30 minutes for a ten year old work Pentium PC to boot Windows 98 we can see how the concept of a shiny new notebook you can call your own would be appealing
  • 68% of SMB IT managers say their departments provide technical support for personal devices, including smartphones and computers.
  • Configuration: BIOS; Documents & Settings; Firewall / Anti-Virus / Anti-malware; Wireless networks; VPN
  • Things that you might do at home might get you in trouble when you put your corporate information at risk by doing them …
  • Various laws protect customer data. Employees must protect assets whether physical or informational. Protect devices, encrypt the HD, remove the HD if needed.
  • Paging file could be a leakage point. Keylogger
  • Virus on hosted OS can only take out the hosted OS, but virus on host OS can take out both.
  • BIOS protections…
  • So VM can be modified while running through rogue / compromised environment.

    1. Bring Your Own Computer To Work - What Now?
       Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI, SPYRUS, Inc
       Michael F. Angelo, CSA, NetIQ Corporation
    2. Bring your own computer
    3. Bring your own computer
    4. BYOC is Consumerization of IT
    5. What Is Consumerization?
       • Changing the Face of Work
       • Consumer-based Social Media for advertising
       • Consumer-based Financial Services for accounts receivable
       • Use of consumer or Free Software for sustaining corporate infrastructure
       • And… what we are going to focus on: use of personal equipment in the corporate environment
    6. Consumerization of IT
       • Use of employee-owned resources for company work
    7. How widespread is consumerization?
       [Chart; source: In-Stat]
    8. How It Happens
    9. How It Happens
       • Don’t want to use your Pentium III with 256 MB RAM & 60 GB HD
       • Don’t want to use your OS
       • Don’t want to use IE6
       • Don’t want to use your software tools
       • Don’t want to be locked down
    10. What is your policy?
       • Secretive
       • Ignored
       • Unofficially Supported
       • Officially Supported
       • Subsidized
    11. Benefit and Impact
    12. Benefits and drawbacks
       • Companies save 9-40% on equipment purchase cost*
       • Exit the hardware business
       • Employee satisfaction
       • Higher productivity
       • Longer work hours
       • Helpdesk: knowledge, loaner
       • Hardware: capability, configuration, maintenance / warranty, upgrades
       • Software: interoperability, upgrades / updates, vulnerabilities
       *Source: Gartner
    13. Organizational impact - ownership
       • Logins
         - Personal login information on corporate machine: social networks / professional associations
         - Corporate login information on personal machine: VPN configuration, user IDs and passwords stored in browsers
       • Software Ownership
         - Personal software
         - Restricted use licenses
         - Corporate software on home equipment
    14. Organizational impact - legal issues
       • Legislated Privacy
         - EU data protection act
         - USA HIPAA, SOX, GLBA
         - Country, state/province, local (e.g. CA SB 1386)
         - More laws pending
       • Cross contamination
         - Corporate backup includes personal information
         - Personal backup includes corporate information
    15. Organizational impact - Security
       • Information Leakage
         - Family & friends
         - Device Loss
         - Virus
         - Personal email – spear phishing
       • Increased Exposure to Threats
         - Surfing at Home <> Surfing at Work
         - Torrents
    16. Organizational impact - Non-Obvious Issues
       • Acceptable use policies: how to apply to personal machines?
       • Out-processing of individuals: how do you know organizational data is removed from the employee machine?
         - Software
         - PST files
         - Passwords / wireless / VPN access
         - Residual data
         - Employee / corporate backups
    17. Action To Take
    18. Action to take today
       • Is it already there?
       • Run, don’t walk to your legal staff
       • Decide if you will allow Consumerization
         - Don’t wait for it to happen and then rush to formulate policy and procedures
         - Decision must explicitly include all possible components
         - Decision must be extended as new technology becomes available
    19. Action today - Define policies
       • Balance: Corporate vs Employee vs Customer
       • Corporate:
         - Must comply with laws
         - Must maintain fiduciary responsibility
         - Must not expose corporate assets
       • At a minimum should address:
         - Employee responsibility
         - Acceptable use
         - Protection of assets
    20. Action today - Incident response plan
       • Even with policies & procedures accidents can happen…
       • Need incident response plan
    21. Technical Solutions
    22. Action today
       • Security 101:
         - Keep secret stuff separate from non-secret stuff
         - Keep corporate stuff separate from personal stuff
       • Separate personal and corporate identities
       • Compartmentalize the environments to reduce the risk of accidents.
    23. Action today - Compartmentalization
       • Application isolation
       • Separate user accounts
       • Virtual Desktop Infrastructure (VDI)
       • Hypervisor on PC
       • OS or Hypervisor on USB drive
         - Windows-on-a-stick
         - PC-in-my-pocket
    24. Action today - Separate user accounts
       • Work and Personal
       • Mac, PC, or Linux
       • Fast user switching
       • Separate Context
       • Subject to worms and viruses
       • Can share information via common file system
       [Diagram "Separate Users": User 1 and User 2 each run their own apps on a shared Host OS on one computer]
    25. Action today - VDI
       • Virtual Desktop Infrastructure (VDI)
    26. Action today - Type 2 hypervisor
       • Aka Hosted Hypervisor
       • Still subject to worms and viruses
       • Harder to accidentally share information, but cross-contamination still possible
       [Diagram "Type 2 Hypervisor": Hosted OS and its apps run on a hypervisor that is itself an application on the Host OS, on one computer]
    27. Action not-quite-today - Type 1 hypervisor
       • Aka Native Hypervisor
       • Almost impossible to share information
       • Only common attack is hypervisor itself
       • Each OS can be attacked separately
       [Diagram "Type 1 Hypervisor": OS 1 and OS 2, each with its own apps, run side by side on a hypervisor directly on the computer]
    28. Action Today - Type 2 portable hypervisor
       • Running PC loads hypervisor from device
       • OS from device and OS from host HD completely separated
       • Does not prevent attack via ‘host’ OS
       • Does not protect the information if device is lost
       • Does not stop access after employment
       [Diagram: hosted (Type 2) VM with apps and files; device holds an OS partition with operating system, hypervisor and user settings]
    29. Action today - Virtualized OS-on-a-stick
       • On-board cryptography authenticates and protects
       • Boots OS from device, loads hypervisor, then loads hosted OS
       • Host provides mouse, keyboard, RAM
       • Encryption can protect information if device is lost
       • Limited to OS on device
       • Management system can block device when employee leaves
       [Diagram: encrypted OS partition with operating system, user settings, apps and files; boot partition with OS + virtual machine]
    30. Action today - Native OS-on-a-stick
       • On-board cryptography authenticates and protects
       • Boots OS directly from device
       • Host provides mouse, keyboard, RAM
       • Encryption can protect information if device is lost
       • Limited to OS on device
       • Management system can block device when employee leaves
       [Diagram: encrypted OS partition with operating system, user settings, apps and files; boot partition with boot loader]
    31. Native versus hypervisor
       [Diagram: Native OS stack (applications, native OS, PC hardware) beside virtualized stack (applications, virtualized OS, hypervisor, PC hardware)]
       Note the additional overhead and larger attack surface of a hypervisor-based approach, since two operating systems are required. It will be noticeably slower and possibly less secure.
    32. Action tomorrow - Native OS-on-a-stick + TPM
       • Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
       • In almost all commercial grade computers
       • For more info see the Trusted Computing Group: www.trustedcomputinggroup.org
       [Diagram: encrypted OS partition with operating system, user settings, apps and files; boot partition with secure boot loader]
    33. Action tomorrow: Native OS-on-a-stick + TPM
       • Can also be used to ‘seal’ information to a snapshot
       • A snapshot consists of information relevant to defining an identity or entity
       • Information can not be ‘unsealed’ if any element used to ‘seal’ is not an exact match or available.
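As an added illustration of the sealing behaviour described on the two TPM slides (this is example code written for this page, not code from the presentation or from the Trusted Computing Group), the following Python models a PCR extend chain and a seal/unseal that succeeds only when every measured element is present, unchanged and in the same order; the measured values, the `seal`/`unseal` helpers and the software-emulated policy check are all constructed assumptions, since a real TPM keeps the sealing key on the chip and enforces the PCR policy in hardware.

```python
"""Toy model of TPM-style sealing to a measurement snapshot (stdlib only).

Constructed for illustration: a real TPM never releases the sealing key and
compares PCR values in hardware; here the policy is emulated by deriving the
keys from the snapshot digest and verifying a MAC before decrypting.
"""
import hashlib
import hmac
import os
from typing import List, Optional


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(measurement)). Order-dependent by design."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def snapshot(elements: List[bytes]) -> bytes:
    """Fold every measured element (boot loader, OS image, user identity) into one digest."""
    pcr = bytes(32)  # PCRs start at all zeros
    for element in elements:
        pcr = extend(pcr, element)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; adequate for this model only."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(secret: bytes, elements: List[bytes]) -> dict:
    """Bind `secret` to the exact snapshot of `elements`."""
    nonce, snap = os.urandom(16), snapshot(elements)
    enc_key = hashlib.sha256(b"enc|" + snap + nonce).digest()
    mac_key = hashlib.sha256(b"mac|" + snap + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    return {"nonce": nonce, "ct": ct,
            "tag": hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()}


def unseal(blob: dict, elements: List[bytes]) -> Optional[bytes]:
    """Return the secret only if the current snapshot matches the one sealed to."""
    snap, nonce, ct = snapshot(elements), blob["nonce"], blob["ct"]
    enc_key = hashlib.sha256(b"enc|" + snap + nonce).digest()
    mac_key = hashlib.sha256(b"mac|" + snap + nonce).digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), blob["tag"]):
        return None  # changed, missing or reordered element: refuse to unseal
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: elements measured while booting a corporate OS-on-a-stick
TRUSTED = [b"secure boot loader v1.2", b"corporate os image 2010-10", b"user: rlapedis"]
```

Calling `unseal` with the same three elements returns the secret; dropping, altering or reordering any one of them yields `None`, which is the "exact match or available" rule from the slide.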
    34. Summary
    35. Summary
       • Immediately
         - Consult with legal dept
         - Review current information ownership / protection policies and make appropriate changes
         - Put Consumerization policies in place
         - Separate user accounts
    36. Summary
       • Longer Term
         - Legal policies and procedures: enforce them!
         - Technical policies and procedures: apply, rinse, repeat
         - Technical tools: isolate applications, virtualization
    37. Thank You
       Michael F. Angelo, NetIQ Corporation, 1233 West Loop South, Ste 810, Houston, TX 77027, angelom@netiq.com
       Ron LaPedis, SPYRUS, Inc., 1860 Hartog Dr., San Jose, CA 95131, rlapedis@spyrus.com