Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy


Published on

This presentation was delivered on November 15, 2012

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Companies managing employee devices cut in half, down from 40% to 21%.
  • If you were to authenticate users through location, device, and applications being requested, where does the organization need to touch the device?
  • How do organizations apply common fraud controls against these new devices without angering the employees who own their devices •    And what if the employer needs to locate devices, or wipe sensitive access and data off devices that are infected, lost or stolen?
  • Internet/Social Integration – Desktop Browser or Mobile – easy add on to existing OAM
  • LocalUsername and Password-or-Social Logon(can be user choice)Step up Auth and OTP, can be applied:-first time with this device (device registration)-sensitive application-high risk score-user with high level of access to application
  • Single Sign on between native applications, and also with mobile browser based applications
  • Mobile Security – web and mobile appDevice registration and fingerprintLost & stolen device securityGPS/WIFI based location awareness
  • Once secure access is setup, you can enforce mobile access policy
  • Risk analysis to determine whether to allow, flag, challenge or blockEnforce unjailbroken status, check VPN statusDetailed reporting on device attributes like OS version, GPS/WIFI geolocation, MAC/IP address
  • Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy

    1. 1. Developing and Enforcing a Bring-Your- Own-Device (BYOD) PolicySANS Analysts:Tony DeLaGrange, Senior Security ConsultantSecure Ideas Lee Howarth, Senior Product ManagerBen Wright, SANS Instructor, Attorney, Oracle CorporationTechnology Law Expert/Author © 2012 The SANS™ Institute -
    2. 2. Tony DeLaGrange• Security Consultant at Secure Ideas• Over 25 Years IT Experience – 15 Years in financial services – Over decade in IT Security• Co-author of SEC571 – Mobile Device Security• Open Source Project Lead – MobiSec & SH5ARK• Co-chair of SANS first Mobile Device Security Summit © 2012 The SANS™ Institute - 2
    3. 3. Topics Today • Mobility Security Survey • Mobile Security Policies • Top 3 Security Practices • Conclusions 3© 2012 The SANS™ Institute -
    4. 4. Mobility Survey• Full results here: ysts_program• Focused on policies and controls• Survey ran in the 3rd quarter of 2012• More than 650 people responded – From a wide range of organizations 4© 2012 The SANS™ Institute -
    5. 5. Criticality of Mobile Policies• It starts with the policies – 97% believe its important• Yet so many dont have mobile policies – Improvement from last year (58%) 5 © 2012 The SANS™ Institute -
    6. 6. Ends of the Spectrum• Most stringent – 24% do not permit personal devices to access company resources• Most lenient – Besides no policy at all  – 14% let employees secure their own mobile devices• Somewhere in between – 21% manage employees devices – 27% use mobile sync with minimal device management controls 6 © 2012 The SANS™ Institute -
    7. 7. Top 3 Mobile Security Practices• Authentication to corporate resources• Access to corporate information• Protect corporate data on devices 7 © 2012 The SANS™ Institute -
    8. 8. Authenticating Mobile Users 8© 2012 The SANS™ Institute -
    9. 9. Controlling Access to Resources 9© 2012 The SANS™ Institute -
    10. 10. Challenges• How should companies implement authentication and access controls? – User credentials? – Location? – Device type? – Applications?• Where should organizations "touch" employee devices? – Device? – Applications? 10 © 2012 The SANS™ Institute -
    11. 11. Protecting Corporate Data 11© 2012 The SANS™ Institute -
    12. 12. Challenges• How should employers ensure protection of data on lost/stolen devices? – Wipe sensitive data? – Wipe entire device? – Locate the device? – Lock/Disable the device?• How should fraud controls be implemented? 12 © 2012 The SANS™ Institute -
    13. 13. Conclusions• Policies are important – 37% still dont have them – Many are developing policies after building their controls• Companies are most interested in – Authentication – Access to resources – Data protection• Challenges with BYOD – Finding a balance in controls – While not upsetting employees too much  13 © 2012 The SANS™ Institute -
    14. 14. Tony DeLaGrange 904-639-6709© 2012 The SANS™ Institute -
    15. 15. Bring Your Own Device (BYOD) PolicyBenjamin WrightAttorney & SANS Institute Instructorbenjaminwright.usThis is education, not legal advice.
    16. 16. Bring Your Own Device (BYOD)• Rules for employees using own laptop, tablet, smartphone, webmail services for business• Controversial topic; no perfect policy exists• See discussions:,,,
    17. 17. Subpoena for Employee’s Home Hard Drive• Local government employment dispute• Plaintiff able to subpoena hard drive of manager’s home computer• Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011)
    18. 18. Employer Liability for Security• Massachusetts 201 CMR 17.00: PII on mobile devices must be encrypted• Cal SB 1386 - many breach notices because of stolen, unencrypted laptops (e.g. Guin v. Brazos Higher Education)
    19. 19. $1.5 Million Fine + Costly Security Upgrades • Unencrypted patient data • stolen laptop • Massachusetts Eye and Ear Infirmary (hospital) • HIPAA penalties imposed by Dept. Health and Human Service • 19© 2012 The SANS™ Institute -
    20. 20. Employer Incentives• Device and service monitoring• Data wiping (selective or whole device)• Encryption• Confiscation if monitoring identifies device or service as a risk or threat
    21. 21. Policy/Agreement Challenges• Warning employees• Getting employee consent• Employee privacy• Liability for damage to employee data, device or service
    22. 22. BYOD Policy – Sample Language•• Workable policy will come from negotiations among stakeholders• This language tilts toward needs of employer
    23. 23. BYOD Policy"Employees are informed that when theycreate electronic records or work product inthe course of their work for the Company,the records and work product belong to theCompany."
    24. 24. BYOD Policy Continued"When an employee uses his or her own device,such as a computer, a digital tablet or asmartphone, to connect to Company informationresources, then the Company reserves the rightto take security measures relative to the device,including but not limited to inspect the device and. . ."
    25. 25. BYOD ContinuedEmployees are informed, and employees agree, as follows: If theCompany takes control or possession of a Device or Service, ortakes security measures relative to it, then:(a) the Company might not return the Device or Service;(b) the employee is entitled to no compensation for loss of use,control or possession of the Device or Service;(c) the Device or Service could be damaged, the employee couldlose data and the employee’s data could be disclosed to others.The Company will not be liable or responsible for such damage,loss or disclosure.
    26. 26. BYOD Policy Continued"As a matter of honor and reputation -- but not asa matter of legal liability or obligation – theCompany aspires to be forthcoming withemployees as a whole about the practical impactof this Policy on employees over time."
    27. 27. Blogs: benjaminwright.usThis presentation is not legal advice for any particular situation. If youneed legal advice, you should consult the lawyer who advises yourorganization.Any person may reuse this material freely.
    28. 28. Enforcing your BYOD Mobile Access Policies with Oracle Access ManagementLee HowarthSenior Principal Product ManagerOracle
    29. 29. Mobile Access Roadmap• Establish Mobile Access Policies – Monitor and Enforce usage• Extend Enterprise Access to Mobile Devices – Integrates native mobile apps, mobile web with corporate systems & information – Access management, authorizations, API security, and fraud detection – Device context based fine-grained authorization• Enable Mobile Device Security Elements – Support for native security – Device security – jailbreak detection at login – Device lifecycle – white-list/blacklist/lost device management – Device fingerprinting
    30. 30. Mobile device connection methods• The native web browser on the device• Native mobile device clients acting as a web browser• Native mobile device clients connecting to gateways or applications Copyright © 2011, Oracle. All rights reserved
    31. 31. Extend Enterprise Access Mobile Requirements• Mobile Security Platform – Authentication and SSO – Strong authentication, device fingerprinting and risk-based access – Mobile SDK• Internet / Social Integration• REST/Cloud interfaces
    32. 32. Mobile AuthenticationFlexible options for devices, applications and users
    33. 33. Mobile Single Sign-onMany applications, one sign-on, global logout
    34. 34. Mobile Security Architecture Mobile Device Mobile Interfaces IDM Infrastructure Features Device Fingerprinting & Access Management Tracking Authorization Device Registration API OAM ServiceOracle Native App Lost & Stolen DevicesSDK OAAM Service GPS/WIFI Location Awareness Risk-based KBA & OTP Authentication OPSS Service Web App Platform Security Services Transactional risk analysis API (OPSS) White & Black Lists User Profile Directory Services User Self Registration/Self Security REST Service App API User Profile Services White Pages applications
    35. 35. Context Aware Access Management Account Detail Request Has he accessed between 00:00 – 03:00 in the last two months? Behavioral Patterns Has he used this device more than 20% in the last three months? Does subject live in same geography as requestor? Does he usually perform account lookups? Valid Credentials given fromGet Account Information: outside network, but already logged in from inside network.John, DoeIrvine, CA 92602 Which session is really who we think it is?
    36. 36. Mobile Authorization & Data Redaction isAuthorized(user = Bob Doe, Acme Corp Device = iOS 5.0, non-registered Location = 37.53043790,-122.26648800 customerId = 99999 action = getCustomerDetail)HTTP / REST / SOAP / OAuth Clients Customer Service - getCustomerDetail Request - updateCustomer - deleteCustomer… Oracle Enterprise Response Gateway { “CustomerDetailResponse“: { “customerID”: “99999” “name”: “Sally Smith” “phone”: “555-1234567” “SSN”: “***********“ “creditCardNo”: ”@^*%&@$#%!“ Oracle Entitlements “purchaseHistory”: “…” Server } } 36
    37. 37. Detailed Mobile VisibilityRealtime and historic device and user access attempts and risk scoresDevice characteristics analysis, including OS and SDK versions
    38. 38. Oracle Mobile Access Technology• Oracle Enterprise Gateway – Enables Mobile Application REST API’s and protects API’s, webservices, and SOA infrastructure from external threats and invalid / suspicious requests – Extends Access Management with authentication, authorization, audit to REST API’s, web services• Oracle Access Management Suite+ – Mobile Identity and Access – Authentication, Registration, and User Profile Services for Mobile – Last mile security for an organizations backend web services and SOA infrastructure – Device Fingerprinting and Registration Database – Risk-Based Authentication that Factors Mobile Context – Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context – Externalize Authorization Policies from Application Code 38 © 2012 The SANS™ Institute -
    39. 39. Oracle Mobile Access Management Summary Bridges the gap between mobile devices and REST-ful enterprise IDM systems Interfaces Provides context-driven, Device Device Context Registration risk-aware access management Simplifies developer Location Single Data MANAGEMENT Sign-on access to IDM Supports BYOD Provides visibility and control
    40. 40. Q&AIf we don’t answer your questionduring the webcast, we will post afollow up on:
    41. 41. Thank You!Associated Paper: