
IT Consumerization – iPad’ing the Enterprise or BYO Malware?


Companies are increasingly encouraging employees to purchase their own devices such as smartphones, tablets and laptops to use at work, according to a recent survey by CIO magazine. The acronyms BYOC and BYOD (like Bring Your Own Beer: Bring Your Own Computer/Device) have become mainstream technology terms. But what does BYOD mean for the enterprise? Can we mix personally owned devices and enterprise workstations/cellphones in our environment? How do we control configuration and data on personal devices? What about malware and other security concerns? What about improper disclosure of private data and intellectual property? And how will staff get work done when they are busy playing Angry Birds?
Is BYOD the flavor of the week, or is it the future of end-user hardware? Regardless of how security leaders may feel about the concept, we need to be prepared. We must understand what is driving BYOD, how it may, or may not, fit our environments, and have policy and tools ready.
In this interactive session we will discuss: What is IT Consumerization/BYOD? What are the benefits and concerns? Is there a cost savings? What are the security concerns (BYOMalware)? How do we protect data? And how can I start BYOD in my organization?
And yes, you can Bring Your Own Devices to this session!
Secure360 05-13-2013.


  1. WELCOME TO SECURE360 2013. Don't forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey, front and back, and leave it on your seat. Are you tweeting? #Sec360
  2. WELCOME TO SECURE360 2013. Come see my talks on Wed! The Accidental Insider – Wed. 1:15P; 3 Factors of Fail! – Wed. 2:35P
  3. (no text)
  4. Housekeeping. We're here all morning! There will be breaks (but make your own if you need one). Questions – ask 'em if you got 'em. IT consumer devices – on, of course! (but vibrate or silent would be polite)
  5. Agenda: Admire the problem; Solve the problem (kind of)
  6. Please Share. This is not a "solved problem" (I don't know what is!). We all learn from each others' experiences.
  7. Agenda 1: Admire the problem; Framing the Issue; Solve the problem (kind of)
  8. Etrade baby video
  9. Baby trying to scroll a magazine like an iPad video
  10. Why are we here? 1. Have a program 2. Considering a program 3. Just discovered iPads in the office 4. Wanted out of the office for the morning
  11. What is IT Consumerization? More than just devices. 2 parts: consumer devices; consumer software tools. Using these in the workplace in addition to, or instead of, company provided.
  12. Why are we talking about this? But really, all connected!
  13. History – 1980's: Early home PCs. Could augment work with home learning/practice. First Mac $2500; Commodore 64 $600
  14. History – 1980's "luggables": IBM "Portable" 5155, $4225, 30 lbs, 4.77MHz 8088
  15. History – 1990's: Home machines get smaller; Laptops; PDAs
  16. History – 2000's: Laptops get lighter; PDAs go mainstream (then disappear!); Blackberry; iPhone/Android
  17. History – Now
  18. Apr. 3, 2010: 300K iPads, 1M apps, 250K ebooks… day 1!
  19. Apple '12
  20. 2011 – tablet/smartphone sales exceeded PCs
  21. The real reason we need tablets
  22. Don't Touch! Pharmaceutical coating
  23. iPad owners... • 17% have > 1 in their household • 37% – their partner uses it • 14% bought because their kid has one • 19% considering purchasing another
  24. Business Driver?
  25. What about…
  26. Ineffective Controls
  27. Forrester 2011 study – 37% using consumer tech without permission. IDC survey: 2010 30% BYOPC / 2011 40%; 2010 69% company device / 2011 59%; use of social doubled; most important tool – 49% laptop, 9% tablet, 6% smartphone
  28. Self Sufficient? PwC white paper: "companies that have allowed Macintosh computers… into their workplaces… find those users support themselves and each other. The same is true of iOS and Android mobile users, users of software as a service [SaaS] and other cloud services, and social networking users."
  29. Empowered Employees. Forrester report, "How Consumerization Drives Innovation," "a business's best friend". Empowerment drives innovation; empowered employees improve processes and productivity
  30. Empowered Employees. Self-taught experts know: how to use smartphones, tablets, web apps like Google Docs and Dropbox; what they're good for; how they can help the business; and are willing to do just that
  31. Benefits. Forrester lists four: 1. Communications – internal use speeds communication 2. Social – use of tools to be in touch with customers and shape message/attitude 3. HR – allow personal devices and you attract young workers 4. Productivity – much consumer tech is self-supported
  32. Our Story Begins...
  33. PEDs; Computers; Device Convergence
  34. Example • The "PED" policy • Personal Electronic Device • Acceptable use • Connections • Data storage
  35. 1 Day
  36. 5 Stages of Tablet Grief • Surprise • Fear • Concern • Understanding • Evangelism
  37. Considerations: Scaled-down device v multi-purpose computer; Want v Need; Reduced attack surface v eggs in one basket; Need for mobility v mobile issues; Does remote access apply?
  38. What needs to change for "local" remote access?
  39. BYO
  40. BYO: BYOC or BYOD
  41. Agenda 2: Admire the problem; Framing the Issue; Security Concerns; Solve the problem (kind of)
  42. Security Concerns
  43. Considerations: Physical*; Access control*; Logical; Data*; Communications; Validation (config control); Haven't been around that long; Users are the administrators
  44. Data Leakage
  45. Unauthorized Access
  46. "Authorized" Access
  47. Risk v Hype
  48. Legal. IANAL. Privacy – mixing staff/company data; Discovery – on POE; Separation – what is going out the door?
  49. Legal. Collection – when staff leave. How do you: get data from a personal device? keep personal data off company networks?
  50. Phones and texting. Phone? Exposing personal phone number; Voicemail; Text history and storage; Siri, Google Now, etc.
  51. Consumer Software. We have enough problems with commercial and internally developed software! Privacy policies; Leakage; Discovery
  52. Consumer Software. Ownership; Data disposition – if they go under; Competitive intelligence; Trade secrets; Mixing personal and professional (Twitter)
  53. The Business Side
  54. The Business Side. It is critical that we think as, and are seen as, a strategic partner with the business. This doesn't happen enough.
  55. A Doctor, Lawyer, Salesperson, Systems Administrator walk into a bar…
  56. Use Cases: What do you need? What do you want?
  57. Security Response: Consider the business request. What works? What doesn't? What compromise can be made?
  58. Agenda 3: Admire the problem; Framing the Issue; Security Concerns; Solve the problem (kind of); BYOD
  59. What is IT Consumerization? More than just devices. 2 parts: consumer devices; consumer software tools. Using these in the workplace in addition to, or instead of, company provided.
  60. Three Main Issues: Technology; Policy; Financial
  61. How can we do BYOD?
  62. Capacity. Not necessarily a security issue. With greater use: access points (issue with any portables); upstream bandwidth; 3G/4G repeaters
  63. Benefits: Costs; Productivity; Innovation; Speed to market; Often better home device – more frequent upgrade
  64. Benefits: Deputized IT rather than Shadow IT; Users help each other; Always-On =? Always-Available (hourly issues); This takes time
  65. 2 Key Financial Decisions: Provisioning – purchase, plan; Usage – who pays
  66. More Decisions: Usage terms; Software; Wipe (remote detonation); Lock (auto-detonation?); Encryption; Monitoring; Management
  67. 2012 Trend Micro study. Pros and cons that emerged from the analysis: 12%+ productivity; 15%- device replacement costs; 8%- reimbursement for employee data expense; 5%- training/education costs; 3%+ bottom line revenues; 8%+ help desk calls; 7%+ MDM costs; 3%+ corporate liable data costs; 3%+ server costs; 2%+ regulatory compliance expenses
  68. Classic Security Balance: Control v Usability
  69. Security Challenges: Exposure of data; Leakage of data – sold, donated, tossed, repaired drives; Malware. But don't we have all this now???
  70. Can't be both… Trend Micro survey: 91% of employees would not grant employer control over personal device; 80% of enterprises stated they would have to install management mechanisms on mobile devices.
  71. Impasse? Resolution is in approach: strategic; cross-organization; business and IT together; HR, Security, Privacy, Legal, Audit
  72. Impasse? Define approach; Create clear policy/procedures; IT tools; Self-help documentation
  73. MDM. ~60 vendor tools… and more coming. Basic types: Pure MDM; Containerization/MAM; Hybrid; VDI (not really MDM but can be used)
  74. MDM. Selection criteria: device diversity; policy enforcement; security/compliance; containerization; inventory management; software distribution; administration; reporting; more?
  75. Method 1 – Sync • Direct, net connect or OTA. Issues: • Need controls – a/v, app install control, filtering, encryption, remote detonation • Authentication – 2-factor? • Leakage! • Support
  76. Method 2 – VDI • Citrix or similar. Pros: • Leakage – no remnants; disable screen scrape, local save, print • Reduced support needed • Web filtering covered. Issues: • Unauthorized access still an issue; user experience; support
  77. Method 3 – Containerization • Encrypted sandbox • Separate work and home • Many products. Pros: • Better user experience • Central management/policy • Many products – local/cloud • Leakage – config separation, encryption. Issues: access; support; cloud issues
  78. Method 4 – Direct Connection • Directly connect devices to network • Or PC via USB • Don't do this! – Included for completeness. Pros: • Easy. Issues: no controls; no management; no enforcement; leakage; remnants; etc.
  79. Apps. "Non-standard" software is a challenge: updates, patches; malware detection – can't enumerate badness; business – how to transfer knowledge if everyone uses different tools?
  80. Case Study: Kraft. Deployed iPhones 2008 – by 2009 to half of mobile users. Wanted to instill innovation, "opens employees' minds to what is possible". Internal success led to successful consumer apps – recipes, cooking videos, shopping lists, store locator
  81. Cost Example. Hypothetical 1000 Blackberrys: Unlimited data + calling = ~$50–$70/user/month ($60K/m); BES – ~$35K; Hardware – $20K/3y; Helpdesk – 1 FTE $50K/y; Server Ops – 1 FTE $100K/y; Total = >$900K/y
  82. Cost Example. Hypothetical 1000 BYODs: Stipend = $25/user/month ($25K/m); MDM – ~$50K/y; Hardware – $20K/3y; Helpdesk – none!; Server Ops – 1 FTE $100K/y; Total = ~$450K/y
  83. Other HR benefits: Employee satisfaction; Recruiting young workers; "Hip" factor
  84. Phones and texting. Phone? Exposing personal phone number; Voicemail; Text history and storage
  85. DHS view – POE • Policy • Supervisor approval • Citrix only • No Govt records on POE (unencrypted) • 3G or wired • Guest wireless • FAQs for users/sups • Metrics
  86. DHS view – State-owned • Policy • Supervisor approval • MDM • 3G or wired • Apple-only • Core wireless • 802.1x • FAQs for users/sups • Metrics
  87. Other Issues • Notes or manually entered data • Enterprise email/OWA • Discovery • Voicemail/video
  88. The Future • More tablets/phones/small devices • More "slim" OSs – Chrome, Android, iOS, etc. • Cost savings/stipend? • Cloud • User experience – Divide, Good, Fixmo, VMware Horizon, Citrix XEN • BES Fusion, Microsoft ???
  89. MDM Capabilities to Consider (InfoWorld Feb 2013 MDM Deep Dive) • Device encryption • Transport encryption • Complex PWs/policy • VPN support • Disable camera • Restrict/block apps • Anti-malware • Restrict/block networks • Remote lockout • Remote/selected wipe • Policy enforcement • OTA management • 2-factor/OTP
  90. Agenda 4: Admire the problem; Framing the Issue; Security Concerns; Solve the problem (kind of); BYOD; Software
  91. What is IT Consumerization? More than just devices. 2 parts: consumer devices; consumer software tools. Using these in the workplace in addition to, or instead of, company provided.
  92. Use of Consumer Tools. Skype – key for communications in some countries; Facebook/Twitter for interacting with customers; Twelpforce
  93. Twelpforce video
  94. Examples: Google Docs or Dropbox for public info (make sure the data is public); YouTube, Vimeo for training videos (avoid social engineering blueprints); Facebook fan page; Twitter, LinkedIn, G+ for press releases, outreach, customer support (just remember who you are!)
  95. Customer Expectations. Access to you is: mobile capable; available online and on social; through no wrong door
  96. Twitter and Facebook. The places to be. What are people saying about your company?
  97. Great Ideas: Ford – gave Fiestas to 100 social media influencers, sent on "missions", documented on channels. Received 50K inquiries and sold 10K cars in 6 days. Pepsi – used social network outreach for ideas for new Dew flavors. Levi Strauss – early use of location-specific deals.
  98. Social. Is there a strategy? Or doing it to be hip? (and without a clue?)
  99. Social: Connecting with customers; Internal collaboration; Internal connections – communities of interest; Innovation. Doesn't happen in a vacuum.
  100. Phishing
  101. Phishing on Social Networks. Scams seem real when they come from a "friend". Malicious links/apps spread quickly when posted or "liked". "Just say no" to apps.
  102. Installs app; grabs info; posts on your wall; click-fraud
  103. Expectations
  104. What Should We Do?
  105. Proactive: Policy; Management support; Support/helpdesk implications
  106. Policy. Examine existing – augment. New, but only if needed (shouldn't use of social be part of your AUP? Who needs a social media policy?)
  107. Software/Apps. "Non-standard" software is a challenge: updates, patches; malware detection – can't enumerate badness; business – how to transfer knowledge if everyone uses different tools?
  108. Non-Standard Software – YMMV: Inventory; Watch changes; X-ref v. CVE/malware; Watch rights; Auto-patch; Handle exceptions
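The slide above lists the steps for living with non-standard software: keep an inventory, watch it for changes, cross-reference it against known-vulnerable versions, and handle approved exceptions. The script below is an added example (not from the talk or from any MDM product) that runs those steps over two constructed inventory snapshots and a constructed advisory list; the package names, advisory ids, version numbers and exception ticket are all hypothetical.

```python
"""Diff a BYOD software inventory and cross-reference it against advisories.

Added example with constructed data (hypothetical package names, versions,
advisory ids and exception ticket). It shows the 'watch changes',
'x-ref v. CVE/malware' and 'handle exceptions' steps from the slide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data ------------------------------------------------
# Yesterday's and today's inventory of one device: package -> version.
INVENTORY_YESTERDAY = {
    "dropbox-client": "2.4.10",
    "skype": "6.3.0",
    "foxit-reader": "5.4.5",
}
INVENTORY_TODAY = {
    "dropbox-client": "2.4.10",
    "skype": "6.5.0",       # upgraded since yesterday
    "evernote": "5.0.1",    # newly installed
}                           # foxit-reader was removed

# Advisories (hypothetical ids): a package is affected if its version is
# lower than the 'fixed' version.
ADVISORIES = [
    {"id": "ADV-0001", "package": "skype", "fixed": "6.6.0"},
    {"id": "ADV-0002", "package": "dropbox-client", "fixed": "2.4.0"},
    {"id": "ADV-0003", "package": "evernote", "fixed": "5.0.2"},
]

# Approved exceptions: package -> ticket reference (hypothetical).
EXCEPTIONS = {"evernote": "EXC-42"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.5.0' -> (6, 5, 0). Non-numeric parts are ignored; tuples compare
    element by element, which is what we want for dotted versions."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def diff_inventory(before: Dict[str, str], after: Dict[str, str]):
    """Return (added, removed, changed) between two inventory snapshots.
    'changed' maps package -> (old_version, new_version)."""
    added = {n: v for n, v in after.items() if n not in before}
    removed = {n: v for n, v in before.items() if n not in after}
    changed = {
        n: (before[n], after[n])
        for n in before
        if n in after and before[n] != after[n]
    }
    return added, removed, changed


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    exception: Optional[str]  # ticket id if an approved exception covers it


def cross_reference(inventory: Dict[str, str], advisories, exceptions) -> List[Finding]:
    """Match installed versions against advisories; attach any exception."""
    findings = []
    for adv in advisories:
        name = adv["package"]
        if name not in inventory:
            continue
        installed = inventory[name]
        if parse_version(installed) < parse_version(adv["fixed"]):
            findings.append(Finding(name, installed, adv["id"], exceptions.get(name)))
    return findings


def actionable(findings: List[Finding]) -> List[Finding]:
    """Findings with no approved exception: these still need a patch or removal."""
    return [f for f in findings if f.exception is None]


if __name__ == "__main__":
    added, removed, changed = diff_inventory(INVENTORY_YESTERDAY, INVENTORY_TODAY)
    print("added:", added, "removed:", removed, "changed:", changed)
    for f in cross_reference(INVENTORY_TODAY, ADVISORIES, EXCEPTIONS):
        status = f"exception {f.exception}" if f.exception else "ACTION NEEDED"
        print(f"{f.package} {f.version} affected by {f.advisory}: {status}")
```

Note the version comparison: 2.4.10 is newer than 2.4.0, which a string compare would get wrong, and exceptions are attached to the finding rather than suppressing it, so the report still shows what was accepted and under which ticket.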
  109. Cloud. Ask: Whose data is it? Where is it going? 3rd party agreements? Know your data (classification). PIE – pre-Internet encryption
  110. BYO Plan
  111. Summary: What are people doing? Establish business need; BYOD, consumer apps, or both? Cross-domain planning (security, IT, legal, audit, privacy, HR, business); Document requirements
  112. Summary: Policy, technical, financial aspects; Watch the data; Make it easy for users; Education/awareness; Reap the benefits!
  113. Discussion… Slides at, @bcaplin, +barry caplin