  1. BYOD (and other acronyms of interest). Orange County CIO Roundtable, September 12, 2013. Jeff Hecht, Chief Compliance & Security Officer, The Word & Brown Companies. Copyright 2013 The Word & Brown Companies
  2. Two competing desires are increasingly at odds with each other: expanding mobility to leverage productivity gains, and controlling mobility to combat significant risks. Agenda:
     - BYOD basic issues
     - How widespread is it?
     - What are the risks?
     - How are enterprises dealing with it?
     - What categories of tools are or soon will be available to manage BYOD?
     - How can we develop an acceptable approach for BYOD that balances access and security?
  3. BYOD Challenges and Opportunities
     - There is a growing demand from employees to use their own electronic devices at work to access corporate assets.
     - Employees argue they are more productive on devices they've chosen and mastered.
     - High-level business executives often are part of this demand.
     - Younger employees in particular find the idea of a small list of corporate devices unacceptable.
     - Some studies suggest employees are more likely to work more hours and in more places when they can do it on their device of choice.
     - Many of these devices may be unsupported by IT departments. The versions change quickly as employees bring in the latest and greatest devices and upgrade on their own schedule, not their employer's.
  4. BYOD Challenges and Opportunities
     - The expense of always providing the latest and greatest devices is too much for most enterprises, so having employees provide their own device appears attractive financially.
     - The devices offer instant connectivity to the Internet and cloud services, which can easily evade the traditional control measures an IT department uses with corporate assets.
     - Concerns about data security, device control, data ownership, patching, backups and other issues generally handled for corporate devices are not fully resolved for most IT departments on personally owned devices. Keeping corporate data secure is largely at odds with the idea of "my device" and ubiquitous access.
     - Employees don't always trust their employer with their own information, particularly geo-location data, and may be reluctant to follow some policies.
  5. Major Security Concerns and Controls (chart slide; only the title survives in this transcript)
  6. Moving Ahead Regardless (chart slide, source: SC Magazine)
  7. Moving Ahead Regardless (chart slide, source: SC Magazine)
  8. There's plenty of hype
     - Many vendors have products positioned to "solve" the "BYOD problem".
     - It's unclear how big the issues are, and equally unclear how effectively the current product sets address them.
     - Each organization needs to assess what its exposure is and how best to control it. Factors such as regulations, the specific type of data held and exactly what is exposed to mobile connections are key.
     - Many of these issues raise similar concerns regardless of whether the device is owned by the organization or the employee, but they are magnified with BYOD.
  9. Fast Growth (chart slide)
  10. Really? (chart slide)
  11. Policies are evolving (chart slide)
  12. Policies are evolving (chart slide)
  13. More devices are owned by employees (chart slide)
  14. The Goals (section title slide)
  15. The Goals
     - Enable employee choice and flexibility
     - Prohibit unauthorized access; control where corporate data goes
     - Manage threats and vulnerabilities
     - Ensure network availability and performance; deliver a predictable user experience
     - Understand and control the true costs (and benefits)
  16. Alphabet Soup
     - BYOD (Bring Your Own Device), also sometimes called BYOT (Bring Your Own Technology): the blanket term for the trend and for the industry that's springing up around controlling the access. Generally BYOD means an employee owns the device and the service contract for its connectivity. Sometimes the employer may provide a stipend to offset some of the costs, but often the employee bears the whole cost.
     - MBYOD (Managed Bring Your Own Device): more of a marketing term than an actual category; there are various levels and ways the device can be controlled in a corporate environment (more on this in the balance of the presentation).
     - CYOD (Choose Your Own Device): the employee can choose a device from a list of either specific models or levels of operating system. Depending on the program, the employer may purchase and own the device (sometimes referred to as COPE, Company Owned Personally Enabled), or the employee buys the device and service but must choose a device from the approved list to get connectivity to corporate resources.
  17. Alphabet Soup
     - BYOA (Bring Your Own Application): BYOA intersects two of the most visible trends in technology today, mobility and cloud computing, where employees use a public application for work. The app itself could be a mobile app, a Web-based cloud app, or a combination of both access methods. The app might be free or paid-for and can be "brought" into the workplace on a mobile device or through a company PC's Web browser. Enterprises will invariably be faced with managing data in public apps. A similar idea is BYOS, Bring Your Own Service.
     - MDM (Mobile Device Management): the general category of tools to control access from mobile devices regardless of their ownership. They have some method of device registration, monitoring and remote wipe in case of loss or theft. Usually they can enforce password rules and require device encryption. More advanced versions of these management suites include the ability to create separate, encrypted data partitions to store and access corporate data. Some include basic data leakage prevention (DLP). These tools are primarily device-centric: you register a physical device and the specific controls are applied to that device.
  18. Alphabet Soup
     - MAM (Mobile Application Management) / MIM (Mobile Information Management): where MDM is device-centric, MAM/MIM are application- and data-centric. There are several approaches to controlling what corporate applications and data can be accessed: whitelisting or blacklisting applications, and controlling what can or cannot be connected to remotely. Containerization may be used to segregate and control data, although this sometimes impacts the user experience. Perhaps the most promising is the use of virtualization to provide access to data without actually allowing it to be transferred to mobile devices.
     - MDSM (Mobile Device Security Management): similar to a security suite for PCs (but not yet so comprehensive), including malware scanning and protection, enforcement of IPsec VPNs for connection to company resources, IPS, content filtering and firewalls. These tools are in their infancy; many MDM vendors claim their products provide device security, but most are very limited in what they can really do.
     - MDDCA (Mobile Device Detection / Contextual Awareness): an attempt to enforce context-based policy management. The context might be geographic (you can't access Facebook from within the company facility but can from home), related to the method of access (your iPad will connect to full company resources on the company WiFi but only to the email server from another connection point), or related to the day of the week or time. Some tools can segregate down to the individual access point (OK on the IT floor, not OK in a public area).
  19. Spectrum of Control (chart slide)
  20. Things To Consider With A BYOD Program
     - Recognize that these devices are going to be in your environment (no doubt they already are), so figure out your position. Are you trying to prohibit them? Embrace them? Control them? Do you have money to spend on tools to do this, or do you have to rely on what you already have plus policy enforcement? Engage business management to understand and shape their positions. Identify the company data you want to provide access to; email access may be quite a different risk than the corporate accounting system.
     - Specify what devices are permitted. Decide exactly what you mean when you say "bring your own device." Should you really be saying "bring your own iPhone but not your own Android phone", or "only your Android with OS 4.0 or later"?
     - Decide what apps will be allowed or banned. Can users download, install and use an application that presents security or legal risk on devices that have access to sensitive corporate resources? Can you control it? The technology for preventing downloads of questionable apps or copyright-infringing music and media on personal phones is immature at best, but that doesn't mean you shouldn't have a policy against it.
  21. Things To Consider With A BYOD Program
     - Identify which employees will be allowed to use their own devices. Is this everyone? Managers? Sales people? Only those you would otherwise have given corporate equipment? Figure out who and why; you'll be expected to defend the decisions.
     - Establish clear security requirements for all devices. For example, if your users want to use their devices with your systems, then they'll have to accept a complex password on their devices at all times, just as they do on company-owned equipment. They also may have to agree to a device wipe policy, a timeout limit and device encryption. You almost surely want to restrict jailbroken or rooted devices.
     - Make it clear who owns what apps and data. At some point devices will be lost or stolen and data will have to be wiped. While some devices support selective data wipes, it is always possible that all content on the phone may be erased, including personal pictures, music and applications that the individual, not the company, may have paid for. It may be impossible to replace these items. Be sure you make it clear that you assert the right to wipe these devices. Provide guidance on how employees can secure their own content and back it up so they can restore personal information if the device has to be wiped or replaced. Can you control where they might back up the company data on the device?
  22. Things To Consider With A BYOD Program
     - Figure out what level of support you can provide. Will you provide support for broken devices? Is your support basically a "wipe and reconfigure" operation? How quickly and efficiently can you respond to lost-device situations? Are users on their own after initial setup?
     - Define an employee exit strategy ahead of time. What will happen when employees with devices on your BYOD platform leave the company? How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information? It's not as simple as having the employee return a corporate-issued phone. You may need to perform a wipe of the BYOD-enabled device as a mandatory exit step, and make it clear that you reserve the right to issue a wipe command if the employee hasn't made alternate arrangements with your IT department prior to exit time.
  23. Things To Consider With A BYOD Program
     - Write it all down and communicate it. There was never a more important time to have a clear, detailed written policy, and to be prepared to revise and update it regularly as unforeseen situations change the landscape. Have your users sign an acknowledgement that they've read and agreed to the conditions you decide to impose. Invest in training BYOD users on the policy and the specific security threats associated with mobile access.
     - Integrate your BYOD plan with your acceptable use policy. Allowing personal devices to connect to your VPN introduces some doubt about what activities may and may not be permitted. If someone sets up a VPN tunnel on a personally owned device and then posts to Facebook, is this a violation? What if your employees browse objectionable websites while on their device's VPN? What if they transmit inappropriate material over your network, even though they're using a device they own personally? Are there sanctions for such activity? What monitoring strategies and tools are available to enforce such policies? What rights do you have to set up rules in this arena?
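As an added example (not code from the presentation or from The Word & Brown Companies), here is a small Python policy evaluator that combines the device requirements from slide 21 (complex passcode, encryption, no jailbroken or rooted devices, a minimum OS version) with the context rules from the MDDCA definition on slide 18 (full resources on company WiFi, email only from other connection points, per-area and time-of-day restrictions, no Facebook from inside the facility). The resource names, the iOS version floor, the business-hours window and the list of on-site locations are assumptions.

```python
# Added example: BYOD device-posture plus context policy evaluator (constructed, not the
# presentation's code). Resource names, the iOS floor and business hours are assumptions.
from dataclasses import dataclass

@dataclass
class Device:
    os_name: str
    os_version: tuple        # e.g. (4, 1) for Android 4.1
    passcode_complex: bool
    encrypted: bool
    rooted: bool             # jailbroken (iOS) or rooted (Android)

@dataclass
class Context:
    network: str             # "corp-wifi", "guest-wifi", "cellular", ...
    location: str            # "it-floor", "lobby", "home", ...
    hour: int                # local hour of day, 0-23

MIN_OS = {"android": (4, 0), "ios": (6, 0)}   # Android 4.0 is slide 20's example; iOS floor assumed
BUSINESS_HOURS = (8, 18)                      # assumed window for the accounting system
FACILITY_AREAS = {"it-floor", "lobby"}        # assumed on-site locations

def device_compliance_issues(d: Device) -> list:
    """Slide 21 requirements; an empty list means the device is acceptable."""
    issues = [msg for bad, msg in ((d.rooted, "rooted/jailbroken"),
                                   (not d.encrypted, "not encrypted"),
                                   (not d.passcode_complex, "weak or no passcode")) if bad]
    floor = MIN_OS.get(d.os_name.lower())
    if floor is None:
        issues.append("unsupported platform: " + d.os_name)
    elif d.os_version < floor:
        issues.append("OS below minimum %s" % (floor,))
    return issues

def allowed_resources(d: Device, c: Context) -> set:
    """MDDCA-style decision: which corporate resources this request may reach."""
    if device_compliance_issues(d):
        return set()                     # non-compliant device: deny everything
    if c.network != "corp-wifi":
        return {"email"}                 # any other connection point: email server only
    allowed = {"email", "intranet"}
    in_hours = BUSINESS_HOURS[0] <= c.hour < BUSINESS_HOURS[1]
    if c.location == "it-floor" and in_hours:
        allowed.add("accounting")        # per-access-point plus time-of-day rule
    return allowed

def blocked_destinations(c: Context) -> set:
    """Geographic rule from slide 18: no Facebook from inside the facility."""
    return {"facebook"} if c.location in FACILITY_AREAS else set()
```

The compliance check runs first so that a rooted or unencrypted device is denied everything regardless of where it connects from; the context rules only narrow what a compliant device can reach.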
  24. One approach to a process (chart slide)
  25. Questions And Discussion