This document summarizes a presentation about managing risks and enabling opportunities related to bring your own device (BYOD), the cloud, mobile technologies, and the Internet of Things. The presenter discusses viewing these trends through three lenses: personal vs corporate data, who pays, and shifts in culture and relationships. A variety of security control options are presented, including mobile device management, virtual desktop infrastructure, application wrappers, and network access control. The presenter advocates for a comprehensive, multilayered approach combining several controls to balance security and business needs like access agility.
The Cisco 2010 Midyear Security Report includes:
* Results and analysis from two new Cisco studies -- one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
* International trends in cyber-security and their potential impact on business
* Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
* An update on global spam trends since late 2009 and spam volume predictions for 2010
* Guidance from Cisco security experts to help businesses improve their enterprise security by 2011
The document discusses the challenges of BYOD (bring your own device) security and proposes an alternative approach of focusing on securing corporate data rather than devices. It notes that traditional MDM (mobile device management) approaches are too complex, restrict employee privacy, and don't effectively secure access to cloud applications. The document proposes that companies instead use data-centric security technologies like persistent digital watermarking and DLP (data loss prevention) to protect corporate data on any device or application, without imposing controls on personal data or device usage. This allows employees freedom while securely enabling the use of BYOD and cloud services.
How the Internet of Things Leads to Better, Faster Crisis Communication | BlackBerry
The Internet of Things promises to provide a wide range of futuristic benefits, but what is often overlooked is how deeply IoT sensors and data analytics already impact how we live and how we conduct business. This is especially true of crisis communications. Here, IoT has far-reaching implications, both in the present and in the future.
This whitepaper explores how IoT sensors powerfully expand the capabilities of networked crisis communication solutions. It also discusses typical scenarios for incorporating IoT sensor data within emergency preparedness scenarios. Finally, it demonstrates why AtHoc is particularly well suited for using IoT data to deliver faster, more accurate situational awareness in an intuitive manner, without inundating employees with excess data or forcing emergency management staff to become data scientists.
Internet of things enabling tech - challenges - opportunities (2016) | Davor Dokonal
This document discusses the Internet of Things (IoT) by outlining its technical perspectives, enabling technologies, opportunities, and challenges. It begins by defining IoT and discussing efforts to standardize it. It then explains the core enabling technologies of devices/nanotech, cloud computing, networking, and programmability. Additional enabling social technologies discussed include big data, augmented reality, crowdsourcing, algorithms, machine learning, and artificial intelligence. The document outlines many opportunities that IoT presents across various industries. It also examines important challenges related to privacy, security, technological issues, and societal impacts. It concludes by advising what chief information officers should consider regarding IoT's implementation.
The Future of Security in Australia: a Think Tank Report by BlackBerry. This white paper from BlackBerry, the mobile-native software and services company dedicated to securing the Enterprise of Things, features the analysis and thoughts from a 10-expert roundtable late last year looking at trends in cyber and mobile security.
Enterprise Mobility Applications: Addressing a Growing Gap | BlackBerry
This new report on enterprise mobility applications highlights the alarming gap between Central IT and line-of-business IT environments. Millennials in particular are showing signs of growing frustration with the devices and software tools available to support them in the workplace. Many are making their own mobility arrangements, through ‘shadow IT’, despite growing regulatory risk. The advent of the ‘Internet of Things’ will further exacerbate the situation as mobile staff seek access to real time data from their phones and tablets.
Our recent survey of over 100 financial service organizations, conducted by Forbes Insights in the UK and North America, indicates that despite current business and employee demand, enterprise mobile applications remain at a very early stage of maturity, with less than a quarter of employees eligible to access such facilities. The implications here are profound, given the need to support mobile working with appropriate tools in every sphere of corporate activity today.
Many employees complain that the only advance over the last ten years has been to ‘mobilize the laptop’. This merely emulates the traditional desktop environment outside the office. Set against this stark background of underperformance in the mobility area, Central IT appears to be preoccupied with legacy issues such as costly infrastructures and aging systems. Our survey reveals that despite having developed policies and tools to address enterprise mobility, Central IT has little visibility of what is actually going on within the lines of business or at the end user level.
Nor does it have the necessary resources currently to respond rapidly to the growing pressures for workplace mobility. External agencies appear to be stepping in to fill this gap, frequently circumventing Central IT. Mobility remains low on the Central IT agenda.
IDC: Top Five Considerations for Cloud-Based Security | arms8586
The document discusses considerations for enterprises moving to cloud-based web security solutions. It addresses key drivers like the dissolution of network perimeters and rise of mobile/BYOD usage. Challenges include enforcing consistent social media policies and securing unmanaged devices. Cloud solutions can provide ubiquitous security without on-device agents. Hybrid models combining on-premise and cloud are also discussed.
A Business-Driven Approach to Mobile Enterprise Security | Транслируем.бел
This document summarizes a white paper on a business-driven approach to mobile enterprise security. The key points are:
1) The mobile enterprise presents new security challenges as it allows a variety of devices, cloud applications, and flexible network access. Existing security controls are not designed for these demands.
2) A strategic approach is needed that involves collaborative policy creation between business and IT, building the right infrastructure to support policies and enforcement, and ongoing monitoring and improvement.
3) Mobile enterprise security policies should define supported devices, configurations, user access privileges based on roles and locations, and application usage policies to balance security and business needs. Existing tools often cannot provide the integrated enforcement required.
"In this issue of “The 10 Most Trusted Companies in
Enterprise Security” Insights Success has shortlisted those enterprise security providers which are providing solutions that systematically profile and contextualize security threats with a level of detail and granularity that has never been achieved before."
Networking Plus December 2014: Connecting Mobile Workers | Eric Wong
An excerpt from the magazine in which Peplink, Citrix, Vodafone and Cisco voice their thoughts on BYOD, mobile and remote workers, and the devices that make it possible.
Growing BYOD Trend Brings New Security Challenges for IT in Allowing Greater ... | Dana Gardner
Transcript of a BriefingsDirect podcast on how Dell Software is helping to bring standardized and flexible approaches to making BYOD a positive new force for enterprise productivity.
Building the Anytime, Anywhere Network
Mobile technologies are opening enormous new business opportunities. Capitalizing on them takes a new approach to networking. To learn more, visit Juniper Networks at: http://juni.pr/CMlpCMPss
This document discusses the implementation of a Bring Your Own Device (BYOD) policy and program. It begins by explaining how the proliferation of mobile devices in the workplace has led to the rise of BYOD. It notes that most employees are already using their own devices for work purposes. The rest of the document outlines "The Ten Commandments of BYOD" which provide guidance on how to create a secure and productive mobile environment that supports BYOD while protecting corporate data. The ten commandments cover topics like creating a BYOD policy, identifying existing devices, simplifying enrollment, configuring devices remotely, giving users self-service options, and protecting personal information.
Staying ahead in the cyber security game - Sogeti + IBM | Rick Bouter
Cyber security is center stage in the world today, thanks to almost continuous revelations about incidents and breaches. In this context of unpredictability and insecurity, organizations are redefining their approach to security, trying to find the balance between risk, innovation and cost. At the same time, the field of cyber security is undergoing many dramatic changes, demanding organizations embrace new practices and skill sets.
Cyber security risk is now squarely a business risk – dropping the ball on security can threaten an organization’s future – yet many organizations continue to manage and understand cyber security in the context of the IT department. This has to change.
How to Gain Advanced Cyber Resilience and Recovery Across Digital Business Wo... | Dana Gardner
A transcript of a discussion on how comprehensive cloud security solutions need to go beyond on-premises threat detection and remediation to significantly strengthen extended digital business workflows.
This document discusses mobile security for businesses. It begins by noting that mobile devices present new security risks that companies often only address reactively after a breach. However, mobile security allows businesses to capitalize on opportunities from mobile applications if done properly. The document then provides an overview of common mobile security threats like malware, privacy issues, and social engineering. It concludes by offering a 7-step checklist for better mobile security practices that IT administrators can implement, including securing devices with passwords and preparing phone location/remote wipe services.
When Worlds Collide: Tracking the Trends at the Intersection of Social, Mobil... | mkeane
The American workplace is in a period of unprecedented change as the combination of mobile technology and social media is changing the "who, what, when and where" of work.
Mobile Security: Preparing for the 2017 Threat Landscape | BlackBerry
For years, security researchers and leaders have warned: “The mobile threat is coming.” Well, in 2016 it arrived in full force. Attackers are finding new, creative means of stealing user credentials and penetrating critical systems via the mobile channel. And healthcare entities—with an increasingly mobile workforce and patient population—are square in the middle of this expanding mobile threatscape, as attackers seek to capture and monetize critical healthcare data.
What are the most prevalent new threats, and what are leading organizations doing to bolster mobile security as we head into 2017?
This interview with BlackBerry VP Government Solutions Sinisha Patkovic, on Mobile Security: Preparing for the 2017 Threat Landscape, was produced for a recent ISMG Security Executive Roundtable sponsored by BlackBerry.
Read Navigating the Flood of BYOD to find out what challenges you face in securing your network architecture. When Total Application and Network Visibility is implemented, BYOD helps employees to stay in touch with their personal lives while keeping their business lives separate, preserving the confidentiality and integrity of each—all on the same device. This adds up to productivity, security and morale.
Mobile devices present new challenges for backing up data as more employees use their personal smartphones and tablets for work. IT needs to implement a smart mix of policies, cloud services, and mobile device management to address these challenges. Specifically, the policy should clearly define the company's requirements for accessing corporate data on personal devices and clarify IT's responsibilities for backing up corporate versus personal data. The cloud can help with backups, but full device backups are difficult due to limitations of mobile operating systems.
Cisco io t for vietnam cio community 2 apr 2015 - split | Phuc (Peter) Huynh
The document discusses opportunities, business models, and applications/use cases related to the Internet of Things (IoT). It provides examples of sensors that can be connected in IoT applications. These include gesture recognition, accelerometer, gyroscope, and sensors that detect light, temperature, humidity, and other environmental factors. The document also discusses how IoT can transform industries and businesses by connecting people, processes, data and things to create new opportunities and efficiencies. Key drivers of IoT adoption include declining technology costs and the ability to gain insights from analyzing large amounts of data collected through connected devices.
The Internet of Things: the 4 security dimensions of smart devices | Wavestone
Like all major technological revolutions, digital transformation is spreading over many areas. The Internet of Things plays an important role in this trend, through the emergence of numerous devices.
Social Enterprise: Trust; Vision; Revolution | Peter Coffee
Becoming a social enterprise is not a technical evolution, but a business transformation. Technologies enable it, but only a cultural commitment will achieve it. Doing it is not optional, unless going out of business is also considered an OK option.
The document discusses the opportunities and challenges for CIOs with the rise of the Internet of Things (IoT). It notes that IoT will generate vast amounts of data from a growing number of connected devices. CIOs must help their organizations adapt by embracing new technologies, data sources, and ways of analyzing data to drive business value from IoT. While IT organizations currently focus on cost and stability, IoT requires an approach that also fosters innovation.
Overcoming The Biggest Barriers To Cloud Computing? | Bernard Marr
During the current coronavirus pandemic, cloud computing is playing an increasingly prominent part in many of our lives. From how we stay entertained, to socialising with friends and doing business, it’s fair to say that when things eventually return to normal many people will have a far greater appreciation of cloud and the way it empowers us to work, play and do business differently.
Consumidores Digitais: The Executive's Guide to the Internet of Things (ZD Net) | Consumidores Digitais
The Internet of Things, or Machine-to-Machine (M2M), is one of the most current topics in technology. This guide covers what business leaders need to know to maximize its benefits.
This document outlines William H. Miller Jr.'s presentation at the EVANTA CIO Executive Summit on December 8, 2015. The presentation was titled "Debunking Common IT Myths 2.0" and aimed to explore five IT topics that are subject to many misconceptions: 1) the inevitability of cloud computing, 2) the role of ERP systems, 3) cybersecurity investment, 4) demands for IT ROI, and 5) innovation in technical organizations. For each topic, Miller presented hypotheses and provocative statements to ignite discussion and debate among participants, with the goal of exposing perspectives and potentially debunking common IT myths.
This document discusses issues related to Bring Your Own Device (BYOD) policies in corporations. It outlines some of the risks of BYOD including threats to network access and security, data leakage, increased bandwidth usage, and potential breaches of acceptable use policies. It emphasizes that developing a formal BYOD policy is important to address these risks and ensure all employees understand and agree to the policy. The policy needs to consider supporting a variety of personal devices including laptops, tablets, and smartphones running different operating systems. It also needs to address compatibility issues for browsers and mobile device management tools.
The document discusses how to balance security and productivity with FAMOC and Samsung KNOX mobile device management solutions. It provides perspectives from a CIO and employee on the changing role of IT and increasing use of mobile devices for work. It then outlines several steps an organization can take including letting devices in but focusing on security, keeping user experience in mind, and engaging and educating employees. It highlights key features of FAMOC and Samsung KNOX like application containers and VPN configuration to secure corporate data while allowing personal use of devices.
Bring Your Own Device (BYOD) is Here to Stay, But What About The RisksLogicalis
Bring your own device (BYOD) allows employees to use personal devices for work but raises security risks. There are several options for managing these risks, including traditional Network Access Control (NAC), Mobile Device Management (MDM) to lock down devices, or a hybrid MDM/Mobile Application Management (MAM) approach. A hybrid MDM/MAM solution that balances security and user flexibility may be preferred, as it allows IT to control only corporate apps and data without accessing personal information. Finding the right balance between user satisfaction and security is key for organizations enabling BYOD.
Bring your own device (byod) is here to stay, but what about the risksLogicalis
James Tay, CEO at Logicalis Asia, considers the options when it comes to managing the data security risks
associated with BYOD. Should it be the traditional Network Access Control (NAC) approach, the belt and braces
of Mobile Device Management or the less invasive Mobile Application Management?
TEC H 10042013 @ 615PM 15,497 viewsCell phone.docxssuserf9c51d
The document discusses the potential risks associated with BYOD (Bring Your Own Device) programs if organizations do not establish proper governance strategies and security protocols. It provides examples of "rogue IT" behaviors from employees using unsanctioned apps and services that have led to data breaches, lawsuits, and financial penalties costing organizations billions. While BYOD can increase productivity, the author argues governance is needed to manage risks and that both IT and employees must work together to balance flexibility with necessary controls.
TEC H 10042013 @ 615PM 15,497 viewsCell phone.docxmattinsonjanel
TEC H | 10/04/2013 @ 6:15PM | 15,497 views
“Cell phones” at work are not new. Nor are smart phones. Many credit
Blackberry for inventing the concept, but few would argue that Apple with its
iPhone, more than other device created this explosive phenomena called
BYOD – Bring Your Own Device to work.
Most of what BYOD seems to represent so far is an unbalanced equation in
favor of employees. Employees may be happier because they can carry their
favorite device to get company email, but it is not clear that employers are
happy with the results. Keep in mind, that 90%+ of BYOD activities are
email, calendar, personal banking, news, family life coordination, Twitter
and Facebook, but little else.
In my conversations with business and technology leaders, many
organizations are asking themselves if the fully loaded costs of
~$5.50/month/employee, in addition to any device or services subsidy, is
worth it to the company.
If BYOD 1.0 is about employees, what might a BYOD 2.0 look like?
What are enterprises looking to get out of BYOD going forward? With this in
mind, I have been asking a lot of CIO’s, Directors of IT and other smart
people what they think.
Once such person is Yaacov Cohen, CEO of harmon.ie, a fast growing
enterprise mobility company. Yaacov talks to senior executives around the
world about how better collaborated ideas and increased productivity can
take place via personal use of mobile devices at work – and he has some
pretty interesting insights to share.
1. Yaacov, how do we move from this Bring Your Own Device (BYOD)
paradigm into BYOD 2.0, which you talk about as more of a “Use Your Own
Device” mentality?
“Everyone has been talking about BYOD, which should be more than
bringing their devices to work and then putting them to the side and saying,
“Hey, stay quiet. Don’t disturb me. I’ve got a lot of work to do.” And they go
to their laptops and do most of their work.”
“We want to change that. Business leaders are looking for change. The
mobile enterprise and BYOD 2.0 is not about bringing devices to work; it is
about using devices for work. How does business turn these shiny new toys
into business tools?”
“That means allowing employees to work with customers, review contracts,
write blog posts – do real work on mobile devices.”
2. Is BYOD a good idea in a practical sense?
“BYOD essentially means freedom of choice. Today’s IT professionals
recognize the need to work with users rather than impose procedures and
systems on them. BYOD is an expression of our world, which is becoming
more democratic and more engaging.”
“We’ve gotten stuck on the infrastructure side of things. It is true that mobile
brings a lot of questions about security. What happens if I lose my device?
What happens if an employee leaves the company with sensitive records on
his mobile device? We need to address these issues and then we need to
move beyond them.”
3. What are the key business drivers for how enterprise should invest in
BYOD 2.0?
“The p ...
Integrating Enterprise Mobility - an Assessment WHITE PAPERMobiloitte
We offer complete satisfaction to our customers by following standardized SDLC processes, hiring the best of breed developers and mastering most of our requirements gathering, wireframing, designing, developing, testing, delivering, deploying and maintenance tasks.
Ours is an off-shore model, but we ensure that both customer and Mobiloitte are always in touch by keeping communications open, providing regular updates and iterative releases so that the customer is always well informed.
How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...Dana Gardner
Transcript of a discussion on how a Minnesota law firm puts the power of diverse mobility to widespread use and keeps confidential and regulated data under strict control.
The SolarWinds hack, first detected in December 2020 and referred to as “the largest and most sophisticated attack the world has ever seen” by the president of Microsoft, was a watershed moment in cybersecurity. Hundreds of organizations, including Fortune 500 companies and government agencies, were affected, with sensitive data compromised. A year on, a major study conducted by Splunk has found that 78% of companies expect the same thing to happen again.
Telecommunications Working from home Security and remote working caalehosickg3
Telecommunications Working from home Security and remote working can be a headache for digital nomads, and their clients or employers. If you’re a remote worker and have multiple clients, sometimes in different locations around the world, you may need to use different security applications for each of them. You will probably have to comply with multiple policies and regulations and may feel anxious about accessing and inadvertently compromising a client’s network. And, on the other hand, it is understandable if you are wary of giving up some of your own privacy to your employer (wang, qiao & lima, 2018) . It’s not just remote workers themselves who are at risk. Permanent employees who occasionally do work at home can face (and cause) security issues when remotely interfacing with an organization’s network. Let’s say we have a situation where our organization has 20 sales representatives working outside organization remotely. Case: Letter to CEO If we like to have remote team in our organization first we need to convince every one because there are several risks involved first we need to point the risk then has to come up with possible solutions Here in the letter we start with identification of risk. Here are some of the risks faced by the organization. Connection quality. If the user has a poor internet connection or a weak Wi-Fi signal, both of which are common at hotels or public hotspots for example, then the remote desktop connection will also be slow. Accessing applications or files becomes cumbersome. VPNs. VPNs, or virtual private networks, are very sensitive. Many public internet connections will not allow users to work at all, making remote connection almost impossible. Performance. There are many low-cost methods available, such as LogMeIn and GoToMyPC that simply do not have the speed necessary for accomplishing hours of work. The delays inherent in these solutions mean they are only viable options for quick tasks or small amounts of work. 
In addition, they may not allow for local file and printer access(Diekmann & Naab, 2019). Security. Public hotspots are common at coffee shops, airports, hotels, and even public parks. While they are convenient, they are also highly susceptible to hackers who would be able to access any of the data you’re working on while using the shared Wi-Fi. Application availability. Systems like Citrix and Terminal Server only allow access to certain programs that have been configured by the IT administrator. Often times, users need access to applications they installed themselves, special plugins, configurations, or files from their desktop, or other resources that are not on the remote access server. What’s more, these systems often work differently than the desktops. This change in habitual processes is inconvenient and sure to slow any user down. Open applications. If a user left files or applications open on their business desktop, they are locked there. It is impossible to log in to them a ...
This document discusses preparing for "Bring Your Own Device" (BYOD) in corporate IT environments. It notes that corporate IT departments have largely lost the ability to restrict which devices employees use and that there is now a wide variety of devices. The solution is for IT to accept this diversity and focus on securing access to corporate information on different devices rather than trying to manage each device directly. The document recommends taking a risk-based approach and creating a matrix to define how different applications and information can be accessed securely from different device classes through options like secure browsers, virtual desktops, or custom apps. While securing access across many devices is challenging, the document argues it is more feasible than attempting to manage or restrict each individual device type.
A discussion on IT trends forecast for the year ahead in respect to entrepreneurs & students.
The transcript of my oral notes for the presentation are added to the last slides.
The document discusses the impact and growth of the Internet of Things (IoT). It summarizes perspectives from Intel Security executives on IoT. They state that IoT will have as big an impact as the industrial revolution and will be embedded in nearly all devices. By 2020, the IoT market is expected to reach $8.9 trillion with 26 billion connected devices. However, for IoT to succeed, security must be built into devices from the beginning as breaches could destroy businesses and privacy.
Similar to 7.5 steps to overlaying BYoD & IoT on Existing Investments (20)
7.5 steps to overlaying BYoD & IoT on Existing Investments
1. Welcome, my name is Caston Thomas, with InterWorks
We’re all struggling with this BYoD/IoT phenomenon.
It’s become the rule rather than the exception. Although it may be a convenience to
users, we need to think about its impact on our organizations – from a risk standpoint
but also from a cultural standpoint as well.
Today, I’m going to talk about the risks & rewards of BYOD, the cloud, mobile and the
“Internet of Things”.
We’ll discuss how we can adapt to this fast changing world while preserving the
investments you’ve already made into security, applications, Infrastructure, processes,
HR procedures, etc.
1
2. When I talk about these things, let’s take “BYOD” as the example, the first thing I do is to look at
the subject through the same prism. From my standpoint, there are three ways to look at
BYoD. And similar perspectives on IoT & cloud hold true as well.
We’re talking about the single greatest evolution that IT has ever had to grapple with these
days. It is a transformation of not only the device types, but who owns them, who manages
them, who supports them, who pays for them. And the worst part, there’s no “line of
demarcation”. It’s a world of gray and I don’t expect that to change any time soon, just
because of how fast things are changing.
Option 1… personal vs corporate data
Option 2…who pays?
Option 3… fundamental shift in culture and the relationships that IT & management have with
our end users, contractors, guests, & even trading partners
BYOD encompasses smartphones, tablets, BlackBerrys, as well as traditional notebook
computers. Moving forward it will include things like personal health devices & monitoring
equipment, Google Glass, Apple TV, and new technologies that will sit on our network that
provide new information creation points as well as security exposures. Get ready, because here
it comes. The last ten years was a cakewalk compared with where we’re headed the next ten
years!
& it is not just about the devices, it is also about the software & services that will be used --
cloud services & other tools on the web.
2
3. I won’t be telling you anything you don’t already know.
I hope to put it into a perspective and then a framework that allows us to prepare &
adapt.
The role of IT will change. Budget battles will change. IT operations might slip into
irrelevance if LOB can buy its ERP/MRP/CRM from the cloud. But even if that extreme
view did occur, the strategic relevance of IT becomes even more instrumental.
New turf… new battles… new opportunities… new risks….
3
4. So if we are IT security managers, we might be wondering, should we fight or embrace
the trends?
Many analysts have spoken out on this issue, such as Gartner & Forrester. They think
fighting the tide is impossible, & not only that, it’s not even a sensible decision when
we look at all the dimensions of the issue.
4
5. Other analysts have stated that BYOD & IoT will be huge cost-savers, if it is done right.
Either way, it’s going to transform our organizations, for better… or worse.
5
6. Questions arise…
Internal threats
Incident response
Change management
If we don’t change some fundamental assumptions and our ways of thinking, things will get even worse. Today, on
average, there’s a 2.5 day gap between identifying a security breach and fixing it.
We have to change!!! Just one example, we as IT & IT security professionals have a fundamental flaw in how we’ve
approached network security. This is it. Everything we’ve done until now has been under the assumption that we
must detect and then respond, remediate, fix the vulnerability. We think… “no matter what we do, the bad guys will
find a way to get what they want.” We’re always on our heels. We’re always on defense.
It’s not part of this presentation, but there are exciting, revolutionary technologies & processes that have been
developed. They’re starting to come onto the market and will be mainstream soon. I won’t go into it now, but
here’s my challenge to you… What if we stop thinking about detecting & responding, and start thinking about
PREVENTING!?!
Obviously, mobile devices, & more specifically personally owned mobile devices, open us up to all kinds of bad
stuff on our network. The most pressing concern is data loss. What happens when the device is stolen, or
jailbroken? What happens when an unauthorized user or device downloads or uploads data from our network?
Malware: In 2013, 80% of organizations with BYOD policies have seen botnet compromises increase by 100 percent
inside their networks.
And of course, compliance. The number & type of endpoint devices is multiplying rapidly, & yet we as IT security
managers are tasked with compliance issues. How do we do it? It gets much harder if the endpoint is not one that we
own, as is the case with BYOD. & besides mobile devices, there are other issues, such as an employee trying to work
around IT by installing their own wireless access point, or using iCloud or Dropbox which we might not want.
6
7. Comprehensive approach solves different exposures to how different end users need
data. It’s how we create a structure for addressing flexibility AND control. We’ve got to
stop being “the guys who only say NO”!
So let’s talk about the most common security controls for this new world, & I will
describe the characteristics of each type of control.
7
8. When we think about “mobile”, we tend to think about tablets & phones. But we need to think
of it more as mobile data, NOT mobile devices. When we think mobile data, we think also
about the data on laptops, on home computers, portable storage, maybe even sites like Box &
Dropbox – and certainly those new classes of devices that will come onto our networks in the
future.
We think about MDM in a generic sense, but that primarily manages the devices. MDM as we
know it today doesn’t do the DLP, or malware, or document classification. There has to be
more… and there is!
--- old notes ----
You could try to manage all the devices on our network. The first iteration of this we know as
“Mobile Device Management”, or MDM. This approach has gained a lot of traction, & it allows
us to lock down parts of the device itself – assuming the device has actually been enrolled in the
MDM system & has an agent installed. But MDM usually does not support all the mobile
devices that employees are bringing into the office, for example it doesn’t help us secure
personally-owned MacBooks & Windows PCs. Another problem is the fact that MDM is usually
installed as a separate system, with a separate management console, not integrated with
anything else. & MDM does nothing to protect our network from unauthorized devices, or
devices that are not yet enrolled into the MDM system.
8
9. The limits of this use case are when the user is disconnected, a poor user interface, and a few other
minor things. The important part of this is that it goes far in protecting the DATA!
--- old presentation ---
The second option: we could restrict the data so that it never gets onto mobile devices. The
data never gets copied down to the device. This is very strong data protection, but it does not
provide a good user experience for owners of phones & tablets. The form-factor is wrong.
These are small-screen devices, & the users are not going to want to use a Windows interface
on their iPhone. Moreover, VDI does not work if we don’t have a live Internet connection. So
for large populations of mobile users who work on airplanes & taxis, this is a non-starter.
Some people think that if we use VDI, we don’t have to worry about the security of the
endpoint, but Gartner says this is not the case. They say that “Network access control (NAC) &
Network Access Protection (NAP) solutions, including Secure Sockets Layer (SSL) VPN, become
vital, allowing policy engines to check that endpoint devices meet minimum specifications
before accessing their VDI session (including OS patch levels, presence of an antivirus [AV]
solution, up-to-date AV signature files & an acceptable network context).”
9
10. Wrapper approach, or the mobile application specific VPN
In most cases, this still needs to operate side by side with an MDM, but this is really
about application control and a degree of data security. It doesn’t take care of email,
calendaring, address books, etc.
--- old presentation ---
The third option is that we can control the applications that mobile users run. We can
build our own enterprise applications using a mobile enterprise application platform
(MEAP), or we can use a mobile application wrapper (MAW) from vendors like Mocana
& Nukona. These application wrappers help us encrypt & contain the data that the
applications use. These approaches are fairly new, it is a niche market. We would
probably need some in-house development expertise to roll it out. It looks like a
promising approach. But even this approach is not a panacea, because if we read the
whitepapers written by these vendors, you’ll see that they rely on us having a
distribution mechanism like MDM to distribute & manage the apps. & they don’t
necessarily work with email, which is the most common application.
10
11. A lot of organizations are moving to NAC… Start thinking about the next evolution of
NAC. It’s not about “access control”. Change our thinking to “policy enforcement”.
Again, a slightly different approach that makes a HUGE difference. Let’s start thinking in
terms of “network access policy enforcement”! In doing so, we start to create
congruence between security policy (compliance, governance, framework &
architecture) and SecOps!
Another change… A single “point of policy” should cover all access methods, whether
wired, wireless, VPN or mobile.
--- old presentation ---
Lastly, we can control network access in a very intelligent way. I’m not talking about
“blocking all personal devices” from the network, that was solution #1, I’m talking
about granting specific network access on the basis of who the user is & what the user
has, & how secure that device is. This too is not a panacea, but it’s simple, it’s future-
proof. Get 100% visibility & control over everything on our network, & we won’t need
any software agents. NAC doesn’t protect the device itself, so if we decide to allow
mobile devices onto our network, & we decide to allow data onto the mobile devices
(or unbeknownst to you, data winds up on the mobile device), you’ll need something
else to protect that data. For example, MDM.
11
12. I agree with Gartner that two of these controls are especially useful. NAC is
foundational to any BYOD strategy, & MDM is also a very popular & useful approach. &
these technologies can work together. We can mix-and-match technologies, because in
the area of BYOD, a single control is probably not sufficient.
In fact, depending on what we are trying to do, different controls are appropriate. Let
me explain.
12
13. Here’s the way I look at our options.
One of our first decisions will have to be to what extent we want to
mobilize our workforce. & our choice might be different for different
populations of users. For some users, we want to support mobile devices in
a limited way, say with just email. But for other users we might choose to
fully mobilize them & extend sales force automation systems or home-
grown business applications to these users.
So think in terms of a range of choices, as shown on this diagram. What are
the appropriate security controls for each choice?
*** There’s a fundamental process in doing this. We can go through this
process for each use case, each user group or role, and/or each
application. ***
13
14. Going back to the issue of NAC. There’s a low cost BYoD/NAC approach. And
that’s what I call WAP-NAC. Built into wifi vendors Aerohive, Meraki, &
Ruckus/Meru (to a lesser degree) are NAC-like capabilities. This gives a good
solution for wifi only access, and can be a good interim solution. On all these
solutions, there is no additional license charge above the base cost.
A slightly different approach could include a guest access/802.1X/certificate
approach. There are certainly places where this can (or should) be done, but it’s
clearly not a long-term, strategic, unified solution.
If we choose to block mobile devices completely, the most common approach is
to lock down the wifi and implement MDM restrictions. We can use the built-in
mechanisms from the wifi, such as requiring certs on every endpoint that
connects to the wireless access point.
*** New malware exposures are opening a new issue on personal devices.
Hackers are going after their ability to turn on mics, cameras, GPS tracking
etcetera. The problem is that “high value conversations” (board meetings,
planning sessions, preparation for negotiations, or personal conversations with
loved ones) can expose individuals, but also corporate assets.
14
15. If we want to be more flexible, we want to let mobile devices get onto our
wireless network, but we want to limit access with more granularity. NAC
can do this, & in fact they allow us to provide different levels of access for
different people, groups, roles, and/or device types.
Reiterate a single policy for ALL access.
15
16. If we want to more aggressively extend mobile applications & out to our
users, or to certain classes of users, on top of NAC we should think about
combinations of NAC, VDI & MDM systems.
Multiple levels of security. To complete this, we need to add endpoint
posture & endpoint tools. Some NAC systems can do posture without a
dedicated client.
802.1X can’t do this alone.
16
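One way to express the "single point of policy" from slides 11 and 15, with the posture checks Gartner lists on slide 9, as a decision function. This is an added example, not part of the original presentation; the tier names, role table, field names and sample endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Dict, List, NamedTuple, Optional, Set


class Tier(IntEnum):
    """Access tiers, lowest to highest (names are assumptions for this example)."""
    QUARANTINE = 0  # remediation network only
    GUEST = 1       # internet only
    VDI_ONLY = 2    # virtual desktop session; data never lands on the device
    FULL = 3        # applications and data delivered to the device


# One policy for every way onto the network.
ACCESS_METHODS = ("wired", "wireless", "vpn", "mobile")

# Hypothetical ceiling per user role; unknown roles fall back to GUEST.
ROLE_CEILING = {"sales": Tier.FULL, "staff": Tier.FULL, "contractor": Tier.VDI_ONLY}


@dataclass(frozen=True)
class Endpoint:
    access_method: str
    user_role: Optional[str]      # None: nobody authenticated on the device
    ownership: str                # "corporate" or "personal"
    mdm_enrolled: bool
    os_patched: bool
    av_present: bool
    av_signatures_current: bool
    network_context_ok: bool


class Decision(NamedTuple):
    tier: Tier
    reasons: List[str]


def posture_failures(ep: Endpoint) -> List[str]:
    """Minimum-specification checks named in the Gartner quote on slide 9."""
    failures = []
    if not ep.os_patched:
        failures.append("OS patch level below minimum")
    if not ep.av_present:
        failures.append("no antivirus present")
    elif not ep.av_signatures_current:
        failures.append("AV signatures out of date")
    if not ep.network_context_ok:
        failures.append("unacceptable network context")
    return failures


def decide(ep: Endpoint) -> Decision:
    """Who the user is, what the device is, how secure it is; never how it connected."""
    if ep.access_method not in ACCESS_METHODS:
        raise ValueError(f"unknown access method: {ep.access_method!r}")
    if ep.user_role is None:
        return Decision(Tier.GUEST, ["no authenticated user"])
    failures = posture_failures(ep)
    if failures:
        return Decision(Tier.QUARANTINE, failures)
    ceiling = ROLE_CEILING.get(ep.user_role, Tier.GUEST)
    reasons = [f"role ceiling: {ceiling.name}"]
    if ep.ownership != "corporate" and not ep.mdm_enrolled:
        # Nothing protects data on an unmanaged device, so keep data off it.
        ceiling = min(ceiling, Tier.VDI_ONLY)
        reasons.append("unmanaged personal device: data stays off the endpoint")
    return Decision(ceiling, reasons)


# Constructed sample endpoints (not taken from the presentation).
_LAPTOP = Endpoint("wired", "sales", "corporate", True, True, True, True, True)
_TABLET = replace(_LAPTOP, access_method="wireless", ownership="personal",
                  mdm_enrolled=False)
SAMPLES: Dict[str, Endpoint] = {
    "sales, corporate laptop": _LAPTOP,
    "sales, personal tablet, no MDM": _TABLET,
    "sales, personal tablet, MDM enrolled": replace(_TABLET, mdm_enrolled=True),
    "sales, personal tablet, stale AV": replace(_TABLET, av_signatures_current=False),
    "contractor, corporate laptop": replace(_LAPTOP, user_role="contractor"),
    "visitor, unknown device": replace(_TABLET, user_role=None),
}


def evaluate_samples() -> Dict[str, str]:
    return {name: decide(ep).tier.name for name, ep in SAMPLES.items()}


def tiers_by_method(ep: Endpoint) -> Set[Tier]:
    """The same endpoint must get the same tier over every access method."""
    return {decide(replace(ep, access_method=m)).tier for m in ACCESS_METHODS}


if __name__ == "__main__":
    for name, tier in evaluate_samples().items():
        print(f"{name:40s} -> {tier}")
```
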
17. This is where we want to end up. Even if we do this over a couple of
budget cycles, we should create the vision now. There’s a lot of “feature
overlap” so having a plan is absolutely required. (This is one good place
where InterWorks can help. There are some framing questions that can
make the entire process much more linear.)
This is a good place to talk about market consolidation… emergence of
VDI/MDM convergence vs document classification. Good point for
discussion/dialogue, if time.
=== old presentation ===
And if we want to fully mobilize our workforce, we should be thinking
about a mobile enterprise application management system & ways to push
out the applications, update the applications, push out data, secure the
data, etc.
17
18. When security comes face-to-face with business, rule #1 is “Business
always wins!” Security vs. agility…
And if we want to fully mobilize our workforce, we have to be thinking
about onboarding, offboarding, mobile enterprise application
management system, ways to push out the applications, update the
applications, push out data, secure the data, etc.
So what do NAC and these other technologies look like when implemented?
What does the ultimate approach to all of this look like?
20. CAN’T SECURE WHAT WE CAN’T SEE!!
Grant access vs. limit access approach
Remediation vs. prevention
Agility vs security
Don’t just find the gaps, fill them!
Don’t just find the problems, fix them!
Orders of magnitude faster filling of gaps. If time, discuss the changing landscape of technology integration.
=== old presentation ===
The key problem to address is how to balance “access agility” with security.
[click]
What I mean when I say “access agility” is the ability to have all kinds of people, & all kinds of devices such as
smartphones, connecting to our network through many different types of connections. This is what is happening
today, it is the road warrior experience, & it is driving increases in productivity.
[click]
Of course we have to be concerned about security. We lose a laptop or a smartphone that has corporate data on it,
we have a data loss event. Are all the many devices like iPads running antivirus? We bet they are not, & we don’t
control those devices anyway, so this is a potential threat vector. What does all this mean with respect to
regulations & compliance? It is a concern, because many of these mobile devices are devices that we do not control.
Yet we remain responsible for network security.
[click twice]
To manage these risks & enable the business benefits of accessibility requires a solution that provides visibility &
control which is seamless to the end user & highly automated for IT.
Now … let me expand on the idea of comprehensive visibility, because it is extremely important. We can’t secure
what we can’t see. Let me illustrate what gaps we might have today.
21.
===ADD ===
Continually inspect the device, the traffic, the posture, the “state”…
Let’s see how this cycle works…
1. Visibility into what is on our network. “See” everything: what is on our network, with deep
information about security posture & who is logged into the device.
2. Grant network access as per our security policy. Be flexible, for example if we prefer to
grant access very liberally & only block access to computers that are seriously infected.
This is the stage where we can limit access to just portions of our network, or maybe just
grant Internet access.
3. The fourth step is Remediation. Not only find security gaps, fix them.
4. Continuously inspect the traffic from every network device to protect our network against
attacks.
Let me show you the details of how this entire cycle works. Let’s start with “see”.
22. – in real time – what is on our network.
[click]
detect endpoints, network devices, users & applications.
23. The next step is to grant network access.
Have a range of actions available, from gentle actions such as sending alerts to the
administrator, to educational actions such as telling the user that they are violating a
policy, to more assertive actions such as restricting network access.
If we don’t want unauthorized devices or people on our network…
[click]
remove them. Automatically.
So those unauthorized devices are now gone from our network. But we still might have
some problems with the authorized endpoints themselves. That is where our second
level of automated enforcement comes into play. Automated endpoint remediation.
24. We help find & fix problems with our endpoints.
[click]
Update the operating system.
[click]
Disable USB memory sticks.
[click]
Kill applications we don’t want running.
Automated, saving time & money.
25. Talk about the “range of enforcement” -> gentle actions versus assertive
Even though unauthorized devices are gone, we may still have significant exposures
Good endpoint goes bad
Automate the process
Zeroday??? What to do? What to do!?!
Built-in threat prevention that has the smarts to detect when an otherwise “good”
endpoint has gone bad due to some sort of infection or compromise. Zero-day
protection against threats like Conficker, Zeus, Stuxnet.
27. directly remediate Apple iOS devices. Some of the actions are shown here – we can lock
the device, set the password, wipe the data, etc.
28. If you’d like to download a complimentary whitepaper from the SANS Institute, or from
IDC, drop me an email & I’ll be happy to forward you links.
29. Step 1: Form a committee
The BYOD program will fail if it does not meet the needs of all the constituencies. So we will need a team which includes members from different IT departments (e.g., security, network, endpoint & application) plus a representative sample of users in our organization.
It’s important to discuss who is actually accountable for the success of the BYOD program, & who will be accountable for the enforcement of whatever security policies we decide on. An example of why a committee is important is that in our experience, the IT department should not be held accountable for
enforcement, because that puts IT in a bad position, & the wrong position. The employee works for his business unit, for his manager, & the employee usually has a dotted line relationship to HR. Whatever BYOD policy that our committee develops needs to be an agreement between the employee &
his manager, or between the employee & HR. So if the employee does something against policy, & we have an IT control that discovers the violation, & the IT control revokes the ability for the device to access the network – we want the business unit & the HR department to be the primary stakeholders that
are responsible for that situation between the employee & the organization.
Step 2: Gather data
You need to document the status quo. Review current policies, & make note of the prevailing attitudes toward security &
management. Are they supportive, antagonistic or
indifferent? Identify which departments/groups/individuals have been most active in developing policies in the past.
Gather data about our status quo including
• Counts of devices in use by platform, OS version, company-owned, personally owned or in the hands of
non-company personnel, such as contractors
• Assessment of data currently passing onto & through mobile devices
• Mobile device applications in use, app ownership & app security profiles
• All entry paths used by mobile devices, such as cellular, Wi-Fi, bridge to workstation or VPN
Step 3: Identify & Prioritize Use Cases via Workforce Analysis
To be effective, mobile device policies must be context-oriented to match the reality of a company's use cases. We will
need to plan out:
• How will mobile devices be used?
• Which mobile applications need to be used offline such as on airplanes & in elevators?
• What information will be accessible through mobile devices?
• What information will be stored on the mobile devices?
Step 4: Create an economic model
Step 4 is the point where we can start to create an economic model. We won’t finish it in step 4, because subsequent steps
are going to feed into that model, but this is the right place to start the process.
30. The jury is out as to whether BYOD programs save money or not. Some organizations say they do, some
organizations say they don’t. Even if BYOD does not save us money, it still might be a great thing for our
organization because it will result in productivity gains & employee satisfaction gains. If our company’s
success depends on our ability to hire bright 20-year-olds, & if we are competing for talent, then having a
BYOD program might be an essential element in our corporate strategy.
Some of the costs are shown here – we have device costs & data connectivity costs. We may or may not
choose to give our employees a stipend to cover either. Some companies decide to cover the data plans
for their employees, achieve economies of scale, & not have to worry about hassling with expense
reports. We may wish to provide our employees with 3G or 4G data access for their laptop computers –
turn them into road warriors. Then we have the cost of software licenses. Keeping track of software that
we own, but which is installed on personally owned computers, might be challenging. You’ll need a
tracking system for that. Last on this list are infrastructure costs. We will likely need additional security &
management systems for BYOD. We may choose to deploy a mobile device management system. They
are not cheap. Some strategies for providing network access involve putting the mobile devices directly
on the wireless LAN, some strategies involve putting the mobile devices on the Internet & routing them
back into the network via a VPN. The latter is a much more expensive route to take, & we need to account
for it if that is what we choose to do. Last is the cost for data protection. We may choose to deploy
encryption & data loss prevention tools to BYOD devices.
Step 5: Formulate policies
If yours is a large organization, we may wish to consider different policies for different populations of
users. For example, for the majority of our employees, we might wish to support simple applications like
email & just a small number of mobile devices, like Blackberry & Apple. For another population of users,
for example our sales organization, we might wish to additionally support a sales force automation
package, & we might wish to extend support to Android devices in addition to the Blackberry & Apple
devices. And for key executives, we will provide best-effort support for other applications on these devices,
on a per-request basis. Analysts at Gartner are big proponents of this model, which is the opposite of
“one size fits all”. They call their model “managed diversity.”
When we decide on our policies, we need to strike a balance between user flexibility & security. The user
experience is important & must be taken into account in the new policies. However, user experience is
not the trump card. We cannot allow employees to dictate a path that causes the enterprise to accept too
much risk. Where applications & data will reside on personal devices, companies should set limits on
which personal platforms are supported & should be prepared to limit the types of information made
available to personal devices.
Step 6: Decide how to protect our network
Now that we have a plan for which kinds of devices we are going to allow, & what kinds of applications we
are going to authorize on each device, our next step is to decide how to protect our network from
unauthorized devices, non-compliant devices, rogue devices, & how we are going to limit network access.
The first decision we need to make is how automated we want to get. Some organizations aim for the
lowest possible investment in network security, which is a manual system. Essentially, we can manually
deploy 802.1X configurations & certificates to whichever devices we want to allow on the network, then
we tell our wireless network to block anything that is not correctly configured. If this is our choice, we
don’t need a separate network access control product, but we don’t gain the benefits of network access
control automation. The process of figuring out which devices should receive a certificate & an 802.1X
supplicant is manual, & it is static. If we change our mind in the future, for example we decide we want to
revoke network privileges for certain types of Android systems, then a manual system is very difficult to
work with.
31. A manual 802.1X system is also quite dumb. All it can really do is distinguish devices with certificates &
those without certificates. It can’t perform any sort of compliance check on the endpoint. So go back to
step 5: If our policy is to only allow certain types of devices, with certain types of configurations – for
example, a password if the device is a smartphone, & antivirus if the device is a PC – then we need a
network access control system that can enforce the complexities of our policy.
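The gap between a certificate-only 802.1X check and a posture-aware NAC policy, as an added Python sketch that is not part of the original presentation. The access-level names, endpoint fields and action names are assumptions made for illustration, and the sample endpoints are constructed.

```python
from dataclasses import dataclass

# Access levels, least to most privileged (names assumed for this sketch).
BLOCK, INTERNET_ONLY, LIMITED, FULL = "block", "internet_only", "limited", "full"

@dataclass
class Endpoint:
    """Constructed record of what a NAC system might learn about a device."""
    name: str
    kind: str                  # "smartphone" or "pc"
    owner: str                 # "corporate" or "personal"
    has_cert: bool             # valid 802.1X certificate installed
    has_passcode: bool = False
    has_antivirus: bool = False
    infected: bool = False

def dot1x_only(ep):
    """Manual 802.1X: the only question is certificate or no certificate."""
    return FULL if ep.has_cert else BLOCK

def nac_decision(ep):
    """Posture-aware policy: returns (access_level, enforcement_actions)."""
    if not ep.has_cert:
        # Unknown device: keep it off production, allow guest Internet access.
        return INTERNET_ONLY, ["alert_admin"]
    if ep.infected:
        # A "good" endpoint that has gone bad is blocked despite its certificate.
        return BLOCK, ["alert_admin", "notify_user"]
    fixes = []
    if ep.kind == "smartphone" and not ep.has_passcode:
        fixes.append("require_passcode")
    if ep.kind == "pc" and not ep.has_antivirus:
        fixes.append("install_antivirus")
    if fixes:
        # Non-compliant: restrict access until the listed remediation is done.
        return INTERNET_ONLY, ["notify_user"] + fixes
    # Compliant: corporate devices get full access, BYOD gets a limited segment.
    return (FULL if ep.owner == "corporate" else LIMITED), []

FLEET = [  # constructed sample endpoints
    Endpoint("sales-iphone", "smartphone", "personal", True, has_passcode=True),
    Endpoint("exec-android", "smartphone", "personal", True),
    Endpoint("hr-laptop", "pc", "corporate", True, has_antivirus=True),
    Endpoint("dev-laptop", "pc", "corporate", True, has_antivirus=True, infected=True),
    Endpoint("visitor-tablet", "smartphone", "personal", False),
]

def compare(fleet):
    """Map each endpoint name to (802.1X-only level, NAC level, NAC actions)."""
    return {ep.name: (dot1x_only(ep), *nac_decision(ep)) for ep in fleet}

if __name__ == "__main__":
    for name, (dot1x, level, actions) in compare(FLEET).items():
        print(f"{name:15} 802.1X-only={dot1x:6} NAC={level:14} actions={actions}")
```

Every certificate holder looks identical to the 802.1X-only check, including the infected laptop and the phone without a passcode; the posture-aware policy separates them and attaches a graded response to each.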
Another decision we will need to make is how many wireless networks we are going to deploy. If we have
a network access control system, we can probably get away with one wireless network, or maybe a
two-network scenario in which one wireless network is used for production & another wireless network is
used for open access to the internet. If we have chosen not to purchase a NAC system, then we may need
at least three wireless networks – one for corporate-owned devices, one for BYOD devices, & a third for
Internet access.
Step 7: Decide how to protect our data
In any BYOD project, we need to figure out a way to secure our data. Network access control will protect
data on our network from unauthorized devices & non-compliant devices, but in this step we are trying to
figure out how to protect data on a mobile device. In this scenario, a device has been authenticated, &
the device is (or was) seen to be compliant with security policies, & we are going to let the user access
sensitive data on our network. So how do we protect the data on that device?
There are two basic methods that we will need to choose from: The first method is to deploy a container
onto the mobile device. That container is some sort of mobile app, or maybe multiple apps each with its
own container. The container prevents data from moving from one app to another, & it typically includes
encryption & data loss prevention controls built into the container. Often we will find that mobile device
management products include containers for data. The most popular containerized application is an email
app. If we deploy an email app with a strong container, we can force our users to use that email app for
all corporate email. That will ensure that corporate email does not get mixed with personal email, & it will
ensure that the device communicates to & through whatever data security products we have deployed at
our corporate gateway. For example, suppose we have implemented a content filtering system for all
inbound & outbound email to our organization. The containerized email app that we deploy onto mobile
devices will be forced to send & receive through this content filtering system. This means that our email
security controls will be consistently applied to all employees, no matter what type of device they are
using.
The container also helps us delete data whenever we need to, without fear of deleting the employee’s
valuable personal information. Separation of corporate data from personal data is the goal when we use
containers to protect data.
An alternative approach to protect data is to never let the data get onto the mobile device in the first
place. We can use a hosted virtual desktop product, for example something like Citrix, to allow the
end-user to interact with data, & to see data, but the data always remains firmly on the corporate network.
The data itself never travels onto the mobile device, never gets stored onto the mobile device.
There are two significant drawbacks with this method: First, the user experience tends to be poor,
because the applications tend to emulate a Windows environment. But the employee who is using an
iPhone does not want to interact with a Windows app on his small screen, he wants to interact with a
native iPhone app that has been optimized for his small format screen. The second drawback is the fact
that in this approach, the end-user needs to always have a live Internet connection. If we are on a plane
at 30,000 feet, this approach won’t work. Whatever productivity gains we were hoping to achieve from
the BYOD program, they pretty quickly fall to zero with this approach.
32. That said, BYOD is not only about smartphones, it is also about computers. So a hosted virtual desktop
approach might make perfect sense for employees that wish to use their personal Windows computers
for business purposes.
Step 8: Build a project plan
You will need a plan for implementing whatever controls we want to implement, which might include
• Remote device management
• Application controls
• Policy compliance & audit reports
• Data & device encryption
• Augmenting cloud storage security
• Wiping devices when retired
• Revoking access to devices when end-user relationship changes from employee to guest
• Revoking access to devices when employees are terminated by the company
Step 9: Evaluate solutions
We will be happy to engage with our team & recommend the right solutions for our organization. When
we do evaluate a solution, make sure that we consider the impact on our existing network & how well
the solution will strike the right balance between cost, security, & user concerns. The most secure
solution is never the most usable solution; we need to strike a balance.
Step 10: Implement solutions
Begin with a pilot group from each of the stakeholders' departments
Expand pilot to departments based on our organizational criteria
Open BYOD program to all employees
42. I would like to go back to steps 6 & 7 & give you a little more detailed information about
the various types of enforcement solutions that are available.
43. I hope this has been valuable to you, to understand the different approaches that we
could take to enforce mobile security policies.