BYOD:
Beating IT’s
Kobayashi Maru
(the workshop)
Who Am I?
• Michele Chubirka, aka “Mrs. Y.”, Security Architect
and professional contrarian.
• Analyst, blogger, B2B writer, podcaster.
• Researches and pontificates on topics such as
security architecture and best practices.
chubirka@postmodernsecurity.com
http://postmodernsecurity.com
https://www.novainfosec.com/author/mrsy/
@MrsYisWhy
www.linkedin.com/in/mchubirka/
Agenda
• Current State
• Arguing With Reality: The
Psychology Behind BYOD
• Creating a Project Team
• Policies
• Data Classification + User
Classification = Access Control
• Supported Applications and
Resource Matrix
• Tools and Supporting Technologies
• Panel Discussion
• Common Misconceptions
• Some Use Cases
• Takeaways
Our smartphones are among the most sacred and
personal of our possessions, rarely out of sight or mind.
… they are the first thing we touch when we wake in the
morning and the last thing we touch when we go to bed
at night.
They guard our secrets, connect us to the people and
pursuits we care about most; they promise that we never
need be alone, ignored, bored, unknowing, lost, without
a waiting audience to woo.
- Tom Chatfield, technology theorist and writer
Current State
Spiceworks “Weathering the Mobile Storm” survey, October 2014
Gartner Predicts by 2017, Half of
Employers will Require Employees to
Supply Their Own Device for Work
Purposes.
http://www.gartner.com/newsroom/id/2466615
Phones — The Most Popular BYOD Device
Which of the following devices you personally own have you used for work purposes in the last month?
Mobile Phone: 78%
Desktop or Notebook PC: 62%
Tablet: 29%
Multiple responses allowed; N = 995
Gartner User Survey, December 2013
Key Findings, Gartner User Survey, 2013
• Nearly half of respondents spend more than one hour each day working
on private devices.
• 74% say their employer knows of the BYOD device, but 59% of
respondents have no formal agreement.
• According to respondents, 65% of employers permit the use of privately
owned Android-based devices for work purposes.
• 20% of respondents regularly connect private devices to their work
network via VPN.
• 1 in 4 users admitted to having a security issue on their private device in
2013.
• Only 27% felt obliged to report this to their employer.
Device Deployment
CompTIA’s 3rd Annual Trends in Enterprise Mobility study

                                        No BYOD   Partial BYOD   Full BYOD
Small Firms (< 100 employees)             45%         47%           9%
Medium-Sized Firms (100-499 employees)    39%         58%           3%
Large Firms (500+ employees)              51%         46%           3%
Neuroscience,
Psychology
and BYOD:
How IT Gets it
Wrong
• A 2012 survey by Fortinet of 3,872 20-something workers
on BYOD policies found more than half view it as a right,
not a privilege.
• 1 out of 3 would violate a company's security policy that
forbids them using personal devices at work or for work
purposes.
• Research from Samsung found 29% of employees will use
their personal devices in the office without knowing
whether this is permitted by their employer's workplace
policy.
Shadow IT
Rogue IT In the News
• While Secretary of State, Hillary Clinton used a
personal email account to conduct government
business.
• Did not have a government email address during her
time in office.
• Secretary of State Colin L. Powell, who served from
2001 to 2005, also used a personal email address for
official communications.
BYON?
• Scott Gration, U.S. Ambassador to Kenya, refused to
use the embassy’s IT resources.
• Worked out of an embassy bathroom in Nairobi using
his own unsecured commercial Internet connection.
• Used his own computer and a personal Gmail account
to conduct business.
• When staffers had meetings with him, they would sit
on the toilet.
Who’s On Guest
Wireless?
Probably your staff.
Why BYOD Goes Bad
Homunculus Argument
A cognitive fallacy based upon the illusion of Cartesian
Theater: i.e. a little person or homunculus inside the head
watching sensory data on a screen.
Illusion of Cartesian Theater
Physical Boundaries of Mind
• Neuroscientist, V.S. Ramachandran, studies Phantom Limb
Syndrome.
• 60% to 80% of those with amputations experience
phantom sensations, including pain.
• While working with combat veteran amputees, he
discovered that they found relief when they watched
another person massage that person’s own intact limb.
Extended Mind
“Consider two subjects carrying out a mathematical task. The
first completes the task solely in her head, while the second
completes the task with the assistance of paper and pencil. …
as long as the cognitive results are the same there is no
reason to count the means employed by the two subjects as
different.…”
-Neurophilosopher, Andy Clark
The idea that mind is
limited to “skin and skull”
is arbitrary and false.
Beyond Neuroplasticity: The Hybrid Age
“The Hybrid Age is a new sociotechnical
era that is unfolding as technologies merge
with each other and humans merge with
technology …. Externally, technology no
longer simply processes our instructions on
a one-way street…. We don’t just use
technology; we absorb it.”
- Parag Khanna and Ayesha Khanna
Ubiquitous Computing
"The most profound technologies are those that disappear.
They weave themselves into the fabric of everyday life until
they are indistinguishable from it."
- Mark Weiser, Chief Scientist at Xerox PARC
The End of Ownership
• According to Drupal creator and co-founder of Acquia,
Dries Buytaert, industries now succeed by eliminating
production.
• Examples
– Open Source software
– Tesla releases patents
– Uber
– Airbnb
– Spotify and Pandora
Stop Arguing with Reality
BYOD’s Dirty Secrets
• Without an explicit BYOD policy, you have an implicit one,
which is too permissive.
• BYOD can change the profile of your network from “default
open” to “default closed” through onboarding procedures.
• Should really be called “Bring Your Own Compute, with
Caveats, i.e. we will watch what you do and control how you
do it on our network.”
• Like social media, you give up some privacy to get a resource
or an application.
The answer to BYOD cannot be, “No,”
but a qualified “Yes, and….”
How To Begin
BYOD Needs Buy-in Across the Organization
• BYOD will only be successful with input from multiple groups.
• HR could have concerns surrounding possible impact to the
status of non-exempt employees.
• Legal will worry about the protection of confidential material
and how to address the subpoena of a personal device.
• Audit and compliance teams will need assurance that
regulations such as PCI DSS or HIPAA are being followed and
enforced.
• Information Security will want to restrict and control device
access to minimize organizational risk.
Building the Project Team
Involve stakeholders from all areas of the business,
including HR, Finance, Legal and Information Security.
Good BYOD is found in
policies and
procedures.
Intel Peer Research Report, “Insights on the Current State of BYOD”
• Policy is like a donut
and technology
solutions are the
sprinkles.
• You can have a
donut without
sprinkles, but
sprinkles on their
own are pretty
useless.
What’s Missing?
• Does your organization have data
classification with handling
standards?
• Is there user classification with
some kind of identity management?
• Do you have an Acceptable Use
Policy (AUP)?
• How will you know what to protect
without these?
Slow Progress in Policy Creation

                                   2014    2013
Currently have a formal policy      30%     24%
Currently building a policy         37%     40%
Only share best practices           21%     18%
No set policy or practices          10%     12%
Don't know status of policy          2%      6%

Source: CompTIA’s 3rd Annual Trends in Enterprise Mobility study
Base: 400 U.S. end users
Taxonomy: Policy, Standards, Guidelines and Procedures
Definition: Policy
A course or principle of action adopted or proposed by a
government, party, business, or individual.
- Oxford Dictionary
This should be a high level statement.
Definition: Standards
Mandatory activities, actions or rules. Standards give a
policy its support and reinforcement in direction.
- CISSP Exam Guide, Shon Harris
Definition: Guidelines
Recommended actions and operational guides.
- CISSP Exam Guide, Shon Harris
Definition: Procedure
A particular way of accomplishing something.
Detailed series of tasks. Instructions.
Policies + Standards = Requirements
You should have the following in place for BYOD:
– High-level BYOD Policy
– Acceptable Use Policy (AUP)
– End User Agreement (EUA)
– Access Control Policy
– Data Classification and Handling Standards
– Basic User Roles/Classification
– Supported Application and Device Lists
– Resource Matrix, aka Business and Technical Service Catalogs
BYOD Policy
• Leverage templates from Gartner, Corporate Executive Board,
Info~Tech or even the White House
(http://www.whitehouse.gov/digitalgov/bring-your-own-device).
• Learn from other organizations such as academia.
• Make sure to define terms clearly.
– Example: what’s a mobile device?
• Establishes the “rules of engagement” with users.
• Should align closely with your AUP.
• Include references to “supported” applications, operating
systems and devices itemized in a separate standards document.
• Describe categories of access based upon controls: container, full
management or internet-only.
AUP and EUA
• Agreements establish the boundaries between the organization
and the user community for how digital resources may be used.
• Protects the organization and the user by defining the
responsibilities of each party and the consequences to the user
for violation.
• Addresses security issues related to accessing the device in the
event of a malware or data breach.
• Establishes opt-in for device posturing or agent installation on
the users’ hardware.
• Defines privacy and confidentiality issues related to
organization’s vs. user’s data.
Sample AUP Template
https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
End User Agreement
Wisegate sample corporate mobile device acceptable use and security policy
Gartner Condensed User Agreement
Data Classification + User Classification = Access Control
• Data has value and should be organized according to
– Sensitivity to loss
– Disclosure
– Unavailability
• Appropriate application of controls creates the handling standards.
• User roles or personas determine privilege levels.
• Access controls are determined by the intersection of data
classification with user classification.
• If you don’t have full-fledged IAM, then you’ll need to perform some
basic user segmentation.
Sample Data Classification Matrix
Sample Data Handling Matrix
User Classification
“First thing we do, let's kill all the lawyers.”
• If you don’t have BYOD policies in place such as an EUA, you could run
into issues with state, federal and international laws such as the US
Computer Fraud and Abuse Act (CFAA).
• Possible criminal and civil penalties on individuals and companies that
“intentionally access a computer without authorization or exceed
authorization” to obtain “information from any protected computer.”
• CFAA also prohibits individuals and companies from “knowingly caus[ing]
the transmission of a program, information, code, or command, and as a
result of such conduct, intentionally caus[ing] damage without
authorization, to a protected computer.”
http://mi-worklaw.com/how-a-sandbox-can-shore-up-your-byod-program/
BYOD doesn’t start as a
technology problem,
but it quickly becomes one.
What Will You Support?
• Even though you don’t own
the device, what
applications will you license
and/or support on it?
• How will you communicate
and document this?
• Many support costs don’t go
away, they simply shift.
• Don’t try to support
everything.
TCO Comparisons
owned devices. However, if users do not require reimbursement for the use of the tablet, the TCO of
user-owned devices can be as much as 64% lower than that of a fully managed, enterprise-owned
tablet.
Figure 2. TCO Comparison of Enterprise- and User-Owned Tablets
Source: Gartner (December 2014). SBC = Server Based Computing; HVD = Hosted Virtual Desktop
Supported
Application Matrix
Example
Resource Matrix
• Decide what enterprise
applications will be offered for
BYOD users.
• Base it on the data
classification and level of risk
the organization will accept.
• Build the matrix from existing
Business and Technical
Service catalogs.
Service
Catalog
Resource
Matrix
Device Management Categories
• Mobile Device
Management
• Mobile Application
Management
• Containers/Sandbox
Intel Peer Research Report, “Insights on the Current State of BYOD”
Container (Sandbox) Option
• Aka “dual persona”
• Provides a secure space for managed content on the
device.
• All resources, including proprietary applications,
business email, calendar and contacts reside here.
• Accomplished by installation or inclusion of an app.
• User retains full control of the device.
• Admin can wipe content in container.
Containers or Full Device Management
• Offer users choices based on type of data and access they want.
• By offering options, you improve adoption and compliance, but
more work on back-end.
• Containers address users’ privacy concerns and control issues
with BYOD, while still allowing the business to secure its data.
• Full device management is preferred by Information Security
teams.
• Containers not as user-friendly as “native” app experience.
• Sandboxing can be at application level or through creation of
device partition.
Is Your
Infrastructure
Ready for BYOD?
BYOD Infrastructure and Supporting Technologies
• RADIUS
• 802.1X and/or NAC
• LDAP
• Certificate Authority
• Mobile Device Management
(MDM) tools for onboarding
• Endpoint agents
• VDI/DaaS
• Other traditional security
controls
BYOD Infrastructure Technologies:
RADIUS, LDAP, Certificate Authority and 802.1X
• Remote Authentication Dial In User Service (RADIUS)
– Centralized Authentication, Authorization, and Accounting (AAA) for network services
– FreeRADIUS, Radiator, Cisco ISE
• Lightweight Directory Access Protocol (LDAP)
– Based on X.500
– Distributed directory over IP network
– Active Directory most common implementation
• Certificate Authority
– Issues the server certificate that supplicants must validate and, for EAP-TLS, the per-device or per-user client certificates
• 802.1X
– IEEE standard for port-based network access control
– Carries EAP (Extensible Authentication Protocol, RFC 3748) over the LAN as EAPOL; EAP itself is an IETF protocol, not something 802.1X defines
– Frequently used in enterprise wireless
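The following Python is an added example, not code from the slides or from FreeRADIUS, Radiator or Cisco ISE. It models the RFC 2865 Access-Request/Access-Accept exchange between a NAS (the wireless controller or switch) and a RADIUS server: how the User-Password attribute is hidden with chained MD5(secret || authenticator) keystream blocks, and how the NAS verifies the Response Authenticator before trusting an Accept or Reject. The shared secret, user database and fixed Request Authenticator are constructed for the demo.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange, both sides.

Added example; not code from the slides or from FreeRADIUS, Radiator or
Cisco ISE.  The shared secret, user database and Request Authenticator
below are constructed for the demo; a real NAS must draw the authenticator
from a CSPRNG (os.urandom(16)) for every request.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed demo values (not from the slides).
DEMO_SECRET = b"demo-shared-secret"
DEMO_REQ_AUTH = bytes(range(16))   # fixed only so the demo is reproducible
DEMO_USERS = {b"alice": b"correct horse battery"}


def attribute(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header octets too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S+RA), c2 = p2 XOR MD5(S+c1), ..."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of 5.2; the keystream chains on the ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident, req_auth):
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_respond(request, secret, users):
    """RADIUS server: recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    known = users.get(attrs[ATTR_USER_NAME], b"")
    ok = known != b"" and hmac.compare_digest(known, password)
    resp_attrs = b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT,
                         ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def verify_response(response, req_auth, secret) -> bool:
    """NAS side: trust an Accept/Reject only if its authenticator checks out
    against the Request Authenticator we sent and our shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    """Returns (accept_verified, reject_verified, forged_accept_verified)."""
    req = build_access_request(b"alice", DEMO_USERS[b"alice"], DEMO_SECRET, 1, DEMO_REQ_AUTH)
    accept = server_respond(req, DEMO_SECRET, DEMO_USERS)
    bad_req = build_access_request(b"alice", b"wrong", DEMO_SECRET, 2, DEMO_REQ_AUTH)
    reject = server_respond(bad_req, DEMO_SECRET, DEMO_USERS)
    # An on-path attacker flips the Reject into an Accept: the authenticator
    # no longer matches, so the NAS must drop it.
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]
    return (accept[0] == ACCESS_ACCEPT and verify_response(accept, DEMO_REQ_AUTH, DEMO_SECRET),
            reject[0] == ACCESS_REJECT and verify_response(reject, DEMO_REQ_AUTH, DEMO_SECRET),
            verify_response(forged, DEMO_REQ_AUTH, DEMO_SECRET))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Everything that protects this exchange hangs off one shared secret per NAS, mixed into MD5: anyone holding a captured request/response pair can guess the secret offline, so make it long, random and unique per NAS. With EAP carried over RADIUS (RFC 3579) the Message-Authenticator attribute, an HMAC-MD5 over the whole packet, is also required; it is not shown here.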
802.1X Vs. NAC
• Not synonymous.
• 802.1X is an L2 standard and uses a built-in or 3rd
party supplicant to authenticate.
• Network Access Control (NAC) is a logical set of
controls that rely on multiple protocols.
• Can use an in-line L3 device for policy enforcement.
• Generally requires an agent for endpoint profiling.
802.1X Process
Example: Cisco ISE
EAP Comparison Chart

                          | EAP-MD5*                                                            | LEAP*                               | EAP-TLS                                | EAP-TTLS                    | PEAP
Server Authentication     | None                                                                | Password Hash                       | Public Key (Certificate)               | Public Key (Certificate)    | Public Key (Certificate)
Supplicant Authentication | Password Hash                                                       | Password Hash                       | Public Key (Certificate or Smart Card) | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or Public Key
Dynamic Key Delivery      | No                                                                  | Yes                                 | Yes                                    | Yes                         | Yes
Security Risks            | Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack, Session hijacking | Identity exposed, Dictionary attack | Identity exposed                       | MitM attack                 | MitM attack; Identity hidden in Phase 2 but potential exposure in Phase 1

* Don’t use

The MitM risk listed for EAP-TTLS and PEAP applies when the supplicant does not validate the server certificate (issuing CA and server name); pin both in the supplicant profile pushed during onboarding, otherwise a rogue access point can terminate the TLS tunnel and harvest the inner password exchange.
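As an added example (not code from the slides or from any supplicant or RADIUS server), the following Python builds the EAP-MD5 exchange from RFC 3748 section 5.4 as it crosses an 802.1X link, then runs the passive attack behind the chart’s “Identity exposed” and “Dictionary attack” cells: the identity, challenge and response travel in the clear, so an eavesdropper recovers the password at one MD5 per guess. The identity, password, challenge and wordlist are constructed for the demo.

```python
"""EAP-MD5 (RFC 3748 5.4) over 802.1X: the exchange, and why the chart says
"Identity exposed" and "Dictionary attack".

Added example; not code from the slides or from any supplicant or RADIUS
server.  Identity, password, challenge and wordlist are constructed.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4

# Constructed demo values (not from the slides).
DEMO_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_USER, DEMO_PASSWORD = b"alice", b"Summer2014!"
DEMO_WORDLIST = [b"password", b"letmein", b"Summer2014!", b"Winter2014!"]


def eap_packet(code: int, ident: int, type_data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def parse_eap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:length]


def md5_response_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP rule (RFC 1994) reused by EAP-MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def md5_challenge_request(ident, challenge, server_name):
    """Authenticator -> supplicant.  Type-Data: Value-Size(1) Value Name."""
    td = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + server_name
    return eap_packet(EAP_REQUEST, ident, td)


def md5_challenge_response(ident, password, challenge, user_name):
    """Supplicant -> authenticator, same Type-Data layout, 16-octet Value."""
    value = md5_response_value(ident, password, challenge)
    td = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + user_name
    return eap_packet(EAP_RESPONSE, ident, td)


def parse_md5_type_data(type_data: bytes):
    if type_data[0] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge")
    vsize = type_data[1]
    return type_data[2:2 + vsize], type_data[2 + vsize:]


def authenticator_decides(request, response, password) -> bytes:
    """Authentication server: recompute the value, answer Success or Failure."""
    _, rid, rtd = parse_eap(request)
    code, ident, td = parse_eap(response)
    challenge, _ = parse_md5_type_data(rtd)
    value, _ = parse_md5_type_data(td)
    good = (code == EAP_RESPONSE and ident == rid and
            hmac.compare_digest(value, md5_response_value(ident, password, challenge)))
    return eap_packet(EAP_SUCCESS if good else EAP_FAILURE, ident)


def crack_from_capture(identity_response, request, response, wordlist):
    """Passive eavesdropper on the 802.11 link: identity, challenge and response
    are all in the clear, so each candidate password costs one MD5."""
    _, _, id_td = parse_eap(identity_response)
    identity = id_td[1:]                  # Type(1)=Identity, then the string
    _, _, rtd = parse_eap(request)
    _, ident, td = parse_eap(response)
    challenge, _ = parse_md5_type_data(rtd)
    value, _ = parse_md5_type_data(td)
    for cand in wordlist:
        if md5_response_value(ident, cand, challenge) == value:
            return identity, cand
    return identity, None


def demo():
    """Full exchange plus the attack. Returns (server_code, identity, cracked)."""
    id_req = eap_packet(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))          # EAP-Request/Identity
    id_resp = eap_packet(EAP_RESPONSE, 1, bytes([TYPE_IDENTITY]) + DEMO_USER)
    req = md5_challenge_request(2, DEMO_CHALLENGE, b"nas.example.internal")
    resp = md5_challenge_response(2, DEMO_PASSWORD, DEMO_CHALLENGE, DEMO_USER)
    result = authenticator_decides(req, resp, DEMO_PASSWORD)
    identity, cracked = crack_from_capture(id_resp, req, resp, DEMO_WORDLIST)
    assert len(id_req) == 5
    return parse_eap(result)[0], identity, cracked


if __name__ == "__main__":
    print(demo())  # (3, b'alice', b'Summer2014!')
```

EAP-MD5 also derives no keying material, which is the “Dynamic Key Delivery: No” cell: even a successful authentication leaves the wireless session without per-user encryption keys. The tunnelled methods (EAP-TTLS, PEAP) run the password exchange inside TLS so a capture yields nothing to crack, but only if the supplicant validates the server certificate, as the note above the chart says.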
BYOD Supporting Technologies: MDM and VDI
• Mobile Device Management (MDM)
– Jamf, Airwatch, Citrix, MobileIron, Good Technology
• Virtual Desktop Infrastructure (VDI) or Desktop as a
Service (DaaS)
– Citrix, VMware, Microsoft
Some MDM Support Examples
• Good Technology (containerization supports iOS, Android, Windows phone,
BlackBerry)
• Airwatch (containerization supports iOS, Android, Windows 8.x and phone, OSX)
• Samsung KNOX (DISA approved, only works on S4, but works with most MDM)
• Divide (Android, iOS)
• BlackBerry Balance and BES
• MobileIron (containerization supports Android, iOS, OSX, Windows Phone,
BlackBerry)
• MaaS360 (containerization supports iOS, Android, Windows phone and OS, OSX)
• JAMF Casper Suite (iOS, Android, Mac, no container option)
• Citrix XenMobile (containerization supports Android, iOS, Windows OS and phone,
BlackBerry)
Use Cases: What Worked and What Didn’t
• Academia: the original
BYOD environment
• PCI DSS service provider
• Non-profits
• Media company: implicit
BYOD
Banning iPads?
Sample Design
Don’t Rush to Production
• You’ll need to build a proof-of-concept and add a pilot
phase to your project.
• That’s when any weaknesses in your supporting
technologies, processes and procedures become
evident.
• The pilot will provide necessary feedback to adjust the
proposed implementation.
Common Misconceptions
• BYOD is less secure.
• I can say “no” to BYOD.
• BYOD will save us money.
• I have to buy expensive MDM solutions.
• I have to support everything, including
PCs.
• I have to reimburse users to force
adoption.
• We don’t need to consult HR or Legal.
Panel
Takeaways
• Controls should focus on data/resources, not technology.
• Policies become requirements, don’t jump to solutions. You’ll pay for
it later.
• Get executive buy-in on policies and sign-off on design. Otherwise
you’ll be redesigning later.
• Understand hidden costs: licensing and support.
• Start small, with a select number of supported devices.
• Training and end user support is critical.
• Offer options: full device management vs. containerization.
• BYOD is no longer optional.
Questions?
Where Can You Find Me?
Michele Chubirka
Spending quality time in kernel
mode.
Star Trek before Star Wars.
http://postmodernsecurity.com
Twitter @MrsYisWhy
Google+ MrsYisWhy
chubirka@postmodernsecurity.com
