Parag Deodhar presented on securing mobile workplaces at the Enterprise Mobility Summit on May 9th, 2012 in Bengaluru. He discussed how mobility is changing how IT operates as data moves outside of corporate networks. This crossing of the "Lakshman Rekha" or corporate firewall poses security risks. He highlighted issues with bring your own device policies including difficulty securing and managing personal devices on the network. Deodhar argued that organizations need a mobile enterprise strategy including device management, updated security policies, training, and enforcement mechanisms to balance security and productivity in an increasingly mobile workplace.
More and more employees are bringing their own devices and preferred applications into the enterprise, creating what we call the BYODA (BYOD plus Applications) phenomenon. Workers’ behavior and expectations are contributing to the consumerization of IT, where lines of business and users themselves are having an enormous influence on the types of technologies and applications used. While employees expect anytime, anywhere access to their content to get their work done, their CIOs are now expected to support BYOD within their corporate environment.
See this slide deck from a wonderful "Beyond BYOD" presentation by Cisco's Scot Hull, which took place at Stalwart's 3rd Annual Executive Briefing and CIO Roundtable at the Grove Park Inn.
IT Consumerization – iPad’ing the Enterprise or BYO Malware? (Barry Caplin)
Companies are increasingly encouraging employees to purchase their own devices such as smartphones, tablets and laptops to use at work according to a recent survey by CIO magazine. The acronyms BYOC and BYOD (like Bring Your Own Beer - Bring Your Own Computer/Device) have become mainstream technology terms. But what does BYOD mean for the enterprise? Can we mix personally owned devices and enterprise workstations/cellphones in our environment? How do we control configuration and data on personal devices? What about malware and other security concerns? What about improper disclosure of private data and intellectual property? And how will staff get work done when they are busy playing Angry Birds?
Is BYOD the flavor of the week, or is it the future of end-user hardware? Regardless of how security leaders may feel about the concept, we need to be prepared. We must understand what is driving BYOD, how it may, or may not, fit our environments, and have policy and tools ready.
In this interactive session we will discuss: What is IT Consumerization/BYOD? What are the benefits and concerns? Is there a cost savings? What are the Security concerns - BYOMalware? How do we protect data? And how can I start BYOD in my organization?
And yes, you can Bring Your Own Devices to this session!
Secure360 05-13-2013.
Building the Anytime, Anywhere Network - Mobile technologies are opening enormous new business opportunities. Capitalizing on them takes a new approach to networking. To learn more, visit Juniper Networks at: http://juni.pr/CMlpCMPss
Smarter Commerce Summit - IBM MobileFirst Services (Chris Pepin)
IBM's industry-leading business and technology services for strategy/design and development/deployment of mobile applications, devices, communication and IT networks are an integral component of the IBM MobileFirst portfolio. Learn how we can help you begin, accelerate and manage your journey to becoming a mobile-first enterprise.
IBM Connect 2013 BP210 Using a Mobile Approach (Graham Acres)
This session presents strategies to employ when planning to build a mobile application within an IBM Domino environment. Depending upon the need, whether it be mobilizing an existing Domino app, building a new Notes app with mobile components, or building an app that will support mobile first, we'll help you address the challenges that you will face in your project. What devices will I support? Does the business team understand mobile considerations when providing requirements? Does the admin team have the skills to support the mobile environment? Can I take advantage of my existing Domino infrastructure and skills? You'll leave with an understanding of the key considerations involved in building a mobile application strategy for your organization.
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre... (UL Transaction Security)
At the ASUG Georgia Chapter Meeting in May 2014, SECUDE talks about mobility, the use of Bring Your Own Device (BYOD), and the myriad of security challenges businesses are facing, that are inherent to mobility.
Learn about threats to YOUR customer's privacy.
- Googling Your Corporate Privacy Away
- Tools and practices your users are already using that will compromise their privacy.
- Trends in Regulations
- Rules and regulations you need to know to stay current
- Trends in Financial Crimes - New crimes, old crimes with new tools and why your company is so attractive to attackers
- Effective Multicompliance - Tips, Techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity
BlackBerry Enterprise of Things presentation - Gartner IT Expo (BlackBerry)
BlackBerry secures, connects, and mobilizes the enterprise by connecting people, devices, processes, and systems to fully realize a secure “Enterprise of Things.” BlackBerry is no longer about the smartphone, but the smart in the phone and in cars and containers, medical devices and wearables, consumer appliances and industrial machinery, and ultimately the entire enterprise. BlackBerry software secures the Enterprise of Things.
Bring Your Own Device 2014 TeamMate User Conference Palm Desert California (Jim Kaplan CIA CFE)
A presentation for the 2014 TeamMate User Conference as a guide for auditors on bring your own device and mobile device management – an important and timely topic for auditors in all organizations.
The continued expansion of file-based, business-critical information within extended enterprises is changing the storage dynamic in a wide range of industries and organizations. In a series of interviews with U.S. and European enterprises, IDC found that companies are increasing their file-based storage by 40% to 120% a year and place a high priority on boosting the efficiency and reliability of their management processes for file-based information. IDC research indicates that unstructured, file-based data drove a majority of new storage capacity in all organizations' datacenters in 2008 and projects this growth to accelerate, in spite of current economic conditions. By 2012, over 75% of new storage capacity shipped will be dedicated to the storage, organization, and protection of files.
Android in the Enterprise New Security Enhancements: Google and BlackBerry St... (BlackBerry)
BlackBerry and Google have worked together to enhance and simplify secure mobile productivity. The collaboration brings the leader in mobile security together with the world’s most popular mobility platform.
With enterprises rapidly embracing the Android platform to transform their workflows and processes through mobile innovation, Google has made a number of significant improvements in Android-specific security. These enhancements add to Google-provided security services, which are continuously updated to address both new and ongoing threats.
While security at the application and operating system level is critical, enterprises can go further by choosing the right mobility management platform. Building on Google’s security enhancements, BlackBerry Secure EMM Suites deliver the best Android security, productivity, and flexibility, to meet all enterprise use cases.
The complementary solutions delivered by BlackBerry and Google accelerate change while ensuring compliance with corporate security guidelines. This paper describes how these developments work together to keep enterprise Android users productive and protected.
Closing the gaps in enterprise data security: A model for 360 degrees protection (FindWhitePapers)
This paper examines the primary data threats that currently concern chief security officers (CSOs) and IT security management within enterprises, and recommends best-practice techniques to minimize and overcome risks to data security. These best practices have been successfully implemented and deployed in organizations worldwide as components of a holistic data security strategy.
Keynote held at API Days 2014 in Paris. It covers the rapid growth of IoT and how developers can start applying their APIs in order to be ready for this new era of connected hardware.
The Connected Company - Event Anders Vergaderen (Joris Poelmans)
66% of CIOs consider efficient collaboration to be essential for value creation. The majority of information workers' tasks also require collaboration across expertise domains and organisational units, and even across companies. In this session we will examine some cases, pitfalls and best practices which drive collaboration in the new world of work.
THE FACES of the RAILWAY STATIONS / I VOLTI DELLE STAZIONI FERROVIARIE (Alessio Cuccu)
I visited 250 railway stations, Italian and not. I discovered many new places looking for these stations. Visiting these stations I met people and understood who is actually using the train to move. I am starting now by collecting a few shots in this first chapter; other chapters will follow soon.
With employees demanding BYOD, enterprises are faced with crucial decisions regarding security for applications, devices, and network access. This session focuses on the critical path for controlling devices, data, applications, and network access in 2013 and the options available to organizations grappling with mobility security.
Best practices for mobile enterprise security and the importance of endpoint ... (Chris Pepin)
With the rapid growth of smartphones and tablets in the enterprise, CIOs are struggling to secure mobile devices and data across a wide range of mobile platforms. Attend this session to learn best practices around defining a mobile security policy, educating employees about safe computing practices, and deploying a secure technology framework. We'll discuss the benefits of endpoint management solutions like IBM Endpoint Manager in the context of a comprehensive enterprise deployment encompassing smartphones, tablets, PCs and servers.
Software Security for Project Managers: What Do You Need To Know? (Denim Group)
Application-level vulnerabilities have been responsible for a number of very public data breaches and are increasingly a target for a variety of types of attackers. This presentation demonstrates some of the security vulnerabilities that are often introduced during software development projects. It also looks at activities that can help identify these vulnerabilities as well as prevent them from being introduced in the first place. Attendees will take away from the presentation an understanding of software security risks as well as where assurance activities can be included in the project plan to help increase the security of software being developed with a minimum of impact to project schedules and budgets.
Danger has increased in these times, when businesses are getting used to the so-called “New Normal” of work-from-home/work-from-office hybrid models.
Data breaches, one of the most dreaded terms for any business, can cause an organization to lose.
Top Strategies to Capture Security Intelligence for Applications (Denim Group)
Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.
Most company systems do not have a mobile connection. The systems are only accessible within the organization from PCs locally or through VPNs. Sometimes these IT systems can only be accessed from special terminals.
Many companies need to bring important information directly to their coworkers everywhere. Since the employees can’t always be located in the company or be in front of their computer, they often need a mobile connection.
In this session, the focus will be on OWASP Top 10 mobile risks and prevention tips. Hackers’ exploitation of these most common mobile vulnerabilities will be demonstrated in the session.
Mobile trends and academic opportunities presented at Strathmore and JKUAT Un... (Jeremy Siewert)
You are invited to explore the recent developments and announcements of a new portfolio of mobile products and services called IBM MobileFirst. By incorporating mobile capabilities that range from analytics, cloud, security, device management, application development and industry expertise, IBM MobileFirst will help you use mobile in new and unique ways to be more productive and innovative. IBM MobileFirst offers an array of solutions that helps connect, secure, and manage and develop mobile networks, infrastructures, and applications.
Attend this session and learn more about:
- The mobile marketplace - trends, insights, future direction
- Taking a Mobile First approach - what is involved
- Industry use cases
- Demo of sample application
- Q&A
1. “Crossing the Lakshman Rekha”
Mobile Workplace Risks
Enterprise Mobility Summit
9th May 2012, Bengaluru
Parag Deodhar
Chief Risk Officer
2. circa 5000 BC – Treta Yuga
One of the first recorded Social Engineering & Spoofing Attacks takes place…
9 May 2012 Parag Deodhar 2
3. Raavan = RA.One
Sita = Data
Lakshman Rekha = Corporate Firewall & Security Measures
4. Crossing the Lakshman Rekha
• Mobility is reshaping business worldwide. It's also reshaping how IT operates…
• As a CIO / CISO, you like to be in control.
• But mobile and wireless devices are bringing an element of lawlessness to your carefully designed architecture.
• Data goes outside the walls of the enterprise and beyond the “Lakshman Rekha” you have drawn – i.e. all the security measures you have designed for your network.
5. Information Security
• Concerns are still the same
– Confidentiality
– Integrity
– Availability
• But the context has changed…
6. What are we talking about?
• 645 mn+ smart phones*
• 100 mn+ tablets*
• 35 bn+ apps*
• 2G/3G/4G internet connectivity
* Data as of end 2011
8. Sounds familiar?
• The CEO comes to the CIO with a “request” to support his shiny new device.
• If the CIO chooses not to support the device, well… (is that really a scenario?)
• If the CIO chooses to support the device:
– He opens the floodgates to chaos: the COO, CFO, VPs and GMs are in the queue to use the same device for personal use and work too.
– One strategy could be to isolate the CEO and his device into a "test group" in order to buy time to create a BYOD strategy and policy.
– But the ideal strategy would be to bring to the CEO's notice the impact and risks associated with allowing a new device on the network.
9. Once the floodgates are open…
• There’s no controlling the demand for these gadgets.
– Everyone wants a Wi-Fi-enabled laptop or handheld so they can e-mail their colleagues while sitting in the airport lounge or access critical sales applications on their network while meeting with customers.
– Everyone wants a smart phone, a converged device that combines cell phone and handheld functions.
– At worst, these gadgets are status symbols. At best, they increase your workforce’s agility and improve productivity.
– Can you say no?
10. New challenges…
• Consumerisation raises new and significant challenges:
– How do we support these devices if we don’t know what they are?
– How can we secure our networks and data if we can’t control the devices?
– How do we differentiate between corporate and personal data on employee-owned devices that are accessing the network?
12. B.Y.O.Ds.
• The "Bring Your Own Device" trend is increasing by the day.
• Despite security concerns and manageability challenges, there are positive effects associated with the BYOD trend.
• It supposedly lowers costs, increases employee satisfaction and brings about better business outcomes.
– 46%: “policy has increased productivity among end users”.
– “BYOD has improved employee attraction and retention”
– "We have seen a change in morale"
– “Increased job satisfaction”
– “Increased satisfaction with central corporate IT's customer service"
– 47%: “Increased end users' ability to work from home”
13. B.Y.O.D. Challenge
• BYOD blurs the lines between work life and personal life. Context changes throughout the day and sometimes during a single session on Facebook.
• Compliance mandates such as PCI DSS, HIPAA, or GLBA have certain requirements related to information security and safeguarding specific data. Those rules still must be followed even if the data is on a laptop owned by an employee.
• In the event that a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem.
14. Concerns with mobile devices
• Access control
– Who uses the device? At home?
• What is stored on the device? How?
– Stored in mobile devices, cloud storage, SD cards, SIM cards
– Is the data encrypted?
– What happens if the device is lost?
– Can it be remotely deleted?
• How is the data accessed?
– Is it through an encrypted channel?
– Over GPRS, Wi-Fi, Bluetooth…
• How is the data shared?
– social networking on devices
– requests to support new devices
– consumer cloud storage – Dropbox, SkyDrive
• Data Leakage Prevention (DLP) – does it work with mobile devices?
• Use of jail-broken devices
• What apps are installed on the device? Are these apps certified, tested, malware free?
• Device end of life: an exec sold his dead BlackBerry on eBay for $15.50 after he left the company. It turned out the batteries had just run out, and the new owner found hundreds of confidential e-mails still on the handheld.
15. Unknown risks…
What about RIM, Bada, Symbian – ignorance is bliss!
16. Do you have anti-virus on your mobile?
• Symantec says mobile vulnerabilities, almost exclusive to Android, increased by more than 93 percent. More than half of all Android threats collect device data or track users' activities.
• A quarter of the mobile threats identified were designed to make money by sending premium SMS messages from infected phones, which could be even more lucrative than stealing your credit card details.
Hacked Websites Deliver Android Malware
• Websites have been hacked to deliver malicious software to devices running Android, an apparent new attack vector crafted for the mobile operating system.
• The style of attack is known as a drive-by download and is common on the desktop: when someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches.
• Numerous websites had been compromised to execute the attack.
• The malware starts downloading automatically if the hacked website detects that an Android device is visiting, by looking at the web browser's user-agent string, which specifies the device's operating system.
• The hacked websites have a hidden iframe (a window that brings other content into the target web site) at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting the malware.
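As an added example (not from the deck), a small Python checker for the pattern slide 16 describes: it parses a page for hidden iframes that load from another host and, because the attack keys on the user-agent string, compares the page as served to a desktop browser with the page as served to an Android browser. The host names and sample pages are constructed placeholders.

```python
"""
Detector for the drive-by pattern described on slide 16: a compromised page
serves a hidden iframe pointing at a third-party host, often only when the
request's User-Agent looks like an Android browser.  Added example, not
from the original deck; the sample pages and host names are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the same page as served to a desktop browser and to an
# Android browser (as if fetched twice with different User-Agent headers).
PAGE_HOST = "www.example-blog.invalid"
DESKTOP_HTML = "<html><body><h1>Welcome</h1><p>Our latest post.</p></body></html>"
ANDROID_HTML = """<html><body><h1>Welcome</h1><p>Our latest post.</p>
<iframe src="http://payload-host.invalid/a.php" width="1" height="1"
        style="visibility:hidden"></iframe></body></html>"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a 0px or 1px dimension (the classic invisible frame)."""
    value = value.strip().rstrip("px")
    return value.isdigit() and int(value) <= 1


def _is_hidden(attrs):
    """Hidden = suppressed by inline style, or a 1x1 / 0x0 box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


def suspicious_iframes(html, page_host):
    """Return src URLs of hidden iframes that load from a different host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host and is not flagged.
        host = urlparse(src).hostname or page_host
        if host != page_host and _is_hidden(attrs):
            hits.append(src)
    return hits


def ua_conditional_injection(desktop_html, android_html, page_host):
    """
    Hidden off-site iframes present only in the Android-UA response.  Since
    the attack keys on the User-Agent string, diffing the two fetches is
    what exposes it: a desktop-only crawl would see a clean page.
    """
    desktop = set(suspicious_iframes(desktop_html, page_host))
    android = set(suspicious_iframes(android_html, page_host))
    return sorted(android - desktop)


if __name__ == "__main__":
    print("desktop view:", suspicious_iframes(DESKTOP_HTML, PAGE_HOST))
    print("android view:", suspicious_iframes(ANDROID_HTML, PAGE_HOST))
    print("UA-conditional:", ua_conditional_injection(DESKTOP_HTML, ANDROID_HTML, PAGE_HOST))
```

In practice the two fetches come from a crawler that requests each page once with a desktop User-Agent and once with an Android one; any URL returned by ua_conditional_injection is worth blocking at the web filter and investigating on the site itself.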
17. We have content filtering!!!
• Religious Sites Carry More Malware Than Porn Sites
– Religious and ideological websites can carry three times more malware threats than pornography sites, according to research from security firm Symantec.
• Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site
– a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.
20. You need strategy, policy, standards and enforcement
• Create a strategy for managing mobile and wireless devices:
– identify whether there is a business need for a device
– segment your employees by job function and requirements
– decide on the list of devices that IT will (and will not) support
– devise a training plan for users and help desk staffers
– define enforcement mechanisms that will ensure device security
• Update your security policy and standards
– Include mobile device acceptable usage, security standards, provisioning, de-provisioning – all chapters!
• Communicate and train users
21. Enforcement mechanism
• Implement a Mobile Device Management solution
– Centralize management of mobile platforms
– Real-time visibility into the mobile environment
– Administer consistent policies across devices
– Analyze and report critical device information
– Ensure compliance with regulations
– 2-factor authentication
– On BYOD, separate corporate and personal data – use sandboxes / containers
– Avoid copy / storage on the device – if allowed, it should be encrypted
– Install anti-malware
– Remote wipe / lock down devices
– VPN access
– DLP to include mobile devices
– Backup critical data
– Secure cloud storage
– Don’t forget app security
22. Balancing Act!
• As enterprise mobility increases… so must security! But…
OR
• Security should be effective but as transparent as possible – it should not hamper user experience and productivity.