This article explores the challenges and strategies for data protection in Bring Your Own Device (BYOD) environments, and provides a vendor comparison and recommended solution.
BYOD – Enterprise Mobile Data Protection
MSIT 458 – Information Security, November 23, 2013
Techmasters: Rohit Gupta | Aman Sardana | Sean Saager | Xiaofeng Zhu | Zhenyu Zhang
Agenda
• Introduction and Mobility Environments
• BYOD Data Challenges and Strategies
• Vendor Comparison and Recommendations
• The Proposed Solution
Introduction
The Good Old Days of Mobility…
• Fully integrated security, encryption and policy stacks.
• Business email, calendar and contacts only on BlackBerry.
• IT command-and-control, no personal apps allowed.
• Predictable and controlled.
The New Enterprise Mobility
Business: “We need productive employees and maximum returns on mobility without sacrificing security and compliance!”
End User: “Give me the apps and data I need on the devices I want. Without restricting my personal use.”
IT Organization: “How do we protect our assets if we can’t trust or control the device? How do we manage compliance?”
BYOD – Bring your own device
“Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and use those devices to access privileged company information and applications.”
Protecting data from internal and external threats
Data requires protection on devices, in transmission, and when taken outside the network. Mobile data protection is an important issue as many enterprises continue to address regulatory requirements and the consequences of lost and stolen laptops and other mobile devices.
Risking data loss
• The consequences can be extreme.
• One office data breach can incur:
  • Legal fees
  • Disclosure expenses
  • Consulting fees
  • Remediation expenses
• One retail data breach can incur:
  • Credit monitoring expenses
  • Legal settlements
  • Information control audits
Risking viruses & malware
Mobile devices offer little protection against hackers and intrusions. Malware enters the workplace via consumer devices, gains access to other devices and data, and creates the potential for company-wide infections.
Policy enforcement
• IT is challenged by a BYOD workplace.
• Creating device-specific policies is difficult.
• We’ve given up some direct control.
• Solutions for these mobile platforms are immature.
Challenges to productivity
Adopting and enforcing a BYOD strategy:
• Younger employees collaborate in new ways.
• Employees want the freedom to use mobile devices at work.
• Secure access solutions are necessary for empowering employees to work anywhere.
The Trust GAP – BYOD World
Organizations and their employees are eager to reap the benefits of BYOD programs, but despite their desire to embrace the BYOD model, both groups have lingering concerns about BYOD. While businesses are mainly concerned with maintaining security, employees are worried about preserving the convenience they need in order to work from their mobile device, and the privacy they expect regarding the personal information on the device.
The Trust GAP (cont’d)
[Chart: survey results. Source: The MobileIron Trust GAP Survey]
The Trust GAP (cont’d)
Employees are confused about what employers can and can’t see on their mobile devices.
[Chart: Perception vs. Reality]
STRATEGIES
BYOD Strategy – A 5-step guide
“BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades. The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs.” Source: David Willis, vice president at Gartner, 2013
• Consider a Mobile Device Management tool
• Create a BYOD policy
• Manage expectations, and manage applications
• Update your IT department
• Incorporate BYOD in your company’s HR strategy
BYOD Policy
Policy = Simplicity. Focusing on policy is the first step.
• Determine which devices are allowed to access the network.
• Determine which devices you will support.
• Do we require certain software on personal devices before they can join the network?
Manage Applications
Protect corporate data by limiting access through a VPN. For high-level protection, limit access to devices that support VPN connectivity and require a secure connection. Best practices and policy enforcement are essential:
• Are you subject to controls such as HIPAA or PCI DSS?
• If a device is lost, can you wipe the data?
• Do employees know what rights they give up when using a mobile device?
Developing the Solution
Many organizations want to support personally owned mobile devices for business use to drive employee satisfaction and productivity (Bring Your Own Device or BYOD), while reducing mobile expenses.
“A successful BYOD program requires a clear separation of corporate and personal information, apps, and content ad”
Solution Requirements – Security
• All devices should be enrolled into the corporate network
• Provisioning of mobile devices should be secure
• Security policies should be targeted to the right groups/employees
• Restriction of some/all mobile applications
• Complex/multi-character passwords required
• Updates of the mobile OS required
• Encryption of all forms of corporate data
• Tracking and inventory of all devices
• Access control over the corporate email system
• Sanction and disconnect modified or rogue devices
• Selective/full remote wipe of the device
Solution Requirements (cont’d)
• Storage Encryption
  • Focuses on protecting data at rest, stored on the user’s device.
• Network-level Traffic Encryption
  • Implemented as a VPN. For personal devices allowed to connect to an enterprise network, such VPNs take the form of host-to-gateway architectures.
• Application-level Encryption
  • Application-level traffic encryption can be used instead of a VPN when the traffic to be protected involves particular applications.
• Multifactor Authentication
  • Involves two or more types of authentication factors.
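The requirements above (enrollment, password complexity, OS updates, encryption, and sanctioning modified devices with a selective wipe) can be turned into a posture check that an access gateway runs at device check-in. The following is an added illustration, not code from the slides or from any vendor; the posture fields, platform names and version/passcode thresholds are assumptions.

```python
from dataclasses import dataclass

# Assumed minimum OS versions that still receive security updates.
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 3)}
MIN_PASSCODE_LENGTH = 8  # assumed "complex/multi-character" password policy


@dataclass
class DevicePosture:
    """Attributes an MDM agent would report at check-in (constructed fields)."""
    device_id: str
    platform: str             # "ios" or "android"
    os_version: str           # e.g. "7.0.4"
    enrolled: bool            # registered with the MDM before network access
    storage_encrypted: bool   # data-at-rest encryption enabled on the device
    modified: bool            # jailbroken/rooted
    passcode_length: int      # 0 when no passcode is set
    passcode_has_symbol: bool


def parse_version(text: str) -> tuple:
    """Turn '7.0.4' into (7, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def evaluate(dev: DevicePosture) -> tuple:
    """Return (action, reasons). Actions: allow, quarantine, disconnect+selective_wipe."""
    # A modified device cannot be trusted to enforce any policy: disconnect it and
    # selectively wipe the corporate container, leaving personal data untouched.
    if dev.modified:
        return "disconnect+selective_wipe", ["device is jailbroken/rooted"]
    reasons = []
    if not dev.enrolled:
        reasons.append("not enrolled in MDM")
    minimum = MIN_OS_VERSION.get(dev.platform)
    if minimum is None:
        reasons.append(f"unsupported platform {dev.platform}")
    elif parse_version(dev.os_version) < minimum:
        reasons.append(f"OS {dev.os_version} below supported minimum")
    if not dev.storage_encrypted:
        reasons.append("storage encryption disabled")
    if dev.passcode_length < MIN_PASSCODE_LENGTH or not dev.passcode_has_symbol:
        reasons.append("passcode does not meet complexity policy")
    # Any failed requirement sends the device to a remediation network instead of
    # corporate resources; a clean report gets full access.
    return ("quarantine", reasons) if reasons else ("allow", [])
```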
Chosen solution
The Huawei Mobile Device Management Platform offers a good choice for enterprises that want an efficient security management system without worrying about mobile service deployment, and helps enterprises improve the return on investment (ROI).
1. Provides an E2E ability to guard against the disclosure of sensitive data while data is at rest, in motion, being used, or being stored.
2. Creates a secure zone where the enterprise environment and the personal environment are isolated from each other, which helps remove the “Trust Gap”.
3. Exercises deep security management and control of devices and applications.
4. Provides lifecycle-based mobile device management and a complete security management process covering the Acquire, Deploy, Run, and Retire phases.
5. Provides a consistent and secure access means for endpoints, and a unified security policy management platform.
Huawei Data Privacy
• Data transmission
  • Data encryption guarantees data confidentiality and prevents malicious data sniffing or tampering.
• Data security on the server side
  • Remote locking, remote data wipe, and data backup and restoration through interaction with a backend management system.
  • Anti-theft functions, such as global positioning system (GPS) tracking and automatic alarms, ensure that data is not disclosed even when devices are lost.
Huawei Architecture
Huawei Solution Architecture
Smart Mobile Access Client — AnyOffice
The Huawei BYOD security solution provides a unified secure mobile client known as the AnyOffice client. As a simple mobile client, the AnyOffice client provides unique interaction interfaces between users, networks, and applications, making management and maintenance much easier.
Secure Remote VPN Access
The SSL VPN gateway is based on a Huawei high-reliability hardware platform and a dedicated real-time operating system. It has the following features:
• Provides industry-leading system performance, security, and reliability.
• Offers a flexible, secure, and controllable E2E link encryption mechanism for users.
• Protects security during remote VPN access.
Carrier-Class Mobile Threat Defense
The firewall integrates the cutting-edge intrusion prevention and antivirus technologies of Symantec and an industry-leading deep packet inspection (DPI) technology. It also provides professional content security protection capabilities, including a network antivirus (AV) function, an intrusion prevention system (IPS), distributed denial of service (DDoS) defense, and content filtering.
Consistent Network Access Control
SACG is a dedicated access control gateway developed on a Huawei carrier-class firewall hardware platform. It cooperates with the AnyOffice client and an admission control server to provide unified network access control and guarantee consistent policy enforcement in different environments, such as corporate LANs, WLANs, or remote access environments.
Simple Platform for Releasing Mobile Enterprise Applications
Provides an industry-leading mobile enterprise application platform (MEAP) to smoothly migrate enterprise applications. It has the following features:
• Provides a simple integrated development environment (IDE).
• Supports HTML5, native, and hybrid applications, which can be developed once and released repeatedly across the platform, reducing development complexity and saving costs for enterprises.
Cost Benefit Analysis
To measure the ROI of BYOD, the researchers recommended that companies do a cost-benefit analysis in six areas:
• The cost of devices
• Voice and data costs
• Helpdesk costs
• Mobile developer expenses
• Mobility management software costs
• Productivity gained
The ROI Advantage
For employees, BYOD programs often improve productivity and increase job satisfaction. They can also save businesses money by allowing employees to use their personal mobile devices, but a business also spends about an equal amount on data protection software and employees’ monthly data plans. From an overall company standpoint, the Huawei solution will provide a good return on investment. The technology also protects the company from data breaches and the possible lost business that could result from them. More important is the impact on your company’s reputation; you can’t put a price on that. Ultimately, the company implemented BYOD not to save money but to give employees the flexibility to use devices of their choice.