320 likes | 445 Views
May 2012 Benjamin JH Ramduny. Bring Your Own Device Could you, would you should you. What is Bring Your Own Device ( BYOD)?. We say that:
E N D
May 2012 Benjamin JH Ramduny Bring Your Own DeviceCould you, would you should you
What is Bring Your Own Device (BYOD)? We say that: “BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a level of control over both the device and the data it can access” Wikipedia has this to say: “Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases”
Who is adopting BYOD Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT CIO attitudes that showed 48% of companies would NEVER authorize employees to bring their own devices to the workplace. 57% of IT managers said that employees do it anyway. - Cisco 64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However 52% of companies allowed some form of access. - Absolute Software
BYOD Options There are two main options when considering BYOD; augmentation or replacement Augmentation: You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to a mobile/laptop consumerisation Opt in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps. Opt in scheme for employees who are entitled to a corporate phone but also want to use their own handset Replacement: You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devices Opt in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs)
The BYOD Family Tree The BYOD policy must detail which items are allowed and the controls that will be applied. When defining the scope of any BYOD implementation consideration must be given to which end user devices* will be allowed. Each device type has its own set of risks and management issues. BYOD Mobile Device Desktop Device Hand Held Laptop Mobile Phone Tablet Apple Mac Windows Laptop * * Apple iPhone Android Mobile Windows Phone Apple iPad Android Tablet Blackberry Playbook * * * * * * Note: Desktops and Blackberries are not shown
Strategy and Policy • Strategy • Understanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation • What devices will be subject to BYOD • What over arching method of resource access will be used for: • Hand held devices • Laptops • How will the solution and end users be supported • How will business units be charged for the service • Policy • Getting the policy right protects the business from the risks associated with BYOD • What devices makes and models will be allowed • How will Antivirus be handled • What actions does the company reserve the right to carry out on an employees personal device (e.g. remote wipe on loss) • How will leavers be handled • What access controls will be used (Certificate based authentication, Pin Number lengths)
A Quick Survey – Who has a some form of BYOD in their organisation?
Why Do It? • Increased user mobility • Increaseduser satisfaction • Help retain top performers • Increase productivity* • Reduce capital costs • Helps to attract younger talent*
Laptop ConsumerisationManagement Options • Service Access • Virtualisation (VDI) • Web Apps Only • Network Boot • MDM platform with Windows support • Desktop on a Pen Drive technologies • Access Control • NAC • PKI / Certificate based Authentication
Laptop ConsumerisationManagement Solutions USB Network Boot Virtualisation MDM • Pros: • Small and light weight • Works with any Hardware • Full desktop available • No Network dependence • Cons: • New emerging technology • Pros: • Secure • User gets complete desktop and application suite • Uses the full power of the hardware • Cons: • Requires network access • Its not here yet • Pros: • Leverages Windows inbuilt security • No Network dependence • Cons: • Users might not like you restricting their PC • Only a few vendors • Pros: • Secure • User gets complete desktop and application suite • Cons: • Expensive • Get it wrong and performance is slow
Mobile ConsumerisationMobile Device Options iPhone Android Windows Phone
Mobile ConsumerisationMobile Device Management • MDM products fall into 2 categories • Level of containerisation
Major Considerations Protection of Corporate Data Your data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage. Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualised either your corporate applications or the employees entire desktop. On a mobile device you can use an Mobile Device Management solution to enforce some security features on the device itself (e.g. Device encryption, remote wipe if the device is lost). Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solution Desktop virtualisation can offer the best form of security on a laptop, however there are drawbacks, mainly that many believe that they can use there super powerful personal laptop and get the benefits of using a powerful pc over their older work laptop. Unfortunately laptop power has little relevancy in a thin client/virtual desktop where most the processing is done server side. A second draw back of virtualisation is that the more users on the virtualised infrastructure the slower it gets. It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012 allowing the full power of the laptop to be utilise. Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required. The biggest challenge is how to ensure there is no corporate data on a personal device that is no longer required by the user Reimbursement One of the benefits of a corporate liability mobile device over and personal liability device is that the corporate device is usually able to take advantage of a preferential call tariffs with the service provider. When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee monthly bill and how the organization will reimburse this cost. An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased ware. Questions that need to be addressed are: Can the employee claim back line rental, or receive a stipend, how is the capped. Will the employee be given a benefit in kind to by the device, if so does this have an tax implications Legal Concerns If a MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory rest) then it is important that any employee who is using their personal device is clearly aware of this and that they have signed a EULA. If the employee is expected to travel as part of their role then the organization must consider if there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used)
Major Considerations The Cost of Moving to a BYOD Environment Adopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits, however indications from early adopters lead to the conclusion that the savings are not huge. For a secure desktop/laptop replacement project the virtualisation costs or web app development costs an be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also be still need to be purchased for each virtual desktop and the software running on it. BYOD can be restricted to just handheld devices , but again to do this in a secure manner does required some form of Mobile Device Management tool, and all its associated hardware. Support Strategy In any organization support for the business critical infrastructure is a major concern and an organizations inability to support their infrastructure represents a significant business risk. When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems. When BYOD is adopted there will be significant increase in the number of different types of hardware, drivers, OS configurations and applications that will be in use and so it is important to assess the existing support organizations capability to support the new devices. A BYOD policy must consider if personal devices will be supported and how much time will be spent tying to resolve an issue with a personal device. If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employees laptops or phone is damaged and sent for repair Vendor Selection When the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way then a vendor selection process needs to be carried out. Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands on demonstrations of the end to end solutions is essential. Getting hand on experiences is crucial to ensuring that any selected product meets your requirement for security and usability, since one can heavily impact on the other. Different vendors have very different strengths and researching which vendors product fits your requirements will be useful. Where possible agree for a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot. Define the scope BYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices. Corporate email on a personal mobile device can be the easiest to deploy and depending on the classification of the data being sent over email can be relatively cheap to implement. Matching the scope to the business requirements will help to ensure that the right solution is chosen
Separation of Business and Personal Work life balance is important Using computing devices for both business and pleasure can lead to cross over between the two Guidelines and protections should be in place to protect employees free time and personal data Any tools or technologies must: Protect the business and Preserve the personal
Data Loss Not unique to Bring Your Own Device, but the risk is increased. Must be balanced with controls, policies and governance. Encryption should be mandatory.
Data Loss Mobile Device Management is crucial when allowing personal mobile phones to access corporate data Data Loss Headlines ‘Today’ Data Loss Headlines ‘Tomorrow’ • Walsall Council: 981 records ofresidents postal votes statements containing names, addresses, date of birth and signatures dumped in a skip • Council: 981 records ofresidents postal votes statements containing names, addresses, date of birth and signatures found on an iPhone sold on eBay • Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million records • Malicious app downloaded from the App Store compromised an employees iPad allowing the theft of an unknown number of credit cards at fifth largest credit card processor • Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million records • Malicious software/hack compromises unknown number of credit cards at fifth largest credit card processor • NHS: 2664 records lost due to personal laptop stolen from a staff members home containing name, address, date of birth, NHS numbers • NHS: 2664 records lost due to personal mobile phone stolen from a staff members home containing name, address, date of birth, NHS numbers
ISF survey A total of 53 different representatives from different Member environments. Respondents from the following areas: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11) Respondents from the following areas: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1)
ISF Survey – Question 7 What is the most critical issue your organisation faces when trying to provide security for BYOD? As expected, leakage of business information was the number one answer, however many organisations have stated a different challenge to be their most critical issue for BYOD: • Maintaining the devices updated with the latest security fixes • Executive interference in the planning process • HR and Legal concerns • eDiscovery requirement for physical access to the device • Differing technical capabilities across the geographic spread of the company • Buy in • User acceptance of corporate fiddling with their own ‘personal’ device • Regulations, eg PCI compliance • Lack of good management tools • Business information left on personal devices sent for repair or disposal • Protecting the organisations intellectual property • Insecure mobile operating systems, discrepancies between different versions • Diversity of mobile platforms • Users are not aware of the risks • Device limitations prevent controls to be put in place • Separation of personal and business material • Cost of support • Network access control to the corporate network
ISF Survey – Question 8 Please share your top three misconceptions about your BYOD experience: Misconceptions included: • BYOD is easy and the demand for it is high (neither is particularly true) • Adding controls to BYOD makes it considerably less attractive to people who wanted it BYOD will affect productivity (either in a good or bad way) • BYOD cannot be secured • Required for attracting new employees, will increase user satisfaction • BYOD is a technology problem • Must be usable with every device • No need to invest in infrastructure It will be cheaper for the organisation • Lack of information security funding will prevent this from happening • User awareness is enough to prevent business information from being stored locally on the device • User awareness, user awareness, user awareness • User expectations of reduced need for support, no downtime • Mobile phones connected to the network will introduce viruses
ISF Survey – Question 9 Please share your top three tips regarding your BYOD approach: • Leverage other investments to enforce or improve security • Manage expectations with end users • Communicate with your user base in a 2 way manner • Do not treat everyone the same – not one size fits all • Define your service model early • Get a decent MDM and NAC Dual factor authentication • Consider laws (eg labour laws) that will mandate specific reimbursements to employees • Promote in-house secure App developments and open your own App store • Agree the organisation’s risk appetite before designing a solution • Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workable • Apply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice • Work on a mobility strategy • Pickup early with your architecture team to allow development of deployment strategy, as well as penetration testing teams to assess security Involve legal and HR early enough • Deploy in stages – most demand is related to iPhones, so start with one type of devices and be prepared to expand in the future
My experience Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all) MDM’s, all of them, are immature, poorly coded and offer more security features than they deliver Getting the EULA right takes time Training is one of the most relied on controls, get it in place before go live, make sure its good, ensure every one takes it, repeat it regularly Engagement with the vendor can help drive product enhancement Minimum 6 digit Alphanumeric PINs
A Quick Survey – Has any one suffered a Security breach as a result of BYOD?
No is No Longer An Option BYOD is already in your organisation! There Here
Questions and Answers Questions 30
Thank you Benjamin JH Ramduny KPMG LLP +44 (0)7825 282556 ben.ramduny@kpmg.co.uk www.kpmg.co.uk Information is as valuable as goldyet it can slip through your fingers like water