B.Y.O.D. Ryan Backus Taurean Boyd Kenneth Brenner Edison Bylyku.
To increase the efficiency of employees and reduce costs, companies have been merging personal and business devices. Today mobile devices pack impressive computing capabilities. This has allowed employees to conduct work remotely and take care of personal tasks on the same device. This is a cultural shift to accommodate the need for greater productivity, collaboration and a generation of early adopters of mobile technology. Typical user allocation is no longer a simple 1 to 1 computer to LAN connection (Holtsnider, 2012). Value creation should come from the acceptance of new business models in the workplace (Carruthers).
BYOD Readiness Assessment – Let’s Have Some Fun. This is a high-level view to help begin the process of setting security policies. There are many product-driven assessments available free on the Internet.
What is NIST? • Government agency founded in 1901 • Mission: • Solve science and technology challenges in support of U.S. industry • Develop technical, physical, administrative and management standards, guidelines and testing/analysis methods in support of cost-effective security and privacy of sensitive federal information
Mobile Devices – Defined by NIST. It is important to recognize the nature of mobile devices and define the baseline of features that make up a mobile device: • Small form factor • Wireless connectivity capable • Local storage • Not a full-fledged desktop-like OS • Third-party application support • Syncing/synchronizing • NFC • GPS • Camera, microphone
Mobile Device – Standards and Guidelines. Must fulfill key security principles: Security / Integrity / Availability, with focus on: • Physical security controls • Application layer • Access controls. Utilize centralized mobile device management technologies to: • Manage configuration and updating • Ensure security settings and access control to the internal network • Control and segregate applications
Mobile Device – Recommended Key Guidelines • Develop system threat models for mobile devices and the systems they integrate with • Implement information security measures at all levels: Policy / Encryption / Access Control / Application Management • Create controlled environments for testing and quality assurance before production • Ensure through pre-staging that mobile devices meet policy and standard requirements prior to deployment
Privacy and Security - Risks. Mobile device features = vulnerabilities • Small form factor – Higher risk of loss and theft • Easy access – Prone to unauthorized access • Data storage/transfer – Malware and SPAM infection • Camera/microphone – Can be used to eavesdrop through remote spy software
Privacy and Security - Perspective • Common APIs and SDKs for mobile devices mean malware can be developed for a wide range of devices • BYOD methodology adds to the privacy and security challenge • Segregation of personal and work data and applications • Using only guidelines and consent forms to overcome the privacy rights of BYOD users is not enough • Resolving the privacy and security concerns of BYOD solutions is in the best interest of not just organizations but also end users
Acceptable Use Policy for BYOD • Although BYOD increases employee efficiency, it opens the door to data theft, loss, and improper use. An important mechanism for reducing these vulnerabilities is a formal Acceptable Use Policy (AUP) • The purpose of establishing an AUP is to provide guidelines for acceptable/unacceptable actions when using BYOD • Having an acceptable use policy promotes desirable device usage and effective security behaviors. Employees will be explicitly prohibited from misusing the devices, whether negligently or intentionally.
Acceptable Use Policy Goals • To make the AUP successful, it should adhere to four primary goals: • Ensuring the integrity, reliability, and security of the organization's assets • Ensuring the use of devices is consistent with the principles of the organization • Ensuring the devices are used for their intended purposes • Establishing guidelines for addressing violations and outlining sanctions for violators
Goal 1 – Ensuring integrity, reliability, and security • Acceptable use of shared mobile devices will maintain the integrity, reliability, and security of the organization's assets. The assets are primarily the organization’s data and network • AUP will address security measures to be used for both the device’s software and the device itself • By following the guidelines for data storage/transmission, security updates, and physical device storage, employees will increase the integrity, reliability, and security of the organization and its data
Goal 2 – Ensuring Device Use Aligns with Org’s Principles • The AUP needs to address areas such as downloading illegal material, hacking, and accessing pornography as prohibited • If device use is not consistent with the principles of the organization, it can open the organization up to lawsuits
Goal 3 – Ensuring Devices Used for Intended Purposes • A high proportion of security incidents caused by employees are the result of malpractice and negligence. • To prevent this, the AUP must outline the intended purposes for using BYOD. • The AUP can also shield the organization from lawsuits over employee actions. If employees are fired for improper actions that were not documented as unacceptable, they could sue for wrongful dismissal.
Goal 4 – Establishing AUP Violation Responses • The AUP not only outlines desirable device usage, it also guides the organization in responding to unacceptable use. • To deter employees from violations and ensure equality, the AUP will contain instructions on how to handle violations • The level of repercussions should align with the organization’s stance on employee misconduct.
Recommendations • To increase effectiveness, the AUP should clearly articulate its specific purpose, which is to promote acceptable use of BYOD. • Most organizational policies that deal with technology are too technically oriented. The AUP must also focus on issues such as trust, ethics, and integrity of employees • Creation of the AUP should involve multiple departments to increase the diversity of knowledge. This will also increase buy-in for the policy
How does a corporation introduce BYOD? Mobile Device Management Software And Desktop Virtualization
What is Mobile Device Management? • The idea of extending existing policies that are used to protect important information to mobile devices. • Achieved by controlling the applications and configurations of these mobile devices to provide additional security measures.
How does it work? Answer: Client – Server Architecture Policies are created and stored in a centralized location (Mobile Device Management Server). Client applications are installed on the remote mobile devices via App Store or another method. Policies are distributed OTA (Over-The-Air) to the mobile devices and their client applications enforce the policies. Information about the device’s state is periodically sent back to the MDM server and used to generate reports.
What are the advantages of MDM? • Cloud-based, so updates are automatic and painless • Grants remote configuration and monitoring • Passwords, blacklists and other security policies can be enforced • Provides backup/restore functionality of corporate data • Provides for logging/reporting for compliance purposes • Remote disconnection or disabling of unauthorized devices and applications • Scalable, so new users and increasingly sophisticated devices can be accommodated easily
Who develops this software? Good Technology MobileIron Zenprise AirWatch
What is Desktop Virtualization? • The concept of generating an instance of a desktop environment for a user but storing it on a centralized server instead of on dedicated hardware. • The user can connect to that instance seamlessly through various different devices.
How does it work? For each user, a virtual desktop instance is created which has its own operating system and dedicated virtual storage and individual copies of applications. The user connects through their device to a virtual desktop manager server. The server checks for the user’s assigned virtual desktop instance and connects the user to that instance.
What are the advantages? • Provides scalability, since provisioning of new desktops is fairly easy • Lower cost of deploying new desktops and applications • Centralized desktops provide increased data security • Provides secure remote access to an enterprise desktop environment
Who provides the service? VMWare Unidesk Cloudshare
USER COMPLIANCE • C.I.A • LEGAL • LEARNING THEORIES • TRAINING
Is this statement true? Maintaining security is more of a management function than a technological solution. How do you respond to this statement? Technology is a tool used or misused regardless of a strong security policy. Why is this? I found user adherence and training to be an underrepresented area in security management literature.
C – Ensure that transmitted and stored data cannot be read by unauthorized parties. I – Detect any intentional or unintentional changes to transmitted data. A – Ensure that users can access resources using mobile devices whenever needed. • 1. General Policy • Restrict user and application access to the built-in web browser (i.e. thin client solution) • Restrict user and application access to hardware (peripheral functions: camera, mic) • Manage Wi-Fi and Bluetooth interfaces • Automatically monitor, detect and report policy violations. • 2. Data Communications and Storage • Encrypt – VPN • Remotely wipe the device with 3rd-party software (or use thin client access to an application server so little data is stored locally) • 3. User and Device Authentication • Require domain authentication • Lockout enabled
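The MDM slide above describes the loop the server runs: a central policy is pushed over the air, the client agent reports device state back, and the server checks that state against the policy to generate reports. The policy slide here lists the controls that loop should verify (encryption, lockout, authentication, automatic violation reporting). The following is an added example, not code from the presentation or from any MDM product, showing what that server-side check looks like in Python. The policy values, device reports, violation codes and the allow/notify/quarantine actions are all constructed assumptions for illustration.

```python
# Added example, not from the presentation: a minimal MDM-style policy
# evaluator. The central policy and every device report below are
# constructed sample data; the violation codes and actions are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Central policy as the MDM server would store it and push it over the air.
POLICY = {
    "min_os_version": (4, 1),            # (major, minor); constructed value
    "require_passcode": True,
    "max_failed_unlocks": 10,            # lockout must trigger at or below this
    "require_storage_encryption": True,
    "allow_jailbroken": False,
    "blocked_apps": {"example-file-sharing-app"},  # placeholder app name
    "max_report_age_hours": 24.0,        # a silent device is treated as unknown
}

# Violations serious enough to cut the device off from the internal network.
CRITICAL = {"JAILBROKEN", "STORAGE_NOT_ENCRYPTED", "BLOCKED_APP", "STALE_REPORT"}


@dataclass
class DeviceReport:
    """State the client agent sends back to the MDM server periodically."""
    device_id: str
    os_version: Tuple[int, int]
    passcode_set: bool
    failed_unlock_limit: int      # 0 means no lockout configured on the device
    storage_encrypted: bool
    jailbroken: bool
    installed_apps: Set[str]
    hours_since_report: float


def evaluate(report: DeviceReport, policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for one report (empty = compliant)."""
    violations: List[str] = []
    if report.hours_since_report > policy["max_report_age_hours"]:
        violations.append("STALE_REPORT")
    if report.os_version < policy["min_os_version"]:
        violations.append("OS_OUTDATED")
    if policy["require_passcode"] and not report.passcode_set:
        violations.append("NO_PASSCODE")
    if (report.failed_unlock_limit == 0
            or report.failed_unlock_limit > policy["max_failed_unlocks"]):
        violations.append("LOCKOUT_NOT_ENFORCED")
    if policy["require_storage_encryption"] and not report.storage_encrypted:
        violations.append("STORAGE_NOT_ENCRYPTED")
    if report.jailbroken and not policy["allow_jailbroken"]:
        violations.append("JAILBROKEN")
    for app in sorted(report.installed_apps & policy["blocked_apps"]):
        violations.append(f"BLOCKED_APP:{app}")
    return violations


def action_for(violations: List[str]) -> str:
    """Map violations to the enforcement action the server would issue."""
    if not violations:
        return "allow"
    if any(v.split(":", 1)[0] in CRITICAL for v in violations):
        return "quarantine"   # revoke internal-network access until remediated
    return "notify"           # user gets a remediation notice, access continues


def compliance_report(reports: List[DeviceReport],
                      policy: dict = POLICY) -> Dict[str, dict]:
    """Build the per-device compliance record used for reporting."""
    out: Dict[str, dict] = {}
    for r in reports:
        v = evaluate(r, policy)
        out[r.device_id] = {"violations": v, "action": action_for(v)}
    return out


# Constructed device reports: one clean, one jailbroken with a blocked app,
# one with weak lock settings, one that has gone silent on an outdated OS.
SAMPLE_REPORTS = [
    DeviceReport("dev-001", (4, 2), True, 10, True, False, {"mail"}, 1.0),
    DeviceReport("dev-002", (4, 2), True, 10, True, True,
                 {"mail", "example-file-sharing-app"}, 2.0),
    DeviceReport("dev-003", (4, 1), False, 0, True, False, set(), 0.5),
    DeviceReport("dev-004", (4, 0), True, 10, True, False, {"mail"}, 72.0),
]

if __name__ == "__main__":
    for device, record in compliance_report(SAMPLE_REPORTS).items():
        print(device, record["action"], record["violations"])
```

The stale-report check is the detail worth noting: a device that stops reporting is not assumed to be compliant, because the server has no evidence either way, so it is quarantined until it checks in again. Run stand-alone, the script prints one line per constructed device with its action and violations.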
LEGAL -Who owns, manages and services the device? Should count towards ISO 27001 corporate assets as a risk. Maintenance of the device? Upgrades/patches, sync time logs, device access for forensic analysis. -Consent needed from the employee for loading software on personal machines. -Security settings must comply with the manufacturer’s terms and warranty. -Integrate the security policy with regulations, i.e. HIPAA/FISMA/Sarbanes-Oxley.
Keeping it Real….User Compliance -Users are smart. I just “jailbreak” my Kindle Fire, essentially bypassing unwanted features. -I use my PDA for personal and work functions already with a company BYOD adoption. -How do I know a 3rd-party app is trusted against a man-in-the-middle attack? (IBM asked 400K employees to delete Dropbox as it was a known clouding breach.) -Device-to-device malware. Scan a QR code, device can act as a USB thumb drive, etc. -Lack of disclosure or incident reporting. -The more restrictions (whitelisting), the more false sense of security. -Likely workers can find a workaround in favor of greatest productivity. -Lack of ongoing monitoring and measuring to verify compliance.
Training doesn’t always transfer learned knowledge if not aligned with daily habits… The Myers-Briggs Type Indicator (MBTI) can help determine the impact of personality patterns and reduce conflict when collaborating with groups.
• User Empowerment Inventory (“transference”): problem-solving tasks that support user comments and feedback, based on a survey soliciting cognitive processes and motivational awards. • Problem-Based Oriented Education: stimulate interaction with bots through a network management station that hosts a network application, a user-centered tutoring approach. • Process-Oriented Training: a functional employee specializing in a single task with a holistic understanding of organizational impact. • Knowledge Management: transfer knowledge, i.e. a mentor-mentee program with evaluation tasks. Encourages peer learning, ownership and empowerment.
TRAINING -Training can be delivered in-house, computer-based or targeted. -Are guidelines, roles and responsibilities well communicated? -“Entrapment” is a popular approach: give employees the experience of a security audit failure, which is a direct user approach. -Is a 24/7 helpdesk available to users?
“…Human error is overwhelmingly stated as the greatest security weakness this year…86% of all incidents are from phishing attacks…unless robots replace the human workforce, human error is an issue that companies will continue to deal with.” (Deloitte, 2009). RSA, March 2011: the attack began as a social network attack and manifested into “higher value attacks” …If only the users had reported suspicious email and account lockouts…. Data loss has an average cost of 2-5% of total revenue.
Bib
• http://en.wikipedia.org/wiki/Mobile_device_management
• http://www.informationweek.com/mobility/business/byod-requires-mobile-device-management/229402912
• http://www.itworld.com/mobile-wireless/163465/how-mobile-device-management-works?page=0,3
• http://www.webroot.com/En_US/business/articles/mobile-device-management-do-you-need-it
• http://etutorials.org/Mobile+devices/mobile+wireless+design/Part+Four+Beyond+Enterprise+Data/Chapter+16+Mobile+Information+Management/Mobile+Device+Management/
• http://web.ccsu.edu/neasc/selfstudy/virtual%20desktop%20infrastructure%20-%20vmware.htm
• http://en.wikipedia.org/wiki/Desktop_virtualization
• Alan, D. C. (2009). Who's watching your six in cyberspace? Signal, 63(11), 42.
• Berrong, S. (2009). Creative approaches to security awareness training. Security Management, 53(7), 40.
• Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3), 201-209.
• Herath, H. M. P. S., & Wijayanayake, W. M. J. I. (2009). Computer misuse in the workplace. Journal of Business Continuity & Emergency Planning, 3(3), 259–270.
• Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end-user security behaviours. Computers & Security, 24(2), 124–133.
• Holtsnider, B. (2012). BYOD Implications. In IT Manager's Handbook.
• Carruthers, R. (n.d.). Certain Limitations of Reputation-based Schemes in Mobile Environments. Retrieved September 27, 2012.
• "Guidelines for Managing and Securing Mobile Devices on the Enterprise Network." NIST, July 2012. Web. 6 Dec. 2012.
• Le Vie, Jr. "Methods for Measuring Knowledge-transfer Effectiveness in User and Training Documentation." IEE, Sept. 1998. Web. 5 Dec. 2012.
• "Process-Oriented User Training for Enterprise Resource Planning Systems." IEEE Xplore. N.p., May 2009. Web. 05 Dec. 2012.
• Caldwell, T. (2012). Training – the weakest link. Computer Fraud & Security, 2012(9), 8-14. ISSN 1361-3723, doi:10.1016/S1361-3723(12)70091-X. http://www.sciencedirect.com/science/article/pii/S136137231270091X
• Waly. "Improving Organisational Information Security Management: The Impact of Training and Awareness." IEEE Xplore. N.p., n.d. Web. 06 Dec. 2012.
• Yusof, A. N. M. "Quality and Effectiveness of Knowledge Management Transfer Using of Mentor-mentee Program and on Job Training in Work Place." IEEE Xplore. N.p., May 2012. Web. 05 Dec. 2012.