Bring Your Own Device - PowerPoint Presentation

Bring Your Own DeviceCould you, would you should you May 2012 Benjamin JH Ramduny

What is Bring Your Own Device ( BYOD)? We say that:“BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a level of control over both the device and the data it can access” Wikipedia has this to say:“Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases”

BYOD in the News

Who is adopting BYOD Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT CIO attitudes that showed 48% of companies would NEVER authorize employees to bring their own devices to the workplace. 57% of IT managers said that employees do it anyway. - Cisco 64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However 52% of companies allowed some form of access. - Absolute Software

Could you BYOD

BYOD Options There are two main options when considering BYOD; augmentation or replacement Augmentation: You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to a mobile/laptop consumerisationOpt in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps.Opt in scheme for employees who are entitled to a corporate phone but also want to use their own handset Replacement:You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devicesOpt in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs)

The BYOD Family Tree Apple iPhone Android Mobile Windows Phone Apple iPad Android Tablet Blackberry Playbook Mobile Phone Tablet Windows Laptop Apple Mac Hand Held Laptop Mobile Device Desktop Device BYOD Note: Desktops and Blackberries are not shown The BYOD policy must detail which items are allowed and the controls that will be applied. When defining the scope of any BYOD implementation consideration must be given to which end user devices * will be allowed. Each device type has its own set of risks and management issues. * * * * * * * *

Strategy and Policy What devices will be subject to BYOD What over arching method of resource access will be used for: Hand held devicesLaptopsHow will the solution and end users be supportedHow will business units be charged for the service Strategy Understanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation Policy Getting the policy right protects the business from the risks associated with BYOD What devices makes and models will be allowed How will Antivirus be handled What actions does the company reserve the right to carry out on an employees personal device (e.g. remote wipe on loss) How will leavers be handled What access controls will be used (Certificate based authentication, Pin Number lengths)

A Quick Survey – Who has a some form of BYOD in their organisation?

Would you BYOD

Why Do It? Increased user mobility Increased user satisfactionHelp retain top performers Increase productivity* Reduce capital costs Helps to attract younger talent*

Laptop Consumerisation Management Options Service Access Virtualisation (VDI)Web Apps OnlyNetwork BootMDM platform with Windows support Desktop on a Pen Drive technologiesAccess ControlNAC PKI / Certificate based Authentication

Laptop Consumerisation Management Solutions Virtualisation Network Boot MDM USB Pros: Secure User gets complete desktop and application suite Cons: Expensive Get it wrong and performance is slow Pros: Secure User gets complete desktop and application suite Uses the full power of the hardware Cons: Requires network access Its not here yet Pros: Leverages Windows inbuilt security No Network dependence Cons: Users might not like you restricting their PC Only a few vendors Pros: Small and light weight Works with any Hardware Full desktop available No Network dependence Cons: New emerging technology

Operating System Security Considerations Enterprise Management Tools Virtualization Pre IOS 4.0 device encryption is weak. Apples iOS release cycles make interception of new versions easier than Android Enterprise management can be accomplished via the Apple iPhone Configuration Utility or by 3 rd party applications: Excitor, Sybase, and Good Technology, Excitor, Mobile Iron and AirWatch. Exchange support also through MS ActiveSync. Citrix Receiver / XenApp VMware through Wyse PocketCloud Pre Android 4.0 (ICS) the native email client does not support ActiveSync with certificate based authentication. Full device encryption weak before Android 3.0 Adhoc and fragmented development cycles makes intercepting new versions difficult Reliance on multiple vendors passing on new patches and OS versions means that many users do not receive the latest security patches and OS’s No native enterprise management tools. Enterprise management can be accomplished via 3 rd party: InnoPath, Good Technology, Excitor, Mobile Iron and AirWatch VMware MVP Citrix Receiver / XenApp (Q409?) Windows phone 7 email client does not support certificate based authentication Devices are not restricted from running unsigned code leaving them at a greater risk of malware attack Comprehensive enterprise management of devices through MS System Center Mobile Device Manager and via 3 rd parties such as: Good Technology, Excitor, Mobile Iron and AirWatch Citrix Receiver / XenApp VMware MVP Mobile Consumerisation Mobile Device Options iPhone Android Windows Phone

Mobile Consumerisation Mobile Device Management MDM products fall into 2 categories Level of containerisation

Mobile Consumerisation Gartner

Should You BYOD

Major Considerations

Major Considerations Protection of Corporate Data Your data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage. Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualised either your corporate applications or the employees entire desktop. On a mobile device you can use an Mobile Device Management solution to enforce some security features on the device itself (e.g. Device encryption, remote wipe if the device is lost). Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solutionDesktop virtualisation can offer the best form of security on a laptop, however there are drawbacks, mainly that many believe that they can use there super powerful personal laptop and get the benefits of using a powerful pc over their older work laptop. Unfortunately laptop power has little relevancy in a thin client/virtual desktop where most the processing is done server side. A second draw back of virtualisation is that the more users on the virtualised infrastructure the slower it gets. It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012 allowing the full power of the laptop to be utilise. Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required. The biggest challenge is how to ensure there is no corporate data on a personal device that is no longer required by the user Reimbursement One of the benefits of a corporate liability mobile device over and personal liability device is that the corporate device is usually able to take advantage of a preferential call tariffs with the service provider. When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee monthly bill and how the organization will reimburse this cost. An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased ware. Questions that need to be addressed are: Can the employee claim back line rental, or receive a stipend, how is the capped. Will the employee be given a benefit in kind to by the device, if so does this have an tax implications Legal Concerns If a MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory rest) then it is important that any employee who is using their personal device is clearly aware of this and that they have signed a EULA. If the employee is expected to travel as part of their role then the organization must consider if there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used)

Major Considerations Vendor Selection When the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way then a vendor selection process needs to be carried out. Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands on demonstrations of the end to end solutions is essential. Getting hand on experiences is crucial to ensuring that any selected product meets your requirement for security and usability, since one can heavily impact on the other. Different vendors have very different strengths and researching which vendors product fits your requirements will be useful.Where possible agree for a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot. Support Strategy In any organization support for the business critical infrastructure is a major concern and an organizations inability to support their infrastructure represents a significant business risk. When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems. When BYOD is adopted there will be significant increase in the number of different types of hardware, drivers, OS configurations and applications that will be in use and so it is important to assess the existing support organizations capability to support the new devices. A BYOD policy must consider if personal devices will be supported and how much time will be spent tying to resolve an issue with a personal device. If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employees laptops or phone is damaged and sent for repair The Cost of Moving to a BYOD Environment Adopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits, however indications from early adopters lead to the conclusion that the savings are not huge. For a secure desktop/laptop replacement project the virtualisation costs or web app development costs an be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also be still need to be purchased for each virtual desktop and the software running on it. BYOD can be restricted to just handheld devices , but again to do this in a secure manner does required some form of Mobile Device Management tool, and all its associated hardware. Define the scope BYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices. Corporate email on a personal mobile device can be the easiest to deploy and depending on the classification of the data being sent over email can be relatively cheap to implement. Matching the scope to the business requirements will help to ensure that the right solution is chosen

Separation of Business and Personal Work life balance is important Using computing devices for both business and pleasure can lead to cross over between the two Guidelines and protections should be in place to protect employees free time and personal data Any tools or technologies must:Protect the business andPreserve the personal

Data Loss Not unique to Bring Your Own Device, but the risk is increased. Must be balanced with controls, policies and governance. Encryption should be mandatory.

Data Loss Walsall Council: 981 records of residents postal votes statements containing names, addresses, date of birth and signatures dumped in a skipHeartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million recordsMalicious software/hack compromises unknown number of credit cards at fifth largest credit card processorNHS: 2664 records lost due to personal laptop stolen from a staff members home containing name, address, date of birth, NHS numbers Data Loss Headlines ‘Today’Data Loss Headlines ‘Tomorrow’ Council: 981 records of residents postal votes statements containing names, addresses, date of birth and signatures found on an iPhone sold on eBay Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million records Malicious app downloaded from the App Store compromised an employees iPad allowing the theft of an unknown number of credit cards at fifth largest credit card processor NHS: 2664 records lost due to personal mobile phone stolen from a staff members home containing name, address, date of birth, NHS numbers Mobile Device Management is crucial when allowing personal mobile phones to access corporate data

ISF survey A total of 53 different representatives from different Member environments. Respondents from the following areas: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11) Respondents from the following areas: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1)

ISF Survey – Question 7 What is the most critical issue your organisation faces when trying to provide security for BYOD? As expected, leakage of business information was the number one answer, however many organisations have stated a different challenge to be their most critical issue for BYOD: Business information left on personal devices sent for repair or disposal Protecting the organisations intellectual property Insecure mobile operating systems, discrepancies between different versions Diversity of mobile platformsUsers are not aware of the risks Device limitations prevent controls to be put in place Separation of personal and business material Cost of support Network access control to the corporate network Maintaining the devices updated with the latest security fixes Executive interference in the planning process HR and Legal concerns eDiscovery requirement for physical access to the device Differing technical capabilities across the geographic spread of the company Buy in User acceptance of corporate fiddling with their own ‘personal’ device Regulations, eg PCI compliance Lack of good management tools

ISF Survey – Question 8 Please share your top three misconceptions about your BYOD experience:Misconceptions included:No need to invest in infrastructure It will be cheaper for the organisationLack of information security funding will prevent this from happening User awareness is enough to prevent business information from being stored locally on the deviceUser awareness, user awareness, user awarenessUser expectations of reduced need for support, no downtime Mobile phones connected to the network will introduce viruses BYOD is easy and the demand for it is high (neither is particularly true) Adding controls to BYOD makes it considerably less attractive to people who wanted it BYOD will affect productivity (either in a good or bad way) BYOD cannot be secured Required for attracting new employees, will increase user satisfaction BYOD is a technology problem Must be usable with every device

ISF Survey – Question 9 Please share your top three tips regarding your BYOD approach: Agree the organisation’s risk appetite before designing a solution Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workableApply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice Work on a mobility strategyPickup early with your architecture team to allow development of deployment strategy, as well as penetration testing teams to assess security Involve legal and HR early enough Deploy in stages – most demand is related to iPhones, so start with one type of devices and be prepared to expand in the future Leverage other investments to enforce or improve security Manage expectations with end users Communicate with your user base in a 2 way manner Do not treat everyone the same – not one size fits all Define your service model early Get a decent MDM and NAC Dual factor authentication Consider laws (eg labour laws) that will mandate specific reimbursements to employees Promote in-house secure App developments and open your own App store

My experience Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all) MDM’s, all of them, are immature, poorly coded and offer more security features than they deliver Getting the EULA right takes timeTraining is one of the most relied on controls, get it in place before go live, make sure its good, ensure every one takes it, repeat it regularlyEngagement with the vendor can help drive product enhancementMinimum 6 digit Alphanumeric PINs

A Quick Survey – Has any one suffered a Security breach as a result of BYOD?

No is No L onger An O ptionBYOD is already in your organisation!There Here

Questions and Answers Questions 30

Thank you Benjamin JH Ramduny KPMG LLP+44 (0)7825 282556ben.ramduny@kpmg.co.uk www.kpmg.co.ukInformation is as valuable as gold yet it can slip through your fingers like water