BYOD: Beating IT's Kobayashi Maru

Post on 17-Jul-2015


BYOD: Beating IT’s Kobayashi Maru (the workshop)

Who Am I?

• Michele Chubirka, aka "Mrs. Y.," Security Architect and professional contrarian.

• Analyst, blogger, B2B writer, podcaster.

• Researches and pontificates on topics such as security architecture and best practices.

chubirka@postmodernsecurity.com

http://postmodernsecurity.com

https://www.novainfosec.com/author/mrsy/

@MrsYisWhy

www.linkedin.com/in/mchubirka/

Agenda

• Current State

• Arguing With Reality: The Psychology Behind BYOD

• Creating a Project Team

• Policies

• Data Classification + User Classification = Access Control

• Supported Applications and Resource Matrix

• Tools and Supporting Technologies

• Panel Discussion

• Common Misconceptions

• Some Use Cases

• Takeaways

Our smartphones are among the most sacred and personal of our possessions, rarely out of sight or mind. … they are the first thing we touch when we wake in the morning and the last thing we touch when we go to bed at night.

They guard our secrets, connect us to the people and pursuits we care about most; they promise that we never need be alone, ignored, bored, unknowing, lost, without a waiting audience to woo.

- Tom Chatfield, technology theorist and writer

Current State

Spiceworks “Weathering the Mobile Storm” survey, October 2014


Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes.

http://www.gartner.com/newsroom/id/2466615

Phones — The Most Popular BYOD Device

Which of the following devices you personally own have you used for work purposes in the last month?

[Chart: Mobile Phone (78%), Desktop or Notebook PC (62%), Tablet (29%). Multiple responses allowed. N = 9959.]

Gartner User Survey, December 2013

Key Findings, Gartner User Survey, 2013

• Nearly half of respondents spend more than one hour each day working on private devices.

• 74% say their employer knows of the BYOD device, but 59% of respondents have no formal agreement.

• According to respondents, 65% of employers permit the use of privately owned Android-based devices for work purposes.

• 20% of respondents regularly connect private devices to their work network via VPN.

• 1 in 4 users admitted to having a security issue on their private device in 2013.

• Only 27% felt obliged to report this to their employer.

Device Deployment

[Chart: share of firms reporting No BYOD, Partial BYOD or Full BYOD, by firm size. Values as extracted, in legend order (No BYOD, Partial BYOD, Full BYOD): Small Firms < 100 employees: 45%, 47%, 9%. Medium-Sized Firms 100-499 employees: 39%, 58%, 3%. Large Firms 500+ employees: 51%, 46%, 3%.]

Source: CompTIA’s 3rd Annual Trends in Enterprise Mobility study

Base: 161 small U.S. end users/120 medium U.S. end users/119 large U.S. end users

Neuroscience, Psychology and BYOD: How IT Gets it Wrong

• A 2012 survey by Fortinet of 3,872 20-something workers on BYOD policies found more than half view it as a right, not a privilege.

• 1 out of 3 would violate a company's security policy that forbids them using personal devices at work or for work purposes.

• Research from Samsung found 29% of employees will use their personal devices in the office without knowing whether this is permitted by their employer's workplace policy.

Shadow IT

Rogue IT In the News

• While Secretary of State, Hillary Clinton used a personal email account to conduct government business.

• Did not have a government email address during her time in office.

• Secretary of State Colin L. Powell, who served from 2001 to 2005, also used a personal email address for official communications.

BYON?

• Scott Gration, U.S. Ambassador to Kenya, refused to use the embassy’s IT resources.

• Worked out of an embassy bathroom in Nairobi using his own unsecured commercial Internet connection.

• Used his own computer and a personal Gmail account to conduct business.

• When staffers had meetings with him, they would sit on the toilet.

Who’s On Guest Wireless?

Probably your staff.

Why BYOD Goes Bad

Homunculus Argument

A cognitive fallacy based upon the illusion of Cartesian Theater: i.e. a little person or homunculus inside the head watching sensory data on a screen.

Illusion of Cartesian Theater

Physical Boundaries of Mind

• Neuroscientist, V.S. Ramachandran, studies Phantom Limb Syndrome.

• 60% to 80% of those with amputations experience phantom sensations, including pain.

• While working with combat veteran amputees, he discovered that they found relief when another person massaged their own limb.

Extended Mind

“Consider two subjects carrying out a mathematical task. The first completes the task solely in her head, while the second completes the task with the assistance of paper and pencil. … as long as the cognitive results are the same there is no reason to count the means employed by the two subjects as different.…”

-Neurophilosopher, Andy Clark

The idea that mind is limited to “skin and skull” is arbitrary and false.

Beyond Neuroplasticity: The Hybrid Age

“The Hybrid Age is a new sociotechnical era that is unfolding as technologies merge with each other and humans merge with technology …. Externally, technology no longer simply processes our instructions on a one-way street…. We don’t just use technology; we absorb it.”

- Parag Khanna and Ayesha Khanna

Ubiquitous Computing

"The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it."

- Mark Weiser, Chief Scientist at Xerox PARC

The End of Ownership

• According to Drupal creator and co-founder of Acquia, Dries Buytaert, industries now succeed by eliminating production.

• Examples

– Open Source software

– Tesla releases patents

– Uber

– Airbnb

– Spotify and Pandora

Stop Arguing with Reality

BYOD’s Dirty Secrets

• Without an explicit BYOD policy, you have an implicit one, which is too permissive.

• BYOD can change the profile of your network from “default open” to “default closed” through onboarding procedures.

• Should really be called “Bring Your Own Compute, with Caveats, i.e. we will watch what you do and control how you do it on our network.”

• Like social media, you give up some privacy to get a resource or an application.

Spiceworks “Weathering the Mobile Storm” survey, October 2014

The answer to BYOD cannot be, “No,” but a qualified “Yes, and….”

How To Begin

BYOD Needs Buy-in Across the Organization

• BYOD will only be successful with input from multiple groups.

• HR could have concerns surrounding possible impact to the status of non-exempt employees.

• Legal will worry about the protection of confidential material and how to address the subpoena of a personal device.

• Audit and compliance teams will need assurance that regulations such as PCI DSS or HIPAA are being followed and enforced.

• Information Security will want to restrict and control device access to minimize organizational risk.

Building the Project Team

Involve stakeholders from all areas of the business, including HR, Finance, Legal and Information Security.

Good BYOD is found in policies and procedures.

Intel Peer Research Report, “Insights on the Current State of BYOD”

• Policy is like a donut and technology solutions are the sprinkles.

• You can have a donut without sprinkles, but sprinkles on their own are pretty useless.

What’s Missing?

• Does your organization have data classification with handling standards?

• Is there user classification with some kind of identity management?

• Do you have an Acceptable Use Policy (AUP)?

• How will you know what to protect without these?

Slow Progress in Policy Creation

[Chart: status of BYOD policy, 2014 vs. 2013. Categories: Currently have a formal policy; Currently building a policy; Only share best practices; No set policy or practices; Don't know status of policy. Values as extracted, first series: 30%, 37%, 21%, 10%, 2%; second series: 24%, 40%, 18%, 12%, 6%. Legend order: 2014, 2013.]

Source: CompTIA’s 3rd Annual Trends in Enterprise Mobility study

Base: 400 U.S. end users

Taxonomy: Policy, Standards, Guidelines and Procedures

Definition: Policy

A course or principle of action adopted or proposed by a government, party, business, or individual.

- Oxford Dictionary

This should be a high level statement.

Definition: Standards

Mandatory activities, actions or rules. Standards give a policy its support and reinforcement in direction.

- CISSP Exam Guide, Shon Harris

Definition: Guidelines

Recommended actions and operational guides.

- CISSP Exam Guide, Shon Harris

Definitions: Procedure

A particular way of accomplishing something. Detailed series of tasks. Instructions.

Policies + Standards = Requirements

You should have the following in place for BYOD:

– High-level BYOD Policy

– Acceptable Use Policy (AUP)

– End User Agreement (EUA)

– Access Control Policy

– Data Classification and Handling Standards

– Basic User Roles/Classification

– Supported Application and Device Lists

– Resource Matrix, aka Business and Technical Service Catalogs

BYOD Policy

• Leverage templates from Gartner, Corporate Executive Board, Info~Tech or even the White House (http://www.whitehouse.gov/digitalgov/bring-your-own-device).

• Learn from other organizations such as academia.

• Make sure to define terms clearly.

– Example: what’s a mobile device?

• Establishes the “rules of engagement” with users.

• Should align closely with your AUP.

• Include references to “supported” applications, operating systems and devices itemized in a separate standards document.

• Describe categories of access based upon controls: container, full management or internet-only.

AUP and EUA

• Agreements establish the boundaries between the organization and the user community for how digital resources may be used.

• Protects the organization and the user by defining the responsibilities of each party and the consequences to the user for violation.

• Addresses security issues related to accessing the device in the event of a malware or data breach.

• Establishes opt-in for device posturing or agent installation on the users’ hardware.

• Defines privacy and confidentiality issues related to organization’s vs. user’s data.

Sample AUP Template

https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

End User Agreement

Wisegate sample corporate mobile device acceptable use and security policy

Gartner Condensed User Agreement

Data Classification + User Classification = Access Control

• Data has value and should be organized according to

– Sensitivity to loss

– Disclosure

– Unavailability

• Appropriate application of controls creates the handling standards.

• User roles or personas determine privilege levels.

• Access controls are determined by the intersection of data classification with user classification.

• If you don’t have full-fledged IAM, then you’ll need to perform some basic user segmentation.

Sample Data Classification Matrix

Sample Data Handling Matrix

User Classification

“First thing we do, let's kill all the lawyers.”

• If you don’t have BYOD policies in place such as an EUA, you could run into issues with state, federal and international laws such as the US Computer Fraud and Abuse Act (CFAA).

• Possible criminal and civil penalties on individuals and companies that “intentionally access a computer without authorization or exceed authorization” to obtain “information from any protected computer.”

• CFAA also prohibits individuals and companies from “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”

http://mi-worklaw.com/how-a-sandbox-can-shore-up-your-byod-program/

BYOD doesn’t start as a technology problem,

but it quickly becomes one.

What Will You Support?

• Even though you don’t own the device, what applications will you license and/or support on it?

• How will you communicate and document this?

• Many support costs don’t go away, they simply shift.

• Don’t try to support everything.

TCO Comparisons

owned devices. However, if users do not require reimbursement for the use of the tablet, the TCO of user-owned devices can be as much as 64% lower than that of a fully managed, enterprise-owned tablet.

Figure 2. TCO Comparison of Enterprise- and User-Owned Tablets

Source: Gartner (December 2014)

If Windows applications are delivered to an iOS or Android tablet using server-based computing (SBC) or hosted virtual desktop (HVD) technologies, the TCO increases, in some cases substantially. Organizations need to understand whether this brings a significant benefit to the users, sufficient to recover the investment. Extensive tests on the quality of the user experience will help organizations gain such understanding.

The Economics of BYOPC Programs

BYOPC programs are relatively infrequent today. Users may welcome the opportunity to use their own PCs for work reasons, but are not inclined to give up the enterprise PC, whereas organizations looking into BYOPC often aim to replace corporate PCs with user-owned ones. Organizations are reluctant to embrace BYOPC due to security, management and cost concerns. Securely delivering and managing enterprise applications on user-owned PCs may require substantial infrastructure investments, increases in IT labor costs, and can compromise users' experiences. Our TCO analysis shows that BYOPC programs will not save money unless intangible benefits, such as increased user satisfaction or improved business continuity, are considered.

Gartner, Inc. | G00271207 Page 3 of 6

SBC = Server Based Computing

HVD = Hosted Virtual Desktop

Supported Application Matrix

Example

Resource Matrix

• Decide what enterprise applications will be offered for BYOD users.

• Base it on the data classification and level of risk the organization will accept.

• Build the matrix from existing Business and Technical Service catalogs.
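As an added example, not from the deck or its author, this implements the access decision the Data Classification + User Classification slide describes, capped by the device control category from the BYOD Policy slide (container, full management or internet-only), and derives the Resource Matrix above from it. The classification levels, roles, per-category ceilings and handling controls are constructed assumptions; the decision is default-closed, so an unknown role or category is denied.

```python
# Added example (not from the deck): access decision as the intersection of data
# classification and user classification, capped by the device control category,
# and the Resource Matrix derived from it. All labels below are assumptions.
from dataclasses import dataclass

# Data classification lattice, lowest sensitivity first (assumed labels).
DATA_LEVELS = ("public", "internal", "confidential", "restricted")

# Highest data level each of the deck's three device control categories may
# touch (assumed ceilings).
DEVICE_CEILING = {
    "internet-only": "public",
    "container": "confidential",
    "full-management": "restricted",
}

# Basic user segmentation for sites without full IAM: role -> clearance (assumed).
ROLE_CLEARANCE = {
    "guest": "public",
    "staff": "internal",
    "finance": "confidential",
    "sysadmin": "restricted",
}

# Handling standard: controls the device must enforce per data level (assumed).
HANDLING = {
    "public": set(),
    "internal": {"passcode"},
    "confidential": {"passcode", "encryption", "remote-wipe"},
    "restricted": {"passcode", "encryption", "remote-wipe", "no-cloud-backup"},
}

@dataclass(frozen=True)
class App:
    name: str
    classification: str

def _rank(level: str) -> int:
    return DATA_LEVELS.index(level)

def decide(app: App, role: str, device_category: str) -> tuple[bool, str]:
    """Default-closed: unknown role or category is denied; the app's data level
    must be dominated by both the user's clearance and the device ceiling."""
    clearance = ROLE_CLEARANCE.get(role)
    ceiling = DEVICE_CEILING.get(device_category)
    if clearance is None or ceiling is None:
        return False, "unknown user or device classification (default closed)"
    need = _rank(app.classification)
    if _rank(clearance) < need:
        return False, f"role {role} cleared to {clearance}, app is {app.classification}"
    if _rank(ceiling) < need:
        return False, f"{device_category} capped at {ceiling}, app is {app.classification}"
    return True, "allowed; device must enforce: " + ", ".join(sorted(HANDLING[app.classification]))

def resource_matrix(apps: list[App]) -> dict[str, list[tuple[str, str]]]:
    """Resource Matrix: for each app, the (role, device category) pairs that get it."""
    return {app.name: sorted((r, c) for r in ROLE_CLEARANCE for c in DEVICE_CEILING
                             if decide(app, r, c)[0]) for app in apps}
```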

Service Catalog

Resource Matrix

Device Management Categories

• Mobile Device Management

• Mobile Application Management

• Containers/Sandbox

Intel Peer Research Report, “Insights on the Current State of BYOD”

Container (Sandbox) Option

• Aka “dual persona”

• Provides a secure space for managed content on the device.

• All resources, including proprietary applications, business email, calendar and contacts reside here.

• Accomplished by installation or inclusion of an app.

• User retains full control of the device.

• Admin can wipe content in container.

Containers or Full Device Management

• Offer users choices based on type of data and access they want.

• By offering options, you improve adoption and compliance, but more work on back-end.

• Containers address users’ privacy concerns and control issues with BYOD, while still allowing the business to secure its data.

• Full device management is preferred by Information Security teams.

• Containers not as user-friendly as “native” app experience.

• Sandboxing can be at application level or through creation of device partition.

Is Your Infrastructure

Ready for BYOD?

BYOD Infrastructure and Supporting Technologies

• RADIUS

• 802.1X and/or NAC

• LDAP

• Certificate Authority

• Mobile Device Management (MDM) tools for onboarding

• Endpoint agents

• VDI/DaaS

• Other traditional security controls

BYOD Infrastructure Technologies: RADIUS, LDAP, Certificate Authority and 802.1X

• Remote Authentication Dial In User Service (RADIUS)

– Centralized Authentication, Authorization, and Accounting (AAA) for network services

– FreeRADIUS, Radiator, Cisco ISE

• Lightweight Directory Access Protocol (LDAP)

– Based on X.500

– Distributed directory over IP network

– Active Directory most common implementation

• Certificate Authority

• 802.1X

– IEEE standard for port-based network access control

– Defines EAP (Extensible Authentication Protocol)

– Frequently used in enterprise wireless

802.1X Vs. NAC

• Not synonymous.

• 802.1X is an L2 standard and uses a built-in or 3rd party supplicant to authenticate.

• Network Access Control (NAC) is a logical set of controls that rely on multiple protocols.

• Can use an in-line L3 device for policy enforcement.

• Generally requires an agent for endpoint profiling.

802.1X Process

Example: Cisco ISE

EAP Comparison Chart

EAP-MD5*

– Server Authentication: None

– Supplicant Authentication: Password Hash

– Dynamic Key Delivery: No

– Security Risks: Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack, Session hijacking

LEAP*

– Server Authentication: Password Hash

– Supplicant Authentication: Password Hash

– Dynamic Key Delivery: Yes

– Security Risks: Identity exposed, Dictionary attack

EAP-TLS

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: Public Key (Certificate or Smart Card)

– Dynamic Key Delivery: Yes

– Security Risks: Identity exposed

EAP-TTLS

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: CHAP, PAP, MS-CHAP(v2), EAP

– Dynamic Key Delivery: Yes

– Security Risks: MitM attack

PEAP

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: Any EAP, like EAP-MS-CHAPv2 or Public Key

– Dynamic Key Delivery: Yes

– Security Risks: MitM attack; Identity hidden in Phase 2 but potential exposure in Phase 1

* Don’t use

BYOD Supporting Technologies: MDM and VDI

• Mobile Device Management (MDM)

– Jamf, Airwatch, Citrix, MobileIron, Good Technology

• Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS)

– Citrix, VMware, Microsoft

Some MDM Support Examples

• Good Technology (containerization supports iOS, Android, Windows Phone, BlackBerry)

• Airwatch (containerization supports iOS, Android, Windows 8.x and Windows Phone, OS X)

• Samsung KNOX (DISA approved, only works on S4, but works with most MDM)

• Divide (Android, iOS)

• BlackBerry Balance and BES

• MobileIron (containerization supports Android, iOS, OS X, Windows Phone, BlackBerry)

• MaaS360 (containerization supports iOS, Android, Windows Phone and Windows OS, OS X)

• JAMF Casper Suite (iOS, Android, Mac, no container option)

• Citrix XenMobile (containerization supports Android, iOS, Windows OS and Windows Phone, BlackBerry)

Use Cases: What Worked and What Didn’t

• Academia: the original BYOD environment

• PCI DSS service provider

• Non-profits

• Media company: implicit BYOD

Banning iPads?

Sample Design

Don’t Rush to Production

• You’ll need to build a proof-of-concept and add a pilot phase to your project.

• That’s when any weaknesses in your supporting technologies, processes and procedures become evident.

• The pilot will provide necessary feedback to adjust the proposed implementation.

Common Misconceptions

• BYOD is less secure.

• I can say “no” to BYOD.

• BYOD will save us money.

• I have to buy expensive MDM solutions.

• I have to support everything, including PCs.

• I have to reimburse users to force adoption.

• We don’t need to consult HR or Legal.

Panel

Takeaways

• Controls should focus on data/resources, not technology.

• Policies become requirements; don’t jump to solutions. You’ll pay for it later.

• Get executive buy-in on policies and sign-off on design. Otherwise you’ll be redesigning later.

• Understand hidden costs: licensing and support.

• Start small, with a select number of supported devices.

• Training and end user support is critical.

• Offer options: full device management vs. containerization.

• BYOD is no longer optional.

Questions?

Where Can You Find Me?

Michele Chubirka

Spending quality time in kernel mode.

Star Trek before Star Wars.

http://postmodernsecurity.com

Twitter @MrsYisWhy

Google+ MrsYisWhy

chubirka@postmodernsecurity.com