BYOD: Beating IT's Kobayashi Maru


Transcript of BYOD: Beating IT's Kobayashi Maru

Page 1: BYOD: Beating IT's Kobayashi Maru

BYOD: Beating IT’s Kobayashi Maru (the workshop)

Page 2: BYOD: Beating IT's Kobayashi Maru

Who Am I?

• Michele Chubirka, aka "Mrs. Y.,” Security Architect and professional contrarian.

• Analyst, blogger, B2B writer, podcaster.

• Researches and pontificates on topics such as security architecture and best practices.

[email protected]

http://postmodernsecurity.com

https://www.novainfosec.com/author/mrsy/

@MrsYisWhy

www.linkedin.com/in/mchubirka/

Page 3: BYOD: Beating IT's Kobayashi Maru

Agenda

• Current State

• Arguing With Reality: The Psychology Behind BYOD

• Creating a Project Team

• Policies

• Data Classification + User Classification = Access Control

• Supported Applications and Resource Matrix

• Tools and Supporting Technologies

• Panel Discussion

• Common Misconceptions

• Some Use Cases

• Takeaways

Page 4: BYOD: Beating IT's Kobayashi Maru

Our smartphones are among the most sacred and personal of our possessions, rarely out of sight or mind. … they are the first thing we touch when we wake in the morning and the last thing we touch when we go to bed at night.

They guard our secrets, connect us to the people and pursuits we care about most; they promise that we never need be alone, ignored, bored, unknowing, lost, without a waiting audience to woo.

- Tom Chatfield, technology theorist and writer

Page 5: BYOD: Beating IT's Kobayashi Maru

Current State

Page 6: BYOD: Beating IT's Kobayashi Maru

Spiceworks “Weathering the Mobile Storm” survey, October 2014

Page 7: BYOD: Beating IT's Kobayashi Maru

Spiceworks “Weathering the Mobile Storm” survey, October 2014

Page 8: BYOD: Beating IT's Kobayashi Maru

Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes.

http://www.gartner.com/newsroom/id/2466615

Page 9: BYOD: Beating IT's Kobayashi Maru

[Chart] Phones: The Most Popular BYOD Device

Question: “Which of the following devices you personally own have you used for work purposes in the last month?”

Mobile Phone: 78%

Desktop or Notebook PC: 62%

Tablet: 29%

Multiple Responses Allowed. N = 9959.

Gartner User Survey, December 2013

Page 10: BYOD: Beating IT's Kobayashi Maru

Key Findings, Gartner User Survey, 2013

• Nearly half of respondents spend more than one hour each day working on private devices.

• 74% say their employer knows of the BYOD device, but 59% of respondents have no formal agreement.

• According to respondents, 65% of employers permit the use of privately owned Android-based devices for work purposes.

• 20% of respondents regularly connect private devices to their work network via VPN.

• 1 in 4 users admitted to having a security issue on their private device in 2013.

• Only 27% felt obliged to report this to their employer.

Page 11: BYOD: Beating IT's Kobayashi Maru

[Chart] Device Deployment

Source: CompTIA’s 3rd Annual Trends in Enterprise Mobility study

Base: 161 small U.S. end users / 120 medium U.S. end users / 119 large U.S. end users

Values as extracted, in the chart’s legend order (No BYOD / Partial BYOD / Full BYOD):

Small Firms (< 100 employees): 45% / 47% / 9%

Medium-Sized Firms (100-499 employees): 39% / 58% / 3%

Large Firms (500+ employees): 51% / 46% / 3%

Page 12: BYOD: Beating IT's Kobayashi Maru

Neuroscience, Psychology and BYOD: How IT Gets it Wrong

Page 13: BYOD: Beating IT's Kobayashi Maru

• A 2012 survey by Fortinet of 3,872 20-something workers on BYOD policies found more than half view it as a right, not a privilege.

• 1 out of 3 would violate a company's security policy that forbids them using personal devices at work or for work purposes.

• Research from Samsung found 29% of employees will use their personal devices in the office without knowing whether this is permitted by their employer's workplace policy.

Shadow IT

Page 14: BYOD: Beating IT's Kobayashi Maru

Rogue IT In the News

• While Secretary of State, Hillary Clinton used a personal email account to conduct government business.

• Did not have a government email address during her time in office.

• Secretary of State Colin L. Powell, who served from 2001 to 2005, also used a personal email address for official communications.

Page 15: BYOD: Beating IT's Kobayashi Maru

BYON?

• Scott Gration, U.S. Ambassador to Kenya, refused to use the embassy’s IT resources.

• Worked out of an embassy bathroom in Nairobi using his own unsecured commercial Internet connection.

• Used his own computer and a personal Gmail account to conduct business.

• When staffers had meetings with him, they would sit on the toilet.

Page 16: BYOD: Beating IT's Kobayashi Maru

Who’s On Guest Wireless?

Probably your staff.

Page 17: BYOD: Beating IT's Kobayashi Maru

Why BYOD Goes Bad

Page 18: BYOD: Beating IT's Kobayashi Maru

Homunculus Argument

A cognitive fallacy based upon the illusion of Cartesian Theater: i.e. a little person or homunculus inside the head watching sensory data on a screen.

Page 19: BYOD: Beating IT's Kobayashi Maru

Illusion of Cartesian Theater

Page 20: BYOD: Beating IT's Kobayashi Maru

Physical Boundaries of Mind

• Neuroscientist, V.S. Ramachandran, studies Phantom Limb Syndrome.

• 60% to 80% of those with amputations experience phantom sensations, including pain.

• While working with combat veteran amputees, he discovered that they found relief when they watched another person massage that person’s own limb.

Page 21: BYOD: Beating IT's Kobayashi Maru

Extended Mind

“Consider two subjects carry out a mathematical task. The first completes the task solely in her head, while the second completes the task with the assistance of paper and pencil. … as long as the cognitive results are the same there is no reason to count the means employed by the two subjects as different.…”

-Neurophilosopher, Andy Clark

Page 22: BYOD: Beating IT's Kobayashi Maru

The idea that mind is limited to “skin and skull”

is arbitrary and false.

Page 23: BYOD: Beating IT's Kobayashi Maru

Beyond Neuroplasticity: The Hybrid Age

“The Hybrid Age is a new sociotechnical era that is unfolding as technologies merge with each other and humans merge with technology …. Externally, technology no longer simply processes our instructions on a one-way street…. We don’t just use technology; we absorb it.”

- Parag Khanna and Ayesha Khanna

Page 24: BYOD: Beating IT's Kobayashi Maru
Page 25: BYOD: Beating IT's Kobayashi Maru

Ubiquitous Computing

"The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it."

- Mark Weiser, Chief Scientist at Xerox PARC

Page 26: BYOD: Beating IT's Kobayashi Maru

The End of Ownership

• According to Drupal creator and co-founder of Acquia, Dries Buytaert, industries now succeed by eliminating production.

• Examples

– Open Source software

– Tesla releases patents

– Uber

– Airbnb

– Spotify and Pandora

Page 27: BYOD: Beating IT's Kobayashi Maru

Stop Arguing with Reality

Page 28: BYOD: Beating IT's Kobayashi Maru

BYOD’s Dirty Secrets

• Without an explicit BYOD policy, you have an implicit one, which is too permissive.

• BYOD can change the profile of your network from “default open” to “default closed” through onboarding procedures.

• Should really be called “Bring Your Own Compute, with Caveats, i.e. we will watch what you do and control how you do it on our network.”

• Like social media, you give up some privacy to get a resource or an application.

Page 29: BYOD: Beating IT's Kobayashi Maru

Spiceworks “Weathering the Mobile Storm” survey, October 2014

Page 30: BYOD: Beating IT's Kobayashi Maru

The answer to BYOD cannot be, “No,” but a qualified “Yes, and….”

Page 31: BYOD: Beating IT's Kobayashi Maru

How To Begin

Page 32: BYOD: Beating IT's Kobayashi Maru

BYOD Needs Buy-in Across the Organization

• BYOD will only be successful with input from multiple groups.

• HR could have concerns surrounding possible impact to the status of non-exempt employees.

• Legal will worry about the protection of confidential material and how to address the subpoena of a personal device.

• Audit and compliance teams will need assurance that regulations such as PCI DSS or HIPAA are being followed and enforced.

• Information Security will want to restrict and control device access to minimize organizational risk.

Page 33: BYOD: Beating IT's Kobayashi Maru

Building the Project Team

Involve stakeholders from all areas of the business, including HR, Finance, Legal and Information Security.

Page 34: BYOD: Beating IT's Kobayashi Maru

Good BYOD is found in policies and procedures.

Page 35: BYOD: Beating IT's Kobayashi Maru

Intel Peer Research Report, “Insights on the Current State of BYOD”

Page 36: BYOD: Beating IT's Kobayashi Maru

• Policy is like a donut and technology solutions are the sprinkles.

• You can have a donut without sprinkles, but sprinkles on their own are pretty useless.

Page 37: BYOD: Beating IT's Kobayashi Maru
Page 38: BYOD: Beating IT's Kobayashi Maru

What’s Missing?

• Does your organization have data classification with handling standards?

• Is there user classification with some kind of identity management?

• Do you have an Acceptable Use Policy (AUP)?

• How will you know what to protect without these?

Page 39: BYOD: Beating IT's Kobayashi Maru

[Chart] Slow Progress in Policy Creation

Values as extracted, for 2014 / 2013:

Currently have a formal policy: 30% / 24%

Currently building a policy: 37% / 40%

Only share best practices: 21% / 18%

No set policy or practices: 10% / 12%

Don't know status of policy: 2% / 6%

Source: CompTIA’s 3rd Annual Trends in Enterprise Mobility study

Base: 400 U.S. end users

Page 40: BYOD: Beating IT's Kobayashi Maru

Taxonomy: Policy, Standards, Guidelines and Procedures

Page 41: BYOD: Beating IT's Kobayashi Maru

Definition: Policy

A course or principle of action adopted or proposed by a government, party, business, or individual.

- Oxford Dictionary

This should be a high level statement.

Page 42: BYOD: Beating IT's Kobayashi Maru

Definition: Standards

Mandatory activities, actions or rules. Standards give a policy its support and reinforcement in direction.

- CISSP Exam Guide, Shon Harris

Page 43: BYOD: Beating IT's Kobayashi Maru

Definition: Guidelines

Recommended actions and operational guides.

- CISSP Exam Guide, Shon Harris

Page 44: BYOD: Beating IT's Kobayashi Maru

Definitions: Procedure

A particular way of accomplishing something. Detailed series of tasks. Instructions.

Page 45: BYOD: Beating IT's Kobayashi Maru

Policies + Standards = Requirements

You should have the following in place for BYOD:

– High-level BYOD Policy

– Acceptable Use Policy (AUP)

– End User Agreement (EUA)

– Access Control Policy

– Data Classification and Handling Standards

– Basic User Roles/Classification

– Supported Application and Device Lists

– Resource Matrix, aka Business and Technical Service Catalogs

Page 46: BYOD: Beating IT's Kobayashi Maru

BYOD Policy

• Leverage templates from Gartner, Corporate Executive Board, Info~Tech or even the White House (http://www.whitehouse.gov/digitalgov/bring-your-own-device).

• Learn from other organizations such as academia.

• Make sure to define terms clearly.

– Example: what’s a mobile device?

• Establishes the “rules of engagement” with users.

• Should align closely with your AUP.

• Include references to “supported” applications, operating systems and devices itemized in a separate standards document.

• Describe categories of access based upon controls: container, full management or internet-only.

Page 47: BYOD: Beating IT's Kobayashi Maru

AUP and EUA

• Agreements establish the boundaries between the organization and the user community for how digital resources may be used.

• Protects the organization and the user by defining the responsibilities of each party and the consequences to the user for violation.

• Addresses security issues related to accessing the device in the event of a malware or data breach.

• Establishes opt-in for device posturing or agent installation on the users’ hardware.

• Defines privacy and confidentiality issues related to organization’s vs. user’s data.

Page 48: BYOD: Beating IT's Kobayashi Maru

Sample AUP Template

https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

Page 49: BYOD: Beating IT's Kobayashi Maru

End User Agreement

Wisegate sample corporate mobile device acceptable use and security policy

Page 50: BYOD: Beating IT's Kobayashi Maru

Gartner Condensed User Agreement

Page 51: BYOD: Beating IT's Kobayashi Maru

Data Classification + User Classification = Access Control

• Data has value and should be organized according to

– Sensitivity to loss

– Disclosure

– Unavailability

• Appropriate application of controls creates the handling standards.

• User roles or personas determine privilege levels.

• Access controls are determined by the intersection of data classification with user classification.

• If you don’t have full-fledged IAM, then you’ll need to perform some basic user segmentation.

Page 52: BYOD: Beating IT's Kobayashi Maru

Sample Data Classification Matrix

Page 53: BYOD: Beating IT's Kobayashi Maru

Sample Data Handling Matrix

Page 54: BYOD: Beating IT's Kobayashi Maru

User Classification

Page 55: BYOD: Beating IT's Kobayashi Maru

“First thing we do, let's kill all the lawyers.”

• If you don’t have BYOD policies in place such as an EUA, you could run into issues with state, federal and international laws such as the US Computer Fraud and Abuse Act (CFAA).

• Possible criminal and civil penalties on individuals and companies that “intentionally access a computer without authorization or exceed authorization” to obtain “information from any protected computer.”

• CFAA also prohibits individuals and companies from “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”

http://mi-worklaw.com/how-a-sandbox-can-shore-up-your-byod-program/

Page 56: BYOD: Beating IT's Kobayashi Maru

BYOD doesn’t start as a technology problem,

but it quickly becomes one.

Page 57: BYOD: Beating IT's Kobayashi Maru

What Will You Support?

• Even though you don’t own the device, what applications will you license and/or support on it?

• How will you communicate and document this?

• Many support costs don’t go away, they simply shift.

• Don’t try to support everything.

Page 58: BYOD: Beating IT's Kobayashi Maru

TCO Comparisons

owned devices. However, if users do not require reimbursement for the use of the tablet, the TCO of user-owned devices can be as much as 64% lower than that of a fully managed, enterprise-owned tablet.

Figure 2. TCO Comparison of Enterprise- and User-Owned Tablets

Source: Gartner (December 2014)

If Windows applications are delivered to an iOS or Android tablet using server-based computing (SBC) or hosted virtual desktop (HVD) technologies, the TCO increases, in some cases substantially. Organizations need to understand whether this brings a significant benefit to the users, sufficient to recover the investment. Extensive tests on the quality of the user experience will help organizations gain such understanding.

The Economics of BYOPC Programs

BYOPC programs are relatively infrequent today. Users may welcome the opportunity to use their own PCs for work reasons, but are not inclined to give up the enterprise PC, whereas organizations looking into BYOPC often aim to replace corporate PCs with user-owned ones. Organizations are reluctant to embrace BYOPC due to security, management and cost concerns. Securely delivering and managing enterprise applications on user-owned PCs may require substantial infrastructure investments, increases in IT labor costs, and can compromise users' experiences. Our TCO analysis shows that BYOPC programs will not save money unless intangible benefits, such as increased user satisfaction or improved business continuity, are considered.

Gartner, Inc. | G00271207 Page 3 of 6

SBC = Server Based Computing

HVD = Hosted Virtual Desktop

Page 59: BYOD: Beating IT's Kobayashi Maru

Supported Application Matrix

Example

Page 60: BYOD: Beating IT's Kobayashi Maru

Resource Matrix

• Decide what enterprise applications will be offered for BYOD users.

• Base it on the data classification and level of risk the organization will accept.

• Build the matrix from existing Business and Technical Service catalogs.
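The “data classification + user classification = access control” rule and the resource matrix built from it can be made concrete as a small decision function. The following is an added example, not code from the workshop: the data classes, user roles, the handling standard (minimum role and minimum device control per class) and the service catalog entries are all assumed, and the device-control levels are the three access categories the policy section names (internet-only, container, full management). Unlisted services are denied by default, which is the policy’s “don’t try to support everything” applied in code.

```python
"""Access decision = data classification x user classification x device control.
Constructed example for the workshop's model; the classes, handling standard
and catalog entries below are assumptions, not the author's matrices."""
from enum import IntEnum


class DataClass(IntEnum):
    """Ordered by sensitivity to loss, disclosure or unavailability."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Role(IntEnum):
    """Basic user segmentation for when there is no full IAM: coarse personas."""
    GUEST = 0
    CONTRACTOR = 1
    EMPLOYEE = 2
    PRIVILEGED = 3


class DeviceControl(IntEnum):
    """Access category the user opted into at onboarding."""
    INTERNET_ONLY = 0
    CONTAINER = 1
    FULL_MANAGEMENT = 2


# Handling standard (assumed): minimum role and minimum device control per class.
HANDLING = {
    DataClass.PUBLIC: (Role.GUEST, DeviceControl.INTERNET_ONLY),
    DataClass.INTERNAL: (Role.CONTRACTOR, DeviceControl.INTERNET_ONLY),
    DataClass.CONFIDENTIAL: (Role.EMPLOYEE, DeviceControl.CONTAINER),
    DataClass.RESTRICTED: (Role.PRIVILEGED, DeviceControl.FULL_MANAGEMENT),
}

# Business service catalog (assumed): the highest data class each service exposes.
CATALOG = {
    "guest wifi": DataClass.PUBLIC,
    "intranet portal": DataClass.INTERNAL,
    "email and calendar": DataClass.CONFIDENTIAL,
    "HR records": DataClass.RESTRICTED,
    "cardholder data app": DataClass.RESTRICTED,
}


def segment_user(record):
    """Map a directory record (constructed shape) onto a coarse role.
    Anything unrecognised lands in GUEST, so unknown users get least privilege."""
    if record.get("employee_type") == "FTE":
        return Role.PRIVILEGED if "it-admins" in record.get("groups", ()) else Role.EMPLOYEE
    if record.get("employee_type") == "contractor":
        return Role.CONTRACTOR
    return Role.GUEST


def decide(service, role, device):
    """Return ('allow' | 'deny', reason). Services not in the catalog are denied."""
    data_class = CATALOG.get(service)
    if data_class is None:
        return "deny", f"{service!r} is not in the supported service catalog"
    min_role, min_device = HANDLING[data_class]
    if role < min_role:
        return "deny", f"{data_class.name} data needs role {min_role.name}, have {role.name}"
    if device < min_device:
        return "deny", f"{data_class.name} data needs {min_device.name}, device is {device.name}"
    return "allow", f"{data_class.name} data, role {role.name}, device {device.name}"


def resource_matrix():
    """The BYOD resource matrix: services offered per (role, device control)."""
    matrix = {}
    for role in Role:
        for device in DeviceControl:
            matrix[(role, device)] = sorted(
                s for s in CATALOG if decide(s, role, device)[0] == "allow")
    return matrix


if __name__ == "__main__":
    for (role, device), services in resource_matrix().items():
        print(f"{role.name:10} {device.name:16} {', '.join(services) or '-'}")
```

Running the module prints the matrix one row per (role, device) pair, which is the artifact the Resource Matrix slide asks for; changing a single entry in HANDLING or CATALOG regenerates it, so the classification standards, not the tooling, drive who sees what.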

Page 61: BYOD: Beating IT's Kobayashi Maru

Service Catalog

Page 62: BYOD: Beating IT's Kobayashi Maru

Resource Matrix

Page 63: BYOD: Beating IT's Kobayashi Maru

Device Management Categories

• Mobile Device Management

• Mobile Application Management

• Containers/Sandbox

Page 64: BYOD: Beating IT's Kobayashi Maru

Intel Peer Research Report, “Insights on the Current State of BYOD”

Page 65: BYOD: Beating IT's Kobayashi Maru

Container (Sandbox) Option

• Aka “dual persona”

• Provides a secure space for managed content on the device.

• All resources, including proprietary applications, business email, calendar and contacts reside here.

• Accomplished by installation or inclusion of an app.

• User retains full control of the device.

• Admin can wipe content in container.

Page 66: BYOD: Beating IT's Kobayashi Maru

Containers or Full Device Management

• Offer users choices based on type of data and access they want.

• By offering options, you improve adoption and compliance, but more work on back-end.

• Containers address users’ privacy concerns and control issues with BYOD, while still allowing the business to secure its data.

• Full device management is preferred by Information Security teams.

• Containers not as user-friendly as “native” app experience.

• Sandboxing can be at application level or through creation of device partition.

Page 67: BYOD: Beating IT's Kobayashi Maru

Is Your Infrastructure Ready for BYOD?

Page 68: BYOD: Beating IT's Kobayashi Maru

BYOD Infrastructure and Supporting Technologies

• RADIUS

• 802.1X and/or NAC

• LDAP

• Certificate Authority

• Mobile Device Management (MDM) tools for onboarding

• Endpoint agents

• VDI/DaaS

• Other traditional security controls

Page 69: BYOD: Beating IT's Kobayashi Maru

BYOD Infrastructure Technologies: RADIUS, LDAP, Certificate Authority and 802.1X

• Remote Authentication Dial In User Service (RADIUS)

– Centralized Authentication, Authorization, and Accounting (AAA) for network services

– Free RADIUS, Radiator, Cisco ISE

• Lightweight Directory Access Protocol (LDAP)

– Based on X.500

– Distributed directory over IP network

– Active Directory most common implementation

• Certificate Authority

• 802.1X

– IEEE standard for port-based network access control

– Defines EAP (extensible authentication protocol)

– Frequently used in enterprise wireless
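Behind every 802.1X port decision sits a RADIUS round trip between the switch or wireless controller (the NAS) and the AAA server, and both sides rely on the shared secret to tell a genuine answer from a forged one. The following is an added example, not code from the workshop or from any RADIUS product: it builds an Access-Request with the RFC 2865 User-Password hiding, lets a constructed server answer Access-Accept or Access-Reject, and has the NAS verify the Response Authenticator before trusting the reply. The secret, user name, password and Reply-Message text are made up. Real 802.1X carries EAP inside EAP-Message attributes protected by a Message-Authenticator rather than the simpler User-Password form shown here, and because the hiding is only MD5-keyed, the RADIUS link itself is normally protected (IPsec or RadSec) in production.

```python
"""RADIUS Access-Request / Access-Accept round trip (RFC 2865) with the
shared-secret checks on both sides. Constructed example; the secret,
credentials and attribute values are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length counts its 2-byte header."""
    return b"".join(bytes((t, 2 + len(v))) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    prev, out = request_auth, b""
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chaining value is the previous hidden block."""
    prev, out = request_auth, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def build_access_request(ident, secret, username, password):
    """NAS side. The Request Authenticator must be fresh per request: it keys
    the password hiding and ties the server's reply to this request."""
    request_auth = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    packet = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body
    return packet, request_auth


def server_handle(packet, secret, users):
    """Server side: recover the password, check it, reply with a signed response."""
    code, ident, length, request_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad request")
    attrs = dict(decode_attrs(packet[HEADER.size:]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = users.get(attrs.get(ATTR_USER_NAME)) == password
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(ATTR_REPLY_MESSAGE, b"welcome" if ok else b"denied")])
    length = HEADER.size + len(body)
    auth = response_authenticator(rcode, ident, length, request_auth, body, secret)
    return HEADER.pack(rcode, ident, length, auth) + body


def client_verify(response, secret, request_auth, expected_ident):
    """NAS side: accept the reply only if the Response Authenticator proves the
    server knew the shared secret and was answering this request. Returns the
    response code, or None for a reply that must be discarded."""
    code, ident, length, auth = HEADER.unpack_from(response)
    if ident != expected_ident or length != len(response):
        return None
    body = response[HEADER.size:]
    expected = response_authenticator(code, ident, length, request_auth, body, secret)
    return code if hmac.compare_digest(auth, expected) else None


def run_exchange(nas_secret, server_secret, username, password):
    """Drive one round trip; mismatched secrets show why the NAS must verify."""
    users = {b"alice": b"correct horse battery"}  # constructed credential store
    request, request_auth = build_access_request(7, nas_secret, username, password)
    response = server_handle(request, server_secret, users)
    return client_verify(response, nas_secret, request_auth, 7)


if __name__ == "__main__":
    print("good credentials:", run_exchange(b"s3cret", b"s3cret", b"alice", b"correct horse battery"))
    print("bad password:   ", run_exchange(b"s3cret", b"s3cret", b"alice", b"wrong"))
    print("secret mismatch:", run_exchange(b"s3cret", b"other", b"alice", b"correct horse battery"))
```

The third case is the one worth noticing when onboarding BYOD: a server configured with a different secret (or a rogue one on the path) produces a reply whose authenticator does not check out, and the NAS treats it as no answer at all rather than as a reject, which is the behaviour RFC 2865 requires.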

Page 70: BYOD: Beating IT's Kobayashi Maru

802.1X Vs. NAC

• Not synonymous.

• 802.1X is an L2 standard and uses a built-in or 3rd party supplicant to authenticate.

• Network Access Control (NAC) is a logical set of controls that rely on multiple protocols.

• Can use an in-line L3 device for policy enforcement.

• Generally requires an agent for endpoint profiling.

Page 71: BYOD: Beating IT's Kobayashi Maru

802.1X Process

Page 72: BYOD: Beating IT's Kobayashi Maru

Example: Cisco ISE

Page 73: BYOD: Beating IT's Kobayashi Maru

EAP Comparison Chart (* = don’t use)

EAP-MD5*

– Server Authentication: None

– Supplicant Authentication: Password Hash

– Dynamic Key Delivery: No

– Security Risks: Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack, Session hijacking

LEAP*

– Server Authentication: Password Hash

– Supplicant Authentication: Password Hash

– Dynamic Key Delivery: Yes

– Security Risks: Identity exposed, Dictionary attack

EAP-TLS

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: Public Key (Certificate or Smart Card)

– Dynamic Key Delivery: Yes

– Security Risks: Identity exposed

EAP-TTLS

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: CHAP, PAP, MS-CHAP(v2), EAP

– Dynamic Key Delivery: Yes

– Security Risks: MitM attack

PEAP

– Server Authentication: Public Key (Certificate)

– Supplicant Authentication: Any EAP, like EAP-MS-CHAPv2 or Public Key

– Dynamic Key Delivery: Yes

– Security Risks: MitM attack; Identity hidden in Phase 2 but potential exposure in Phase 1

Page 74: BYOD: Beating IT's Kobayashi Maru

BYOD Supporting Technologies: MDM and VDI

• Mobile Device Management (MDM)

– Jamf, Airwatch, Citrix, MobileIron, Good Technology

• Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS)

– Citrix, VMware, Microsoft

Page 75: BYOD: Beating IT's Kobayashi Maru

Some MDM Support Examples

• Good Technology (containerization supports iOS, Android, Windows phone, BlackBerry)

• Airwatch (containerization supports iOS, Android, Windows 8.x and phone, OSX)

• Samsung KNOX (DISA approved, only works on S4, but works with most MDM)

• Divide (Android, iOS)

• BlackBerry Balance and BES

• Mobile Iron (containerization supports Android, iOS, OSX, Windows Phone, BlackBerry)

• MaaS360 (containerization supports iOS, Android, Windows phone and OS, OSX)

• JAMF Casper Suite (iOS, Android, Mac, no container option)

• Citrix XenMobile (containerization supports Android, iOS, Windows OS and phone, BlackBerry)

Page 76: BYOD: Beating IT's Kobayashi Maru

Use Cases: What Worked and What Didn’t

• Academia: the original BYOD environment

• PCI DSS service provider

• Non-profits

• Media company: implicit BYOD

Page 77: BYOD: Beating IT's Kobayashi Maru

Banning iPads?

Page 78: BYOD: Beating IT's Kobayashi Maru
Page 79: BYOD: Beating IT's Kobayashi Maru

Sample Design

Page 80: BYOD: Beating IT's Kobayashi Maru

Don’t Rush to Production

• You’ll need to build a proof-of-concept and add a pilot phase to your project.

• That’s when any weaknesses in your supporting technologies, processes and procedures become evident.

• The pilot will provide necessary feedback to adjust the proposed implementation.

Page 81: BYOD: Beating IT's Kobayashi Maru

Common Misconceptions

• BYOD is less secure.

• I can say “no” to BYOD.

• BYOD will save us money.

• I have to buy expensive MDM solutions.

• I have to support everything, including PCs.

• I have to reimburse users to force adoption.

• We don’t need to consult HR or Legal.

Page 82: BYOD: Beating IT's Kobayashi Maru

Panel

Page 83: BYOD: Beating IT's Kobayashi Maru

Takeaways

• Controls should focus on data/resources, not technology.

• Policies become requirements, don’t jump to solutions. You’ll pay for it later.

• Get executive buy-in on policies and sign-off on design. Otherwise you’ll be redesigning later.

• Understand hidden costs: licensing and support.

• Start small, with a select number of supported devices.

• Training and end user support is critical.

• Offer options: full device management vs. containerization.

• BYOD is no longer optional.

Page 84: BYOD: Beating IT's Kobayashi Maru

Questions?

Page 85: BYOD: Beating IT's Kobayashi Maru

Where Can You Find Me?

Michele Chubirka

Spending quality time in kernel mode.

Star Trek before Star Wars.

http://postmodernsecurity.com

Twitter @MrsYisWhy

Google+ MrsYisWhy

[email protected]
