Paul Whitton
▶ Senior IT Security Specialist within ESISS
▶ TigerScheme and Crest accredited.
▶ Been working at Loughborough University since 2001 in a variety of teams.
▶ Labs
▶ Staff Desktop
▶ Systems Services
▶ Networks and Security
▶ Now ESISS
About ESISS
▶ ESISS is the Education Shared Information Security Service.
▶ A collaboration with the eight universities within the East Midlands region.
▶ A genuine requirement for a shared security service was identified.
▶ HEFCE pump-primed the first year.
▶ Launched in August 2009, now used by over 50 UK institutions and growing.
About the ESISS team
▶ Contract awarded to Loughborough University.
▶ Dedicated team providing the services.
▶ Information Security Assurance: CISSP, Tiger Scheme QSTM, CCNP, CCSP, Crest Registered Tester, etc.
▶ Trusted Introducer Accredited procedures
Technical Challenges
▶ Which device types/operating systems are allowed
▶ What apps may be installed and used
▶ What IT systems may be accessed
▶ How data is stored on the device
▶ How data is transferred to/from the device
▶ Blurring of business and personal use
Security considerations
▶ Data privacy - personal and corporate data on the same device. This works both ways.
▶ Data privacy/remote wipe for lost/stolen devices
▶ What to do if the person who owns the device leaves the company.
▶ Copyright infringement from the device.
How to address these issues
What the Data Protection Act 1998 says:
▶ Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.
▶ All of the previously mentioned issues can be mitigated to some extent with a suitable and effective BYOD policy.
Designing a BYOD Policy
Must meet the needs of both IT and employees
E.g.:
▶ Secure corporate data
▶ Minimise cost to implement and enforce
▶ Preserve user experience
▶ Keep up with user technology and preferences.
What to consider
▶ JANET AUP already covers a fair amount of the responsibilities
▶ There may be a need to create a social media policy
▶ Regular checks for compliance.
Device settings
Best practice indicated by Gartner and elsewhere suggests that supported devices should be able to provide:
▶ Device lock code
▶ Automatic device lock on idle
▶ Remote device wipe function
▶ Device data encryption
Mobile Device Management
▶ Investigate remote locate and wipe facilities
▶ Appropriate process to remove rights to lost/stolen devices.
▶ Approved devices only
▶ Educate users about untrusted apps and data protection
▶ Segregation of corporate and personal data (Mobile Application Management)
Exchange ActiveSync Policy
▶ Exchange allows admins to define a policy for any clients connecting.
▶ This can include remote wipe, enforced encryption, etc.
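The four device settings listed earlier (lock code, automatic lock on idle, remote wipe, data encryption) map directly onto an Exchange ActiveSync mailbox policy. The following Exchange Management Shell snippet is an added example, not from the original slides: it uses the Exchange 2010 cmdlet names (Exchange 2013 and later rename these to New-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics and Clear-MobileDevice), and the policy name, mailbox and device ID are constructed placeholders.

```powershell
# Added example (not from the slides). Exchange 2010 Exchange Management Shell cmdlets;
# Exchange 2013+ use New-MobileDeviceMailboxPolicy / Get-MobileDeviceStatistics / Clear-MobileDevice.
# Policy name, mailbox identity and device ID are constructed placeholders.

# Policy enforcing the "Device settings" from the talk. Splatting keeps each setting commented.
$baseline = @{
    Name                               = "BYOD-Baseline"   # constructed policy name
    DevicePasswordEnabled              = $true             # device lock code required
    AlphanumericDevicePasswordRequired = $false            # a numeric PIN is acceptable
    MinDevicePasswordLength            = 6
    MaxDevicePasswordFailedAttempts    = 10                # local wipe after repeated bad PINs
    MaxInactivityTimeDeviceLock        = "00:05:00"        # automatic lock after 5 minutes idle
    RequireDeviceEncryption            = $true             # device data encryption
    AllowNonProvisionableDevices       = $false            # refuse clients that cannot apply the policy
}
New-ActiveSyncMailboxPolicy @baseline

# Apply the policy to a BYOD user's mailbox (constructed identity).
Set-CASMailbox -Identity "jbloggs@example.ac.uk" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Audit which devices have synced this mailbox, so a lost or stolen one can be identified.
Get-ActiveSyncDeviceStatistics -Mailbox "jbloggs@example.ac.uk" |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSyncAttemptTime

# Issue a remote wipe for the lost/stolen device, located by its DeviceID (placeholder value).
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jbloggs@example.ac.uk" |
    Where-Object { $_.DeviceID -eq "PLACEHOLDER_DEVICE_ID" }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
}
```

Leaving AllowNonProvisionableDevices at its default of true is the common weak setting: clients that cannot enforce the policy would still be allowed to sync mail.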
Virtual Desktop/Thin Client
▶ Some places are implementing virtual desktop infrastructure.
▶ This allows BYOD clients to access a normal corporate desktop by running an application
▶ Segregates corporate data from the BYOD device
Type of Network Access
▶ Clients are typically wireless devices.
▶ Users expect to be able to just turn wireless on and have it work with minimal or no configuration
Wireless Access and Auditing
▶ eduroam
▶ Captive portal style wireless networks.
▶ Consideration for BYOD network access to main network.
eduroam
▶ Based on 802.1X standard and a hierarchy of RADIUS proxy servers.
▶ The role of the RADIUS hierarchy is to forward the user's credentials to the user's home institution, where they can be verified and validated.
▶ Can allow visitors from participating sites to use your wireless/wired networks, but segregate them from your main network and vice versa.
eduroam
Pros:
Secure wireless configuration.
Device only needs to be configured once for all sites
Supports wireless and wired.
Internationally available.
Cons:
May be complicated to set up, configure and maintain for small FE sites with few network staff.
Open guest network
Pros:
Easy to set up and maintain.
Cons:
Users can see other people's traffic. (Mitigated to an extent by forcing the use of an SSL web proxy.)
Requires user to configure their wireless settings for each site they visit.
Further Information
▶ http://www.eduroam.org
▶ www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx
Any Questions?
Thank you for listening
https://www.esiss.ac.uk/