You already know BYOD is here to stay. How can you give employees the flexibility they demand? Prevent BYOD from becoming BYOT (threat)? Ensure a uniform trust model for device provisioning? Mitigate the risks for applications, network access and data security? This webinar provides a policy framework for BYOD enablement:
• Risk and vulnerability assessment
• Security and access policies
• Key success factors
• Trigger response policies
• Prevent data loss at both the application and device level
• Shared device security policies
• Options for achieving your security requirements and end-user expectations
© 2013 Tangoe, Inc.
BYOD Risk Management Best Practices
Presented by:
Troy Fulton, Director, Product Marketing
May 22 & 23, 2013
Today’s Speaker
Troy Fulton
Director, Product Marketing
• 20+ years in high-tech and communications devices
• Senior product marketing and management positions with global corporations including Motorola Mobility, Nokia, and Compaq
• MBA from The College of William and Mary; BA from Boston College
Agenda
• BYOD Trends
• Concerns and Risks
• Segmentation
• Mistakes to avoid
• Security and Access Management
• Best Practices
• Critical Success Factors
• Shared Control
A Radical Shift is Occurring
Gartner: The BYO Trend is Clear
• Over 60% of employees report using a personal device for work
• US and APAC lead, EU lags
• 2/3 of consumers report that work influences what they buy for personal devices
• By 2015, emphasis will shift toward cost-reduction through mandatory BYO programs
• PC BYOD lags smartphones and tablets (<8% of companies) but will accelerate in 2014+
Concerns and Risks
• Not surprising drivers and concerns
  • 55%: employee satisfaction = productivity (Source: Information Security Group survey 4/2013)
  • 54%: need for increased employee mobility
  • 51%: increased employee productivity
  • Favorite devices: iOS (72%), followed by Android, Blackberry, Microsoft
• Concerns
  • 70% stated security as the top criterion for success
  • Loss of company or client data, unauthorized access and malware infections
  • Lack of the resources necessary to address security concerns
  • 33% stated they do not have even a basic BYOD policy in place
  • 78% of security professionals believe BYOD is a significant risk (Source: Frost and Sullivan)
• Unknown level of exposure
  • Where is our data?
  • Who has access to what resources?
  • Who else has, or could have, access to our data and resources?
• Is BYOD strategic?
Segment Employees and Security Profiles
Under the Radar
• Employee owned device without corporate support or awareness
• No trust, no access
Minimal BYOD
• Employee owned device with usage policy enforcement for selected applications and data
• Event trigger-based policy enforcement
• Minimal access / trust
• No support
• IT approved device
Formal BYOD
• Senior execs and knowledge workers to replace corporate-supplied devices and/or protect strategic IP and data
• Event trigger-based policy enforcement
• Full network access
• Strong authentication
• Minimal support
• IT approved device
• MDM client required
Corporate Liable
• Corporate supplied device and formal processes to enforce compliance respective to role and location
• Fully trusted
• Event trigger-based policy enforcement
• Full network access
• Strong authentication
• Full support
• IT approved device
• MDM client required
From “Under the Radar” to “Over the Dam”
• No management results in BYOD happening without you
  • Easy to connect into company systems and store business data
  • No identification, tracking or management
• Microsoft EAS does not help
  • Does not identify and remediate a jailbroken or rooted device
  • No enforcement of device, OS or app version controls
  • “Free and easy” was not tolerated for company or personal laptops
• In the real world…
  • Easy for devices to connect to company systems – no alerts
  • No lifecycle management
    • Apps, data, and network access credentials are not removed
    • Unmanaged (unknown) devices remain fully active until passwords expire
• Best practices:
  • No access to email, LAN, VPN, Wi-Fi or other services without authentication
  • Users are limited to 2 devices
Getting Started: Policy Strategy Questions
• Who qualifies?
• What devices are allowed?
• Who buys/owns the device?
• What service expenses will be covered, and how?
• What is supported, at what level?
• What does the employee have to do?
• Enterprise security, data usage and privacy restrictions
• Employee privacy issues
• Labor implications of after-hours support
• Liability issues (e-discovery)
• Limitations on reimbursement (what is the strategy?)
• Penalties for noncompliance (and enforcement?)
• Data and phone number transition at termination
• Support policies and liability issues must be reviewed by the corporate legal department, the executive board, HR and business unit managers.
Minimal Acceptable Usage Policy Guidelines
• All devices
  • Device will lock your account after 10 failed login attempts
  • Device will lock every 30 minutes, requiring reentry of your password
  • Password rotation every 90 days, with minimum strength requirements
  • Remote wipe triggered by: lost device; termination of employment; IT detects a data or policy breach or virus
  • Minimum device level: iPhone 4, iOS 5.0x, Android 3.x
  • Company-administered MDM
  • No jailbreak and no rooting policies
  • Certificates for any and all access: email, apps, networks
  • Application and data encryption at all times
• Personal devices
  • Limit device enrollments at company discretion
  • Filter sensitive data at company discretion
  • Accept company lock/wipe decisions
  • Require end-user acceptable-use policy agreement
Mistakes to Avoid: Inconsistent Security Policies
• Focus on business requirements first and devices second
  • Policy gaps are the origins of most mobile security failures
• Determine approved platform options for BYOD
  • Get cross-departmental buy-in
  • Business information requirements may be overly broad and difficult to fulfill across mobile platforms
• Security policies need to account for OS limitations
  • Adapt data and application policies accordingly, and document your policies
• All mobile devices are work platforms, irrespective of liability model
  • Anticipate that mobile work platform loss could result in a data breach event
    • May require disclosure
• Know and track your device, application, and data inventory
Mistakes to Avoid: Data Leakage
• DLP has low visibility
  • Security managers report these events tend to be ignored by decision makers
• Pervasive data fragmentation
  • Send, save and mingle
  • Difficult to trace or audit
• Consider data container solutions
  • Options range from email encryption to content management
  • Prioritize based on employee role, data sensitivity and access method
• Unsafe device sharing
  • Tablets for business will end up playing “Barney” reruns or sports research at a BBQ
  • Built-in (and reliable) biometric security…not on the immediate horizon
• Lost devices…be proactive
• Mitigate risks
  • Strong authentication for connectivity
  • Credentials that expire after a period of time
  • Dual persona containerization
Mistakes to Avoid: Click First, Worry Later
• Applications want your data
  • iOS and Android apps are designed to be sandboxed
  • End-users are not aware of risks from apps obtaining data from other apps
    • Includes: contacts, location (current and history), Facebook friends, purchases
    • Data is tracked and sold
  • Example: unapproved email application obtains login credentials
• Malware
  • iOS has low risk
  • Android has experienced more malware incidents
• Best practices
  • App AUPs for employee devices
  • Control limits of app installation on iOS and Android vs. Windows and Blackberry
  • Mitigate on the device via containerization or virtualization
  • Protect network resources via web application firewall
• Android has unique risks
  • Unapproved OS versions available
  • Applications from unofficial sources
BYOD Security and Access Best Practices
• Mobility is not a traditional IT silo
  • Cross-functional governance
    • Core team: business, apps, I&O, policy
    • Create semi-annual strategy
    • Report to CIO
    • IT governance council includes mobile
• Automated trigger-based responses
  • Real-time out-of-compliance monitoring
    • Notifications and alerts
    • Feature and function changes
  • Out-of-compliance conditions:
    • Device OS is out of date
    • No password = no encryption
    • Applications requiring a patch
    • Jailbroken and rooted detection
• Baseline access to resources
  • Liability model and AUPs
  • Audit installed apps for non-compliance
  • Perform background app inventory analysis
• Risk management
  • Process for compliance enforcement
  • Work across organizational structure
  • Define use cases and app strategy
• Pitfalls to avoid
  • Approaching mobility as tactical and not strategic
  • Choosing technology first
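As an added illustration (not from the webinar or from Tangoe), the following Python script turns the minimal acceptable-usage guidelines (lock after 10 failed logins, 90-day password rotation, iOS 5.0 / Android 3.x minimums, no jailbreak or rooting, company-administered MDM, encryption, remote wipe on loss or termination) and the trigger-based responses listed above into a compliance check over an MDM inventory export. The inventory records are constructed, and the mapping from each violation to a response action (notify, lock account, block access, wipe) is this example's own assumption; the slides list the conditions but not a fixed response per condition.

```python
"""Added example: evaluating MDM inventory records against the minimal AUP.

Thresholds (10 failed logins, 90-day rotation, iOS 5.0 / Android 3.x minimums,
no jailbreak/root, MDM enrollment, encryption) come from the slides; the
mapping from each violation to a response action is this example's assumption.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_FAILED_LOGINS = 10                        # lock account after 10 failed attempts
PASSWORD_MAX_AGE_DAYS = 90                    # rotate every 90 days
MIN_OS = {"ios": (5, 0), "android": (3, 0)}   # iPhone 4 / iOS 5.0.x, Android 3.x

# Response actions ordered from least to most severe (assumed mapping).
SEVERITY = ["allow", "notify", "lock_account", "block_access", "wipe"]


@dataclass
class DeviceRecord:
    """One row of a constructed MDM inventory export."""
    device_id: str
    platform: str             # "ios" or "android"
    os_version: str           # e.g. "6.1.3"
    mdm_enrolled: bool
    passcode_set: bool
    encrypted: bool
    jailbroken: bool          # jailbroken (iOS) or rooted (Android)
    failed_logins: int
    password_changed: date
    apps_needing_patch: list = field(default_factory=list)
    lost: bool = False
    terminated: bool = False


def parse_version(text):
    """'6.1.3' -> (6, 1, 3); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def find_violations(dev, today):
    """Return (violation, action) pairs for one record, in check order."""
    found = []
    if dev.lost or dev.terminated:                     # remote-wipe triggers
        found.append(("wipe_trigger", "wipe"))
    if not dev.mdm_enrolled:                           # "no trust, no access"
        found.append(("not_enrolled", "block_access"))
    if dev.platform not in MIN_OS:
        found.append(("platform_not_approved", "block_access"))
    elif parse_version(dev.os_version)[:2] < MIN_OS[dev.platform]:
        found.append(("os_out_of_date", "notify"))
    if dev.jailbroken:
        found.append(("jailbroken_or_rooted", "block_access"))
    if not dev.passcode_set or not dev.encrypted:      # "no password = no encryption"
        found.append(("no_passcode_or_encryption", "block_access"))
    if dev.failed_logins >= MAX_FAILED_LOGINS:
        found.append(("failed_logins", "lock_account"))
    if (today - dev.password_changed).days > PASSWORD_MAX_AGE_DAYS:
        found.append(("password_expired", "notify"))
    if dev.apps_needing_patch:
        found.append(("apps_need_patch", "notify"))
    return found


def evaluate(dev, today):
    """Collapse a record's violations into the single most severe action."""
    found = find_violations(dev, today)
    action = max((a for _, a in found), key=SEVERITY.index, default="allow")
    return {"device_id": dev.device_id, "action": action,
            "violations": [v for v, _ in found]}


TODAY = date(2013, 5, 22)    # evaluation day for the constructed sample
SAMPLE_INVENTORY = [         # constructed records, not real devices
    DeviceRecord("ios-001", "ios", "6.1.3", True, True, True, False, 1,
                 TODAY - timedelta(days=20)),
    DeviceRecord("and-002", "android", "2.3.6", True, True, True, True, 0,
                 TODAY - timedelta(days=120)),
    DeviceRecord("ios-003", "ios", "5.1.1", False, False, False, False, 0,
                 TODAY - timedelta(days=5)),
    DeviceRecord("ios-004", "ios", "6.1.3", True, True, True, False, 12,
                 TODAY - timedelta(days=10), lost=True),
]


def compliance_report(inventory=SAMPLE_INVENTORY, today=TODAY):
    """Evaluate every record; the most severe action wins per device."""
    return [evaluate(d, today) for d in inventory]


if __name__ == "__main__":
    for row in compliance_report():
        print(row)
```

The check reports every violation rather than stopping at the first, so the notification can tell the user what to fix even when the device has already been blocked; the wipe action only fires on the explicit triggers the AUP names (lost device, termination), never on an ordinary compliance gap.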
BYOD Security and Access Critical Success Factors
• Create an access baseline
  • Determine who has access
  • Identify access control gaps
  • Tie access controls to environment
  • Segregate access by role and liability model
  • Best practice: what works best for your company
• Check applicable regulations
  • Policy of “least access”
  • Regulators want doctrine of “least privilege” applied
  • Enable specific security roles to enforce security and access management policies
• Automate device provisioning
  • Pre-configure AUP liability models
  • Integrate with TEM procurement
• Terminate unused accounts
  • Prevent access to resources
  • Consider a device recycle program
• Proactively monitor for unusual activity
  • Monitor high volume of SMS or data
  • Control remote access to apps and databases
• Mobility and cloud computing expand the enterprise operational perimeter
  • NAC is becoming a baseline requirement
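The slide asks for proactive monitoring of unusually high SMS or data volume but does not say how to decide what "high" is. As an added example (not from the webinar or from Tangoe), this Python script compares each device's latest day against the median of its own earlier days, which is a simple baseline that works per device rather than per fleet. The usage log lines are constructed, and the comparison factors (5x for SMS, 4x for data) and the minimum baseline length of 5 days are this example's assumptions.

```python
"""Added example: flagging unusual SMS or data volume from daily usage records.

Sample log lines are constructed; the comparison factors and the minimum
baseline length are this example's assumptions, not figures from the webinar.
"""
from statistics import median

SMS_FACTOR = 5.0        # alert if the latest day's SMS count > 5x the device's median
DATA_FACTOR = 4.0       # alert if the latest day's data (MB) > 4x the device's median
MIN_BASELINE_DAYS = 5   # require at least 5 earlier days before judging a device

# Constructed export: date,device_id,sms_sent,data_mb (one line per device per day)
USAGE_LOG = """\
2013-05-15,ios-001,12,180
2013-05-15,and-002,3,90
2013-05-16,ios-001,9,210
2013-05-16,and-002,4,110
2013-05-17,ios-001,11,150
2013-05-17,and-002,2,95
2013-05-18,ios-001,10,190
2013-05-18,and-002,5,100
2013-05-19,ios-001,13,170
2013-05-19,and-002,3,120
2013-05-19,ios-003,6,80
2013-05-20,ios-001,8,200
2013-05-20,and-002,4,105
2013-05-20,ios-003,5,75
2013-05-21,ios-001,95,220
2013-05-21,and-002,4,2600
2013-05-21,ios-003,7,90
"""


def parse_usage(text):
    """Parse CSV lines into (date, device_id, sms, data_mb) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, dev, sms, mb = line.split(",")
        rows.append((day, dev, int(sms), float(mb)))
    return rows


def flag_anomalies(rows):
    """Compare each device's latest day against the median of its earlier days."""
    history = {}
    for day, dev, sms, mb in sorted(rows):          # chronological per device
        history.setdefault(dev, []).append((day, sms, mb))
    alerts = []
    for dev, days in history.items():
        if len(days) <= MIN_BASELINE_DAYS:            # too little history to judge
            continue
        *baseline, (day, sms, mb) = days
        sms_median = median(s for _, s, _ in baseline) or 1
        mb_median = median(m for _, _, m in baseline) or 1
        reasons = []
        if sms > SMS_FACTOR * sms_median:
            reasons.append(f"sms {sms} vs median {sms_median}")
        if mb > DATA_FACTOR * mb_median:
            reasons.append(f"data_mb {mb} vs median {mb_median}")
        if reasons:
            alerts.append({"device_id": dev, "date": day, "reasons": reasons})
    return alerts


def usage_alerts(text=USAGE_LOG):
    """Parse the export and return the list of devices to investigate."""
    return flag_anomalies(parse_usage(text))


if __name__ == "__main__":
    for alert in usage_alerts():
        print(alert)
```

Using the median rather than the mean keeps one earlier spike from inflating the baseline, and the minimum-history rule keeps newly enrolled devices from producing alerts until there is something to compare against; in practice the factors would be tuned per segment (a sales role legitimately sends more SMS than a back-office one).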
Tactics to Share (Not Gain) Control
• Consumerisation is not a uni-directional highway
  • Successful BYOD is a true win-win
  • Shared accountability
• Make (sustainable) choices
  • No strategy, no hope for control
  • Segmentation is key
    • Trust, liability, users, approved devices and applications, data management
  • Cross-discipline buy-in
  • One approach (aka PC) will not fly
  • Security enforcement consistency across segments
• Know what employees need now vs. next year
  • Guide business leaders
  • Revisit application architectures & tools
    • Thinner = lower cost and more device neutral
• BYOD benefits
  • Innovation, employee satisfaction, and cost optimization
Questions and Contacts
Troy Fulton
Director Product Marketing
Tangoe
203.859.9300
www.tangoe.com