
BYOD risk management best practices


You already know BYOD is here to stay. How can you give employees the flexibility they demand? Prevent BYOD from becoming BYOT (threat)? Ensure a uniform trust model for device provisioning? Mitigate the risks for applications, network access and data security? This webinar provides a policy framework for BYOD enablement:

• Risk and vulnerability assessment
• Security and access policies
• Key success factors
• Trigger response policies
• Prevent data loss at both the application and device level
• Shared device security policies
• Options for achieving your security requirements and end-user expectations


© 2013 Tangoe, Inc.

BYOD Risk Management Best Practices

Presented by:

Troy Fulton, Director, Product Marketing

May 22 & 23, 2013


Today’s Speaker


Troy Fulton

Director, Product Marketing

• 20+ years in high-tech and communications devices
• Senior product marketing and management positions with global corporations including Motorola Mobility, Nokia, and Compaq
• MBA from The College of William and Mary; BA from Boston College


Agenda

• BYOD Trends

• Concerns and Risks

• Segmentation

• Mistakes to avoid

• Security and Access Management

• Best Practices

• Critical Success Factors

• Shared Control


A Radical Shift is Occurring



Gartner: The BYO Trend is Clear


• Over 60% of employees report using a personal device for work
• US and APAC lead, EU lags
• 2/3 of consumers report that work influences what they buy for personal devices
• By 2015, emphasis will shift toward cost-reduction through mandatory BYO programs
• PC BYOD lags smartphones and tablets (<8% of companies) but will accelerate in 2014+


Concerns and Risks

• Not surprising drivers and concerns
  • 55%: employee satisfaction = productivity (Source: Information Security Group survey 4/2013)
  • 54%: need for increased employee mobility
  • 51%: increased employee productivity
  • Favorite devices: iOS (72%), followed by Android, Blackberry, Microsoft
• Concerns
  • 70% stated security as top criteria for success
  • Loss of company or client data, unauthorized access and malware infections
  • Lack the resources necessary to address security concerns
  • 33% stated they do not have even a basic BYOD policy in place
  • 78% of security professionals believe BYOD is a significant risk (Source: Frost and Sullivan)
• Unknown level of exposure
  • Where is our data?
  • Who has access to what resources?
  • Who else has, or could have, access to our data and resources?
• Is BYOD strategic?


Segment Employees and Security Profiles

Under the Radar
• Employee owned device without corporate support or awareness
• No trust, no access

Minimal BYOD
• Employee owned device with usage policy enforcement for selected applications and data
• Event trigger-based policy enforcement
• Minimal access / trust
• No support

Formal BYOD
• IT approved device
• Senior execs and knowledge workers to replace corporate-supplied devices and/or protect strategic IP and data
• Event trigger-based policy enforcement
• Full network access
• Strong authentication
• Minimal support
• MDM client required

Corporate Liable
• Corporate supplied device and formal processes to enforce compliance respective to role and location
• Fully trusted
• Event trigger-based policy enforcement
• Full network access
• Strong authentication
• Full support
• IT approved device
• MDM client required


From “Under the Radar” to “Over the Dam”

• No management results in BYOD happening without you
  • Easy to connect into company systems and store business data
  • No identification, tracking or management
• Microsoft EAS does not help
  • Does not identify and remediate a jailbroken or rooted device
  • No enforcement of device, OS or app version controls
• “Free and easy” was not tolerated for company or personal laptops
• In the real world…
  • Easy for devices to connect to company systems – no alerts
  • No lifecycle management
    • Apps, data, and network access credentials are not removed
    • Unmanaged (unknown) devices remain fully active until passwords expire
• Best practices:
  • No access to email, LAN, VPN, Wi-Fi or other services without authentication
  • Users are limited to 2 devices


Getting Started: Policy Strategy Questions

• Who qualifies?
• What devices are allowed?
• Who buys/owns the device?
• What service expenses will be covered, and how?
• What is supported, at what level?
• What does the employee have to do?
  • Enterprise security, data usage and privacy restrictions
  • Employee privacy issues
  • Labor implications of after-hours support
  • Liability issues (E-discovery)
  • Limitations on reimbursement (what is the strategy?)
  • Penalties for noncompliance (and enforcement?)
  • Data and phone number transition at termination
• Support policies and liability issues must be reviewed by the corporate legal department, the executive board, HR and business unit managers.


Minimal Acceptable Usage Policy Guidelines

• All devices
  • Device will lock your account after 10 failed login attempts
  • Device will lock every 30 minutes, requiring reentry of your password
  • Password rotation every 90 days with minimal strength
  • Remote wipe:
    • Lose the device; terminate employment; IT detects data or policy breach or virus
  • Minimum device level: iPhone 4, iOS 5.0x, Android 3.x
  • Company-administered MDM
  • No jailbreak & no rooting policies
  • Certificates for any and all access: email, apps, networks
  • Application and data encryption at all times
• Personal devices
  • Limit device enrollments at company discretion
  • Filter sensitive data at company discretion
  • Accept company lock/wipe decisions
  • Require end-user acceptable-use policy agreement
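The guidelines above read as a checklist, but an MDM evaluates them as a posture check against each device's inventory record. The Python below is an added example of that check, not Tangoe's code or any vendor's API: the thresholds (10 failed attempts, 30-minute lock, 90-day rotation, iOS 5.0 / Android 3.0 minimums) are the slide's own numbers, while the `DevicePosture` field names and the two sample devices are constructed assumptions.

```python
"""Device posture check against the minimum acceptable-use guidelines.
Added example (not Tangoe's code); posture fields are assumptions,
thresholds are the slide's numbers."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_FAILED_ATTEMPTS = 10          # lock the account after 10 failed logins
MAX_AUTOLOCK_MINUTES = 30         # device must lock at least every 30 minutes
MAX_PASSWORD_AGE_DAYS = 90        # rotate the password every 90 days
MIN_OS_VERSION = {"ios": (5, 0), "android": (3, 0)}   # iOS 5.0x, Android 3.x


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.1' into (5, 0, 1); a non-numeric suffix such as '-r1' is ignored."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class DevicePosture:
    """Constructed inventory record for one device (field names are assumptions)."""
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: str
    mdm_enrolled: bool
    jailbroken_or_rooted: bool
    passcode_set: bool
    failed_attempt_limit: int     # 0 means no limit is configured
    autolock_minutes: int         # 0 means the device never locks
    password_age_days: int
    storage_encrypted: bool
    cert_based_auth: bool         # certificates for email, apps and networks


def evaluate(device: DevicePosture) -> List[str]:
    """Return the guidelines this device violates; an empty list means compliant."""
    violations: List[str] = []
    if not device.mdm_enrolled:
        violations.append("not enrolled in company-administered MDM")
    if device.jailbroken_or_rooted:
        violations.append("jailbroken or rooted")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        violations.append(f"platform {device.platform!r} is not an approved platform")
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        violations.append(f"{device.platform} {device.os_version} is below minimum {wanted}")
    if not device.passcode_set:
        violations.append("no passcode set")
    if device.failed_attempt_limit == 0 or device.failed_attempt_limit > MAX_FAILED_ATTEMPTS:
        violations.append(f"failed-attempt lock must trigger within {MAX_FAILED_ATTEMPTS} tries")
    if device.autolock_minutes == 0 or device.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        violations.append(f"auto-lock must occur within {MAX_AUTOLOCK_MINUTES} minutes")
    if device.password_age_days > MAX_PASSWORD_AGE_DAYS:
        violations.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
    if not device.storage_encrypted:
        violations.append("application and data encryption not enabled")
    if not device.cert_based_auth:
        violations.append("access not certificate-based")
    return violations


def evaluate_fleet(devices: List[DevicePosture]) -> Dict[str, List[str]]:
    """Map each non-compliant device id to its violations; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        problems = evaluate(device)
        if problems:
            report[device.device_id] = problems
    return report


# Constructed sample inventory: one compliant iPad, one badly out-of-policy Android.
SAMPLE_FLEET = [
    DevicePosture("ipad-0042", "ios", "6.1.3", True, False, True, 10, 15, 30, True, True),
    DevicePosture("droid-0117", "android", "2.3.6", True, True, True, 0, 0, 120, False, False),
]

if __name__ == "__main__":
    for device_id, problems in evaluate_fleet(SAMPLE_FLEET).items():
        print(device_id)
        for problem in problems:
            print("  -", problem)
```

Each violation string is a distinct guideline, so the same list can feed a user notification, an admin alert, or the trigger-based responses discussed later in the deck without re-deriving the check.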


Mistakes to Avoid: Inconsistent Security Policies

• Focus on business requirements first and devices second
  • Policy gaps are the origins of most mobile security failures
  • Determine approved platform options for BYOD
  • Get cross-departmental buy-in
• Business information requirements may be overly broad and difficult to fulfill across mobile platforms
  • Security policies need to account for OS limitations
  • Adapt data and application policies accordingly, and document your policies
• All mobile devices are work platforms, irrespective of liability model
  • Anticipate that mobile work platform loss could result in a data breach event
    • May require disclosure
  • Know and track your device, application, and data inventory


Mistakes to Avoid: Data Leakage

• DLP has low visibility
  • Security managers report these events tend to be ignored by decision makers
• Pervasive data fragmentation
  • Send, save and mingle
  • Difficult to trace or audit
  • Consider data container solutions
    • Options range from email encryption to content management
    • Prioritize based on employee role, data sensitivity and access method
• Unsafe device sharing
  • Tablets for business will end up playing “Barney” reruns or sports research at a BBQ
  • Built-in (and reliable) biometric security…not on the immediate horizon
• Lost devices…be proactive
• Mitigate risks
  • Strong authentication for connectivity
  • Credentials that expire after a period of time
  • Dual persona containerization


Mistakes to Avoid: Click First, Worry Later

• Applications want your data
  • iOS and Android apps are designed to be sandboxed
  • End-users are not aware of risks from apps obtaining data from other apps
    • Includes: contacts, location (current and history), Facebook friends, purchases
    • Data is tracked and sold
  • Example: unapproved email application obtains login credentials
• Malware
  • iOS has low risk
  • Android has experienced more malware incidents
• Best practices
  • App AUPs for employee devices
  • Control limits of app installation on iOS and Android vs. Windows and Blackberry
  • Mitigate on the device via containerization or virtualization
  • Protect network resources via web application firewall
• Android has unique risks
  • Unapproved OS versions available
  • Applications from unofficial sources


BYOD Security and Access Best Practices

• Mobility is not a traditional IT silo
  • Cross-functional governance
  • Core team: business, apps, I&O, policy
  • Create semi-annual strategy
  • Report to CIO
  • IT governance council includes mobile
• Automated trigger-based responses
  • Out of compliance real time monitoring
  • Notifications and alerts
  • Feature and function changes
• Out of compliance
  • Device OS is out of date
  • No password = no encryption
  • Applications requiring a patch
  • Jailbroken and rooted detection
• Baseline access to resources
  • Liability model and AUPs
  • Audit installed apps for non-compliance
  • Perform background app inventory analysis
• Risk management
  • Process for compliance enforcement
  • Work across organizational structure
  • Define use cases and app strategy
• Pitfalls to avoid
  • Approaching mobility as tactical and not strategic
  • Choosing technology first
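"Automated trigger-based responses" means the four out-of-compliance conditions above are wired to graded actions: an alert first, then feature and function changes if the device stays out of compliance. The Python below is an added example of that decision logic, not Tangoe's code or a description of any product's compliance engine. The response matrix, the grace periods (none for a jailbroken or passcode-less device, 7 and 14 days for stale OS and unpatched apps) and the action strings are constructed assumptions; a real MDM exposes equivalents as configurable compliance actions.

```python
"""Trigger-based response for the slide's four out-of-compliance conditions.
Added example (not Tangoe's code); grace periods, restricted features and
action strings are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed response matrix.  grace None = act immediately; otherwise notify
# first and only change features once the device has stayed out of compliance
# for the whole grace period.
RESPONSE_POLICY: Dict[str, dict] = {
    "jailbroken_or_rooted": {"grace": None, "restrict": ["email", "vpn", "wifi", "corp_apps"]},
    "no_passcode": {"grace": None, "restrict": ["email", "vpn", "wifi"]},  # no password = no encryption
    "os_out_of_date": {"grace": timedelta(days=7), "restrict": ["vpn", "wifi"]},
    "app_patch_required": {"grace": timedelta(days=14), "restrict": ["corp_apps"]},
}


@dataclass
class ComplianceEvent:
    """One device/trigger pair as reported by the compliance monitor."""
    device_id: str
    trigger: str
    first_seen: datetime
    notified: bool = False        # set once the user/admin alert has gone out
    restricted: bool = False      # set once feature changes have been applied


def respond(event: ComplianceEvent, now: datetime) -> List[str]:
    """Decide the new actions for one event at time `now`.
    Returns 'notify:<dev>:<trigger>' and/or 'restrict:<dev>:<feature>' strings;
    an empty list means nothing new to do this cycle."""
    policy = RESPONSE_POLICY.get(event.trigger)
    if policy is None:
        # An unknown trigger must never be silently dropped.
        return [f"alert:{event.device_id}:unknown-trigger:{event.trigger}"]
    actions: List[str] = []
    if not event.notified:
        actions.append(f"notify:{event.device_id}:{event.trigger}")
        event.notified = True
    grace: Optional[timedelta] = policy["grace"]
    past_grace = grace is None or now - event.first_seen >= grace
    if past_grace and not event.restricted:
        actions.extend(f"restrict:{event.device_id}:{feature}" for feature in policy["restrict"])
        event.restricted = True
    return actions


def restore(event: ComplianceEvent) -> List[str]:
    """Reverse the feature changes once the device is back in compliance."""
    if not event.restricted:
        return []
    policy = RESPONSE_POLICY[event.trigger]
    event.restricted = False
    return [f"restore:{event.device_id}:{feature}" for feature in policy["restrict"]]


def run_cycle(events: List[ComplianceEvent], now: datetime) -> Dict[str, List[str]]:
    """One monitoring pass: device id -> actions taken this cycle (empty lists omitted)."""
    result: Dict[str, List[str]] = {}
    for event in events:
        actions = respond(event, now)
        if actions:
            result.setdefault(event.device_id, []).extend(actions)
    return result


# Constructed sample: the webinar date is used as "now".
NOW = datetime(2013, 5, 22, 9, 0)
SAMPLE_EVENTS = [
    ComplianceEvent("ipad-0042", "jailbroken_or_rooted", NOW),
    ComplianceEvent("droid-0117", "os_out_of_date", NOW - timedelta(days=2)),
    ComplianceEvent("droid-0200", "app_patch_required", NOW - timedelta(days=20)),
]

if __name__ == "__main__":
    for device_id, actions in run_cycle(SAMPLE_EVENTS, NOW).items():
        print(device_id, "->", ", ".join(actions))
```

Keeping `notified` and `restricted` on the event makes repeated monitoring passes idempotent: a device two days into its OS grace period gets exactly one notification and nothing else until the period lapses, while a jailbroken device loses its corporate profiles in the same pass that raises the alert.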

BYOD Security and Access Critical Success Factors

• Create an access baseline
  • Determine who has access
  • Identify access control gaps
  • Tie access controls to environment
  • Segregate access by role and liability model
  • Best practice: what works best for your company
  • Check applicable regulations
• Policy of “least access”
  • Regulators want the doctrine of “least privilege” applied
  • Enable specific security roles to enforce security and access management policies
• Automate device provisioning
  • Pre-configure AUP liability models
  • Integrate with TEM procurement
• Terminate unused accounts
  • Prevent access to resources
  • Consider a device recycle program
• Proactively monitor for unusual activity
  • Monitor high volume of SMS or data
  • Control remote access to apps and databases
• Mobility and cloud computing expand the enterprise operational perimeter
  • NAC is becoming a baseline requirement
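Two of the success factors above, terminating unused accounts and monitoring for high SMS or data volume, are routine jobs over MDM check-in and carrier usage records. The Python below is an added example of both checks, not Tangoe's code: the 30-day stale cut-off, the 5x spike factor, the absolute floors and all of the check-in dates and usage figures are constructed assumptions, chosen only to show the logic on realistic-looking input.

```python
"""Lifecycle and activity monitoring for enrolled devices.
Added example (not Tangoe's code); thresholds and sample data are assumptions."""
from datetime import date, timedelta
from statistics import median
from typing import Dict, List

STALE_AFTER_DAYS = 30                       # assumption: no check-in for 30 days = unused
SPIKE_FACTOR = 5.0                          # assumption: flag a day above 5x the device's own median
MIN_ABSOLUTE = {"sms": 50, "data_mb": 500}  # assumption: ignore spikes that are small in absolute terms
BASELINE_DAYS = 7                           # need a week of history before judging a device


def find_stale_devices(last_checkin: Dict[str, date], today: date) -> List[str]:
    """Devices with no MDM check-in within STALE_AFTER_DAYS: candidates for revoking
    credentials and removing corporate apps and data ('terminate unused accounts')."""
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    return sorted(dev for dev, seen in last_checkin.items() if seen < cutoff)


def find_usage_spikes(history: Dict[str, List[int]], metric: str) -> Dict[str, float]:
    """history maps device -> daily volumes, oldest first, last entry = today.
    Returns device -> ratio of today's volume to that device's median baseline for
    every device whose day is both large in absolute terms and far above its own
    normal.  Per-device baselines avoid flagging a heavy but consistent user."""
    spikes: Dict[str, float] = {}
    floor = MIN_ABSOLUTE[metric]
    for dev, series in history.items():
        if len(series) < BASELINE_DAYS + 1:
            continue                          # not enough history for a baseline
        baseline, today_vol = series[:-1], series[-1]
        base = max(median(baseline), 1)       # avoid division by zero for idle devices
        if today_vol >= floor and today_vol > SPIKE_FACTOR * base:
            spikes[dev] = round(today_vol / base, 1)
    return spikes


# Constructed sample data, dated around the webinar.
TODAY = date(2013, 5, 22)
LAST_CHECKIN = {
    "ipad-0042": date(2013, 5, 20),   # active
    "droid-0117": date(2013, 3, 1),   # silent for months
    "wp-0007": date(2013, 4, 22),     # exactly 30 days: not yet stale
}
SMS_HISTORY = {
    "ipad-0042": [8, 12, 10, 9, 11, 10, 10, 400],     # sudden burst
    "droid-0117": [20, 25, 18, 22, 19, 21, 20, 24],   # steady
    "new-0300": [0, 5, 60],                           # too little history
}
DATA_MB_HISTORY = {
    "ipad-0042": [100, 120, 90, 110, 100, 95, 105, 200],   # double, but below the floor
    "droid-0117": [50, 40, 60, 55, 45, 50, 50, 3000],      # 60x normal
}

if __name__ == "__main__":
    print("stale:", find_stale_devices(LAST_CHECKIN, TODAY))
    print("sms spikes:", find_usage_spikes(SMS_HISTORY, "sms"))
    print("data spikes:", find_usage_spikes(DATA_MB_HISTORY, "data_mb"))
```

The output of either check is a candidate list for review, not an automatic wipe: a stale device may simply be a spare in a drawer, and a data spike may be a legitimate video conference, so the decision belongs in the trigger-response process rather than in the detector.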


Tactics to Share (Not Gain) Control

• Consumerisation is not a one-way highway
  • Successful BYOD is a true win-win
  • Shared accountability
• Make (sustainable) choices
  • No strategy, no hope for control
  • Segmentation is key
    • Trust, liability, users, approved devices and applications, data management
  • Cross-discipline buy-in
  • One approach (aka PC) will not fly
  • Security enforcement consistency across segments
• Know what employees need now vs. next year
  • Guide business leaders
  • Revisit application architectures & tools
    • Thinner = lower cost and more device neutral
• BYOD benefits
  • Innovation, employee satisfaction, and cost optimization


Questions and Contacts

Troy Fulton

Director Product Marketing


Tangoe

203.859.9300


www.tangoe.com