BYOD in practice KPMG case study 13 March 2013


© 2013 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Agenda

BYOD – why?

Business Case for Mobile devices

Implications

Challenges

Summary and lessons learnt

Aurelia Costache

CIO KPMG Romania

Tel: + 40 744 655 830


BYOD – Why?

Trend or necessity?


Global telecom sector: An overview

[Figure: Global wireless subscriber base and net additions (Q1 2012). Source: Ericsson; Informa Research]

6.2 billion total mobile subscriptions as of March 2012

170 million net additions in the first quarter ending March 2012

Global Mobile Services Revenues (US$ billion)

2010: 966 (Voice 74%, Data 26%)

2011: 1,014 (Voice 71%, Data 29%)

2012F: 1,054 (Voice 68%, Data 32%)

2013F: 1,087 (Voice 65%, Data 35%)

2014F: 1,114 (Voice 63%, Data 37%)

Growing subscriber base: mobile subscriptions at 6.2 billion in Q1 2012 (~87 percent penetration); adjusted active subscriptions 4.2 billion

Sharp decline in revenue growth – down from double-digit increases between 2005 and 2008 to just 5 percent in 2011

■ Mobile service revenue to grow at CAGR 3.2 percent during 2011-14

■ Data to drive revenue growth – CAGR 12.3 percent during 2011-14, only partly offsetting the decline of voice revenues


BYOD – What’s the buzz?

History

Blackberry served the corporate world

As of 2007, major growth in the market share of smartphones (iPhone, Android)

Recent years

Explosion of smartphone penetration

Emergence of tablets

Corporate and private phones get mixed:

“Bring your own device”

Main Drivers

Intuitive/Usable interface

Internet/cloud integration

Affordable pricing

November 2012 U.S. Mobile Subscriber Market Share (Source: comScore MobiLens)

Android: 54%

iOS: 35%

BB: 7%

Microsoft: 3%

Symbian: 1%


BYOD in KPMG

Business Case


The Business Case

Main elements

Analysis of national and roaming traffic data

Estimation of new traffic requirements for BYOD (national and roaming)

The fleet in use was almost 2 years old and its replacement had to be planned

CAPEX is lower (fewer devices acquired by KPMG)

OPEX is higher (more admin staff to support the new users, MDM licenses, additional traffic)

KPMG people (they can select the smartphone they want)

Staff need for mobility (business efficiency by accessing KPMG resources on mobile devices)


BYOD in KPMG

Implications


Implications – Broader than expected

Implications

KPMG Global Standards

Technology

Security

Legal

Data Privacy


KPMG Global Standards, Technology and Security

Main concerns

Ensure the necessary security features to protect corporate data and prevent data loss, as well as comply with KPMG Global Standards – Security Requirements for Mobile Devices.

How will these security features be deployed?

What happens when a device is lost or stolen?

What happens when the wrong PIN / password is entered too many times?

What happens when a device is infected with malware?

What happens with the data saved to local backup or iCloud?

KPMG Approach

KPMG limited the BYOD program to the main OS on the market, Android and iOS, and implemented dedicated MDM solutions:

GOOD for Android

FAMOC for iOS


Legal and Data Privacy

Main concerns

MDM features may include activity monitoring, tracking, and remote lock & wipe.

Employees must give explicit and fully-informed consent for any organization to access and process their personal data.

Employee consent is also required should a business wish to install an MDM application on their device.

KPMG Approach

KPMG implemented a BYOD policy that:

• addresses the above concerns

• was formally communicated to and acknowledged by all participants.

Policy configurations enforced using the MDM were carefully reviewed to ensure compliance with legal and Data Privacy requirements.


BYOD in KPMG

Challenges


BYOD – Challenges

Security testing phase

...included the MDM solution’s Internet-facing components as well as the client application installed on mobile devices:

1. Application security testing (web-specific attacks, application logic attacks)

• Testing the network communication between clients and server

• Data encryption / protection

• MITM, spoofing, etc.

2. Testing the client application (agent)

• Jailbreak

• Policy bypassing

• Local data storage / recovery

• Static application analysis, etc.

Vulnerabilities identified

...for all components of the solution:

for the web applications’ front-end interface

for the client installed on smartphones

operational / functional vulnerabilities (e.g. the application did not detect that a phone is subject to jailbreak)

Operational challenges

Complete testing & configuring of the MDM solutions

Plan the enrollment: centralize all requests through the service desk application, increase in data traffic

Enroll all devices at the same time: activate the data services, install the MDM application on the device, configure the user account on the email server and synchronize the KPMG data account.


BYOD in KPMG

Summary & lessons learnt


Summary of BYOD in KPMG Romania

Summary of 2012 BYOD program allowing employees to use their own smart phones to access relevant corporate data:

In the past...

Around 150 BB used by Managers and above

Mainly used for corporate email access

Cloud based services (private cloud)

Expensive solution, especially in roaming

Drivers for change

Proliferation of smart devices

KPMG people

Need for mobility

Cost management

Today

260 smart devices (phones and tablets) activated

Traffic volume increased by 30%, costs reduced by 10%

After a 6-month review, the business case was confirmed

Legal and Data Privacy aspects considered and formalized in a BYOD policy

MDM solution implemented but processes are complex and need time to stabilize

Initiative well received by KPMG staff (user satisfaction increased)

Behavior changed (efficiency & innovation)

iPhone 4S: 35%

iPad: 11%

Samsung Galaxy SII: 50%

Samsung Tab 10.1: 2%

Other (Android): 1%


Lessons learnt

Enrolling mobile devices results in new risks

Broader than expected, e.g. legal, technology, integration, backups

Security controls work differently on mobile devices

Technical Solutions

Different security architectures to reduce risks of mobile devices

No technical solution fixes it all, mitigate risks by people, processes and technology

How to continue

Perform risk assessment before implementation

Consult with relevant experts

Implement security controls for people, process and technology

Test effectiveness of security controls

Stay up-to-date with recent developments

Structured approach, phase by phase

Unexpectedly well received by users!


© 2013 KPMG Romania, a Romanian member firm and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”).