BYOD @ Cisco
David Bell
Cisco InfoSec
October 7th, 2014
Cisco Secure 2014
Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
Introductions
Changing landscape(s)
Trusted Device
Differentiated Network Access
Welcome
Introductions
Project Manager – Cisco InfoSec (Architecture Team)
Work scope focused on Cisco IT infrastructure projects
Sometimes projects from InfoSec
Most times from IT (or through IT from sales, engineering, services, etc)
Role focused on driving security initiatives through IT partnership
Ensure InfoSec requirements are included in non-InfoSec projects
Align InfoSec priorities with the changing IT landscape
Balance security goals w/ the experience and features IT desire
[email protected] http://www.linkedin.com/in/llebevad
David Bell
Reports to our Chief Operating Officer (COO)
Generally* doesn’t operate security infrastructure
Major organizations:
Architecture (BYOD aligns here)
Data Governance
Hosted Services – WebEx, Cisco Web Security, IronPort, Cisco Cloud Services
Incident Response
PKI
Security Operations – Audit, PenTest, Assessments, Service Mgmt
Cisco InfoSec
Cisco Systems
• Worldwide leader in networking for the Internet
• Founded in 1984
• $108+ billion market capitalization
• $46+ billion cash/cash equivalents
• $5.8 billion a year in R&D
• 140+ acquisitions
• 650+ active suppliers
• 86% of products distributed via channel
• 100,000+ employees and contractors
• 24,000+ engineers in 1800+ labs worldwide
• 8,000+ patents issued to Cisco inventors
• Global presence in 165 countries
Best in the World, Best for the World
Changing Landscapes
Cisco IT – AnyDevice Growth
2003-2008
Corporate-Paid Devices
Good Mobile
Windows XP
2009
Mobile BYOD Mandate
Mobile Mail and Wi-Fi on iPhone, BlackBerry, Android, etc.
MacBook Pro
2010-2011
Tablet Support
AnyConnect on Trusted Devices
WebEx and Jabber
2012
Cisco AppStores
MacBook Air
Mobile Apps
Desktop Optimization and Go Native Strategy
2013+
Pilot for non-Cisco laptops
eStore for mobile
Cloud Services
Chart: Cisco mobile devices, +61% in 2 years
Cisco IT – AnyDevice Management
IT Client Environment
Desktop Apps, Mobile Apps, Responsive Web
Trusted Cloud, Public Cloud
EDM & Search
Corporate PC, Mobile devices, Hybrid devices, New Appliances, Wearables
Software, Hardware, eStore, Support
Cloud Connectors
Goals:
Cloud services and native apps
Secure access to files stored in the Cloud
Multiple Devices (Corporate & BYOD)
Simplified device on-boarding & refresh
Simplified & optimized device experience
Seamless transition between devices
Personalised & proactive support
Silent security that follows the user
Untrusted Devices
Untrusted Apps & Services
Security: Personalisation, Identity, Compliance, Trusted Device, Data Protection, Management, Anti-malware
Support: Help Desk, Proactive Support, Self Support, Training & FAQ’s
Connectivity: Wired & wireless
Cost management
Apps
DaaS
The Culture Has Changed, and So Must Our Approach
Perspectives about security have changed
It’s a roadblock → It enables the business
It’s not my problem → Everyone needs to own security
Technology metamorphoses
Disjointed point solutions → Integrated architectural play
Physical infrastructure (slow to change) → Virtual infrastructure (flexible, dynamic, change-ready)
The office contains all my stuff → My mobile devices are my office (Data, Apps, Voice, Video)
Architecture approach has changed
Perimeters as the control point → Identity is the new perimeter
Focus on protecting the infrastructure → Focus on protecting the data
Capabilities not tightly aligned → Services, Service Categories, Service Offerings
The threats have changed
Individuals → Organized criminals/hacktivists
Disparate groups → Nation State
Capture individual users’ data → Gain access to your Data (and your customer’s data)
What are the threats for the endpoints?
• Phishing and Data Exfiltration
• Network attacks
• Malware/Exploits (RansomWare: Cryptolocker)
• Advanced Persistent Threats (APTs) - Foreign threats that are highly targeted and financially motivated to retrieve intellectual property.
• Lost/Stolen Device
How are they addressed
• Data Protection: Encryption (Lost/Stolen desktops)
• Known Threats: VirusScan (file scanning)
• Unknown Threats/Exploits: HIPS (IPS/behaviour scanning + Firewall)
• Global Threat Intelligence: Cloud-based protection
Security Models
Trusted Device components
Defense in Depth components
Device Security Landscape
1. Extend Full Security Capabilities Cross-Platform, Mobile, and Cloud
2. Shift to proactive defense against most dangerous attack vectors
3. Drive Adoption and Enforcement of new capabilities
4. Evolve Sec Ops Risk and Problem Management
Word cloud (figure): Collaboration, Mobility, Legal, Local Laws, Cost Management, Internet of Everything, User Experience, Identity, Data Protection, Biometrics, Interoperability, Business need?, Passwords, Data Sovereignty, Cloud Consumption, Public, Hybrid, On the platform, In the app, Left behind, New Platforms, Chasing the endpoint, IPV6, Parity, Simple, Privacy, Attacks, Private, Nation State, Organized Crime, Targeted, Hacktivist, Drive by, Seamless, Role Based
Trusted Device
Policy
Physical Security
Network Security
Computer Hardening
Application Security
Data Security
Computer Hardening: Antivirus software, Host Intrusion-Prevention System (HIPS), Encryption, Firewall, Minimum OS, Software Patching, PW and Screen-Lock, Device Registration and Inventory, Remote Wipe
Policy: the InfoSec Trusted Device Policy is the set of security capabilities, by platform, required to access the corporate network.
Device Access Hardening: Change Management, Dual Authentication, and Restrictive Access
Code of Business Conduct
Corporate Information
Security Policies
Network Access Policy
Trusted Device Standard
Policy Hierarchy
COBC: “I agree to comply with InfoSec Policy”
InfoSec Policy: “Network Access defines rules for accessing Corporate resources”
Network Access: “Only devices meeting Trusted Device will be allowed to access Corporate resources”
Trusted Device: “All devices must have these security controls in place”
Device Registration
Anti-Malware
Encryption (Cisco Data)
Minimum OS
Software Patching
Rooted Device Detection *
Remote wipe (Cisco Data) *
Password/Screen-lock Enforcement
Hardware/Software Inventory
* Mobile device only
Policy: Trusted Device Requirements
Fragmented solutions are complex to manage for both Operations and User Experience
Extending Security Capabilities and support to multiple Platforms
Managed base security requirements and focused on main platforms
Add hardened security capabilities: Device Posture, DLP, and Forensics
Leverage a Go Native Strategy to improve User Experience
Maintain Native strategy AND leverage Cisco Tools
Extending Security Capabilities and support to multiple Platforms
Enabled base security requirements and focused on main platforms
Leverage a Go Native Strategy to improve User Experience
Encryption
Device Naming
10 min PIN / Screenlock
Altiris Script
Inventory + Patching
Then: Minimum Access Policy (Policy aligns to user demand, minimal requirements)
AntiMalware: McAfee AV + HIPS
Encryption + Device Naming + PIN + Inventory + Patch Management + Remote Wipe + Minimum OS
Native Controls + DM: SCCM/Casper/Afaria
Posture + Differentiated Ntwk Access: ISE
Data Loss Protection: Symantec
Encryption + Device Naming + PIN + Inventory + Patch Management + Remote Wipe + Minimum OS
SCCM/Casper/Afaria
Trusted Device: Go Native. Scale access and services cross platform.
Antivirus + Forensics: SourceFire + CWS
AntiMalware: CSA HIPS
AntiMalware
Timeline: Then → Today (FY13) → FY14 → FY15/16
Browser Hardening
Trusted Device + Network Enforcement: Access based on device posture leveraging Cisco TrustSec
Trusted Device Quadrants
Trusted Managed (Cisco Managed)
• Full Network Access
• Cisco, Employee or 3rd party owned
• Corporate Policy Applied
• Device Management
• Cisco Confidential Access
Trusted Unmanaged (Non-Cisco Managed)
• Full Network Access
• Cisco, Employee or 3rd party owned
• Corporate Policy Applied
• Self \ Partner Managed
• Cisco Confidential Access
Untrusted Managed
• Remediation Required, e.g. out of date DAT's, patches
Untrusted Unmanaged (Internet Only)
• Internet \ Public Cloud Only
• Virtualization for Confidential
• Extranet, Vendor
Network Access
Covers all devices – personal, Corporate, partner
PCs and Infrastructure
From anywhere – on-campus, remote, wired/wireless, partner sites
Right to Audit and Monitor
References requirement to meet the Trusted Device Standard
“Devices that fail to comply are not entitled to full access to the network and may receive only limited network access”
Policy: Network Access
IT will deliver multiple capabilities with ISE
Access Control: Authentication on wired & wireless networks
BYOD: Support Trusted Device Standard and enable BYOD
Profiling: Ability to identify users and devices on our network
Endpoint Protection: Protect the network from infected devices
Guest Access: Restrict unauthorized devices & users to Internet access only
Policy Decision Point (diagram)
Access tiers: Internet Only Access; Full access, no restrictions; Limited Access
Manager: Corporate Owned, Trusted devices
IT Analyst: Employee owned, Untrusted devices, at Starbucks
Engineer/Coder: Employee owned, Semi-trusted devices
Access Model
Only Trusted devices will have direct access to the core network
Untrusted devices will be limited to the Internet Only Network or Public Cloud
Different services will be enabled at each layer depending on security requirements
If required, Untrusted devices can access the Core network by using a VXI session or virtualized applications
Diagram: Trusted Devices → Core Network; Untrusted Devices → Internet Only Network, Public Cloud
Trusted Device and Differentiated Access thru Cisco ISE
Diagram: Core Network, Internet Only Network, Public Cloud; Trusted Devices, Trusted Applications
Differentiated Network Access: Access based on device posture leveraging Cisco ISE
Trusted Device: More controls needed to scale access and services
Remote Wipe (Cisco Data)
Anti-Malware
Encryption (Cisco Data)
Minimum OS
Software Patching
Rooted Device Detection (Mobile Devices Only)
Device Registration
Password/Screen-lock Enforcement
Hardware/Software Inventory
Tiered
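The posture controls listed above, the Trusted Device Quadrants (Trusted/Untrusted × Managed/Unmanaged) and the Core / Internet Only access tiers from the Access Model slide can be written down as a small policy decision point. The Python below is an added example for this page, not Cisco's or ISE's code: the control names come from the slides, but the thresholds (minimum OS versions, a 30-day patch age, a 10-minute screen lock), the DevicePosture fields and the three sample devices are assumptions constructed for the example.

```python
# Added example, not part of the Cisco deck: a toy policy decision point that
# checks a device's reported posture against the Trusted Device requirements
# named in the slides and maps the result onto the Trusted/Untrusted x
# Managed/Unmanaged quadrants and the Core / Remediation / Internet Only tiers.
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy thresholds (the deck names the controls but not the values).
MIN_OS_VERSION = {"laptop": (10, 9), "mobile": (7, 0)}
MAX_PATCH_AGE_DAYS = 30
MAX_SCREEN_LOCK_MINUTES = 10  # the deck's "10 min PIN / Screenlock"


@dataclass
class DevicePosture:
    """Attributes a posture agent or MDM would report for one device (constructed fields)."""
    name: str
    platform: str                      # "laptop" or "mobile"
    managed: bool                      # enrolled in corporate device management
    registered: bool                   # Device Registration
    anti_malware_current: bool         # Anti-Malware present with current DAT files
    encrypted: bool                    # Encryption (Cisco data)
    os_version: tuple                  # compared against Minimum OS
    patch_age_days: int                # Software Patching
    screen_lock_minutes: Optional[int] # Password/Screen-lock Enforcement (None = no lock)
    inventory_reported: bool           # Hardware/Software Inventory
    rooted: bool = False               # Rooted Device Detection (mobile only)
    remote_wipe_enabled: bool = True   # Remote Wipe (mobile only)


def failed_controls(d: DevicePosture) -> List[str]:
    """Return the Trusted Device controls the device does not satisfy (empty list = trusted)."""
    failures = []
    if not d.registered:
        failures.append("device registration")
    if not d.anti_malware_current:
        failures.append("anti-malware / out-of-date DAT files")
    if not d.encrypted:
        failures.append("encryption")
    if d.os_version < MIN_OS_VERSION[d.platform]:
        failures.append("minimum OS")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("software patching")
    if d.screen_lock_minutes is None or d.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        failures.append("password/screen-lock enforcement")
    if not d.inventory_reported:
        failures.append("hardware/software inventory")
    if d.platform == "mobile":  # the two mobile-only controls from the deck
        if d.rooted:
            failures.append("rooted device detected")
        if not d.remote_wipe_enabled:
            failures.append("remote wipe")
    return failures


def decide_access(d: DevicePosture) -> dict:
    """Place the device in a quadrant and choose the network tier it is allowed onto."""
    failures = failed_controls(d)
    trusted = not failures
    quadrant = f"{'Trusted' if trusted else 'Untrusted'} {'Managed' if d.managed else 'Unmanaged'}"
    if trusted:
        network, action = "Core Network", "full access"
    elif d.managed:
        # A managed device can be fixed in place: limited access until it complies again.
        network, action = "Remediation (limited access)", "remediate: " + ", ".join(failures)
    else:
        # Unmanaged and non-compliant: Internet / Public Cloud only; Core only via a VXI session.
        network, action = "Internet Only Network", "virtualized session for Cisco Confidential data"
    return {"device": d.name, "quadrant": quadrant, "network": network,
            "action": action, "failed_controls": failures}


# Constructed sample devices: a compliant corporate laptop, a managed laptop that has
# drifted out of compliance, and a rooted, unregistered personal phone.
SAMPLE_DEVICES = [
    DevicePosture("corp-laptop-01", "laptop", managed=True, registered=True,
                  anti_malware_current=True, encrypted=True, os_version=(10, 10),
                  patch_age_days=7, screen_lock_minutes=10, inventory_reported=True),
    DevicePosture("corp-laptop-02", "laptop", managed=True, registered=True,
                  anti_malware_current=False, encrypted=True, os_version=(10, 10),
                  patch_age_days=62, screen_lock_minutes=10, inventory_reported=True),
    DevicePosture("personal-phone", "mobile", managed=False, registered=False,
                  anti_malware_current=True, encrypted=True, os_version=(8, 0),
                  patch_age_days=3, screen_lock_minutes=5, inventory_reported=False,
                  rooted=True),
]


def decide_all(devices=SAMPLE_DEVICES) -> List[dict]:
    return [decide_access(d) for d in devices]


if __name__ == "__main__":
    for result in decide_all():
        print(result)
```

Running the script prints one decision per sample device; the failed-controls list is what a remediation page would show the user. In the architecture the deck describes, the posture attributes would come from the posture agent or MDM, and the tier would be enforced by the network (ISE / TrustSec), not by a script like this.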
“Four Stages of a Secure Network”
1. Profiling
• Identity of a device on the network
• Quantify the risk
2. Authentication
• User and end device attribution
• Identification of end points on Wireless connections
3. Posture
• Device security posture assessment
• Allows for better policy & security decisions
• Reactive control (EPS)
4. Enforcement
• Ability to enforce policy decisions based on context
• Untrusted devices have restricted access
ISE Capability Phasing (FY13/14 → FY14 → FY15 → FY15/16)
ISE 1.2 ION: Profiling
ISE 1.2: Wireless Authentication; Monitor Mode for Wired
ISE 1.3: MDM integration; Global EPS
ISE 2.0: NAC and ACS parity
Challenges?
I don’t need your Security
My app “x” requires XP
I don’t want you see my personal data
Security controls impact my productivity
Thank you