BYOD @ Cisco Secure... · BYOD @ Cisco David Bell Cisco InfoSec October 7th, 2014 Cisco Secure 2014

BYOD @ Cisco

David Bell

Cisco InfoSec

October 7th, 2014

Cisco Secure 2014

Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

Introductions

Changing landscape(s)

Trusted Device

Differentiated Network Access

Witam


Introductions


Project Manager – Cisco InfoSec (Architecture Team)

Work scope focused on Cisco IT infrastructure projects

Sometimes projects from InfoSec

Most times from IT (or through IT from sales, engineering, services, etc)

Role focused on driving security initiatives through IT partnership

Insure InfoSec requirements are included in non-InfoSec projects

Align InfoSec priorities with the changing IT landscape

Balance security goals w/ the experience and features IT desire

[email protected] http://www.linkedin.com/in/llebevad

David Bell

mailto:[email protected]

http://www.linkedin.com/llebevad


Reports to our Chief Operating Officer (COO)

Generally* doesn’t operate security infrastructure

Major organizations:

Architecture (BYOD aligns here)

Data Governance

Hosted Services – WebEx, Cisco Web Security, IronPort, Cisco Cloud Services

Incident Response

PKI

Security Operations – Audit, PenTest, Assessments, Service Mgmt

Cisco InfoSec


Cisco Systems

• Worldwide leader in networking for the Internet

• Founded in 1984

• $108+ billion market capitalization

• $46+ billion cash/cash equivalents

• $5.8 billion a year in R&D

• 140+ acquisitions

• 650+ active suppliers

• 86% of products distributed via channel

• 100,000+ employees and contractors

• 24,000+ engineers in 1800+ labs worldwide

• 8,000+ patents issued to Cisco inventors

• Global presence in 165 countries

Best in the World, Best for the World


Changing Landscapes


2010-2011

Tablet Support

AnyConnect on Trusted Devices

WebEx and Jabber

2012

Cisco AppStores

MacBook Air

Mobile Apps

Desktop Optimization and Go Native Strategy

2013+

Pilot for non-Cisco laptops

eStore for mobile

Cloud Services

2003-2008

Corporate-Paid Devices

Good Mobile

Windows XP

Cisco IT – AnyDevice Growth

2009

Mobile BYOD Mandate

Mobile Mail and Wi-Fi on iPhone, BlackBerry, Android, etc.

MacBook Pro

+61%2 years

Cisco

Mobile Devices


Cisco IT – AnyDevice Management


IT Client Environment

Desktop Apps

Mobile Apps

Responsive Web

Trusted Cloud Public Cloud

Email

EDM & Search

Corporate PC

Mobile devices Hybrid devices

New Appliances

Wearables

Softw

are

Hard

ware

eStore

Suppo

rt

Cloud Connectors

Cloud

services and

native apps

Secure

access to

files stored

in the Cloud

Multiple

Devices

(Corporate &

BYOD)

Simplified

device on-

boarding &

refresh

Simplified &

optimized

device

experience

Seamless

transition

between

devices

Personalised

& proactive

support

Silent

security that

follows the

userUntrusted Devices

Untrusted Apps & Services

Security

Personalisation Identity Compliance

Tru

sted

Dev

ice

Dat

a P

rote

ctio

n

Man

agem

ent

Ant

i-mal

war

e

Hel

p D

esk

Pro

activ

e S

uppo

rt

Sel

f Sup

port

Tra

inin

g &

FA

Q’s

ConnectivityWired & wireless Cost management

Apps

DaaS


The Culture Has Changed, and So Must Our Approach

Perspectives about security have changed It’s a roadblock It enables the business

It’s not my problem Everyone needs to own security

Technology metamorphoses Disjointed point solutions Integrated architectural play

Physical infrastructure – slow to change Virtual infrastructure – flexible, dynamic, change-ready

The office contains all my stuff My mobile devices are my office (Data, Apps, Voice, Video)

Architecture approach has changed Perimeters as the control point Identity is the new perimeter

Focus on protecting the infrastructure Focus on protecting the data

Capabilities not tightly aligned Services, Service Categories, Service Offerings

The threats have changed Individuals Organized criminals/hacktivists

Disparate groups Nation State

Capture individual users data Gain access to your Data (and your customer ‘s data)


What are the threats for the endpoints?

• Phishing and Data Exfiltration

• Network attacks

• Malware/Exploits (RansomWare: Cryptolocker)

• Advanced Persistent Threats (APTs) - Foreign threats that are highly targeted and financially motivated to retrieve intellectual property.

• Lost/Stolen Device

How are they addressed

• Data Protection: Encryption (Lost/Stolen desktops)

• Known Threats: VirusScan (file scanning)

• Unknown Threats/Exploits: HIPS (IPS/behaviour scanning + Firewall)

• Global Threat Intelligence: Cloud-based protection

Security Models

Trusted Device components

Defense in Depth components

Device Security LandscapeExtend Full Security

Capabilities Cross-Platform,

Mobile, and Cloud

1

Shift to proactive

defense against most

dangerous attack vectors

2

Drive Adoption and

Enforcement of new

capabilities

3

Evolve Sec Ops

Risk and Problem

Management

4


Collaboration

Mobility

LegalLocal

Laws Cost

Management

Internet of

Everything

User

Experience

Identity

Data Protection

Biometrics

Interoperability

Business

need?

Passwords

Data

Sovereignty

Cloud

Consumption

Public

Hybrid

On the platform

In the

appLeft

behind

New

Platforms

Chasing the

endpoint

IPV6

Parity

Simple

Privacy

AttacksPrivate

Nation

State

Organized

Crime

Targeted

Hacktivist

Drive

bySeamless

Role

Based


Trusted Device


Policy

Physical Security

Network Security

Computer Hardening

Application Security

Data Security

Antivirus software, Host Intrusion-Prevention

System (HIPS), Encryption, Firewall, Minimum

OS, Software Patching, PW and Screen-Lock,

Device Registration and Inventory, Remote

Wipe

Computer Hardening

InfoSec Trusted Device Policy:

Set of security capabilities, by platform, required

to access the corporate network.

Policy

Change Management, Dual Authentication, and

Restrictive Access

Device Access Hardening


Code of Business Conduct

Corporate Information

Security Policies

Network Access Policy

Trusted Device Standard

Policy Hierarchy

COBC: “I agree to comply with InfoSec Policy”

InfoSec Policy: “Network Access defines rules for accessing Corporate resources”

Network Access: “Only devices meeting Trusted Device will be allowed to access Corporate resources”

Trusted Device: “All devices must have these security controls in place”


Device Registration

Anti-Malware

Encryption (Cisco Data)

Minimum OS

Software Patching

Rooted Device Detection *

Remote wipe (Cisco Data) *

Password/Screen-lock Enforcement

Hardware/Software Inventory

* Mobile device only

Policy: Trusted Device Requirements


Fragmented solutions

are complex to manage

for both Operations and

User Experience

Extending Security

Capabilities and

support to multiple

Platforms

Managed base security

requirements and

focused on main

platforms

Add hardened security

capabilities: Device

Posture, DLP, and

Forensics

Leverage a Go Native

Strategy to improve

User ExperienceMaintain Native strategy

AND leverage Cisco Tools

Extending Security

Capabilities and

support to multiple

Platforms

Enabled base security

requirements and

focused on main

platforms

Leverage a Go Native

Strategy to improve

User Experience

Encryption

Device Naming

10 min PIN / Screenlock

Altiris Script

Inventory + Patching

Then

Minimum Access

Policy

Policy aligns to user demand,

minimal requirements

AntiMalware

McAfee AV + HIPS

Encryption + Device Naming + PIN + Inventory + Patch

Management + Remote Wipe + Minimum OS

Native Controls + DM:

SCCM/Casper/Afaria

Posture + Differentiated Ntwk Access

ISE

Data Loss Protection

Symantec

Encryption + Device Naming + PIN + Inventory + Patch

Management + Remote Wipe + Minimum OS

SCCM/Casper/Afaria

Trusted Device

Go Native. Scale access and

services cross platform.

Antivirus + Forensics

SourceFire + CWS

AntiMalware

CSA HIPS

AntiMalware

Then TodayFY13 FY14 FY15/16

Browser Hardening

Trusted Device +

Network Enforcement

Access based on device posture

leveraging Cisco TrustSec


Trusted Device Quadrants

Cisco Managed• Full Network Access

• Cisco, Employee or 3rd party

owned

• Corporate Policy Applied

• Device Management

• Cisco Confidential Access

Internet Only• Internet \ Public Cloud Only

• Virtualization for Confidential

• Extranet, Vendor

Remediation

Requirede.g. out of date DAT's, patches

Trusted

Managed

Trusted

Unmanaged

Untrusted

Managed

Untrusted

Unmanaged

Non-Cisco Managed• Full Network Access

• Cisco, Employee or 3rd party

owned

• Corporate Policy Applied

• Self \ Partner Managed

• Cisco Confidential Access


Network Access


Code of Business Conduct

Corporate Information

Security Policies

Network Access Policy

Trusted Device Standard

Policy Hierarchy

COBC: “I agree to comply with InfoSec Policy”

InfoSec Policy: “Network Access defines rules for accessing Corporate resources”

Network Access: “Only devices meeting Trusted Device will be allowed to access Corporate resources”

Trusted Device: “All devices must have these security controls in place”


Covers all devices – personal, Corporate, partner

PCs and Infrastructure

From anywhere – on-campus, remote, wired/wireless, partner sites

Right to Audit and Monitor

References requirement to meet the Trusted Device Standard

“Devices that fail to comply are not entitled to full access to the network and may receive only limited network access”

Policy: Network Access


IT will deliver multiple capabilities with ISE

Access ControlAuthentication on

wired & wireless

networks

BYODSupport Trusted

Device Standard and

enable BYOD

ProfilingAbility to identify

users and devices

on our network

Endpoint

ProtectionProtect the network

from infected devices

Guest AccessRestrict unauthorized

devices & users to

Internet access only


Internet Only

Access

Full access

No restrictions

Limited Access

Corporate Owed

Trusted devices

Manager

Employee owned

Untrusted devices

IT Analyst

At Starbucks

Engineer/Coder

Employee owned

Semi-trusted devicesPolicy

Decision Point


Access Model

Only Trusted devices will have direct access to the core network

Untrusted devices will be limited to the Internet Only Network or Public Cloud

Different services will be enabled at each layer depending on security requirements

If required Untrusted devices can access the Core network by using a VXI session or virtualized applications

Core

Network

Internet Only

Network

Public Cloud

Trusted

Devices

Untrusted

Devices


Trusted Device and Differentiated Access thru Cisco ISE

Core

Network

Internet Only

Network

Public Cloud

Trusted

Devices

Trusted

Applications

Differentiated Network

AccessAccess based on device posture leveraging

Cisco ISE

Trusted Device

More controls needed to

scale access and services

Remote Wipe (Cisco Data)

Anti-Malware

Encryption (Cisco Data)

Minimum OS

Software Patching

Rooted Device Detection (Mobile

Devices Only)

Device Registration

Password/Screen-lock Enforcement

Hardware/Software Inventory

Tiered


• Identity of a device on the network

• Quantify the risk

1. Profiling

• User and end device attribution

• Identification of end points on Wireless connections

2. Authentication

•Device security posture assessment

•Allows for better policy & security decisions

•Reactive control (EPS)

3. Posture

• Ability to enforce policy decisions based on context

• Untrusted devices have restricted access

4. Enforcement

ISE Capability Phasing

FY13/14 FY14 FY15/16FY15

ISE 1.2 ION

Profiling

ISE 1.2 Wireless Authentication

Monitor Mode for Wired

ISE 1.3 MDM integration

Global EPS

ISE 2.0NAC and ACS parity

“Four Stages of a Secure Network”


Challenges?

I don’t need your Security

My app “x” requires XP

I don’t want you see my personal data

Security controls impact my productivity

Dziękuję


Documents

BYOD @ Cisco Secure... · BYOD @ Cisco David Bell Cisco InfoSec October 7th, 2014 Cisco Secure 2014