BYOD Transformation

April 3, 2013

Joe Leonard

Director, Secure Networks

Agenda

Joe Leonard Introduction

CIO Top 10 Tech Priorities

What is BYOD?

BYOD Trends

BYOD Threats

Security Best Practices

HIPAA Security Rule

BYOD Business Challenges

BYOD Architecture

Q&A

Joe Leonard Introduction

• Wireless and BYOD
• Cloud Computing & Data Center Virtualization
• Unified Communications, Web Based Collaboration & Video
• Core Network Infrastructures, Virtual Infrastructure, ITaaS Models
• Managed Services, Network Management, Cloud Orchestration
• Data Center Virtualization
• Security

CIO Top 10 Technology Priorities

1. Analytics and Business Intelligence
2. Mobile Technologies
3. Cloud Computing (IaaS, PaaS, SaaS)
4. Collaboration Technologies (workflow)
5. Legacy Modernization
6. IT Management
7. CRM
8. Virtualization
9. ERP Applications
10. Security

*According to Gartner research combined reports 2012

What is BYOD?

What does BYOD mean to you?

BYOD Trends

2014: more than 3 connected devices per person

How Fast is Mobile Internet Growing?

The Internet of Things is evolving to the Internet of Everything

Connected World is Changing Business

1 exabyte equals 36,000 years of HD-TV video, or 1 billion GB

Total global IP traffic: .9 EB in 2012, 1.6 EB in 2013, 11.2 EB in 2017

Global Mobile Data Forecast by Region

Mobile Devices Traffic Growth

Mobile Video Traffic

BYOD Threats

Bring Your Own Device (BYOD)

• 75 percent of companies allow employee-owned smartphones and/or tablets to be used at work – Aberdeen Study. Gartner predicts that this number will rise to 90 percent by 2014.

• Less than 10% of respondents felt completely aware of all mobile devices accessing their enterprise infrastructure – SANS BYOD Survey 2012

• The BYOD movement has significant productivity, convenience and cost benefits, but it is leading to serious challenges for IT security and privacy.


2012 Mobile Landscape

Source: F-Secure Mobile Threat Report Q4 2012

2012 Mobile Threat Families

Source: F-Secure Mobile Threat Report Q4 2012

Threat Families 2010-2012

Source: F-Secure Mobile Threat Report Q4 2012

Malware Threats

Source: Kaspersky

21

Mobile Threats by Type

Source: F-Secure Mobile Threat Report Q4 2012

Malware Threat Report

Source: FireEye Threat Report – 2H 2011

Malware Attacks

• Malware
  – Android
    • DroidDream malware
    • 50 apps pulled
  – Rogue apps
  – Upgrade attack

Top 5 Mobile Threats

1. Lost or stolen device
2. Mobile malware – data leakage
3. Wi-Fi hotspots
4. Vulnerabilities – phone OS and applications
5. Proximity-based hacking


Cell-phone insurance provider Asurion reports that 60 million smartphones are lost, stolen or damaged each year. In dollar terms, according to a report conducted by mobile security firm Lookout, Americans lost $30 billion worth of smartphones in 2011.

Symantec conducted an experiment earlier this year, where they "lost" 50 phones on purpose (msnbc.com):

• 43 percent of finders clicked on an app labeled "online banking."
• 53 percent clicked on a file named "HR salaries."
• 57 percent opened a file named "saved passwords".
• 60 percent checked social networking tools and personal e-mail.
• 72 percent were tempted by a folder labeled "private photos".
• 89 percent clicked on something they probably shouldn't have.
• 50 percent of the phones were returned.

Security Best Practices

SANS Consensus Audit Guidelines (CAG)

http://www.sans.org/critical-security-controls/

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software (Laptop and Server)
4. Continuous vulnerability assessment and remediation
5. Malware defenses
6. Application software security
7. Wireless device control
8. Data recovery capability (validated manually)
9. Security skills assessment and training to fill gaps
10. Secure configurations for network devices (Firewall, Router and Switch)
11. Limitation and control of network ports and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring and analysis of audit logs
15. Controlled access based on need to know
16. Access monitoring and control
17. Data Loss Prevention (DLP)
18. Incident response capability
19. Secure network engineering
20. Penetration tests and red team exercises

HIPAA Security Rule

History of HIPAA

HIPAA Security Rule – What do we check?

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Safeguards
• Documentation Requirements

Administrative Safeguards

§164.308 (a) (1) Standard: Security management
§164.308 (a) (2) Standard: Assigned security responsibility
§164.308 (a) (3) Standard: Workforce security
§164.308 (a) (4) Standard: Information access management
§164.308 (a) (5) Standard: Security awareness and training
§164.308 (a) (6) Standard: Security incident procedures
§164.308 (a) (7) Standard: Contingency plan
§164.308 (a) (8) Standard: Evaluation
§164.308 (b) (9) Standard: Business associate contracts and other arrangements

Physical Safeguards

§164.310 (a) (1) Standard: Facility access controls
§164.310 (b) Standard: Workstation use
§164.310 (c) Standard: Workstation security
§164.310 (d) Standard: Device and media controls

Technical Safeguards

§164.312 (a) Standard: Access control
§164.312 (b) Standard: Audit controls
§164.312 (c) (1) Standard: Integrity
§164.312 (d) Standard: Person or entity authentication
§164.312 (e) Standard: Transmission security

Organizational Safeguards

§164.314 (a) (1) Standard: Business associate contracts or other arrangements
§164.314 (b) (1) Standard: Requirements for Group Health Plans

Documentation Requirements

§164.316 (a) Standard: Policies and Procedures
§164.316 (b) (1) Standard: Documentation

NIST 800-53 – Management Controls

Identifier  Checks  Family
CA          7       Security Assessment and Authorization
PL          6       Planning
RA          5       Risk Assessment
SA          14      System and Services Acquisition
PM          11      Program Management

NIST 800-53 – Operational Controls

Identifier  Checks  Family
AT          5       Awareness and Training
CM          9       Configuration Management
CP          10      Contingency Planning
IR          8       Incident Response
MA          6       Maintenance
MP          6       Media Protection
PE          19      Physical and Environmental Protection
PS          8       Personnel Security
SI          13      System and Information Integrity

NIST 800-53 – Technical Controls

Identifier  Checks  Family
AC          22      Access Controls
AU          14      Audit and Accountability
IA          8       Identification and Authentication
SC          34      System and Communication Protection

HIPAA Security Rule + NIST 800-53 Example

Security Controls Mapping

AC-1 Access Control Policy and Procedures
AC-3 Access Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege

HHS Office of Civil Rights (OCR) Audits

• Massachusetts Eye and Ear $1.5M
  – Laptop with patient data stolen
• Alaska Department of Health $1.7M
  – One USB drive

BYOD Business Challenges

Applying BYOD – practical thinking, not just technology

BYOD Transformation: Virtualization, Next Generation Workforce, Device Proliferation

Device Proliferation

• 15 billion devices by 2015 that will be connecting to your network
• On average every person has 3–4 devices on them that connect to the network
• 75% of staff are bringing their own devices to work

Next Generation Workforce

• Work is no longer a place you go to work
• People are willing to take a pay cut as long as they are able to work from home
• 70 percent of end users admit to breaking IT policy to make their lives easier
• Need anywhere, anytime, any device access

Virtualization

• "60% of server workloads will be virtualized by 2013"
• "20% of professional PCs will be managed under a hosted virtual desktop model by 2013."
• Datacenters are evolving; applications are now objects moving through the network

BYOD Transformation – Top of Mind Concerns

The Burden Falls on IT

Device Proliferation

• How do I ensure a consistent experience on all devices?
• How do I implement multiple security policies per user and device?
• How and what do I support?
• How do I manage the risk of employees bringing their own devices?
• Am I hindering my workforce from being competitive?
• How do I retain top talent?
• How do I ensure compliance with HIPAA and PCI?
• Can I handle partners, consultants and guests appropriately?

Changing Workforce

Market Transition: Video, Mobility, Workplace Experience

• 7 billion new wireless devices by 2015
• Mobile Devices – IT Resources
• Blurring the borders: Consumer ↔ Workforce, Employee ↔ Partner, Physical ↔ Virtual
• Changing the way we work: video projected to quadruple IP traffic by 2014 to 767 exabytes
• Anyone, Anywhere, Anytime

BYOD Architecture

BYOD Policy Considerations – Hospital (Example)

LIMIT
• Device Types: Corp Only Device
• Business Policy: Environment Requires Tight Controls
• Hospital (Example): Hospital extends wireless access to employees for corporate devices (laptop, iPad, smartphone)
• IT Requirements: Visibility to who/what is on network; restrict access to only corporate issued devices

BASIC – Simple Guest
• Device Types: Broader Device Types but Internet Only
• Business Policy: Focus on Basic Services, Easy Access
• Hospital (Example): Hospital provides guest access to patients
• IT Requirements: Restrict personal devices to public internet; restricted access to internal sites

ENHANCED – Early BYOD Commercial Adopters
• Device Types: Multiple Device Types + Access Methods
• Business Policy: Secure Access to Business Applications Onsite/Offsite
• Hospital (Example): Doctor uses personal device in hospital and offsite on the train with access to some hospital applications
• IT Requirements: Allow granular onsite and offsite access to network/applications for personal and company devices

ADVANCED – Innovative Organizations
• Device Types: Any Device, Any Ownership
• Business Policy: All Key Applications, New Services, Full Control
• Hospital (Example): Hospital administrator is granted full network access to applications with new collaboration services
• IT Requirements: Enable a full mobile and collaboration experience

Presidio BYOD Architecture

Diagram elements: Mobile User, Wireless, Switch, Firewall, SSL VPN, Internet, Redirect

Mobile Device Management – MDM (Control)
• Device Management
• Selective and Full Wipe
• Security Enforcement
• Access Control
• Certificate Management
• Application Management and Distribution
• Content Management

Content Security (Control)
• Malware Defense
• Data Security
• Acceptable Use Controls

IPS-Malware (Control)
• Malware/Spyware
• Malicious Software
• DDoS Attacks
• Reconnaissance Attacks

Policy (Control)
• 802.1x Authentication
• Authorization
• Profiling Device Type
• Posture Assessment
• Remediation
• Guest Services
• High Availability Design
• Mobile Onboarding
• Comprehensive Reporting

Firewall (Control)
• Access Control
• Remote Access VPN
• Dynamic Access Policies

VPN (Control)

Wireless (Control)

Security Information Event Management – SIEM (Control)
• Logging
• Correlation
• Reporting
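The four policy tiers and the Policy/SIEM layers above are described only as labels. As an added example (not Presidio's code and not part of the original deck), the following Python turns them into something a practitioner can run: a tiered access decision that takes the Policy-layer results (802.1x authentication, MDM enrollment, posture assessment, onsite versus SSL VPN) as inputs and returns the network outcome for a device under the organisation's chosen tier, a check that a more permissive tier never grants a device less access than a stricter one, and a SIEM-style correlation of 802.1x logon events against the MDM inventory to find devices that are on the network but unmanaged (the "visibility to who/what is on network" requirement and CAG control 1). The rule set, the `DeviceContext` fields, the outcome names, the log line format and the MAC addresses are all constructed assumptions for illustration.

```python
# Added example, not Presidio's code: a tiered BYOD network-access decision
# modelled on the LIMIT / BASIC / ENHANCED / ADVANCED policy considerations,
# plus a SIEM-style correlation of 802.1x logons against the MDM inventory.
# The rule set, data layout and log format are assumptions for illustration.
import itertools
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

TIERS = ["LIMIT", "BASIC", "ENHANCED", "ADVANCED"]

# Possible outcomes, ranked from least to most access.
DENY, REMEDIATE, INTERNET_ONLY, CORPORATE, BUSINESS_APPS, FULL = (
    "deny", "remediate", "internet-only", "corporate-network",
    "business-apps", "full")
RANK: Dict[str, int] = {o: i for i, o in enumerate(
    (DENY, REMEDIATE, INTERNET_ONLY, CORPORATE, BUSINESS_APPS, FULL))}


@dataclass(frozen=True)
class DeviceContext:
    mac: str
    ownership: str        # "corporate", "personal" or "guest"
    authenticated: bool   # 802.1x / identity authentication succeeded
    mdm_enrolled: bool    # device is under MDM (certificate, wipe, policy push)
    posture_ok: bool      # posture assessment passed (encryption, OS level, ...)
    onsite: bool          # hospital wireless (True) or SSL VPN from offsite (False)


def decide_access(tier: str, ctx: DeviceContext) -> str:
    """Network outcome for one device under the organisation's chosen tier."""
    if tier not in TIERS:
        raise ValueError(f"unknown tier {tier!r}")
    # Guests do not do 802.1x; BASIC and above give them public internet only.
    if ctx.ownership == "guest":
        return INTERNET_ONLY if tier != "LIMIT" and ctx.onsite else DENY
    if not ctx.authenticated:
        return DENY
    if ctx.ownership == "corporate":
        if not ctx.posture_ok:
            return REMEDIATE              # quarantine VLAN until the device is fixed
        if tier == "ADVANCED":
            return FULL                   # all key applications and new services
        if ctx.onsite:
            return CORPORATE              # corporate-issued devices on wireless
        return BUSINESS_APPS if tier == "ENHANCED" else DENY  # offsite via VPN
    # Personal devices: LIMIT allows none; BASIC gives internet only;
    # ENHANCED/ADVANCED need MDM enrollment plus a clean posture for more.
    if tier == "LIMIT":
        return DENY
    managed = ctx.mdm_enrolled and ctx.posture_ok
    if tier in ("ENHANCED", "ADVANCED") and managed:
        return FULL if tier == "ADVANCED" else BUSINESS_APPS
    if tier in ("ENHANCED", "ADVANCED") and ctx.mdm_enrolled and not ctx.onsite:
        return REMEDIATE                  # enrolled but non-compliant over VPN
    return INTERNET_ONLY if ctx.onsite else DENY


def all_contexts() -> List[DeviceContext]:
    """Every combination of the boolean inputs for each ownership class."""
    flags = [True, False]
    return [DeviceContext("00:00:00:00:00:00", own, auth, mdm, posture, onsite)
            for own in ("corporate", "personal", "guest")
            for auth, mdm, posture, onsite in itertools.product(flags, repeat=4)]


def tier_violations(contexts: Iterable[DeviceContext]) -> List[str]:
    """Moving to a more permissive tier must never reduce a device's access.
    Returns a description of each context where that property fails."""
    problems = []
    for ctx in contexts:
        ranks = [RANK[decide_access(t, ctx)] for t in TIERS]
        if any(a > b for a, b in zip(ranks, ranks[1:])):
            problems.append(f"{ctx} -> {ranks}")
    return problems


# Constructed 802.1x accounting lines and MDM inventory (not real data).
AUTH_LOG = """\
2013-04-03T09:12:01 dot1x AUTH_OK user=jdoe mac=00:11:22:33:44:55 ssid=HOSP-CORP
2013-04-03T09:12:07 dot1x AUTH_OK user=asmith mac=66:77:88:99:AA:BB ssid=HOSP-CORP
2013-04-03T09:13:40 dot1x AUTH_FAIL user=jdoe mac=cc:dd:ee:ff:00:11 ssid=HOSP-CORP
2013-04-03T09:15:22 dot1x AUTH_OK user=jdoe mac=cc:dd:ee:ff:00:11 ssid=HOSP-CORP
"""
MDM_INVENTORY: Set[str] = {"00:11:22:33:44:55"}
_AUTH_OK = re.compile(r"\bAUTH_OK\b.*\bmac=([0-9A-Fa-f:]{17})")


def unmanaged_devices(log_lines: Iterable[str], inventory: Set[str]) -> Set[str]:
    """MACs that authenticated successfully but are not enrolled in MDM:
    the SIEM correlation behind 'visibility to who/what is on the network'."""
    seen = {m.group(1).lower() for line in log_lines if (m := _AUTH_OK.search(line))}
    return seen - {mac.lower() for mac in inventory}


if __name__ == "__main__":
    doctor = DeviceContext("cc:dd:ee:ff:00:11", "personal", True, True, True, False)
    for tier in TIERS:
        print(f"{tier:9s} doctor's personal device on the train -> {decide_access(tier, doctor)}")
    print("tier ordering violations:", tier_violations(all_contexts()))
    print("authenticated but unmanaged:",
          sorted(unmanaged_devices(AUTH_LOG.splitlines(), MDM_INVENTORY)))
```

Running the script walks the deck's ENHANCED example (a doctor's enrolled personal device on the train) through all four tiers, confirms that the rule set is monotonic across tiers for every input combination, and lists the two constructed MACs that authenticated without an MDM record. The monotonicity check is the part worth keeping when a real policy is edited: a rule change that quietly gives a device less access at ADVANCED than at BASIC is exactly the kind of inconsistency that a tier-by-tier slide cannot reveal.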

Summary

• BYOD is transforming how we work.
• BYOD is a layered architecture.
• BYOD Transformation requires a clearly defined policy.
• Bandwidth requirements are increasing.

http://www.presidio.com/technologies-trends/trends/byod

Q&A

Practical thinking for a connected world.

THANK YOU.