Page 1: OC CIO BYOD

Copyright 2013 The Word & Brown Companies

BYOD(and other acronyms of interest)

Orange County CIO Roundtable

September 12, 2013

Jeff Hecht, Chief Compliance & Security Officer

The Word & Brown Companies

Page 2: OC CIO BYOD

Two competing desires are increasingly at odds with each other: expanding mobility to leverage productivity gains, and controlling mobility to combat significant risks.

Agenda

BYOD basic issues
How widespread is it?
What are the risks?
How are enterprises dealing with it?
What categories of tools are or soon will be available to manage BYOD?
How can we develop an acceptable approach for BYOD that balances access and security?


Page 3: OC CIO BYOD

BYOD Challenges and Opportunities

There is a growing demand from employees to use their own electronic devices at work to access corporate assets.

Employees argue they are more productive on devices they've chosen and mastered. High-level business executives are often part of this demand. Younger employees in particular find the idea of a short list of approved corporate devices unacceptable.

Some studies suggest employees are more likely to work more hours and in more places when they can do it on their device of choice.

Many of these devices may be unsupported by IT departments. Versions change quickly as employees bring in the latest devices and upgrade on their own schedule, not their employer's.


Page 4: OC CIO BYOD

BYOD Challenges and Opportunities

The expense of always providing the latest and greatest devices is too much for most enterprises, so having employees provide their own devices appears attractive financially.

The devices offer instant connectivity to the Internet and to cloud services, which easily bypasses the traditional control measures an IT department applies to corporate assets.

Concerns about data security, device control, data ownership, patching, backups and other issues that are routinely handled for corporate devices are not fully resolved for most IT departments on personally owned devices. Keeping corporate data secure is largely at odds with the idea of "my device" and ubiquitous access.

Employees don't always trust their employer with their own information, particularly geo-location data, and may be reluctant to follow some policies.


Page 5: OC CIO BYOD


Major Security Concerns and Controls

Page 6: OC CIO BYOD


Moving Ahead Regardless

SC Magazine

Page 7: OC CIO BYOD


Moving Ahead Regardless

SC Magazine

Page 8: OC CIO BYOD

There’s plenty of hype

Many vendors have products positioned to "solve" the "BYOD problem".

It's unclear how big the issues are, and equally unclear how effectively the current product sets address them.

Each organization needs to assess what its exposure is and how best to control it. Factors such as regulations, the specific type of data held, and exactly what is exposed to mobile connections are key.

Many of these issues raise similar concerns regardless of whether the device is owned by the organization or the employee, but they are magnified with BYOD.


Page 9: OC CIO BYOD


Fast Growth

Page 10: OC CIO BYOD


Really?

Page 11: OC CIO BYOD


Policies are evolving

Page 12: OC CIO BYOD


Policies are evolving

Page 13: OC CIO BYOD


More devices are owned by employees

Page 14: OC CIO BYOD

The Goals


Page 15: OC CIO BYOD

The Goals

Enable employee choice and flexibility

Prohibit unauthorized access, control where corporate data goes

Manage threats and vulnerabilities

Ensure network availability and performance, and deliver a predictable user experience

Understand and control the true costs (and benefits)


Page 16: OC CIO BYOD


Alphabet Soup

BYOD – Bring Your Own Device (also sometimes called BYOT, Bring Your Own Technology)
This is the blanket term for the trend and for the industry that is springing up around controlling the access. Generally BYOD means the employee owns the device and the service contract for its connectivity. Sometimes the employer provides a stipend to offset some of the cost, but often the employee bears the whole cost.

MBYOD – Managed Bring Your Own Device
More of a marketing term than an actual category; there are various levels of, and ways in which, the device can be controlled in a corporate environment (more on this in the balance of the presentation).

CYOD – Choose Your Own Device
The employee chooses a device from a list of specific models or operating-system versions. Depending on the program, the employer may purchase and own the device (sometimes referred to as COPE, Company Owned, Personally Enabled), or the employee buys the device and service but must choose from the approved list to get connectivity to corporate resources.

Page 17: OC CIO BYOD


Alphabet Soup

BYOA – Bring Your Own Application
BYOA intersects two of the most visible trends in technology today, mobility and cloud computing: employees use a public application for work. The app could be a mobile app, a web-based cloud app, or a combination of both access methods. It might be free or paid for, and can be "brought" into the workplace on a mobile device or through a company PC's web browser. Enterprises will invariably be faced with managing corporate data held in public apps. A similar idea is BYOS, Bring Your Own Service.

MDM – Mobile Device Management
The general category of tools to control access from mobile devices regardless of their ownership. They have some method of device registration, monitoring and remote wipe in case of loss or theft. Usually they can enforce password rules and require device encryption. More advanced management suites can create separate, encrypted data partitions to store and access corporate data. Some include basic data leakage prevention (DLP). These tools are primarily device centric: you register a physical device and the specific controls are applied to that device.

Page 18: OC CIO BYOD


Alphabet Soup

MAM – Mobile Application Management / MIM – Mobile Information Management
Where MDM is device centric, MAM and MIM are application and data centric. There are several approaches to controlling which corporate applications and data can be accessed: whitelisting or blacklisting applications, and restricting what can or cannot be connected to remotely. Containerization may be used to segregate and control data, although this sometimes impacts the user experience. Perhaps the most promising is the use of virtualization (remote desktop or application delivery, where only screen output reaches the device) to provide access to data without actually transferring it to the mobile device.

MDSM – Mobile Device Security Management
Similar to a security suite for PCs (but not yet as comprehensive): malware scanning and protection, enforcement of IPsec VPNs for connections to company resources, IPS, content filtering and firewalls. These tools are in their infancy; many MDM vendors claim their products provide device security, but most are very limited in what they can really do.

MDDCA – Mobile Device Detection / Contextual Awareness
MDDCA is an attempt to enforce context-based policy. The context might be geographic (you can't access Facebook from within the company facility but can from home), based on the method of access (your iPad connects to full company resources on the company WiFi but only to the e-mail server from any other connection point), or based on the day of the week or time of day. Some tools can segregate down to the individual access point (OK on the IT floor, not OK in a public area).


Page 19: OC CIO BYOD


Spectrum of Control

Page 20: OC CIO BYOD

Things To Consider With A BYOD Program

Recognize That These Devices Are Going to Be in Your Environment (No Doubt They Already Are), So Figure Out Your Position.
Are you trying to prohibit them? Embrace them? Control them? Do you have money to spend on tools to do this, or do you have to rely on what you already have plus policy enforcement? Engage business management to understand and shape their positions. Identify the company data you want to provide access to: e-mail access may be quite a different risk than the corporate accounting system.

Specify What Devices Are Permitted.
Decide exactly what you mean when you say "bring your own device." Should you really be saying "bring your own iPhone, but not your own Android phone," or "only an Android running OS 4.0 or later"?

Decide What Apps Will Be Allowed or Banned.
Can users download, install and use an application that presents security or legal risk on devices that have access to sensitive corporate resources? Can you control it? The technology for preventing downloads of questionable apps or copyright-infringing music and media on personal phones is immature at best, but that doesn't mean you shouldn't have a policy against it.


Page 21: OC CIO BYOD

Things To Consider With A BYOD Program

Identify Which Employees Will Be Allowed to Use Their Own Devices.
Is this everyone? Managers? Sales people? Only those you would otherwise have given corporate equipment? Figure out who and why; you'll be expected to defend the decisions.

Establish Clear Security Requirements for All Devices.
For example, if users want to use their devices with your systems, they'll have to accept a complex passcode on their devices at all times, just as they do on company-owned equipment. They may also have to agree to a device wipe policy, an inactivity timeout and device encryption. You almost surely want to exclude jailbroken or rooted devices.

Make It Clear Who Owns What Apps and Data.
At some point devices will be lost or stolen and data will have to be wiped. While some devices support selective wipes, it is always possible that all content on the phone will be erased, including personal pictures, music and applications that the individual, not the company, paid for. It may be impossible to replace these items. Make it clear that you assert the right to wipe these devices. Provide guidance on how employees can secure their own content and back it up so they can restore personal information if the device has to be wiped or replaced. Can you control where they might back up the company data on the device?
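The device requirements above (passcode, encryption, wipe consent, no jailbroken or rooted devices, an OS floor such as Android 4.0 from the previous page) and the context-based rules described under MDDCA on Page 18 (network location, time of day) can be combined into one fail-closed access decision. The following is an added example written for this page; it is not code from the presentation or from any MDM product. The device attributes, the resource tiers, the network labels and their ceilings, the OS floors, the business-hours window and the sample devices are all assumptions chosen for illustration.

```python
"""Added example: a fail-closed, context-aware BYOD access policy.

Not code from the presentation or from any MDM product.  Device attributes,
resource tiers, network labels, OS floors and the business-hours window are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import time
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    """Posture as reported by the (assumed) MDM agent at connection time."""
    owner: str
    platform: str            # "ios" or "android"
    os_version: Tuple[int, int]
    registered: bool         # enrolled with the MDM
    passcode: bool           # complex passcode enforced
    encrypted: bool          # device storage encryption on
    jailbroken: bool         # jailbroken / rooted, as detected by the agent
    wipe_consent: bool       # user signed the remote-wipe acknowledgement


@dataclass(frozen=True)
class Context:
    """Where and when the request arrives (the MDDCA part)."""
    network: str             # "corp_wifi", "vpn" or "internet"
    local_time: time
    weekday: bool


# Assumed OS floors per permitted platform ("Android 4.0 or later").
MIN_OS = {"ios": (6, 0), "android": (4, 0)}

# Assumed sensitivity tiers: e-mail is a different risk than accounting.
RESOURCE_TIER = {"email": 1, "intranet": 2, "accounting": 3}

# Assumed network ceilings: full access only on corporate WiFi,
# e-mail only from the open Internet.
NETWORK_CEILING = {"corp_wifi": 3, "vpn": 2, "internet": 1}

BUSINESS_HOURS = (time(7, 0), time(19, 0))


def posture_failures(dev: Device) -> List[str]:
    """Return every device requirement the device fails (empty = compliant)."""
    fails = []
    if not dev.registered:
        fails.append("not_enrolled")
    if dev.platform not in MIN_OS:
        fails.append("platform_not_permitted")
    elif dev.os_version < MIN_OS[dev.platform]:
        fails.append("os_too_old")
    if dev.jailbroken:
        fails.append("jailbroken_or_rooted")
    if not dev.passcode:
        fails.append("no_passcode")
    if not dev.encrypted:
        fails.append("not_encrypted")
    if not dev.wipe_consent:
        fails.append("no_wipe_consent")
    return fails


def decide(dev: Device, resource: str, ctx: Context) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]) for one access request.

    Order matters: posture is checked first so a rooted device is refused
    even for e-mail; then the resource is mapped to a tier; then context.
    """
    fails = posture_failures(dev)
    if fails:
        return "deny", fails
    tier = RESOURCE_TIER.get(resource)
    if tier is None:                                 # unknown resource: fail closed
        return "deny", ["unknown_resource"]
    ceiling = NETWORK_CEILING.get(ctx.network, 0)    # unknown network: nothing allowed
    if tier > ceiling:
        return "deny", ["%s_not_allowed_from_%s" % (resource, ctx.network)]
    start, end = BUSINESS_HOURS
    if tier == 3 and not (ctx.weekday and start <= ctx.local_time <= end):
        return "deny", ["%s_outside_business_hours" % resource]
    return "allow", []


if __name__ == "__main__":
    # Constructed sample devices and contexts.
    compliant = Device("alice", "android", (4, 1), True, True, True, False, True)
    rooted = Device("bob", "android", (4, 1), True, True, True, True, True)
    office = Context("corp_wifi", time(10, 0), weekday=True)
    home = Context("internet", time(22, 0), weekday=False)
    for dev, res, ctx in [(compliant, "email", home),
                          (compliant, "accounting", home),
                          (compliant, "accounting", office),
                          (rooted, "email", office)]:
        print(dev.owner, res, ctx.network, "->", decide(dev, res, ctx))
```

Two design points worth noting. The posture fields are only as trustworthy as the agent that reports them; the deck itself says jailbreak detection and mobile security tooling are immature, so a "not jailbroken" attestation should be treated as best effort, and the other controls (encryption, wipe consent, network ceilings) should not depend on it. The evaluator also returns every reason for a denial rather than just the first, which is what you want logged when you later have to defend the decision to a user or an auditor.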


Page 22: OC CIO BYOD

Things To Consider With A BYOD Program

Figure Out What Level of Support You Can Provide.
Will you provide support for broken devices?

Is your support basically a "wipe and reconfigure" operation?

How quickly and efficiently can you respond to a lost device?

Are users on their own after initial set-up?

Define an Employee Exit Strategy Ahead of Time.
What will happen when employees with devices on your BYOD platform leave the company? How do you enforce the removal of access tokens, e-mail access, data and other proprietary applications and information?

It's not as simple as having the employee return a corporate-issued phone. You may need to wipe the BYOD-enabled device as a mandatory exit step, and make it clear that you reserve the right to issue a wipe command if the employee hasn't made alternate arrangements with your IT department before exit.

Page 23: OC CIO BYOD

Things To Consider With A BYOD Program

Write It All Down and Communicate It.
There was never a more important time to have a clear, detailed written policy, and to be prepared to revise and update it regularly as unforeseen situations change the landscape.

Have your users sign an acknowledgement that they've read and agreed to the conditions you decide to impose.

Invest in training BYOD users on the policy and on the specific security threats associated with mobile access.

Integrate Your BYOD Plan With Your Acceptable Use Policy.
Allowing personal devices to connect to your VPN introduces some doubt about what activities may and may not be permitted:

If a user sets up a VPN tunnel on a personally owned device and then posts to Facebook, is this a violation?

What if employees browse objectionable websites while their device is on the VPN?

What if they transmit inappropriate material over your network, even though they're using a device they own personally? Are there sanctions for such activity?

What monitoring strategies and tools are available to enforce such policies?

What rights do you have to set up rules in this arena?

Page 24: OC CIO BYOD


One approach to a process

Page 25: OC CIO BYOD

Questions and Discussion