BYOD to the Cloud May 28, 2013

Transcription

1 BYOD to the Cloud May 28, 2013 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London 1

2 2 Generously sponsored by:

3 Welcome Conference Moderator Matt Mosley Northern Virginia, USA Chapter ISSA Web Conference Committee 3

4 Agenda Speakers Roy Wattanasin Information Security Officer, MITM David Willson Attorney/Security Consultant, Titan Info Security Group, LLC & OnlineIntell, LLC K. Scott Morrison Chief Technology Officer, Layer 7 Technologies Open Panel with Audience Q&A Closing Remarks 4

5 BYOD to the Cloud Roy Wattanasin New England, USA Chapter Information Security Officer MITM 5

6 Agenda Introduction The Cloud History of the Cloud Cloud Security Considerations Bring Your Own Device (BYOD) BYOD Policy Ideas Key Points Conclusion 6

7 Introduction 95 percent of organizations now allow employeeowned devices in the workplace Very simple for employees and users to store documents for free 7

8 The Cloud What is the cloud? 8

9 History of the Cloud New concept or not? Also known as JCR American computer scientist and psychologist First to foresee modern interactive computing 9

10 Cloud Security Considerations (1 of 2) Are security standards appropriate? How much data will you be storing? Is your data encrypted when being uploaded or download? 10

11 Cloud Security Considerations (2 of 2) Is your data encrypted when stored? How much access is shared in the cloud? What are you options if your cloud provider should be hacked (loss of data)? 11

12 Bring Your Own Device (BYOD) (1 of 3) By 2016, there will be 1.4 mobile devices per capita Mobile network connection speeds will increase 9 fold by

13 Bring Your Own Device (BYOD) (2 of 3) 13

14 Bring Your Own Device (BYOD) (3 of 3) 14

15 BYOD Policy Ideas Policies should include All eligibility requirements Any device support limitations Employee risks and responsibilities Applications and data access limitations Any processes for obtaining approval 15

16 Key Points (1 of 2) Find out what do you want to protect (Assessment) Encrypt data (if possible) Patching Penetration Testing Policies Development Vulnerability Management Training and Security Awareness 16

17 Key Points (2 of 2) Encourage secure development practices Blacklisting and whitelisting applications Flexibility / Improvements and Lessons Learned Reviewing Services Hardening Incident Response More training and security awareness 17

18 Resources SANS Mobile Security Policy Templates mhimss Mobile Security Toolkit security.asp 18

19 Question and Answer Roy Wattanasin New England, USA Chapter Information Security Officer MITM Contact: wr0 websecr at gmail dot com 27 19

20 BYOD and Cloud Present Legal Challenges. Combine Them and You Have a Nightmare. David Willson Colorado Springs, USA Chapter Attorney/Security Consultant Titan Info Security Group, LLC & OnlineIntell, LLC 20

21 Who Am I? David Willson, Esq. CISSP, Security + Titan Info Security Group, LLC or OnlineIntell, LLC 21

22 Cloud v. BYOD Both the Cloud and BYOD raise a lot of legal and security issues. Depending on whether you are the provider or customer or management or employee, the issues may include: privacy, who owns the data, who controls the data, how is the data kept secure, what happens when there is a breach (of the device or the Cloud), and many more. What can you do to better protect yourself? 22

23 Cloud It s convenient It may save money You can get you stuff wherever you are It s cool and we all have to have the latest cool stuff, right? 23

24 Cloud Legal Issues Is your data encrypted? Does the service include a VPN? Who holds your data/ is there a third party? Where is your data physically? What if the provider goes bankrupt? Is there live support? 24

25 Cloud Legal Issues cont. What happens if the provider experiences a data breach? Will the provider share audit/security assessment results? Is your data commingled? Can the provider s employees see your data; can others? Does this violate privacy; ethical requirements (e.g. bar assoc.)? 25

26 BYOD It s convenient It may save money It may improve productivity It s cool and we all want the latest cool stuff, right? 26

27 BYOD Legal Issues Company Owned Installed Security Automatic patching Little to no personal info. Policy controlled Remote tracking Remote wipe Employee Owned Security? Patching? A lot of personal info. Policies controlled? Remote tracking? Remote wipe? 27

28 BYOD Legal Issues cont. Can you keep company data off the device? Employee lets friends/family use device Employee loses the device or its stolen Can you track where device is even if no issue of lost or stolen? If lost or stolen, at what point can you wipe? Right away or do you have to make a concerted effort to find? What about all of the personal info? What if its found a week later and all is now wiped? 28

29 BYOD Legal Issues cont. What if there is an ediscovery issue? Does the employee have to turn over their personal device? What if your company has a monitoring policy: Can you monitor personal devices? What if security App conflicts with other services on the device? 29

30 Issues common to both Cloud & BYOD Cloud Privacy Data Breach Control of Data Who owns data? How secured? BYOD Privacy Data Breach Control of Data Who owns data? How secured? 30

31 Some Solutions SLA, SLA, SLA Negotiate Cloud Think through various scenarios BYOD Policy, Policy, Policy Negotiate Think through various scenarios Never Ready Always Prepared! 31

32 David Willson Attorney at Law CISSP, Security Titan Info Security Group, LLC ( & OnlineIntell, LLC ( 32

33 Question and Answer David Willson Colorado Springs, USA Chapter Attorney/Security Consultant Titan Info Security Group, LLC & OnlineIntell, LLC

34 Identity Sits at the Intersection of Cloud and Mobile K. Scott Morrison Chief Technology Officer Layer 7 Technologies 36

35 The Old Enterprise Formal and structured security & connectivity VPNs & prop. Protocols for thick clients HTTP(s) for browsers SOAP+WS-* for B2B Firewall Line of business servers Road Warriors with VPN VPN Enterprise Network SSL WS-S Browser Clients Formal Trading Partners

36 The New Hybrid Enterprise Highly agile security & connectivity REST, OAuth, OpenID Connect, SCIM, UMA Line of business servers Firewall Mobile Devices Enterprise Network Clouds Informal, API-driven integrations

37 A Fundamental Shift is Occurring The Old Enterprise The New Hybrid Enterprise This is the secret to achieve scale and agile federation

38 OAuth is an enabler of this Client Resource Owner (RO) Authorization Server (AS) Resource Server (RS) (a.k.a., the User)

39 Example: Let Twitter Post Tweets To Your Facebook Wall Client Resource Owner (RO) 1. User posts new tweet 2. Twitter posts tweet to Facebook on user s behalf Authorization Server (AS) Resource Server (RS) (a.k.a., the User)

40 1. No Authorization to post to Facebook 2. Sign on to Facebook and authorize Twitter to post to wall 3. Now authorized to post to Facebook

41 OAuth Really Breaks Down to Simple Components Acquire Token Authorization Server Client Resource Owner Use Token Resource Server

42 A Similar Pattern Applies to Mobile Authorization Server (AS) Client Resource Server (RS)

43 Comprehensive REST Access Control Needs: OAuth Clients Provisioning Approval Flow Persistence Querying Metrics Analytics Reports Monitoring SLAs Alerting OAuth Tokens Persistence Querying Metrics Revocation Refresh OAuth Autz server Policy Modeling OAuth Protocol Identity integration Token issuing Token refresh SLA enforcement *all of this* Prot Res Server Policy Modeling Token validation Bearer, MAC, SAML Identity integration Integrity check API proxying SLA enforcement

44 Where Does OpenID Connect & JWT Fit? Get User Info OpenID Connect endpoint with access to attributes

45 What about SCIM? Provisioning & Managing Identities Enterprise

46 Summary Identity is shifting from centralized management to user self-service Think of this as the consumer-centric enterprise The technology underpinning this is OAuth, OpenID Connect, and SCIM OAuth handles authentication and authorization OpenID Connect allows controlled sharing of attributes SCIM is about identity provisioning and mgmt Together they are the glue between mobile, cloud and the modern enterprise 46

47 Question and Answer K. Scott Morrison Chief Technology Officer Layer 7 Technologies 47

48 Open Panel with Audience Q&A Roy Wattanasin Information Security Officer, MITM David Willson Attorney/Security Consultant, Titan Info Security Group, LLC & OnlineIntell, LLC K. Scott Morrison Chief Technology Officer, Layer 7 Technologies 48

49 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 49

50 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link: Conference-BYOD-to-the-Cloud-May