Hands on, field experiences with BYOD. BYOD Seminar

Hands on, field experiences with BYOD. BYOD Seminar Brussel, 25 september 2012

Agenda
- Challenges
- Risks
- Strategy

Before We Begin
Thom Schiltmans, Deloitte Risk Services, Security & Privacy, Amstelveen
tschiltmans@deloitte.nl, +31 610 999 199

Personal note
Mobile devices (smartphones and tablets) are still not frequently used in the enterprise, or are used unmanaged. Many companies don't trust external devices, and most IT managers don't want to implement BYOD (the necessary awareness is missing). Most companies have no clear vision of the usage, benefits and controls of mobile devices; they don't know where it can save money. Most of them also think they must adopt either company-managed devices or BYOD; implementing both, based on data characteristics or type of usage, has not really been evaluated. The only massive implementations have been observed in global companies.

Enterprise Applications Extended to Mobile Devices
New opportunities for sales enablement, customer & partner interaction, employee productivity, business process acceleration, and instant access to key analytics.
Applications: Email, Approvals, Dashboards, Contacts, Workflow, Calendars, Reports, Scheduling & Dispatch, Time & Expense, Transactions
User levels: Top Management, Middle Management, Operations

Challenges | Risks | Strategy

Bring Your Own Device
Employees increasingly want to use their favorite mobile device for personal and business use. They want to store personal data and install Internet games on devices they also use to access enterprise applications and data. If employees purchase their own device and plan, this can reduce telecom costs; however, it creates several business challenges and security risks.

BYO Rationale
User perspective:
- Desire for one device and phone number, not two
- Desire to fully own the decision process when selecting a personal device
- Desire for the latest gadget (especially younger workers)
- Local store offers better selection than the IT department
Company perspective:
- Increased staff productivity due to better morale & hardware
- Potential to reduce hardware, monthly service, provisioning and ongoing support costs
IT department perspective:
- Potential for reduced IT staff workload as users move off employer-provided devices and onto BYO devices

BYO Challenges
Security:
- Enterprise data confidentiality, integrity and availability
- Liability for personal data (wipe, central storage)
- Defining and enforcing the security perimeter
Application splintering:
- Impact of a heterogeneous device environment on application development and support requirements
Support:
- Device certification, provisioning and management
Cost:
- Potential loss of corporate-level volume discounts because of personal purchase

Enterprises should align user expectations, IT capabilities and security policy. Failure to act may increase security risk as unmanaged mobile devices continue to connect to the enterprise network.

Mobile Device Security Challenges (per area: general challenges, then additional BYOD challenges)

Governance / Policies
  Challenges: Acceptable usage, Monitoring, Policy non-compliance
  Additional BYOD challenges: Policy enforcement, Monitoring
Mobile Apps
  Challenges: Unauthorized apps, Data leakage, App vulnerabilities, Weak authentication
  Additional BYOD challenges: Rogue apps causing corporate data leakage
Mobile OS
  Challenges: Jailbreaking, App distribution, Cloud storage/sync
  Additional BYOD challenges: Data storage
Mobile Device
  Challenges: Lost/stolen devices, Weak authentication, Malware, Inappropriate usage
  Additional BYOD challenges: Remote wipe, Children/family accessing corporate data, Enforcement of security baselines
Wireless Network
  Challenges: Eavesdropping
Core Network
  Challenges: Rogue devices, Eavesdropping, Unauthorized access
Management
  Challenges: Rapid change of technology, Lack of expertise, Life cycle management
  Additional BYOD challenges: Decommissioning of devices with corporate data
Operations
  Challenges: Integration in IT support processes, Support
  Additional BYOD challenges: Providing diagnostics/support
Legal / Regulatory
  Challenges: Privacy, Auditing
  Additional BYOD challenges: Policy enforcement, Auditing

Challenges | Risks | Strategy

Mobile OS Security Features (iOS, Android, Windows Phone 7, BlackBerry)

Screen lock
  iOS: Password
  Android: Password, swipe, facial
  Windows Phone 7: Password
  BlackBerry: Password
Encryption
  iOS: Full device (can be hacked)
  Android: Full device (3.0, 4.0)
  Windows Phone 7: No on-device encryption
  BlackBerry: Full device
App approval process
  iOS: Strict app approval process
  Android: Less strict, 3rd-party app stores
  Windows Phone 7: Strict app approval process
  BlackBerry: Strict app approval process
App isolation
  iOS: Execution privilege levels
  Android: (not captured in the transcription)
  Windows Phone 7: Virtual machine, execution privilege levels
  BlackBerry: Virtual machine
Permissions
  iOS: iOS handles
  Android: User-accepted before install
  Windows Phone 7: Some user-granted
  BlackBerry: User can grant/deny
Malware
  iOS: Some
  Android: A lot
  Windows Phone 7: Not much yet
  BlackBerry: Some

Mobile Device Security Risks
High-level mobile device security risks are no different from traditional IT security risks. The real challenge is that mobile devices introduce new vulnerabilities and attack vectors for traditional risk areas.

Governance
- No clear governance framework
- Lack of understanding of risk
Information Security
- Ineffective access controls for mobile devices and 3rd-party partners
- Prevention of malicious attacks (incl. cyber)
- Ineffective processes for malware/security updates
- Lack of monitoring processes to respond to ongoing threats
Privacy / Data Protection
- Unauthorized access to personal data
- Compliance with cross-border laws, offshore storage
- Data leakage
Business Continuity Management
- Inability to recover data
- Availability of critical resources
Change Management
- Change control processes
- Testing prior to implementation
- Access to the production environment

Research by NSA
The new generation of smartphones is more resistant to some types of cyber attacks that have proven extremely damaging, such as spearphishing and user-installed malicious software. At the same time, their use involves acceptance of other risks such as attacks via the cellular network, and a greater likelihood of data loss due to lost or stolen devices. Overall, vast numbers of obsolete desktops are likely to continue to be attackers' front door to networks, although smartphones do permit highly motivated adversaries to carry out highly targeted attacks against senior leaders. NSA continues to partner with industry to develop technological enhancements that prevent and detect such attacks.

Managing Bring Your Own Device Risks
1. Minimize the amount of stored data on the device
2. Use virtualization or sandbox solutions
3. Establish a policy and end user acceptance agreement covering:
   - Appropriate use
   - Surrender
   - Wipe policy and risks
   - Monitoring and data archiving
   - Minimum configuration requirements
   - Minimum security requirements
   - Disposal
4. Keep unauthorized devices off the network (network monitoring tools)
5. Continuous and effective user awareness education

Challenges | Risks | Strategy

Mobility Security Framework
Mobile security risks include device loss or theft, data loss, data compromise, credential theft, malware, unauthorized network access and direct attacks on devices and exposed application servers. To protect your organization, you must extend your enterprise security policy, security strategy and core security objectives (confidentiality, integrity, availability) to each layer of the mobility stack. Mobile security solutions have a technology, process, and human resource component.

Framework (policies and the objectives confidentiality, integrity and availability apply across all layers):
- Mobile Data
- Mobile Applications
- Mobile OS
- Mobile Device
- Wireless Network
- Application and Database Servers
- Core Network
- Operations
- Management
- Legal / Regulatory
- Cloud

Addressing Mobile Security (per area: triggers, then solutions)

Security Management
  Triggers: Lack of clear governance framework; Rapid introduction of mobile devices
  Solutions: Create mobile strategy & governance model, involving all stakeholders; Develop appropriate use & security policies
Privacy
  Triggers: Complying with local & international legal requirements; Auditing corporate/personal devices; Corporate liability
  Solutions: Privacy Impact Assessment (PIA)
BYO
  Triggers: Managing the device lifecycle; Enforcing the security perimeter
  Solutions: Define mobile device management and data protection requirements; Conduct audit on BYO strategy
App Security
  Triggers: Data leakage prevention; Malware and insecure apps; Security update process
  Solutions: Develop app configuration baselines; Business app store assessments; Perform secure code reviews
End Point Security & MDM
  Triggers: Preventing unauthorized access; Managing different devices; Enforcing policies & baselines
  Solutions: Create device configuration baselines; Conduct end point security audit; Perform device security assessments
Training & Awareness
  Triggers: Compliance with security policies; Awareness initiatives to effect behavioral change
  Solutions: Develop & conduct security awareness program with organizational change initiatives

Mobile Device Management
Mobile device management provides full life cycle support for mobile devices, mobile applications and associated data stores to help ensure:
- Applications, patches, security agents, etc. are properly provisioned
- Data is automatically backed up and protected at all times (at rest and in transit)
- Devices are configured correctly and protected from threats
- IT can remotely correct problems, wipe data and disable the device

This requires systems, defined processes and skilled resources in multiple areas:

Provisioning
- Initial mobile device & mobile apps request
- Map user & device to a user group & mobile applications
- Wireless service provisioning
- Network access controls provisioning
- Image the mobile device (apps, settings and security agents)
- Application distribution
- On-device isolation of user apps/data from enterprise apps/data
Asset & Configuration Management
- Physical asset tracking & accounting
- Software license/app download accounting & management
- Hardware repair/replace & warranty issues
- End user data backup
- Mobile data plan expense management
- Device configuration management
- De-provisioning apps, devices and accounts
Security
- User authentication
- Device, mobile app and enterprise app access control
- Stored data encryption and end-to-end encryption
- Application whitelist/blacklist
- Content filtering and malware protection
- Security event monitoring, logging and response
- Data leak protection & removable storage control
User Support
- Password reset
- Remote troubleshooting
- Device/app/data restore
- Device support roadmap
- Trouble ticketing and support knowledge database
- Trend analysis
- Help desk training on devices and apps
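As an added example (not from the slides or any product they review), the following Python check applies the "minimum security requirements" of the BYOD policy step above and the MDM security functions listed here (baseline enforcement, app blacklist, jailbreak detection, keeping non-compliant devices off the network, wiping lost devices) to constructed device inventory records. The per-platform baseline values, the platform names and the sample devices are assumptions made for the example; the encryption facts follow the OS feature table earlier in the deck.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed baseline modelled on the slides' "minimum security requirements":
# per-platform minimum OS (Android full-device encryption exists from 3.0; Windows
# Phone 7 has no on-device encryption, per the OS feature table in the deck).
BASELINE = {
    "ios": {"min_os": (5, 0), "encryption_available": True},
    "android": {"min_os": (3, 0), "encryption_available": True},
    "windows_phone_7": {"min_os": (7, 5), "encryption_available": False},
    "blackberry": {"min_os": (7, 0), "encryption_available": True},
}
APP_BLACKLIST = {"com.example.consumersync"}   # constructed entry: consumer cloud sync app
MAX_CHECKIN_AGE = timedelta(days=7)            # a silent MDM agent cannot be trusted

Device = namedtuple("Device", "device_id platform os_version passcode_set encrypted "
                              "jailbroken apps last_checkin reported_lost", defaults=[False])

def evaluate(dev, now):
    """Return (decision, reasons): 'allow' grants network access, 'quarantine'
    keeps the device off the network until fixed, 'wipe' removes corporate data."""
    if dev.reported_lost:
        return "wipe", ["reported lost or stolen"]
    base = BASELINE.get(dev.platform)
    if base is None:
        return "quarantine", ["platform not on the device support roadmap"]
    reasons = []
    if dev.jailbroken:
        reasons.append("jailbroken/rooted")
    if dev.os_version < base["min_os"]:
        reasons.append("OS below minimum %s" % ".".join(map(str, base["min_os"])))
    if not dev.passcode_set:
        reasons.append("no screen-lock passcode")
    if not base["encryption_available"]:
        reasons.append("platform cannot encrypt stored data")
    elif not dev.encrypted:
        reasons.append("stored-data encryption disabled")
    if dev.apps & APP_BLACKLIST:
        reasons.append("blacklisted apps: " + ", ".join(sorted(dev.apps & APP_BLACKLIST)))
    if now - dev.last_checkin > MAX_CHECKIN_AGE:
        reasons.append("agent has not checked in for over 7 days")
    return ("quarantine" if reasons else "allow"), reasons

NOW = datetime(2012, 9, 25)                    # seminar date, used as the clock
SAMPLE = [                                     # constructed inventory records
    Device("ipad-01", "ios", (6, 0), True, True, False, set(), NOW - timedelta(days=1)),
    Device("gs2-07", "android", (2, 3), True, False, True, {"com.example.consumersync"}, NOW - timedelta(days=9)),
    Device("lumia-03", "windows_phone_7", (7, 5), True, False, False, set(), NOW),
    Device("bold-11", "blackberry", (7, 1), True, True, False, set(), NOW, True),
]
```

Every failed check is reported rather than only the first, so the help desk can hand the user a complete remediation list; a platform that cannot meet the encryption baseline at all is flagged as a policy decision, not a user error.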

Deloitte MDM Solutions Review: Product X

Pros
- Ease of management and configuration
- Ability to wipe devices remotely
- Jailbreak/rooting detection when the Product X application is on the device
- Reporting capabilities on devices that have been enrolled in Product X, such as inventory and package tracking
- Multi-tenant functionality available (at an extra cost)
- Web enroller that does not require the Product X app
- Device administrator can send a command to allow end users to reset their passcode if they forgot it

Cons
- End user can remove policies
- No support for Windows Phone
- Limited Android support
- Cannot remote wipe or encrypt SD cards on Android
- Able to remove control, but no partial wipe of the device is available
- Complex enrollment process
- Ownership tracking not accurate if configured by IT
- Web console is slow and cumbersome; updates scheduled for early next year
- Any person can enroll a rogue device once the enrollment code is provided, and possibly gain access to corporate information
- No app store functionality
- Device lock feature is of no use since the end user will know the passcode
- Cannot push a background image or other data

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
