BYOD and Mobile Device Security. Shirley Erp, CISSP CISA. November 28, 2012




Session is currently being recorded, and will be available on our website at http://www.utsystem.edu/compliance/swcacademy.html.
If you wish to ask questions:
- Click on the Raise Hand button. The webinar administrator will unmute you at the appropriate time. Note: Remember to turn down your speaker volume to avoid feedback.
- Questions may also be typed in the GoToWebinar Question panel.
CPE credit is available for this webinar for attendees who attend the live webinar. Please request credit by sending an email to the UT Systemwide Compliance Office at systemwidecomp@utsystem.edu.
Please provide your feedback in the post session survey.

Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011-2016
1 EB = 1,000,000,000 gigabytes or 1,000,000 terabytes
http://www.cisco.com/en/us/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html

BYOD (Bring Your Own Device)
Why? = Savings:
- No product purchases, management, or maintenance
- No training, replacement, or support headaches
- Employee satisfaction with freedom to choose
- Device consolidation (work cell + personal cell + work iPad + etc.)
- Work and communication flexibility 24x7

BYOD (Bring Your Own Device)
User Considerations:
- Privacy: personal phone is like a wallet
- Device ownership and service expenses
- Numerous applications and malware
- Insecure habits
- Unencrypted sensitive university data

It Is The Way We Live

Work

Eat

And Play

March 1, 2012 article: BYOD is a Security Problem
Summary: More of us are bringing our smartphones and tablets to work, but very few enable even the most basic security measures.
[Chart: device categories Laptop, Smartphone, Tablet; labels: Personal Devices Used for Work, Unprotected, Use Auto Lock; values shown: 51%, 38%, 15%, 1/3, 1/4, 1/10]
http://www.zdnet.com/blog/mobile-gadgeteer/byod-security-problem-less-than-10-of-tablet-owners-use-auto-lock/5536

Assume Owners are Zombies

Mobile Data Risks
Key findings from Symantec's Smartphone Honey Stick Project
[Chart: categories General Access, Accessed Personal, Accessed Business, Accessed Personal and Business, Owner Contacted; values shown: 50%, 70%, 83%, 89%, 96%]
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=symantec-smartphone-honey-stick-project

Default Configuration After Configuration


What is MDM?
MDM (Mobile Device Management)
- Enterprise software that secures, monitors, manages and supports various mobile devices
- Devices include: mobile phones, tablets, laptops, etc.
- May be a managed Cloud service or a company-run technology
- A server component with web-enabled remote management
- Agent or Agentless

MDM (Mobile Device Management): What Can It Do?
Central management functions may include:
- Encryption
- Policy management and enforcement
- Separation of personal vs. business data
- Software/application management
- Firmware updates
- Backup and restores
- Network usage and support
- Asset tracking and management
- Remote lock and selective wipes
- Troubleshooting and diagnostics tools
- Logging and reporting
- Remote administration, configuration, and provisioning

ActiveSync vs. MDM
ActiveSync is a data synchronization technology and protocol integrated into Exchange, which provides:
- Synchronization of email, calendar, contacts, and tasks
- Supports various mobile platforms
- Supports basic security policies limited to those ActiveSync features integrated into the mobile device
- ActiveSync has no way of identifying which mailboxes have a mobile device paired with it
- ActiveSync cannot identify the number of mobile devices or type of mobile devices paired with a mailbox

ActiveSync vs. MDM
ActiveSync Security Features Include:
- Transmission encryption: SSL
- Two factor authentication
- Remote wipe: erases all data from the mobile phone
- Device password policies include several options:
  1) Minimum password length
  2) Require alphanumeric password
  3) Inactivity time lockup
  4) Enforce password history
  5) Enable password recovery
  6) Wipe device after failed attempts
- Device encryption policies include:
  1) Requiring encryption on device
  2) Require encryption on storage cards

MDM Security Decisions
Security Requirements?
- Formal Policy
- Email
- Calendar
- Contacts
- Attachments
- Browsing
- Passwords
- Secure Connection
- Secure Bluetooth
- Encryption: stored and in transit
- Protections: jailbroken, malware, etc.
- Compliance requirements: HIPAA, FISMA, etc.

MDM Considerations
Enterprise Needs:
- Platforms: iPhone, Android, tablet, laptop, etc.
- Location: mobility
- BYOD: Bring your own device
- Ease of use and deployment
- Assistance: help desk or self service
- Staff resources
- Enterprise Applications: SharePoint, Web apps
- Administration: inside and outside
- Travel to Foreign Countries
- Carrier cost for enterprise agents
- Total Cost of Ownership (TCO)

Architecture?
[Diagram labels: INSIDE, OUTSIDE, Enterprise Apps, MDM Server?, BYOD]

A Perspective
Must Haves:
- Support device diversity
- Not allow jailbroken devices (must be able to detect)
- Support auto password locking features
- Encrypt institution's data (both data at rest and in transit)
- Support containerization
- Be user friendly and intuitive
- Remotely lock devices
- Support automated agent software updates
- Be affordable and scalable
- Wipe university data remotely (controlled wipe)
- Support controls for access to enterprise assets
- Auto clean devices that have not accessed the network over a specified period of time
- Have the ability to manage attachments (i.e. read only, not allowing .exe)

A Perspective
Nice To Haves:
- Antivirus where needed and available
- Software and version standards and requirements prior to access
- Register and vet users with an Active Directory association with the university
- Administrative control and viewing of activity and tagging for stolen devices
- Password and encryption strength controls
- Grouping and role capabilities that allow for varying configurations up to and including FISMA standards
- Reporting, monitoring, and inventory management
- Easy user registration with auto network identity integration checks
- Support/service channels within the product

MDM Project Plan
Initiate:
- BYOD plan
- Risk assessment
- MDM research
- Desired features
- Identify stakeholders
- Designate sponsor
- Funding source
- Business case
- Preliminary budget estimate
Plan:
- Scope
- MDM Requirements
- Product testing
- Product selection
- Architecture
- Procurement
- Resource staffing
- Schedule
- Budget
- Carrier requirements
- Decide performance metrics
Implement:
- Mobile Policy
- Carrier and service needs awareness
- User agreements
- Security standards
- Training
- Communication
- Support structure
- Phased roll out
- Performance tracking
- Reporting
Maintain:
- Monitor
- Troubleshoot
- Update product
- Update agents
- User Instructions: FAQs, Tips, Q&As
- Self service options
- User support
- Device management and retirement
- Assess new features
- Review risks

Example BYOD Policy

Example BYOD Policy continued

Example Standards
All mobile devices will:
- Support certificates for registration and authentication
- Run the latest operating system available, within a month of its release
- Be locked with a PIN containing a minimum length of 6 characters
- Run university-approved and required anti-virus software, where possible
- Access enterprise applications using the provided VPN client, SSL or IPSec
- Have their PIN changed annually or immediately after exposure
- Use the encryption container for storing sensitive university data on the device
- Have the device wiped after a maximum of 15 failed attempts
- Set the auto lock feature or idle timeout to 5 minutes
- Not allow peer-to-peer (P2P) file sharing applications
- Not install unapproved cloud-based applications for use with university data
- Not utilize instant messaging applications for university information
- Not utilize unapproved third-party applications for university data or business
- etc.
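The measurable items in the Example Standards above, expressed as an automated posture check. This is an added example, not part of the original presentation: the record fields, the device entries and the OS release table are constructed for illustration, and "within a month" is read as 31 days.

```python
from datetime import date

# Thresholds taken from the Example Standards slide above.
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 15
MAX_AUTO_LOCK_MINUTES = 5
MAX_PIN_AGE_DAYS = 365   # "annually"
OS_GRACE_DAYS = 31       # "within a month", read as 31 days (assumption)

def check_device(dev, latest_os, today):
    """Return the standards violated by one record (hypothetical MDM export schema)."""
    findings = []
    if not dev.get("cert_enrolled"):
        findings.append("no registration/authentication certificate")
    pin_len = dev.get("pin_min_length") or 0            # missing value = no PIN policy
    if pin_len < MIN_PIN_LENGTH:
        findings.append(f"PIN minimum length {pin_len} < {MIN_PIN_LENGTH}")
    last_change = dev.get("pin_last_changed")
    if last_change is None or (today - last_change).days > MAX_PIN_AGE_DAYS:
        findings.append("PIN not changed within the last year")
    wipe_after = dev.get("wipe_after_failed_attempts")  # None/0 = wipe disabled
    if not wipe_after or wipe_after > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe within 15 failed attempts")
    lock = dev.get("auto_lock_minutes")                 # None/0 = never locks
    if not lock or lock > MAX_AUTO_LOCK_MINUTES:
        findings.append("auto lock longer than 5 minutes or disabled")
    if not dev.get("container_encrypted"):
        findings.append("encryption container not in use")
    version, released = latest_os[dev["platform"]]
    # A device behind the latest release is tolerated only during the grace period.
    if dev["os_version"] != version and (today - released).days > OS_GRACE_DAYS:
        findings.append(f"OS {dev['os_version']} is behind {version} past the grace period")
    if dev.get("p2p_apps"):
        findings.append("P2P file sharing apps installed: " + ", ".join(dev["p2p_apps"]))
    return findings

# Constructed sample data, not taken from any real inventory or release calendar.
TODAY = date(2012, 11, 28)
LATEST_OS = {"ios": ("6.0.1", date(2012, 11, 1)), "android": ("4.2", date(2012, 11, 13))}
DEVICES = [
    {"id": "dev-001", "platform": "ios", "os_version": "6.0.1", "cert_enrolled": True,
     "pin_min_length": 6, "pin_last_changed": date(2012, 6, 1),
     "wipe_after_failed_attempts": 10, "auto_lock_minutes": 5,
     "container_encrypted": True, "p2p_apps": []},
    {"id": "dev-002", "platform": "android", "os_version": "4.1", "cert_enrolled": True,
     "pin_min_length": 4, "pin_last_changed": date(2011, 9, 1),
     "wipe_after_failed_attempts": None, "auto_lock_minutes": 15,
     "container_encrypted": True, "p2p_apps": ["ExampleTorrent"]},
]

if __name__ == "__main__":
    for d in DEVICES:
        issues = check_device(d, LATEST_OS, TODAY)
        print(d["id"], "; ".join(issues) or "compliant")
```

Missing or zero values are treated as non-compliant, so a device that never reported a setting does not pass by default.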

MDM User Agreements
Requirements:
- Make known the security vs. privacy tradeoffs
- Avoid bill shock: awareness of the usage implications
- If employer stipends are available
- Communicate security configuration requirements and IT actions:
  - wiping data
  - tracking locations
  - removing applications
  - restricting attachments
  - deploying agents
- Monitoring
- User responsibilities:
  - legal mandates, open records, audits
  - device purchases, service charges, accessories
- Employer notification (lost, stolen, replacements)

Example BYOD User Agreement
I understand and will abide by the following:
1. I understand by using my mobile device(s) for university business, there are some privacy and usability tradeoffs due to technology constraints or required security controls.
2. By using my personal mobile device(s) for university business, I understand it is my responsibility to help protect university data located on my mobile device(s) and protect the information on any backup systems.
3. I am responsible for providing and maintaining my mobile device(s), cellular service plan(s), associated equipment, and accessories.
4. I am solely responsible for any and all expenses incurred from the use, damage, loss and/or theft of my mobile device(s) and the university has no financial or legal liability.
5. I shall observe all applicable local, state, and federal laws for my mobile device(s), which are used for university purposes.
6. I understand a university product agent will be installed on my mobile device to provide security and remote management for protecting university data.
7. I understand the university reserves the right to wipe some or all data from my mobile device(s) in the event that I separate, opt out, or lose/replace the mobile device. Where possible, reasonable measures will be taken to preserve personal data.
8. If my mobile device(s) is placed on legal hold, I must surrender it immediately to the university if requested and all relevant files may be copied and used in a university legal matter.
9. I understand my mobile device(s) are subject to open records requests or audit processes, where I must cooperate by providing the university data stored on my mobile device(s) in a verifiable manner.
10. The password on the mobile device(s) must be maintained at all times and must only be known to me.
11. I understand university administrators own and manage the agent on my mobile device(s) and I also give them permission to manage my mobile device(s) according to the university mobile device configuration standard.
12. I understand the university has the right, at any time and without notice, to suspend or deny access to university resources.
13. I have the right to opt out of the university BYOD mobile device program; however, all university owned data will be removed. I am also responsible for removing any university data from all other locations where it has been copied.
14. The university has a right to change or terminate stipend programs at any time upon thirty (60) days advance notice without further reimbursement obligation.
15. I have read and will abide by all university policies.
Printed Name / Signature / Date

Discussion
- Policy
- BYOD Direction
- Resources
- Technologies
- Priorities