Mobile Security & BYOD Policy. Sarkis Daglian, Assistant Manager, Desktop Support, Office of Information Technology. Isaac Straley, UCI Information Security Officer, Office of Information Technology.
Speakers. Sarkis Daglian has been with UC Irvine since 2005 and is the assistant manager of OIT's Desktop Support Services. He has led OIT's mobile support effort for the past two years, defining usage on the campus, making recommendations that empower the mobile user, and coordinating the effort to bring the Airwatch mobile device management system to the campus. Isaac Straley has been with UC Irvine since 2005 and is the campus Information Security Officer. He is the lead for information security and privacy, data risk management, data breach incident response, and security/privacy compliance. He has been recognized for his work in information security, including receiving the 2008 3rd place Award for Excellence in Criminal Investigations from the International Association of Chiefs of Police. In addition to his work on campus, he actively participates in UC-wide and EDU-wide security initiatives, such as recently serving as Chair of the UC IT Policy and Security committee.
Assumptions. More people will use mobile devices (Cisco predicts more mobile devices than people on Earth by the end of 2012). Connectivity will soon be near-ubiquitous. We use mobile devices for both work and our personal lives. Applications and data storage will continue to be abstracted to the cloud.
What to do about BYOD (Bring Your Own Device)? 94% of users would be very frustrated if their company wiped their personal data off of their mobile device. 43% would be very unwilling to give up the use of data-intensive apps such as Pandora or Spotify on their personal devices in exchange for access to corporate information. 64% of users would be very frustrated to have to enter an enterprise password every time they wanted to access their favorite apps, such as Facebook. 49% of users would not opt for enterprise access if they had to give up iCloud or Android Backup Manager for their personal device. Source: Bitzer Mobile infographic based on Forrester and Gartner research, last accessed August 30, 2012.
Bring Your Own Device (BYOD). PRO: User flexibility. Fewer devices for users to carry. More advanced devices on the network. Devices upgraded more frequently than the organization's refresh cycle. CON: Less control of devices. Data security compliance. Who owns the data? How will you recover data if someone leaves?
It's already here. BYOD is not the question. How do we secure personal devices? How do we secure the data? The policies go with the data and the risk, not the device.
Defining Terms: Mobility Data Data can travel with the device Data can be accessed from a variety of endpoints Data may be stored in a variety of places Connectivity Anytime and anywhere Unsecured wireless networks Remote access
Defining Terms: Security. Confidentiality: Only authorized users can access the data. Integrity: The data are what they are supposed to be and have not been altered without authorization. Availability: The data are available and accessible when we need them to be.
The Mobile Landscape. The dominant players: - iOS - Android. The other guys: - Windows Mobile - BlackBerry
Mobile Device OS Market Share
Apple vs. Android Ecosystem: Closed vs. Open. - Apple tests and must approve every application posted on its App Store. - Android allows any application to be made available for installation without vetting, which keeps the platform truly open.
Cloud computing. Cloud storage: iCloud, Google, Dropbox.
The Mobile Landscape: Far-Reaching Digital Footprint. Beyond storage: - Privacy: social media, geolocation - Other apps: notes, project management, videos
Why this matters to developers. You need to understand the possible environments and potential consequences. Example: Storage. What happens if data are cached locally? If the developer is using third-party storage, do you know where it is being stored (e.g., within the continental U.S.)? Example: Authentication. Integrate authentication so the user has reasonable access limits. Too much authentication is just as bad as too little.
Examples of Breaches. - Laptop theft (SF Police video) - Apple-Amazon hack / Gizmodo journalist - Android malware - LinkedIn breach
So how do I protect my mobile data?
Security & Privacy Guiding Principles. Stewardship and Accountability: Everyone has a responsibility to protect information, and individuals are held accountable. Risk Management: Information must not be stored without understanding and formally mitigating or accepting the risk. Business Ownership: Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk. Privacy: Privacy and security are not a "zero-sum game." All aspects of privacy, including academic freedom, are weighed and incorporated into security practices.
Architecture Principles. - Defense in Depth - Least Privilege Access - Segmentation - Segregation of Duties - Accountability - Do Not Trust Services - Simplicity - Reuse - Secure Default
How to Manage Risk (the risk management cycle): Identify threats, identify vulnerabilities, assess likelihood and impact, approve (accept or mitigate) the risk, implement protective controls, measure control effectiveness, and repeat.
Levels of Risk. Low: Any data should have some protection on it. Medium: Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University's reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University. High: Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories, where federal programs may employ a different classification scheme.
Mobile Device Best Practices. Ensure your device's operating system is up to date. Set up a passcode lock or pattern; the more complex, the better. Set an auto-lock time. Set your device to auto-erase its contents after too many unsuccessful password attempts. Only install applications from trusted sources. Use GPS tracking software. Optional steps: Enable mobile browser fraud warnings. Forget Wi-Fi networks to prevent automatic rejoin. Keep Bluetooth turned off when not in use. http://www.oit.uci.edu/telephone/smartphone/security.html
What are the best policies for BYOD? Protecting the data is everyone s responsibility The policy goes with data, not with the device Security is not a binary state Manage the risk and apply reasonable protections Involve stakeholders in making risk determination
How to Enforce BYOD Controls. Rely on users to make the determination: easy to implement, low level of assurance. Tell users the requirements and ask for attestation: good for many risk scenarios; a joint effort between data owner, IT, and users. Use technical controls to enforce: for higher-risk situations, attestation is not enough.
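The two preceding slides describe a device baseline (OS current, passcode set, auto-lock, auto-erase on failed attempts, trusted app sources only) and three enforcement tiers keyed on the data classification. The following is an added example, not code from the presentation or from Airwatch or Bradford Networks, showing how an MDM-style posture check and the tiered access decision fit together. The record layout, field names and the numeric thresholds (minimum passcode length, auto-lock limit, failed-attempt cap, minimum OS versions) are assumptions chosen for illustration, not values stated on the slides or exported by any real product.

```python
"""Device posture check against a BYOD baseline, plus the tiered
enforcement decision (user determination / attestation / technical
control) keyed on the classification of the data being accessed.

Added example; field names and thresholds are illustrative assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Baseline distilled from the best-practices list. Numeric values are assumed.
BASELINE = {
    "min_passcode_length": 6,
    "max_autolock_minutes": 5,
    "max_failed_attempts": 10,          # auto-erase must trigger at or below this
    "min_os_version": {"ios": (6, 0), "android": (4, 1)},  # proxy for "up to date"
}

# Data classification -> enforcement tier, following the three tiers on the slide.
ENFORCEMENT: Dict[str, str] = {"low": "user", "medium": "attestation", "high": "technical"}


@dataclass
class DevicePosture:
    """Hypothetical posture record as an MDM or NAC might report it."""
    device_id: str
    platform: str                    # "ios" or "android"
    os_version: str                  # dotted version string, e.g. "6.0.1"
    passcode_set: bool
    passcode_length: int
    autolock_minutes: int            # 0 means the device never auto-locks
    auto_erase_after_failures: int   # 0 means auto-erase is disabled
    untrusted_app_sources: bool      # e.g. Android "unknown sources" on, or jailbroken/rooted
    mdm_enrolled: bool


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.0.1' -> (6, 0, 1); tuples compare correctly, unlike the raw strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(d: DevicePosture, baseline: dict = BASELINE) -> List[str]:
    """Return every baseline finding for the device; an empty list means compliant."""
    findings: List[str] = []
    minimum = baseline["min_os_version"].get(d.platform)
    if minimum is None:
        findings.append(f"unsupported platform {d.platform!r}")
    elif parse_version(d.os_version) < minimum:
        findings.append(f"OS {d.os_version} is below the minimum supported version")
    if not d.passcode_set:
        findings.append("no passcode or pattern lock configured")
    elif d.passcode_length < baseline["min_passcode_length"]:
        findings.append(f"passcode length {d.passcode_length} is below the minimum")
    # 0 means "never", which is worse than a long timeout, so treat it as a failure too.
    if d.autolock_minutes <= 0 or d.autolock_minutes > baseline["max_autolock_minutes"]:
        findings.append("auto-lock is disabled or set longer than the allowed interval")
    if d.auto_erase_after_failures <= 0 or d.auto_erase_after_failures > baseline["max_failed_attempts"]:
        findings.append("auto-erase after failed unlock attempts is disabled or too lax")
    if d.untrusted_app_sources:
        findings.append("device permits applications from untrusted sources")
    return findings


def access_decision(classification: str, device: DevicePosture, user_attested: bool) -> Tuple[str, str, List[str]]:
    """Apply the enforcement tier for the data classification.

    Returns (decision, tier, findings). The policy follows the data: the same
    device can be allowed for low-risk data and denied for high-risk data."""
    tier = ENFORCEMENT[classification]
    findings = evaluate_device(device)
    if tier == "user":
        # The user makes the call; we only record what we observed.
        return ("allow", tier, findings)
    if tier == "attestation":
        # Findings are reported back, but the user's attestation is what gates access.
        return ("allow" if user_attested else "deny", tier, findings)
    # Technical enforcement: attestation is not enough; the device must be
    # under management and actually meet the baseline.
    if device.mdm_enrolled and not findings:
        return ("allow", tier, findings)
    return ("deny", tier, findings)


# Constructed sample records (not real devices).
COMPLIANT_IOS = DevicePosture("ipad-001", "ios", "6.0.1", True, 6, 2, 10, False, True)
STALE_ANDROID = DevicePosture("droid-042", "android", "2.3.6", True, 4, 0, 0, True, False)

if __name__ == "__main__":
    for dev in (COMPLIANT_IOS, STALE_ANDROID):
        for level in ("low", "medium", "high"):
            decision, tier, findings = access_decision(level, dev, user_attested=True)
            print(f"{dev.device_id} {level:6} {tier:11} {decision:5} {findings}")
```

The point the block makes concrete is the slide's "policy goes with the data": `STALE_ANDROID` is allowed at the low tier, allowed at the medium tier only because the user attested, and denied at the high tier regardless of attestation because it is unenrolled and fails five baseline checks.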
What are we trying to accomplish? User and Device Provisioning Policies Backup/Restore Updates Diagnostics Software Installation / Restrictions Asset tracking and management User support Remote wipe and remote lock GPS tracking? Exception process
UCI Airwatch Implementation. Medical Center: Bradford Networks appliance and Airwatch. Devices at the Med Center register with the Bradford NAC, which authenticates the user and places the device in the appropriate group with a minimum security configuration. Those requirements are then pushed from Airwatch. Main campus: Airwatch. Devices under Athletics IT must enroll in Airwatch to have security protocols enforced on them in order to be NCAA and HIPAA compliant. Desktop Support clients are also using Airwatch as a means to enforce data security guidelines.
Take Aways The world is now mobile and BYOD is here Professional and personal data now reside and are accessible on the same device Protect the data, not just the device or the application Involve everyone! Assess the risk Set guidelines, policies, and procedures to govern levels of security required for different types of data Determine how to enforce security requirements, using an MDM when appropriate
Questions?