How We Deployed BYOD Using Mobile Device Management
Providing mobile access to company resources safely and securely
by Frank Grogan and Robert Dalrymple

Table of Contents
1. Introduction
2. Understanding the Threat Landscape
3. Vendor Selection Approach
4. Bake-Off
5. Proof of Concept
6. Implementation
7. Governance
8. Lessons Learned
9. Q&A
Introductions
- One of the largest pediatric clinical care providers in the country
- 847,998 patient visits in 2012
- Served 346,356 children from all 159 counties in Georgia in 2012
- 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities
- Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine
- Over 8,400 employees, 1,700 pediatric physicians, and 6,500 volunteers
- Mission: To make kids better today and healthier tomorrow
- Vision: Best care... healthier kids

Introduction
- Robert Dalrymple, MBA, CISA, CISSP: Information Security Manager with 13 years' experience in Healthcare Information Security.
- Frank Grogan: Information Security Administrator with 7 years' experience in Healthcare Information Security.
Objective
To provide Children's employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols are and remain in place to protect Children's resources and patient data.
Why did we do this?
- Provide flexibility to those who are approved to use their personal devices to access Children's resources
- Provide a secure means of accessing data electronically
- Protect Children's from the risk of a potential data breach
- Separate the user's personal data from Children's data
- Address regulations as they relate to mobile device security
Research (understanding the landscape)
Things to investigate:
- Device types
- Manufacturers
- OS versions
- Known vulnerabilities
- Jailbreaking/rooting
- Connection methods
- Compatibility with infrastructure

Governance Resources
- NIST Special Publication 800-53A Rev 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
- NIST Special Publication 800-124 Rev 1 (Final, Jun 2013): Guidelines for Managing the Security of Mobile Devices in the Enterprise
- NIST Special Publication 800-164 (DRAFT, Oct 2012): Guidelines on Hardware-Rooted Security in Mobile Devices
- NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
- http://csrc.nist.gov/publications/pubssps.html

Risk Assessment
- Consider scenarios outside the scope of the project
- Document risks no matter how obscure
- Evaluate connection methods
- Apply findings to a Risk Management Framework
- Continuous and frequent re-assessment
Vendor Selection (approach)
Five phases: Vendor Identification, Vendor Elimination, Vendor Exclusion, Vendor Evaluation, Final Selection.

Vendor Identification
- Industry knowledge and experience
- Gartner Magic Quadrant position
- Gartner Critical Capabilities
- Forrester Report

Vendor Elimination
- Determined Children's requirements
- Combined requirements with Critical Capabilities
- Developed scoring criteria
- Selected the 5 vendors / 4 solutions that scored above 85%

Vendor Exclusion
- Assembled core IS&T team
- Sent RFI requesting info
- Evaluated RFI responses
- Developed demo scoring sheet
- Held on-site demos
- Scored demos
- Compiled scoring
- Discussed results and reached consensus
- Selected 2 finalists

Vendor Evaluation
- Invited finalists to Proof of Concept (Bake-Off)
- Determined hardware requirements
- Built test environment
- Installed and configured solutions for testing
- Tested solutions
- Documented findings
- Held vendor demos for stakeholders

Final Selection
- Sent RFQ to finalists
- Assembled side-by-side comparison
- Reviewed RFQ responses
- Reviewed side-by-side comparison
- Made recommendation to stakeholders
- Stakeholders reached a consensus
Defining Requirements
Consider:
- What access users will be granted to the various available resources
- Permitted device types
- Supported operating system(s)
- Deadlines

Defining Requirements (cont.)
- Required level and type of reporting
- Self-service functions
- Collecting device information
- Preservation of the native experience

Vendor Identification
- Perform vendor research based on pre-defined company requirements
- Ask your security colleagues for their experiences
- Gartner Magic Quadrant
- Gartner Critical Capabilities
- Forrester Report

Narrowing Down the Choices
- Assemble a core team of IT professionals
- Combine company requirements with Critical Capabilities
- Develop scoring criteria for demos
- Host vendor demos
- Compile and discuss results
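The scoring step above (combine requirements with critical capabilities, score each demo, keep the vendors above 85%) can be made repeatable so that the core team argues about weights and scores rather than about arithmetic. The following is an added example, not the presenters' own scoring sheet: the criteria, weights, vendor names and scores are constructed, and the rule that a vendor scoring zero on a mandatory criterion is excluded regardless of its total is an assumption this example adds.

```python
"""Weighted demo scoring used to narrow an MDM vendor field.

Added example (not from the presentation). Criteria, weights, vendor names
and per-criterion scores are constructed; the 85% cut-off is the threshold
the presenters report using.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int              # relative importance: 1 (nice to have) .. 5 (critical)
    mandatory: bool = False  # assumption: scoring 0 here excludes the vendor outright


# Constructed list: company requirements merged with analyst "critical capabilities".
CRITERIA = [
    Criterion("Device passcode enforcement", 5, mandatory=True),
    Criterion("Jailbreak/root detection", 5, mandatory=True),
    Criterion("Container separating personal and company data", 4, mandatory=True),
    Criterion("Selective wipe of company data only", 4),
    Criterion("Compliance reporting", 3),
    Criterion("Self-service enrollment", 2),
    Criterion("Preserves native mail/calendar experience", 2),
]

MAX_SCORE = 3  # each criterion is scored 0 (absent) .. 3 (fully meets the requirement)


def score_vendor(scores: dict[str, int]) -> tuple[float, list[str]]:
    """Return (weighted percentage, names of mandatory criteria scored 0).

    percentage = 100 * sum(weight * score) / sum(weight * MAX_SCORE)
    A criterion missing from `scores` counts as 0.
    """
    earned = 0
    possible = 0
    failed_mandatory = []
    for c in CRITERIA:
        s = scores.get(c.name, 0)
        if not 0 <= s <= MAX_SCORE:
            raise ValueError(f"score for {c.name!r} must be between 0 and {MAX_SCORE}")
        if c.mandatory and s == 0:
            failed_mandatory.append(c.name)
        earned += c.weight * s
        possible += c.weight * MAX_SCORE
    return round(100 * earned / possible, 1), failed_mandatory


def shortlist(vendors: dict[str, dict[str, int]], threshold: float = 85.0) -> list[tuple[str, float]]:
    """Vendors scoring above `threshold` with no mandatory gaps, highest first."""
    kept = []
    for name, scores in vendors.items():
        pct, failed = score_vendor(scores)
        if pct > threshold and not failed:
            kept.append((name, pct))
    kept.sort(key=lambda item: item[1], reverse=True)
    return kept


def _scores(*values: int) -> dict[str, int]:
    """Pair scores with CRITERIA in order (helper for the constructed sample data)."""
    return {c.name: v for c, v in zip(CRITERIA, values)}


# Constructed demo scores for four hypothetical vendors.
SAMPLE_VENDORS = {
    "Vendor A": _scores(3, 3, 3, 3, 3, 2, 2),  # strong across the board
    "Vendor B": _scores(3, 3, 3, 2, 2, 3, 1),  # just clears the bar
    "Vendor C": _scores(3, 0, 3, 3, 3, 3, 3),  # high total, but no jailbreak detection
    "Vendor D": _scores(2, 2, 2, 2, 2, 2, 2),  # partial on everything
}

if __name__ == "__main__":
    for name, scores in SAMPLE_VENDORS.items():
        pct, failed = score_vendor(scores)
        note = f"  EXCLUDED (mandatory gap: {', '.join(failed)})" if failed else ""
        print(f"{name}: {pct}%{note}")
    print("Shortlist:", shortlist(SAMPLE_VENDORS))
```

The mandatory flag is the point of the example: Vendor C has the highest raw feature count but no jailbreak/root detection, and a weighted total alone would let that slip through. Keep the weights and the raw score sheet with the demo notes so the decision can be revisited when requirements change.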
Bake-Off

Infrastructure Options / Requirements
Suggestions:
- Request vendor requirements
- Virtual vs. physical servers
- Vendor-owned appliances
- Consider final implementation
- 3rd-party certifications
- External DNS naming convention

Configuration and Testing
First:
- Acquire a good variety of test devices
Then:
- Test enrollment across all device types and allowed OS versions
- Test basic functionality (Email, Contacts, Calendar)
- Configure basic security policy requirements
- Document everything step-by-step
- Note any inconsistencies

Comparisons
Side-by-side comparisons are your best friend.
Enrollment Comparison Example (figure)
Comparisons (cont.)
Passcode/Password Comparison Example

Criteria                 | Vendor 1                                                                                                  | Vendor 2
Device Passcode          | Required                                                                                                  | Optional
4 Character Passcode     | Supported                                                                                                 | Supported
Email Access             | Not Required                                                                                              | Required
Contacts/Calendar Access | Not Required                                                                                              | Not Required
Attachments Access       | Optional                                                                                                  | Not Required
Secure Documents**       | Requires Children's Username & Password or Certificate to access [optional] (e.g. [username] P@55w0rd)    | Does not require Children's Username & Password or Certificate to access
Secure Web Browser       | Requires Children's Username & Password or Certificate                                                    | Does not require Children's Username & Password or Certificate

Comparisons (cont.)
UX Comparison: Vendor 1 vs. Vendor 2 (figure)
Proof of Concept

On Premise vs. SaaS Solution
Decision Criteria
- Infrastructure considerations: hardware costs, support
- Security considerations: confidentiality, integrity, availability
- Speed of deployment
- Cost considerations: cost breakdown, cost analysis
- Recommendation / analysis

Comparisons
Infrastructure Cost Comparison Example

Hardware Costs
- On-Premise: 4-6 VM instances (2 x Database, 2 x Application Server, 2 x Gateway optional); ~$$$$$; with High Availability; up to 5000 devices; one-time expense
- Single Tenant Cloud: 2-4 VM instances (2 x Server, 2 x Gateway optional); ~$ - $$; with High Availability; up to 5000 devices; one-time expense
- Multi-Tenant Cloud: (no entry)

Comparisons (cont.)
Availability Comparison Example (scenario: Children's Data Center Outage)

Criteria                                        | On-Premise | Single Tenant Cloud | Multi-Tenant Cloud
Able to enroll devices?                         | No         | No                  |
Able to administer accounts through MDM tool?   | No         | Yes (Remote)        |
Access to Email / Contacts / Calendar?          | Yes        | Yes                 |
Updates to Email / Contacts / Calendar?         | No         | No                  |
Disaster Recovery / Business Continuity         | Optional   | Yes                 |

Comparisons (cont.)
Speed of Deployment Comparison Example

- On-Premise: hardware & software licenses; estimated at 45 days
  - Hardware procurement (servers)
  - Software procurement
  - Hardware and software installations
  - Installing MDM solution
  - Install and maintain licenses for infrastructure and MDM solution
- Single Tenant Cloud: estimated at 10 days
  - Hardware procurement for up to 4 servers (on-site connectors)
  - Installing MDM software connectors
  - Vendor will maintain licensing as part of the subscription
- Multi-Tenant Cloud: (no entry)
Implementation

Internal Testing
- Test, Test, Test

Pilot
- Limit the scope to get focused feedback
- Select individuals who will actively engage and provide good feedback
- Include representatives from key stakeholder groups

Configuration
Define compliance requirements:
- Passwords: character types, complexity, change frequency
- Encryption: container, whole device, external SD card
- VPN
- Sync settings
- Device types and OS version minimums
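Once those compliance requirements are written down, the same list becomes the check the MDM runs against every enrolled device, and it helps to prototype that check before trusting the vendor's policy editor. The following is an added example and not the presenters' configuration or any MDM product's code: the policy values, the Device record fields, the sample inventory, and the allow/remediate/block escalation are all constructed assumptions. A real MDM exports its inventory under its own field names, which would be mapped onto Device before use.

```python
"""Evaluate enrolled devices against a BYOD compliance policy.

Added example, not from the presentation. Policy values, device record
fields and the sample inventory are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'7.0.4' -> (7, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Policy:
    min_os: dict[str, str]            # platform -> minimum OS version permitted to enroll
    passcode_min_length: int = 6
    passcode_min_char_types: int = 2  # complexity, e.g. letters + digits
    passcode_max_age_days: int = 90   # change frequency
    require_encryption: bool = True   # container or whole device
    require_sd_encryption: bool = True
    allow_jailbroken: bool = False


@dataclass(frozen=True)
class Device:
    """One inventory record; field names are assumptions, not an MDM's export format."""
    device_id: str
    platform: str
    os_version: str
    passcode_set: bool
    passcode_length: int
    passcode_char_types: int
    passcode_age_days: int
    encrypted: bool
    sd_card_present: bool
    sd_card_encrypted: bool
    jailbroken: bool


def evaluate(device: Device, policy: Policy) -> list[str]:
    """Return every policy violation for the device (empty list = compliant)."""
    violations = []
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        violations.append(f"platform {device.platform!r} is not an approved device type")
    elif parse_version(device.os_version) < parse_version(minimum):
        violations.append(f"OS {device.os_version} is below the minimum {minimum}")
    if not device.passcode_set:
        violations.append("no device passcode")
    else:
        if device.passcode_length < policy.passcode_min_length:
            violations.append(f"passcode shorter than {policy.passcode_min_length} characters")
        if device.passcode_char_types < policy.passcode_min_char_types:
            violations.append(f"passcode uses fewer than {policy.passcode_min_char_types} character types")
        if device.passcode_age_days > policy.passcode_max_age_days:
            violations.append(f"passcode older than {policy.passcode_max_age_days} days")
    if policy.require_encryption and not device.encrypted:
        violations.append("device/container storage not encrypted")
    if policy.require_sd_encryption and device.sd_card_present and not device.sd_card_encrypted:
        violations.append("external SD card not encrypted")
    if device.jailbroken and not policy.allow_jailbroken:
        violations.append("device is jailbroken/rooted")
    return violations


# Assumed escalation (not from the presentation): compromised or unapproved devices
# lose access to company resources immediately; other gaps get a remediation window.
BLOCK_IMMEDIATELY = ("jailbroken", "not an approved device type")


def assess(devices: list[Device], policy: Policy) -> dict[str, tuple[str, list[str]]]:
    """Map device_id -> (action, violations) where action is allow, remediate or block."""
    results = {}
    for d in devices:
        v = evaluate(d, policy)
        if not v:
            action = "allow"
        elif any(key in msg for msg in v for key in BLOCK_IMMEDIATELY):
            action = "block"
        else:
            action = "remediate"
        results[d.device_id] = (action, v)
    return results


POLICY = Policy(min_os={"ios": "7.0", "android": "4.4", "windowsphone": "8.0"})

# Constructed inventory records (not real devices).
SAMPLE_DEVICES = [
    Device("ios-001", "ios", "7.0.4", True, 6, 2, 30, True, False, False, False),
    Device("android-002", "android", "4.1.2", True, 4, 1, 120, False, True, False, False),
    Device("ios-003", "ios", "7.1", True, 8, 3, 10, True, False, False, True),
    Device("wp-004", "windowsphone", "8.1", True, 6, 2, 45, True, True, True, False),
]

if __name__ == "__main__":
    for device_id, (action, violations) in assess(SAMPLE_DEVICES, POLICY).items():
        print(device_id, action, violations)
```

Two details matter in practice: OS versions must be compared as numeric tuples (as strings, "4.10" sorts below "4.4"), and the SD card rule only fires when a card is present, so devices without one are not flagged for a setting they cannot have. The violation list, not just the final action, is what should land in the compliance report so the user and the help desk can see what to fix.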
Phased Deployment
MDM Enrollment by Device Type
- Group I: Children's-owned BlackBerries and iPhones
- Group II: Personal iPhones
- Group III: Personal Windows Phones, iPads
- Group IV: Android devices
MDM Features Timeline (Q1 through Q4)
- Email, Contacts, and Calendars
- Secure Attachments
- Secure Text Messaging
- VPN
- SharePoint
- Network Drives

Policies and Standards
- Mobile Device Acceptable Use Policy
- Handling of ePHI on Mobile Devices Standard
- Approved Access Method Standard
Terms of Service
What We Did
- Copied / pasted the Mobile Device AUP as the Terms of Service
Things to Consider
- Absolve the company of any liability
- Document what can be done vs. what is being done
- Changes may be made at any time
- Refer to the Mobile Device Acceptable Use Policy
- Be consistent with the overarching InfoSec AUP
- Have your legal department review and update
Lessons Learned

Lessons Learned
- Test, Test, Test

Q&A