BYOD in practice
KPMG case study
13 March 2013

Aurelia Costache, CIO, KPMG Romania
Tel: +40 744 655 830
acostache@kpmg.com

Agenda
• BYOD – why?
• Business case for mobile devices
• Implications
• Challenges
• Summary and lessons learnt

© 2013 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

BYOD – Why? Trend or necessity?

Global telecom sector: an overview
[Chart: Global wireless subscriber base and net additions (Q1 2012)]
[Chart: Global Mobile Services Revenues (US$ billion), voice vs. data, 2010 to 2014F]
• Growing subscriber base: mobile subscriptions at 6.2 billion in Q1 2012 (~87 percent penetration); adjusted active subscriptions 4.2 billion
• 170 million net additions in the first quarter ending March 2012
• Sharp decline in revenue growth: down from double-digit increases between 2005 and 2008 to just 5 percent in 2011
• Mobile service revenue to grow at a CAGR of 3.2 percent during 2011-14
• Data to drive revenue growth, at a CAGR of 12.3 percent during 2011-14, only partly offsetting the decline of voice revenues
Source: Ericsson; Informa Research

BYOD – What’s the buzz?
History
• BlackBerry served the corporate world
• As of 2007: major growth in the smartphone market share of iPhone and Android
Recent years
• Explosion of smartphone penetration
• Emergence of tablets
• Corporate and private phones get mixed: “Bring your own device”
Main drivers
• Intuitive, usable interface
• Internet and cloud integration
• Affordable pricing
U.S. mobile subscriber market share, November 2012 (source: comScore MobiLens): Android 54%, iOS 35%, BlackBerry 7%, Microsoft 3%, Symbian 1%

BYOD in KPMG: Business Case

The business case – main elements
• Analysis of national and roaming traffic data
• Estimation of new traffic requirements for BYOD (national and roaming)
• The existing fleet was almost 2 years old and replacement had to be planned
• CAPEX is lower (fewer devices acquired by KPMG)
• OPEX is higher (more admin staff to support the new users, MDM licenses, additional traffic)
• KPMG people (they can select the smartphone they want)
• Staff need for mobility (business efficiency by accessing KPMG resources on mobile devices)

BYOD in KPMG: Implications

Implications – broader than expected
• KPMG Global Standards
• Data Privacy
• Technology
• Legal
• Security
KPMG Global Standards, Technology and Security
Main concerns
Ensure the necessary security features to protect corporate data and prevent data loss, as well as comply with KPMG Global Standards – Security Requirements for Mobile Devices.
• What security features are needed?
• How will these security features be deployed?
• What happens when a device is lost or stolen?
• What happens with the data saved to local backup or iCloud?
• What happens when a device is infected with malware?
• What happens when the wrong PIN / password is entered too many times?
KPMG approach
KPMG limited the BYOD program to the main operating systems on the market, Android and iOS, and implemented dedicated MDM solutions: FAMOC for iOS, GOOD for Android.

Legal and Data Privacy
Main concerns
MDM features may include activity monitoring, tracking, and remote lock & wipe. Employees must give explicit and fully-informed consent for any organization to access and process their personal data. Employee consent is also required should a business wish to install an MDM application on their device.
KPMG approach
KPMG implemented a BYOD policy that:
• addresses the above concerns
• was formally communicated to and acknowledged by all participants.
The policy configurations enforced through the MDM were carefully reviewed to ensure compliance with legal and Data Privacy requirements.
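To make the security and consent questions above concrete, here is an added example (not KPMG’s code or policy, and not the API of any MDM product) of how a compliance rule set answering them can be evaluated per device; the field names, the PIN-failure threshold and the sample fleet are assumptions.

```python
from dataclasses import dataclass

ALLOWED_OS = {"ios", "android"}   # program scope from the deck
MAX_PIN_FAILURES = 10             # assumed threshold; the deck asks the question, not the number

@dataclass
class Device:                     # state as an MDM agent might report it (field names assumed)
    device_id: str
    os: str
    user_consented: bool = False        # explicit consent before MDM processes personal data
    jailbroken: bool = False
    malware_detected: bool = False
    reported_lost: bool = False
    pin_failures: int = 0
    cloud_backup_enabled: bool = False  # corporate data going to local/iCloud backup

def evaluate(dev):
    """Map device state to the single most severe MDM action plus the reasons for it."""
    if not dev.user_consented:
        return "deny_enrollment", ["no explicit, informed consent for MDM processing"]
    if dev.os.lower() not in ALLOWED_OS:
        return "deny_enrollment", [f"platform {dev.os!r} outside program scope"]
    reasons = []
    if dev.reported_lost:
        reasons.append("device reported lost or stolen")
    if dev.pin_failures >= MAX_PIN_FAILURES:
        reasons.append(f"{dev.pin_failures} wrong PIN attempts")
    if reasons:                       # remote wipe of corporate data
        return "wipe_corporate", reasons
    if dev.jailbroken or dev.malware_detected:
        return "block_access", ["device jailbroken or infected"]  # revoke access until remediated
    if dev.cloud_backup_enabled:
        return "remediate", ["corporate data backed up to local/cloud storage"]
    return "compliant", []

def evaluate_fleet(fleet):
    return {d.device_id: evaluate(d)[0] for d in fleet}

# Constructed sample fleet, not real enrollment data.
SAMPLE_FLEET = [
    Device("d1", "iOS", user_consented=True),
    Device("d2", "Android", user_consented=True, jailbroken=True),
    Device("d3", "iOS", user_consented=True, reported_lost=True),
    Device("d4", "Android", user_consented=True, pin_failures=10),
    Device("d5", "iOS", user_consented=True, cloud_backup_enabled=True),
    Device("d6", "BlackBerry", user_consented=True),
    Device("d7", "iOS"),
]
```

The consent check comes first so that no device state is processed for a user who has not agreed to the MDM terms.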
BYOD in KPMG: Challenges

BYOD – Challenges
Operational challenges
• Complete testing and configuration of the MDM solutions
• Plan the enrollment: centralize all requests through the service desk application; plan for the increase in data traffic
• Enroll all devices at the same time: activate the data services, install the MDM application on the device, configure the user account on the email server and synchronize the KPMG data account
Security testing phase
Vulnerabilities identified included the MDM solution’s Internet-facing components as well as the client application installed on mobile devices. Testing covered all components of the solution:
1. The web applications’ front-end interface
   • Application security testing (web-specific attacks, application logic attacks)
   • Testing the network communication between clients and server: data encryption / protection, MITM, spoofing, etc.
2. The client application (agent) installed on smartphones
   • Jailbreak
   • Policy bypassing
   • Local data storage / recovery
   • Static application analysis, etc.
Findings also included operational/functional vulnerabilities (e.g. the application did not detect that a phone had been jailbroken).

BYOD in KPMG: Summary & lessons learnt

Summary of BYOD in KPMG Romania
Summary of the 2012 BYOD program allowing employees to use their own smartphones to access relevant corporate data:
In the past...
• Around 150 BlackBerry devices used by managers and above
• Mainly used for corporate email access
• Expensive solution, especially in roaming
Drivers for change
• Proliferation of smart devices
• KPMG people
• Cloud-based services (private cloud)
• Need for mobility
• Cost management
Today
• 260 smart devices (phones and tablets) activated
• Traffic volume increased by 30%, costs reduced by 10%
• After a 6-month review the business case was confirmed
• Legal and Data Privacy aspects considered and formalized in a BYOD policy
• MDM solution implemented, but processes are complex and need time to stabilize
• Initiative well received by KPMG staff (user satisfaction increased)
• Behavior changed (efficiency & innovation)
Device mix: Samsung Galaxy SII 50%, iPhone 4S 36%, iPad 11%, Samsung Tab 10.1 2%, other (Android) 1%

Lessons learnt
Enrolling mobile devices results in new risks
• Broader than expected, e.g. legal, technology, integration, backups
• Security controls work differently on mobile devices
Technical solutions
• Different security architectures to reduce the risks of mobile devices
• No technical solution fixes it all; mitigate risks through people, processes and technology
How to continue
• Perform a risk assessment before implementation
• Consult with relevant experts
• Implement security controls for people, process and technology
• Test the effectiveness of security controls
• Stay up-to-date with recent developments
• Structured approach, phase by phase
Unexpectedly well received by users!

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”).