BYOD – Enterprise Mobile Data Protection
MSIT 458 – Information Security, November 23, 2013
Techmasters: Rohit Gupta | Aman Sardana | Sean Saager | Xiaofeng Zhu | Zhenyu Zhang

Agenda
- Introduction and Mobility Environments
- BYOD Data Challenges and Strategies
- Vendor Comparison and Recommendations
- The Proposed Solution

Introduction

The Good Old Days of Mobility…
- Fully integrated security, encryption and policy stacks.
- Business email, calendar and contacts only on BlackBerry.
- IT command-and-control; no personal apps allowed.
- Predictable and controlled.

The New Enterprise Mobility

Business End User: “Give me the apps and data I need on the devices I want, without restricting my personal use.”

IT Organization: “We need productive employees and maximum returns on mobility without sacrificing security and compliance!” “How do we protect our assets if we can’t trust or control the device? How do we manage compliance?”

BYOD – Bring Your Own Device
“Bring your own device (BYOD) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications.”

DATA CHALLENGES

Protecting data from internal and external threats
Data requires protection on devices, in transmission, and when taken outside the network. Mobile data protection is an important issue as many enterprises continue to address regulatory requirements and the consequences of lost and stolen laptops and other mobile devices.

Risking data loss: the consequences can be extreme
- One office data breach can incur legal fees, disclosure expenses, consulting fees and remediation expenses.
- One retail data breach can incur credit monitoring expenses, legal settlements and information control audits.

Risking viruses & malware
Mobile devices offer little protection against hackers and intrusions:
- Malware can enter the workplace via consumer devices.
- It then gains access to other devices and data.
- Potential for company-wide infections.

Policy enforcement
IT is challenged by a BYOD workplace:
- Creating device-specific policies is difficult.
- We have given up some direct control.
- Solutions for these mobile platforms are immature.

Challenges to productivity: adopting and enforcing a BYOD strategy
- Younger employees collaborate in new ways.
- Employees want the freedom to use mobile devices at work.
- Secure access solutions are necessary for empowering employees to work anywhere.

The Trust GAP – BYOD World
Organizations and their employees are eager to reap the benefits of BYOD programs, but despite their desire to embrace the BYOD model, both groups have lingering concerns about BYOD. While businesses are mainly concerned with maintaining security, employees are worried about preserving the convenience they need in order to work from their mobile device, and the privacy they expect regarding the personal information on the device.

The Trust GAP (cont’d)
Source: The MobileIron Trust GAP Survey

The Trust GAP (cont’d)
Employees are confused about what employers can and can’t see on their mobile devices. (Chart: Perception vs. Reality)

STRATEGIES

BYOD Strategy: A 5-step guide
“BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades. The benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction, and reducing or avoiding costs.” Source: David Willis, vice president at Gartner, 2013
1. Consider a Mobile Device Management tool
2. Create a BYOD Policy
3. Manage expectations, and manage applications
4. Update your IT department
5. Incorporate BYOD in your company’s HR strategy

BYOD Policy: Policy = Simplicity
Focusing on policy is the first step.
- Determine which devices are allowed to access the network.
- Determine which devices you will support.
- Do we require certain software on personal devices before they can join the network?
Manage Applications
- Protect corporate data by limiting access through a VPN. For high-level protection, limit access to devices that support VPN connectivity and require a secure connection.
- Best practices and policy enforcement are essential.
- Are you subject to controls such as HIPAA or PCI DSS?
- If a device is lost, can you wipe the data?
- Do employees know what rights they give up when using a mobile device?

Developing the Solution
Many organizations want to support personally owned mobile devices for business use to drive employee satisfaction and productivity (Bring Your Own Device, or BYOD), while reducing mobile expenses. “A successful BYOD program requires a clear separation of corporate and personal information, apps, and content ad”

Solution Requirements: Security
- All devices should be enrolled in the corporate network.
- Provisioning of mobile devices should be secure.
- Security policies should be targeted to the right groups/employees.
- Restriction of some/all mobile applications.
- Complex/multi-character passwords required.
- Updates of the mobile OS required.
- Encryption of all forms of corporate data.
- Tracking and inventory of all devices.
- Access control over the corporate email system.
- Sanction and disconnect modified or rogue devices.
- Selective/full remote wipe of the device.

Solution Requirements (cont’d)
- Storage encryption: focuses on protecting data at rest, stored on the user’s device.
- Network-level traffic encryption: implemented as a VPN. For personal devices allowed to connect to an enterprise network, such VPNs take the form of host-to-gateway architectures.
- Application-level encryption: application-level traffic encryption can be used instead of a VPN when the traffic to be protected involves particular applications.
- Multifactor authentication: involves two or more types of authentication factors.
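To show how the security requirements above become an enforceable check, here is an added example that is not from the slides or from any of the vendors compared later. It models the decision an enrollment or access gateway makes for each device: evaluate the device record the MDM agent reports against the policy for the user's group, then allow access, restrict email/VPN until the user remediates (OS update, encryption, passcode, blocked app), or quarantine and selectively wipe corporate data (jailbroken/rooted or unenrolled device). The group policy, the minimum OS versions and the device records are constructed assumptions for illustration; the agent is assumed to report passcode length and character-class count, never the passcode itself.

```python
from dataclasses import dataclass, field

# Constructed minimum OS versions per platform; an assumption for this example,
# not a value taken from the slides or from any vendor.
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 4), "windowsphone": (8, 0)}

HARD = "hard"   # sanction: cut off corporate access, selectively wipe corporate data
SOFT = "soft"   # restrict: block email/VPN until the user remediates


@dataclass(frozen=True)
class Policy:
    group: str
    min_passcode_len: int
    min_passcode_classes: int      # of lower / upper / digit / symbol
    require_encryption: bool
    allow_modified: bool           # are jailbroken/rooted devices tolerated?
    blocked_apps: frozenset = frozenset()


@dataclass(frozen=True)
class Device:
    device_id: str
    group: str
    platform: str
    os_version: str
    enrolled: bool
    encrypted: bool                # storage encryption enabled
    modified: bool                 # jailbroken / rooted, as reported by the agent
    passcode_len: int              # the agent reports length and class count,
    passcode_classes: int          # never the passcode itself
    apps: frozenset = frozenset()


@dataclass
class Verdict:
    action: str                    # "allow" | "restrict" | "quarantine"
    selective_wipe: bool           # wipe corporate data, leave personal data alone
    findings: list = field(default_factory=list)


def parse_version(v: str) -> tuple:
    """'6.1.3' -> (6, 1, 3); tuple comparison gives the right ordering."""
    return tuple(int(p) for p in v.split("."))


def evaluate(device: Device, policy: Policy) -> Verdict:
    """Apply one group's policy to one device record and decide the access action."""
    if device.group != policy.group:
        raise ValueError("policy is targeted at a different group")

    findings = []   # (severity, message)
    if not device.enrolled:
        findings.append((HARD, "device not enrolled"))
    if device.modified and not policy.allow_modified:
        findings.append((HARD, "jailbroken/rooted device"))
    floor = MIN_OS_VERSION.get(device.platform)
    if floor is None:
        findings.append((HARD, f"unsupported platform {device.platform}"))
    elif parse_version(device.os_version) < floor:
        findings.append((SOFT, f"OS {device.os_version} below required {'.'.join(map(str, floor))}"))
    if policy.require_encryption and not device.encrypted:
        findings.append((SOFT, "storage encryption disabled"))
    if (device.passcode_len < policy.min_passcode_len
            or device.passcode_classes < policy.min_passcode_classes):
        findings.append((SOFT, "passcode does not meet complexity policy"))
    for app in sorted(device.apps & policy.blocked_apps):
        findings.append((SOFT, f"blocked application installed: {app}"))

    messages = [m for _, m in findings]
    if any(sev == HARD for sev, _ in findings):
        # A selective wipe can only be issued to a device that is still enrolled.
        return Verdict("quarantine", selective_wipe=device.enrolled, findings=messages)
    if findings:
        return Verdict("restrict", selective_wipe=False, findings=messages)
    return Verdict("allow", selective_wipe=False)


# Constructed group policy (assumption, not a vendor default).
FINANCE = Policy("finance", min_passcode_len=8, min_passcode_classes=3,
                 require_encryption=True, allow_modified=False,
                 blocked_apps=frozenset({"com.example.filesharing"}))

# Constructed device inventory records for the demonstration.
SAMPLE_DEVICES = [
    Device("d-001", "finance", "ios", "7.1", True, True, False, 10, 3),
    Device("d-002", "finance", "android", "4.4.2", True, True, True, 12, 4),
    Device("d-003", "finance", "ios", "6.1.3", True, False, False, 4, 1,
           apps=frozenset({"com.example.filesharing"})),
]


def run(devices=SAMPLE_DEVICES, policy=FINANCE) -> dict:
    return {d.device_id: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for dev_id, v in run().items():
        wipe = " (selective wipe)" if v.selective_wipe else ""
        print(f"{dev_id}: {v.action}{wipe}; " + "; ".join(v.findings))
```

The two-tier severity is the point: a rooted device is a trust failure and is disconnected and wiped of corporate data at once, while an out-of-date OS or a weak passcode is a remediable gap, so the user keeps the device but loses email and VPN until it is fixed. Running the block prints one line per sample device: d-001 is allowed, d-002 is quarantined and selectively wiped, and d-003 is restricted with four findings.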
Vendor selection/comparison

Feature                        Huawei                   Samsung Knox    MobileIron               Symantec
Platforms supported            Android, iOS, Windows    Android only    Android, iOS, Windows    iOS, Android, Windows, BlackBerry
Remote locking                 Yes                      Yes             Yes                      No
SIM card change notification   Yes                      No              Yes                      No
Remote data wipe               Yes                      Yes             Yes                      Yes
GPS positioning                Yes                      No              Yes                      Yes
Data backup and restoration    Yes                      Yes             No                       Yes
File encryption                Yes                      Yes             Yes                      Yes
Virtual private network        Yes                      Yes             Yes                      Yes

Chosen solution
The Huawei Mobile Device Management Platform offers a good choice for enterprises that want an efficient security management system without worrying about mobile service deployment, and helps enterprises improve their return on investment (ROI).
1. Provides end-to-end (E2E) protection against the disclosure of sensitive data while it is at rest, in motion, in use, or in storage.
2. Creates a secure zone in which the enterprise environment and the personal environment are isolated from each other, helping to close the “Trust Gap”.
3. Exercises deep security management and control of devices and applications.
4. Provides lifecycle-based mobile device management and a complete security management process covering the Acquire, Deploy, Run, and Retire phases.
5. Provides consistent, secure access for endpoints and a unified security policy management platform.

Huawei supported client platforms

Device                               Platform version
iPhone 3G/3GS                        iOS 3.1.3 or above
iPhone 4/4S                          iOS 4.0 or above
iPad                                 iOS 3.2.2 or above
Android (such as Huawei & Samsung)   Android 2.2 or above
Windows                              XP, Vista, Windows 7
Windows Phone                        Windows Phone 8

Huawei Data Privacy
- Data transmission: data encryption guarantees confidentiality and prevents malicious sniffing or tampering.
- Data security on the server side: remote locking, remote data wipe, and data backup and restoration through interaction with a backend management system.
- Anti-theft functions, such as global positioning system (GPS) location and automatic alarms, ensure that data is not disclosed even when devices are lost.

Huawei Solution Architecture
(Architecture diagram; the component descriptions recoverable from it follow.)
- Secure remote access – Huawei SSL VPN: based on a Huawei high-reliability hardware platform and a dedicated real-time operating system. Offers a flexible, secure, and controllable E2E link encryption mechanism for users and protects security during remote VPN access.
- Threat defense – Firewalls: integrate cutting-edge security technologies, including antivirus (AV), intrusion prevention system (IPS), distributed denial of service (DDoS) defense, content filtering and deep packet inspection (DPI), to provide professional content security protection. They also provide interaction interfaces between users, networks, and applications, making network management and maintenance much easier.
- Smart mobile client – AnyOffice: the solution provides a unified secure mobile client, the AnyOffice client, through which enterprises can smoothly migrate their enterprise applications to mobile devices.
- Consistent network access control – SACG: a dedicated access control gateway developed on a Huawei carrier-class platform. It cooperates with the AnyOffice client and an admission control server to provide unified network access control and guarantee consistent policy enforcement across environments such as corporate LANs, WLANs, and remote access.
- Simple platform for releasing mobile enterprise applications – MEAP: a mobile enterprise application platform with a simple integrated development environment (IDE). Supports HTML5, native, and hybrid applications, which can be developed once and released repeatedly across platforms, reducing development complexity and saving costs for enterprises.

Privacy – AnyOffice Client

Cost Benefit Analysis
To measure the ROI of BYOD, the researchers recommended that companies do a cost-benefit analysis in six areas:
- The cost of devices
- Voice and data costs
- Helpdesk costs
- Mobile developer expenses
- Mobility management software costs
- Productivity gained

The ROI Advantage
For employees, BYOD programs often improve productivity and increase job satisfaction. They can also save businesses money by allowing employees to use their personal mobile devices, but a company typically spends about an equal amount on data protection software and on employees’ monthly data plans. From an overall company standpoint, the Huawei solution will provide a good return on investment. The technology also protects the company from data breaches and the possible lost business that could result from them. More important is the impact on your company’s reputation; you can’t put a price on that. Ultimately, the company implemented BYOD not to save money but to give employees the flexibility to use devices of their choice.

Thank You