Mobile Data Protection

BYOD – Enterprise Mobile Data Protection
MSIT 458 – Information Security
November 23, 2013
Techmasters - Rohit Gupta | Aman Sardana | Sean Saager | Xiaofeng Zhu | Zhenyu Zhang
Agenda
Introduction and Mobility Environments
BYOD Data Challenges and Strategies
Vendor Comparison and Recommendations
The Proposed Solution
Introduction
The Good Old Days of Mobility…
• Fully integrated security, encryption and policy stacks.
• Business Email, Calendar and Contacts only on BlackBerry.
• IT command-and-control, no personal apps allowed.
• Predictable and controlled.
The New Enterprise Mobility
Business
End User
“Give me the apps and
data I need on the devices I
want. Without restricting my
personal use.”
IT Organization
“We need productive
employees and maximum
returns on mobility without
sacrificing security and
compliance!”
“How do we protect our assets if we can’t trust or control the
device? How do we manage compliance?”
BYOD
Bring your own device
“Bring your own device (BYOD) means the policy of permitting
employees to bring personally owned mobile devices (laptops,
tablets, and smart phones) to their workplace, and use those
devices to access privileged company information and applications.”
DATA CHALLENGES
Protecting data from internal and external threats
Data requires protection on devices, in transmission, and when
taken outside the network.
Mobile data protection is an important issue as many enterprises
continue to address regulatory requirements and the consequences
of lost and stolen laptops and other mobile devices.
Risking data loss
The consequences can be extreme.
One office data breach can incur:
• Legal fees
• Disclosure expenses
• Consulting fees
• Remediation expenses
One retail data breach can incur:
• Credit monitoring expenses
• Legal settlements
• Information control audits
Risking viruses & malware
Mobile devices offer little protection against hackers and intrusions.
• Threats enter the workplace via consumer devices.
• They gain access to other devices and data.
• Potential for company-wide infections.
Policy enforcement
IT is challenged by a BYOD workplace.
• Creating device-specific policies is difficult.
• We’ve given up some direct control.
• Solutions for these mobile platforms are immature.
Challenges to productivity
Adopting & enforcing a BYOD strategy.
• Younger employees collaborate in new ways.
• Employees want freedom to use mobile devices at work.
• Secure access solutions are necessary for empowering employees to work anywhere.
The Trust GAP – BYOD World
Organizations and their employees are
eager to reap the benefits of BYOD
programs, but despite their desire to
embrace the BYOD model, both groups
have lingering concerns about BYOD.
While businesses are mainly concerned
with maintaining security, employees
are worried about preserving the
convenience they need in order to work
from their mobile device, and the
privacy they expect regarding the
personal information on the device.
The Trust GAP (cont’d)
Source: The MobileIron Trust GAP Survey
The Trust GAP (cont’d)
Employees are confused about what employers can and can’t
see on their mobile devices.
[Chart: PERCEPTION vs. REALITY]
STRATEGIES
BYOD Strategy: A 5-step guide
“BYOD strategies are the most radical change to the economics and
the culture of client computing in business in decades. The benefits
of BYOD include creating new mobile workforce opportunities,
increasing employee satisfaction, and reducing or avoiding costs.”
Source: David Willis, vice president at Gartner, 2013
1. Consider a Mobile Device Management tool
2. Create a BYOD Policy
3. Manage expectations, and manage applications
4. Update your IT department
5. Incorporate BYOD in your company’s HR strategy
BYOD Policy
Policy = Simplicity
Focusing on policy is the first step.
• Determine which devices are allowed to access the network.
• Determine which devices you will support.
• Do we require certain software on a personal device before it can
join the network?
Manage Applications
Protect corporate data by limiting access through a VPN.
For high-level protection, limit access to devices that support
VPN connectivity and require a secure connection.
Best practices and policy enforcement are essential
• Are you subject to controls such as HIPAA or PCI DSS?
• If a device is lost, can you wipe the data?
• Do employees know what rights they give up when using a mobile device?
Developing the Solution
Many organizations want to support personally-owned mobile
devices for business use to drive employee satisfaction and
productivity (Bring Your Own Device or BYOD), while reducing mobile
expenses.
“A successful BYOD program requires a clear separation of
corporate and personal information, apps, and content ad”
Solution Requirements
Security
• All devices should be enrolled into the corporate network.
• Provisioning of mobile devices should be secure.
• Security policies should be targeted to the right groups/employees.
• Restriction of some/all mobile applications.
• Complex/multi-character passwords required.
• Updates of the mobile OS required.
• Encryption of all forms of corporate data.
• Tracking and inventory of all devices.
• Access control over the corporate email system.
• Sanction and disconnect modified or rogue devices.
• Selective/full remote wipe of devices.
Solution Requirements (cont’d)
• Storage Encryption
Focuses on protecting data at rest, stored on the user’s device.
• Network-level Traffic Encryption
Implemented as a VPN. For personal devices allowed to connect to an
enterprise network, such VPNs take the form of host-to-gateway architectures.
• Application-level Encryption
Application-level traffic encryption can be used instead of a VPN when
the traffic to be protected involves particular applications.
• Multifactor Authentication
Involves two or more types of authentication factors.
Vendor selection/comparison
Feature                      | Huawei                | Samsung Knox | MobileIron            | Symantec
Platform Supported           | Android, iOS, Windows | Android only | Android, iOS, Windows | iOS, Android, Windows and Blackberry devices
Remote locking               | Yes                   | Yes          | Yes                   | No
SIM Card change notification | Yes                   | No           | Yes                   | No
Remote data wipe             | Yes                   | Yes          | Yes                   | Yes
GPS Positioning              | Yes                   | No           | Yes                   | Yes
Data backup and Restoration  | Yes                   | Yes          | No                    | Yes
File Encryption              | Yes                   | Yes          | Yes                   | Yes
Virtual Private Network      | Yes                   | Yes          | Yes                   | Yes
Chosen solution
The Huawei Mobile Device Management Platform offers a good choice for
enterprises to have an efficient security management system without worrying
about mobile service deployment, and helps enterprises improve the return on
investment (ROI).
1. Provides E2E ability to guard against the disclosure of sensitive data while data is at
a standstill, in motion, being used, or being stored.
2. Creates a secure zone where an enterprise environment and a personal
environment are isolated from each other, and helps remove the “Trust Gap”.
3. Exercises deep security management and control of devices and applications.
4. Provides lifecycle-based mobile device management and a complete security
management process covering Acquire, Deploy, Run, and Retire phases.
5. Provides a consistent and secure access means for endpoints, and a unified security
policy management platform.
Huawei supported client platforms
Device                             | Platform Version
iPhone 3G/3Gs                      | iOS 3.1.3 or above
iPhone 4/4s                        | iOS 4.0 or above
iPad                               | iOS 3.2.2 or above
Android (such as Huawei & Samsung) | Android 2.2 or above
Windows                            | XP, Vista, Windows 7
Windows Phone                      | Windows Phone 8
Huawei Data Privacy
• Data transmission
Data encryption guarantees data confidentiality and security, preventing
malicious data sniffing or tampering.
• Data security on the server side
Remote locking, remote data wipe, and data backup and restoration through
interaction with a backend management system.
Anti-theft functions, such as global positioning system (GPS) and automatic
alarms, ensure that data is not disclosed even when devices are lost.
Huawei Solution Architecture
[Architecture diagram: Smart Carrier-Class Mobile Secure Remote Access; Mobile Client; VPN; Threat Defense; Access (AnyOffice); Consistent Network Access Control; Simple Platform for Releasing Mobile Enterprise Applications]
Huawei Architecture
Huawei SSL VPN
Huawei SSL VPN is based on a Huawei high-reliability hardware platform and a
dedicated real-time operating system. It has the following features:
• Provides professional content security protection capability, including
antivirus and intrusion prevention function.
• Offers a flexible, secure, and controllable E2E link encryption mechanism for users.
• Protects security during remote VPN access.
Huawei Firewalls
Huawei firewalls integrate cutting-edge security technologies, the well-known
Symantec antivirus, and industry-leading deep packet inspection (DPI) technology.
They also provide firewall, intrusion prevention system (IPS), antivirus (AV),
distributed denial of service (DDoS), and content filtering.
AnyOffice Client
The solution provides a unified secure mobile client, the AnyOffice client.
As a dedicated BYOD client, the AnyOffice client provides unique interaction
interfaces between users, networks, and applications. It enables network
management and maintenance to be much easier.
SACG
SACG is a dedicated access control gateway developed based on a Huawei
carrier-class hardware platform. It cooperates with the AnyOffice client and an
admission control server to provide unified network access control and guarantee
consistent policy enforcement in different environments, such as corporate LANs,
WLANs, and remote access environments.
MEAP
Provides an industry-leading mobile enterprise application platform (MEAP) to
smoothly migrate enterprise applications. It has the following features:
• Provides an industry-leading, simple integrated development environment (IDE).
• Supports HTML5, native, and hybrid applications, which can be developed in one
step and released time and again across platforms, obviously reducing development
complexity and saving costs for enterprises.
Privacy – AnyOffice Client
Cost Benefit Analysis
To measure the ROI of BYOD, the researchers recommended that
companies do a cost-benefit analysis in six areas:
• The cost of devices
• Voice and data costs
• Helpdesk costs
• Mobile developer expenses
• Mobility management software costs
• Productivity gained
The ROI Advantage
For employees, BYOD programs often improve productivity and
increase job satisfaction. They can also save businesses money by
allowing employees to use their personal mobile devices, but the business
also spends about an equal amount on data protection software and
employees’ monthly data plans.
From an overall company standpoint, the Huawei solution will
provide a good return on investment. The technology also protects
the company from data breaches and possible lost business that
could result from them.
“More important is the impact on your company reputation; you
can’t put a price on that.”
Ultimately, the company implemented BYOD not to save money but
to give employees the flexibility to use devices of their choice.
Thank You