Children's Healthcare of Atlanta

How We Deployed BYOD Using
Mobile Device Management
Providing mobile access to company resources
safely and securely
by Frank Grogan and Robert Dalrymple
Table of Contents
1. Introduction
2. Understanding the Threat Landscape
3. Vendor Selection Approach
4. Bake-Off
5. Proof of Concept
6. Implementation
7. Governance
8. Lessons Learned
9. Q&A
Introductions
• One of the largest pediatric clinical care providers in the country
• 847,998 patient visits in 2012
• Served 346,356 children from all 159 counties in Georgia in 2012
• 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities
• Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine
• Over 8,400 employees, 1,700 pediatric physicians, and 6,500 volunteers
Mission: To make kids better today and healthier tomorrow
Vision: Best care ... healthier kids
Introduction
Robert Dalrymple, MBA, CISA, CISSP
Information Security Manager with 13 years' experience in Healthcare Information Security.
Frank Grogan
Information Security Administrator with 7 years' experience in Healthcare Information Security.
Objective
To provide Children’s employees with flexibility in
choosing their mobile device, while ensuring
appropriate security protocols are and remain in place
to protect Children’s Resources and patient data.
Why did we do this?
• Provide flexibility to those who are approved to use their personal devices to access Children's resources
• Provide a secure means of accessing data electronically
• Protect Children's from the risk of a potential data breach
• Separate the user's personal data from Children's data
• Address regulations as they relate to mobile device security
Research
(understanding the landscape)
Things to investigate:
• Device types
• Manufacturers
• OS Versions
• Known Vulnerabilities
• Jailbreaking/Rooting
• Connection Methods
• Compatibility with Infrastructure
Governance Resources
• NIST Special Publication 800-53A Rev 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
• NIST Special Publication 800-124 Rev 1 (Final), Jun 2013: Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST Special Publication 800-164 (Draft), Oct 2012: Guidelines on Hardware-Rooted Security in Mobile Devices
• NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
http://csrc.nist.gov/publications/PubsSPs.html
Risk Assessment
• Consider scenarios outside the scope of the project
• Document risks no matter how obscure
• Evaluate connection methods
• Apply findings to a Risk Management Framework
• Continuous and frequent re-assessment
Vendor Selection (approach)

1. Vendor Identification
• Industry Knowledge and Experience
• Gartner Magic Quadrant Position
• Gartner Critical Capabilities
• Forrester Report

2. Vendor Elimination
• Determined Children's Requirements
• Combined Requirements with Critical Capabilities
• Developed Scoring Criteria
• Selected the 5 Vendors / 4 Solutions that Scored Above 85%

3. Vendor Exclusion
• Assembled Core IS&T Team
• Sent RFI Requesting Info
• Evaluated RFI Responses
• Developed Demo Scoring Sheet
• Held On-Site Demos
• Scored Demos
• Compiled Scoring
• Discussed Results and Reached Consensus
• Selected 2 Finalists

4. Vendor Evaluation
• Invited Finalists to Proof of Concept (Bake-Off)
• Determined Hardware Requirements
• Built Test Environment
• Installed and Configured Solutions for Testing
• Tested Solutions
• Documented Findings
• Held Vendor Demos for Stakeholders

5. Final Selection
• Sent RFQ to Finalists
• Assembled Side-by-Side Comparison
• Reviewed RFQ Responses
• Reviewed Side-by-Side Comparison
• Made Recommendation to Stakeholders
• Stakeholders Reached a Consensus
Defining Requirements
Consider:
• What access users will be granted to the various available resources
• Permitted device types
• Supported operating system(s)
• Deadlines
Defining Requirements (cont.)
• Required level and type of reporting
• Self-service functions
• Collecting device information
• Preservation of the "Native Experience"
Vendor Identification
• Perform vendor research based on pre-defined
company requirements
• Ask your security colleagues for their experiences
• Gartner Magic Quadrant
• Gartner Critical Capabilities
• Forrester Report
Narrowing Down the Choices
• Assemble a core team of IT professionals
• Combine Company Requirements with Critical
Capabilities
• Develop Scoring Criteria for Demos
• Host Vendor Demos
• Compile and Discuss Results
Bake-Off
Infrastructure Options / Requirements
Suggestions:
• Request Vendor Requirements
• Virtual vs. Physical Servers
• Vendor Owned Appliances
• Consider Final Implementation
• 3rd Party Certifications
• External DNS Naming Convention
Configuration and Testing
First:
• Acquire a good variety of test devices
Then:
• Test enrollment across all device types and allowed
OS versions
• Test basic functionality (Email, Contacts, Calendar)
• Configure basic security policy requirements
• Document everything step-by-step
• Note any inconsistencies
Comparisons
Side-by-side comparisons are your best friend
• Enrollment Comparison Example
Comparisons (cont.)
• Passcode/Password Comparison Example

Device Passcode
  Vendor 1: Required
  Vendor 2: Optional
4 Character Passcode
  Vendor 1: Supported
  Vendor 2: Supported
Email Access
  Vendor 1: Not Required
  Vendor 2: Required
Contacts/Calendar Access
  Vendor 1: Not Required
  Vendor 2: Not Required
Attachments Access
  Vendor 1: Optional
  Vendor 2: Not Required
Secure Documents**
  Vendor 1: Requires Children's Username & Password or Certificate to access [optional] (e.g. [username]|P@55w0rd)
  Vendor 2: Does not require Children's Username & Password or Certificate to access
Secure Web Browser
  Vendor 1: Requires Children's Username & Password or Certificate
  Vendor 2: Does not require Children's Username & Password or Certificate
Comparisons (cont.)
• UX Comparison (screenshots of Vendor 1 and Vendor 2; images not reproduced)
Proof of Concept
On-Premise vs. SaaS Solution
Decision Criteria
• Infrastructure Considerations
  – Hardware Costs
  – Support
• Security Considerations
  – Confidentiality
  – Integrity
  – Availability
• Speed of Deployment
• Cost Considerations
  – Cost Breakdown
  – Cost Analysis
• Recommendation and Analysis
Comparisons
• Infrastructure Cost Comparison Example

Hardware Costs
  On-Premise:
    • 4 - 6 VM Instances: 2 x Database, 2 x Application Server, 2 x Gateway (optional)
    • ~$$$$$
    • With High Availability
    • Up to 5000 Devices
    • One Time Expense
  Single Tenant Cloud:
    • 2 - 4 VM Instances: 2 x Server, 2 x Gateway (optional)
    • ~$ - $$
    • With High Availability
    • Up to 5000 Devices
    • One Time Expense
  Multi-Tenant Cloud: (not listed)
Comparisons (cont.)
• Availability Comparison Example

Criteria (Children's Data Center Outage) | On-Premise | Single Tenant Cloud | Multi-Tenant Cloud
--- | --- | --- | ---
Able to enroll devices? | No | No |
Able to administer accounts through MDM Tool? | No | Yes (Remote) |
Access to Email / Contacts / Calendar? | Yes | Yes |
Updates to Email / Contacts / Calendar? | No | No |
Disaster Recovery / Business Continuity | Optional | Yes |
Comparisons (cont.)
• Speed of Deployment Comparison Example

Criteria | On-Premise | Single Tenant Cloud | Multi-Tenant Cloud
--- | --- | --- | ---
Speed of Deployment | Estimated at 45 days | Estimated at 10 days |
Hardware & Software | Hardware Procurement; Server Software Procurement; Hardware and Software Installations; Installing MDM Solution | Hardware Procurement for up to 4 servers (on-site connectors); Installing MDM Software connectors |
Licenses | Install and maintain licenses for Infrastructure and MDM Solution | Vendor will maintain licensing as part of the subscription |
Implementation
Internal Testing
Test, Test, Test
Pilot
• Limit the scope to get focused feedback
• Select individuals who will actively engage and
provide good feedback
• Include representatives from key stakeholder groups
Configuration
Define Compliance Requirements:
• Passwords
– Character Types
– Complexity
– Change Frequency
• Encryption
– Container
– Whole Device
– External SD Card
• VPN
• Sync Settings
• Device Types and OS Version Minimums
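As an added example (not code from the Children's deployment or from any MDM vendor), the following Python checks constructed device inventory records against a compliance policy of the kind this slide describes: passcode length and change frequency, device and SD card encryption, jailbreak/root status, and per-platform OS version minimums. The OS minimums, passcode thresholds, the Device fields and the inventory records are assumed values chosen for illustration.

```python
"""Evaluate MDM device records against an assumed compliance policy."""
from dataclasses import dataclass

# Assumed policy values for illustration; a real deployment sets its own.
POLICY = {
    "min_os": {"iOS": (7, 0), "Android": (4, 2), "Windows Phone": (8, 0)},
    "passcode_min_length": 4,
    "passcode_max_age_days": 90,
    "require_device_encryption": True,
    "require_sdcard_encryption": True,  # only checked when an SD card is present
}

@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    passcode_length: int
    passcode_age_days: int
    device_encrypted: bool
    has_sdcard: bool = False
    sdcard_encrypted: bool = False
    jailbroken: bool = False

def parse_version(v: str) -> tuple:
    """'7.0.4' -> (7, 0, 4); tuples compare correctly where strings do not."""
    return tuple(int(p) for p in v.split("."))

def check_device(d: Device, policy=POLICY) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    minimum = policy["min_os"].get(d.platform)
    if minimum is None:
        violations.append(f"platform {d.platform} not permitted")
    elif parse_version(d.os_version) < minimum:
        violations.append(f"OS {d.os_version} below minimum {'.'.join(map(str, minimum))}")
    if d.jailbroken:
        violations.append("device is jailbroken/rooted")
    if d.passcode_length < policy["passcode_min_length"]:
        violations.append("passcode too short")
    if d.passcode_age_days > policy["passcode_max_age_days"]:
        violations.append("passcode change overdue")
    if policy["require_device_encryption"] and not d.device_encrypted:
        violations.append("device storage not encrypted")
    if d.has_sdcard and policy["require_sdcard_encryption"] and not d.sdcard_encrypted:
        violations.append("external SD card not encrypted")
    return violations

# Constructed inventory records, not real devices.
INVENTORY = [
    Device("iphone-a", "iOS", "7.0.4", 6, 30, True),
    Device("android-b", "Android", "4.1.2", 4, 120, False, has_sdcard=True),
    Device("iphone-c", "iOS", "7.1", 4, 10, True, jailbroken=True),
]

def noncompliant(devices=INVENTORY) -> dict:
    """Map device name -> violations for every device that fails a check."""
    return {d.name: v for d in devices if (v := check_device(d))}
```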
Phased Deployment
MDM Enrollment by Device Type
• Group I: Children's Owned BlackBerries and iPhones
• Groups II and III: Personal iPhones, Personal Windows Phones, iPads
• Group IV: Android Devices
MDM Features Timeline
• Q1: Email, Contacts, and Calendars
• Q2: Secure Attachments
• Q3: Secure Text Messaging
• Q4: VPN, SharePoint, Network Drives
Policies and Standards
• Mobile Device Acceptable Use Policy
• Handling of ePHI on Mobile Devices Standard
• Approved Access Method Standard
Terms of Service
What We Did
• Copied the Mobile Device AUP into the Terms of Service
Things to Consider
• Absolve the company of any liability
• Document what can be done vs. what is being done
• Changes may be made at any time
• Refer to the Mobile Device Acceptable Use Policy
• Be consistent with the overarching InfoSec AUP
• Have your legal department review and update
Lessons Learned
Lessons Learned
Test
Test
Test
Q&A