OWASP_Manchester_Bring_Your_Own_Device_v2

The OWASP Foundation
http://www.owasp.org

Bring Your Own Device
Could you, would you, should you
May 2012
Benjamin JH Ramduny

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
What is Bring Your Own Device (BYOD)?

Wikipedia has this to say:
“Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases”

We say that:
“BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a level of control over both the device and the data it can access”
BYOD in the News
Who is adopting BYOD

Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT

CIO attitudes that showed 48% of companies would NEVER authorize employees to bring their own devices to the workplace. 57% of IT managers said that employees do it anyway. - Cisco

64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However 52% of companies allowed some form of access. - Absolute Software
Could you BYOD
BYOD Options

There are two main options when considering BYOD: augmentation or replacement.

Augmentation:
You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to as mobile/laptop consumerisation.
• Opt in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps.
• Opt in scheme for employees who are entitled to a corporate phone but also want to use their own handset.

Replacement:
You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devices.
• Opt in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs).
The BYOD Family Tree

The BYOD policy must detail which items are allowed and the controls that will be applied.

When defining the scope of any BYOD implementation consideration must be given to which end user devices* will be allowed.

Each device type has its own set of risks and management issues.

BYOD
  Mobile Device
    Hand Held
      Mobile Phone
        Android Mobile
        Apple iPhone
        Windows Phone
      Tablet
        Android Tablet
        Apple iPad
        Blackberry Playbook
    Laptop
      Windows Laptop
      Apple Mac
  Desktop Device

* Note: Desktops and Blackberries are not shown
Strategy and Policy

Strategy
Understanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation
• What devices will be subject to BYOD
• What overarching method of resource access will be used for:
  • Hand held devices
  • Laptops
• How will the solution and end users be supported
• How will business units be charged for the service

Policy
Getting the policy right protects the business from the risks associated with BYOD
• What device makes and models will be allowed
• How will Antivirus be handled
• What actions does the company reserve the right to carry out on an employee's personal device (e.g. remote wipe on loss)
• How will leavers be handled
• What access controls will be used (Certificate based authentication, PIN number lengths)

A Quick Survey – Who has some form of BYOD in their organisation?
Would you BYOD
Why Do It?
• Increased user mobility
• Increased user satisfaction
• Help retain top performers
• Increase productivity*
• Reduce capital costs
• Helps to attract younger talent*
Laptop Consumerisation
Management Options

Service Access
• Virtualisation (VDI)
• Web Apps Only
• Network Boot
• MDM platform with Windows support
• Desktop on a Pen Drive technologies

Access Control
• NAC
• PKI / Certificate based Authentication
Laptop Consumerisation
Management Solutions

Virtualisation
Pros:
• Secure
• User gets complete desktop and application suite
Cons:
• Expensive
• Get it wrong and performance is slow

Network Boot
Pros:
• Secure
• User gets complete desktop and application suite
• Uses the full power of the hardware
Cons:
• Requires network access
• It's not here yet

MDM
Pros:
• Leverages Windows inbuilt security
• No Network dependence
Cons:
• Users might not like you restricting their PC
• Only a few vendors

USB
Pros:
• Small and light weight
• Works with any Hardware
• Full desktop available
• No Network dependence
Cons:
• New emerging technology
Mobile Consumerisation
Mobile Device Options

iPhone
Security Considerations: Pre iOS 4.0 device encryption is weak. Apple's iOS release cycles make interception of new versions easier than Android.
Enterprise Management Tools: Enterprise management can be accomplished via the Apple iPhone Configuration Utility or by 3rd party applications: Excitor, Sybase, Good Technology, Mobile Iron and AirWatch. Exchange support also through MS ActiveSync.
Virtualization:
• Citrix Receiver / XenApp
• VMware through Wyse PocketCloud

Android
Security Considerations: Pre Android 4.0 (ICS) the native email client does not support ActiveSync with certificate based authentication. Full device encryption weak before Android 3.0. Ad hoc and fragmented development cycles make intercepting new versions difficult. Reliance on multiple vendors passing on new patches and OS versions means that many users do not receive the latest security patches and OSs.
Enterprise Management Tools: No native enterprise management tools. Enterprise management can be accomplished via 3rd party: InnoPath, Good Technology, Excitor, Mobile Iron and AirWatch.
Virtualization:
• VMware MVP
• Citrix Receiver / XenApp (Q409?)

Windows Phone
Security Considerations: Windows Phone 7 email client does not support certificate based authentication. Devices are not restricted from running unsigned code, leaving them at a greater risk of malware attack.
Enterprise Management Tools: Comprehensive enterprise management of devices through MS System Center Mobile Device Manager and via 3rd parties such as: Good Technology, Excitor, Mobile Iron and AirWatch.
Virtualization:
• Citrix Receiver / XenApp
• VMware MVP
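The policy questions on the Strategy and Policy slide (allowed makes and models, PIN lengths, certificate based authentication) and the per-OS thresholds in the table above can be turned into an enrolment gate that an MDM or mail gateway applies before a personal device reaches corporate data. The following is an added example written for this page, not code from the OWASP deck or its author: the Device record, the platform names, the sample inventory and the treatment of OS versions the slides do not mention (assumed capable) are assumptions; the version thresholds, the mandatory-encryption rule and the 6-character alphanumeric PIN minimum are the ones stated in the deck.

```python
"""BYOD enrolment posture check (added example, not from the OWASP deck).

Encodes the deck's policy questions and the per-OS security considerations
as a rule set and evaluates constructed device records against it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '4.0.3' to (4, 0, 3) so versions compare numerically
    ('10.0' must sort after '4.0', which a string comparison gets wrong)."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Device:
    platform: str          # assumed values: "ios", "android", "windows_phone", ...
    os_version: str        # e.g. "4.0.3"
    encrypted: bool        # device encryption switched on
    pin_length: int
    pin_alphanumeric: bool
    mdm_enrolled: bool


# Policy values from the deck: encryption mandatory, MDM for phones that reach
# corporate data, certificate based authentication, minimum 6 alphanumeric PIN.
# Allowed platforms follow the BYOD family tree (Blackberry is not shown there).
ALLOWED_PLATFORMS = {"ios", "android", "windows_phone"}
MIN_PIN_LENGTH = 6
REQUIRE_CERT_AUTH = True

# Per-OS thresholds quoted on the Mobile Device Options slide:
#   iOS            - device encryption weak before 4.0
#   Android        - full device encryption weak before 3.0; native mail client
#                    has no certificate based ActiveSync before 4.0 (ICS)
#   Windows Phone  - version 7 mail client has no certificate based auth
ENCRYPTION_MIN_OS: Dict[str, Tuple[int, ...]] = {"ios": (4, 0), "android": (3, 0)}
CERT_AUTH_MIN_OS: Dict[str, Tuple[int, ...]] = {"android": (4, 0)}
CERT_AUTH_UNSUPPORTED_MAJOR: Dict[str, int] = {"windows_phone": 7}


def cert_auth_supported(platform: str, version: Tuple[int, ...]) -> bool:
    """Certificate based mail authentication availability as stated on the slide.
    Versions the deck does not mention are assumed capable (an assumption)."""
    if platform in CERT_AUTH_MIN_OS and version < CERT_AUTH_MIN_OS[platform]:
        return False
    if CERT_AUTH_UNSUPPORTED_MAJOR.get(platform) == version[0]:
        return False
    return True


def evaluate(dev: Device) -> List[str]:
    """Return every policy finding for the device; an empty list means it may enrol."""
    findings: List[str] = []
    if dev.platform not in ALLOWED_PLATFORMS:
        # Nothing else is checked: the policy defines no controls for this platform.
        return [f"platform '{dev.platform}' is not on the allowed makes/models list"]
    version = parse_version(dev.os_version)

    if not dev.encrypted:
        findings.append("device encryption is off (policy: encryption mandatory)")
    elif dev.platform in ENCRYPTION_MIN_OS and version < ENCRYPTION_MIN_OS[dev.platform]:
        needed = ".".join(map(str, ENCRYPTION_MIN_OS[dev.platform]))
        findings.append(f"encryption on {dev.platform} {dev.os_version} is weak; {needed}+ required")

    if dev.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN length {dev.pin_length} is below the minimum of {MIN_PIN_LENGTH}")
    if not dev.pin_alphanumeric:
        findings.append("PIN is numeric only; alphanumeric required")

    if not dev.mdm_enrolled:
        findings.append("device is not enrolled in MDM")

    if REQUIRE_CERT_AUTH and not cert_auth_supported(dev.platform, version):
        findings.append(f"{dev.platform} {dev.os_version} cannot do certificate based mail authentication")
    return findings


def decide(dev: Device) -> str:
    """Enrolment decision in the form a gateway would log."""
    return "allow" if not evaluate(dev) else "deny"


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES: Dict[str, Device] = {
    "ios_current": Device("ios", "5.1", True, 6, True, True),
    "android_old": Device("android", "2.3.6", True, 4, False, True),
    "wp7":         Device("windows_phone", "7.5", True, 8, True, True),
    "ios_no_mdm":  Device("ios", "5.0", False, 6, True, False),
    "playbook":    Device("blackberry", "2.0", True, 6, True, True),
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        print(f"{name:12s} {decide(dev):5s} {evaluate(dev)}")
```

The check reports every failing control rather than stopping at the first one, so the enrolment log tells the support desk what the user must fix; an unlisted platform is rejected outright because the policy has defined no controls for it.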
Mobile Consumerisation
Mobile Device Management

• MDM products fall into 2 categories: Native MDM and Containerised
(Diagram: level of containerisation, ranging from Native MDM to Containerised)
Mobile Consumerisation
Gartner (chart)
Should You BYOD
Major Considerations
• Protection of Corporate Data
• Reimbursement
• Legal Concerns
• Support Strategy
• The Cost of Moving to a BYOD Environment
• Scope Definition
• Vendor Selection
Major Considerations

Protection of Corporate Data
Your data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage.

Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualise either your corporate applications or the employee's entire desktop. On a mobile device you can use a Mobile Device Management solution to enforce some security features on the device itself (e.g. device encryption, remote wipe if the device is lost).

Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solution.

Desktop virtualisation can offer the best form of security on a laptop, however there are drawbacks, mainly that many believe that they can use their super powerful personal laptop and get the benefits of using a powerful PC over their older work laptop. Unfortunately laptop power has little relevance in a thin client/virtual desktop where most of the processing is done server side. A second drawback of virtualisation is that the more users on the virtualised infrastructure the slower it gets.

It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012, allowing the full power of the laptop to be utilised.

Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required.

The biggest challenge is how to ensure there is no corporate data on a personal device that is no longer required by the user.

Reimbursement
One of the benefits of a corporate liability mobile device over a personal liability device is that the corporate device is usually able to take advantage of preferential call tariffs with the service provider.

When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee's monthly bill and how the organization will reimburse this cost.

An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased wear.

Questions that need to be addressed are:
• Can the employee claim back line rental, or receive a stipend, and how is this capped?
• Will the employee be given a benefit in kind to buy the device, and if so does this have any tax implications?

Legal Concerns
If an MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory reset) then it is important that any employee who is using their personal device is clearly aware of this and that they have signed a EULA.

If the employee is expected to travel as part of their role then the organization must consider if there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used).
Major Considerations

Support Strategy
In any organization support for the business critical infrastructure is a major concern and an organization's inability to support their infrastructure represents a significant business risk.

When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems.

When BYOD is adopted there will be a significant increase in the number of different types of hardware, drivers, OS configurations and applications that will be in use, and so it is important to assess the existing support organization's capability to support the new devices.

A BYOD policy must consider if personal devices will be supported and how much time will be spent trying to resolve an issue with a personal device.

The Cost of Moving to a BYOD Environment
Adopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits, however indications from early adopters lead to the conclusion that the savings are not huge.

For a secure desktop/laptop replacement project the virtualisation costs or web app development costs can be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also still need to be purchased for each virtual desktop and the software running on it.

If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employee's laptop or phone is damaged and sent for repair.

Define the scope
BYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices.

Corporate email on a personal mobile device can be the easiest to deploy and, depending on the classification of the data being sent over email, can be relatively cheap to implement.

BYOD can be restricted to just handheld devices, but again to do this in a secure manner does require some form of Mobile Device Management tool, and all its associated hardware.

Vendor Selection
When the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way, then a vendor selection process needs to be carried out.

Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands on demonstrations of the end to end solutions is essential. Getting hands on experience is crucial to ensuring that any selected product meets your requirements for security and usability, since one can heavily impact on the other.

Different vendors have very different strengths and researching which vendor's product fits your requirements will be useful.

Where possible agree a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot.

Matching the scope to the business requirements will help to ensure that the right solution is chosen.
Separation of Business and Personal
• Work life balance is important
• Using computing devices for both business and pleasure can lead to cross over between the two
• Guidelines and protections should be in place to protect employees' free time and personal data
• Any tools or technologies must:
  • Protect the business, and
  • Preserve the personal
Data Loss
Not unique to Bring Your Own Device, but the risk is increased.
Must be balanced with controls, policies and governance.
Encryption should be mandatory.
Data Loss
Mobile Device Management is crucial when allowing personal mobile phones to access corporate data

Data Loss Headlines ‘Today’
• Walsall Council: 981 records of residents' postal votes statements containing names, addresses, date of birth and signatures dumped in a skip
• Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US): 130 Million records. Malicious software/hack compromises unknown number of credit cards at fifth largest credit card processor
• NHS: 2664 records lost due to personal laptop stolen from a staff member's home containing name, address, date of birth, NHS numbers

Data Loss Headlines ‘Tomorrow’
• Walsall Council: 981 records of residents' postal votes statements containing names, addresses, date of birth and signatures found on an iPhone sold on eBay
• Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US): 130 Million records. Malicious app downloaded from the App Store compromised an employee's iPad allowing the theft of an unknown number of credit cards at fifth largest credit card processor
• NHS: 2664 records lost due to personal mobile phone stolen from a staff member's home containing name, address, date of birth, NHS numbers
ISF survey
A total of 53 different representatives from different Member environments.

Respondents from the following regions: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11)

Respondents from the following sectors: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1)
ISF Survey – Question 7
What is the most critical issue your organisation faces when trying to provide security for BYOD?

As expected, leakage of business information was the number one answer, however many organisations have stated a different challenge to be their most critical issue for BYOD:
• Protecting the organisation's intellectual property
• Executive interference in the planning process
• Insecure mobile operating systems, discrepancies between different versions
• HR and Legal concerns
• Diversity of mobile platforms
• Users are not aware of the risks
• Device limitations prevent controls to be put in place
• Separation of personal and business material
• Cost of support
• Network access control to the corporate network
• Maintaining the devices updated with the latest security fixes
• Business information left on personal devices sent for repair or disposal
• eDiscovery requirement for physical access to the device
• Differing technical capabilities across the geographic spread of the company
• Buy in
• User acceptance of corporate fiddling with their own ‘personal’ device
• Regulations, eg PCI compliance
• Lack of good management tools
ISF Survey – Question 8
Please share your top three misconceptions about your BYOD experience:

Misconceptions included:
• No need to invest in infrastructure
• It will be cheaper for the organisation
• Lack of information security funding will prevent this from happening
• BYOD is easy and the demand for it is high (neither is particularly true)
• Adding controls to BYOD makes it considerably less attractive to people who wanted it
• BYOD will affect productivity (either in a good or bad way)
• User awareness is enough to prevent business information from being stored locally on the device
• User awareness, user awareness, user awareness
• User expectations of reduced need for support, no downtime
• BYOD is a technology problem
• Must be usable with every device
• Mobile phones connected to the network will introduce viruses
• BYOD cannot be secured
• Required for attracting new employees, will increase user satisfaction
ISF Survey – Question 9
Please share your top three tips regarding your BYOD approach:
• Agree the organisation’s risk appetite before designing a solution
• Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workable
• Apply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice
• Work on a mobility strategy
• Pick up early with your architecture team to allow development of deployment strategy, as well as penetration testing teams to assess security
• Involve legal and HR early enough
• Deploy in stages – most demand is related to iPhones, so start with one type of device and be prepared to expand in the future
• Leverage other investments to enforce or improve security
• Manage expectations with end users
• Communicate with your user base in a 2 way manner
• Do not treat everyone the same – not one size fits all
• Define your service model early
• Get a decent MDM and NAC
• Dual factor authentication
• Consider laws (eg labour laws) that will mandate specific reimbursements to employees
• Promote in-house secure App developments and open your own App store
My experience
1. Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all)
2. MDMs, all of them, are immature, poorly coded and offer more security features than they deliver
3. Getting the EULA right takes time
4. Training is one of the most relied on controls, get it in place before go live, make sure it's good, ensure everyone takes it, repeat it regularly
5. Engagement with the vendor can help drive product enhancement
6. Minimum 6 digit Alphanumeric PINs

A Quick Survey – Has anyone suffered a Security breach as a result of BYOD?
No is No Longer An Option
They're Here
BYOD is already in your organisation!
Questions and Answers

Information is as valuable as gold, yet it can slip through your fingers like water

Thank you
Benjamin JH Ramduny
KPMG LLP
+44 (0)7825 282556
ben.ramduny@kpmg.co.uk
www.kpmg.co.uk