The OWASP Foundation http://www.owasp.org Bring Your Own Device Could you, would you should you May 2012 Benjamin JH Ramduny Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation What is Bring Your Own Device (BYOD)? Wikipedia has this to say: “Bring Your Own Device describes the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers, and databases” http://www.owasp.org We say that: “BYOD describes an end user computing strategy supported by a set of policies and controls, which in conjunction with a technical solution provide a managed and secure framework for employees to access corporate data from their personal device whilst providing the enterprise with a level of control over both the device and the data it can access” Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation BYOD in the News Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. http://www.owasp.org The OWASP Foundation Who is adopting BYOD http://www.owasp.org Over four in five companies say they already allow BYOD or will do within the next 24 months and sixty per cent of employees claim they are already allowed to connect personally-owned devices to the corporate network. - BT CIO attitudes that showed 48% of companies would NEVER authorize employees to bring their own devices to the workplace. 57% of IT managers said that employees do it anyway. - Cisco 64% of IT managers surveyed thought it was too risky to let personal devices be integrated into the business network. However 52% of companies allowed some form of access. - Absolute Software Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Could you BYOD The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org BYOD Options There are two main options when considering BYOD; augmentation or replacement Augmentation: Replacement: You can augment your current end user computing by allowing your employees to bring in their own mobile devices, sometimes referred to a mobile/laptop consumerisation You replace your current end user computing with only employee owned devices. This strategy can cover desktop/laptop and mobile devices Opt in scheme for employees who are not entitled to a corporate phone to use their personal phone to access services such as email or corporate web apps. Opt in scheme for employees who are entitled to a corporate phone but also want to use their own handset Opt in scheme for employees who are entitled to a corporate phone but want to use their own handset and contract (with stipend or expenses support for corporate call costs) Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org The BYOD Family Tree The BYOD policy must detail which items are allowed and the controls that will be applied. When defining the scope of any BYOD implementation consideration must be given to which end user devices* will be allowed. Each device type has its own set of risks and management issues. BYOD Mobile Device Desktop Device Hand Held Laptop Mobile Phone Tablet Windows Laptop Apple Mac * Android Mobile Apple iPhone * Windows Phone * Android Tablet Apple iPad * * * Blackberry Playbook * Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. * Note: Desktops and Blackberries are not shown The OWASP Foundation http://www.owasp.org Strategy and Policy Strategy Understanding the business reasons for adopting BYOD is crucial for a successful BYOD implementation What devices will be subject to BYOD What over arching method of resource access will be used for: Hand held devices Laptops How will the solution and end users be supported How will business units be charged for the service Policy Getting the policy right protects the business from the risks associated with BYOD What devices makes and models will be allowed How will Antivirus be handled What actions does the company reserve the right to carry out on an employees personal device (e.g. remote wipe on loss) How will leavers be handled What access controls will be used (Certificate based authentication, Pin Number lengths) Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. A Quick Survey – Who has a some form of BYOD in their organisation? Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Would you BYOD The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Why Do It? Increased user mobility Increased user satisfaction Help retain top performers Increase Reduce Helps productivity* capital costs to attract younger talent* Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation Laptop Consumerisation Management Options Service Access Virtualisation Web MDM (VDI) Apps Only Network Boot platform with Windows support Desktop Access http://www.owasp.org on a Pen Drive technologies Control NAC PKI / Certificate based Authentication Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation Laptop Consumerisation Management Solutions Virtualisation Pros: •Secure •User gets complete desktop and application suite Cons: •Expensive •Get it wrong and performance is slow http://www.owasp.org Network Boot Pros: •Secure •User gets complete desktop and application suite •Uses the full power of the hardware Cons: •Requires network access •Its not here yet MDM Pros: •Leverages Windows inbuilt security •No Network dependence Cons: •Users might not like you restricting their PC •Only a few vendors Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. USB Pros: •Small and light weight •Works with any Hardware •Full desktop available •No Network dependence Cons: •New emerging technology The OWASP Foundation Mobile Consumerisation Mobile Device Options Operating System Security Considerations Pre IOS 4.0 device encryption is weak. iPhone Apples iOS release cycles make interception of new versions easier than Android http://www.owasp.org Enterprise Management Tools Enterprise management can be accomplished via the Apple iPhone Configuration Utility or by 3rd party applications: Excitor, Sybase, and Good Technology, Excitor, Mobile Iron and AirWatch. Exchange support also through MS ActiveSync. Virtualization • Citrix Receiver / XenApp • VMware through Wyse PocketCloud Pre Android 4.0 (ICS) the native email client does not support ActiveSync with certificate based authentication. Android Full device encryption weak before Android 3.0 Adhoc and fragmented development cycles makes intercepting new versions difficult No native enterprise management tools. Enterprise management can be accomplished via 3rd party: InnoPath, Good Technology, Excitor, Mobile Iron and AirWatch • VMware MVP • Citrix Receiver / XenApp (Q409?) Reliance on multiple vendors passing on new patches and OS versions means that many users do not receive the latest security patches and OS’s Windows Phone Windows phone 7 email client does not support certificate based authentication Devices are not restricted from running unsigned code leaving them at a greater risk of malware attack Comprehensive enterprise management of devices through MS System Center Mobile Device Manager and via 3rd parties such as: Good Technology, Excitor, Mobile Iron and AirWatch Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. • Citrix Receiver / XenApp • VMware MVP Mobile Consumerisation Mobile Device Management MDM The OWASP Foundation http://www.owasp.org products fall into 2 categories MDM Native MDM Level of containerisation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Containerised Mobile Consumerisation Gartner Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Should You BYOD The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Major Considerations Protection of Corporate Data Reimbursement Legal Concerns Support Strategy The Cost of Moving to a BYOD Environment Scope Definition Vendor Selection Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Major Considerations Protection of Corporate Data Reimbursement Your data is as valuable as gold, and losing it can have a big impact on the business, from financial penalties if the DPA is breached to reputational damage. One of the benefits of a corporate liability mobile device over and personal liability device is that the corporate device is usually able to take advantage of a preferential call tariffs with the service provider. Letting users have corporate data on their personal device is a big risk, and so to reduce the risk to an acceptable level there are several controls that can be implemented. On a laptop you can virtualised either your corporate applications or the employees entire desktop. On a mobile device you can use an Mobile Device Management solution to enforce some security features on the device itself (e.g. Device encryption, remote wipe if the device is lost). When adopting BYOD for mobile devices and when replacing corporate issued devices there must be careful consideration of how the increased data usage will affect the employee monthly bill and how the organization will reimburse this cost. Not all applications are suitable for virtualisation, and this must be carefully assessed before designing any solution Desktop virtualisation can offer the best form of security on a laptop, however there are drawbacks, mainly that many believe that they can use there super powerful personal laptop and get the benefits of using a powerful pc over their older work laptop. Unfortunately laptop power has little relevancy in a thin client/virtual desktop where most the processing is done server side. A second draw back of virtualisation is that the more users on the virtualised infrastructure the slower it gets. It is worth noting that network boot solutions are in the wings and will start to become prevalent in 2012 allowing the full power of the laptop to be utilise. Mobile devices can be secured to some extent through the use of an MDM tool. Our current view is that this market is still under development and all of the main vendors have weaknesses in their products which can lead to less control over the device than required. The biggest challenge is how to ensure there is no corporate data on a personal device that is no longer required by the user An additional issue that should be considered when moving to an enforced BYOD model is the incentive for an employee to use their personal device, in order to compensate for the increased ware. Questions that need to be addressed are: Can the employee claim back line rental, or receive a stipend, how is the capped. Will the employee be given a benefit in kind to by the device, if so does this have an tax implications Legal Concerns If a MDM solution is being used to manage mobile devices and the BYOD policy states that a lost mobile device will be fully wiped (factory rest) then it is important that any employee who is using their personal device is clearly aware of this and that they have signed a EULA. If the employee is expected to travel as part of their role then the organization must consider if there are any legal implications of taking their device to a country that prohibits encrypted devices (assuming device encryption is being used) Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Major Considerations Support Strategy The Cost of Moving to a BYOD Environment In any organization support for the business critical infrastructure is a major concern and an organizations inability to support their infrastructure represents a significant business risk. Adopting BYOD as a full strategy replacing all end user computing can be seen as having huge cost saving benefits, however indications from early adopters lead to the conclusion that the savings are not huge. When supporting a traditional corporate liability environment where all devices are owned by the organization, it is relatively easy to exert a level of control over the hardware and software to be used. Having a limited number of makes and models of laptops and desktops and a standard OS configuration enables a support function to become skilled in these systems. For a secure desktop/laptop replacement project the virtualisation costs or web app development costs an be significant. In a virtualised desktop solution you will need a redundant set of servers. Licences will also be still need to be purchased for each virtual desktop and the software running on it. When BYOD is adopted there will be significant increase in the number of different types of hardware, drivers, OS configurations and applications that will be in use and so it is important to assess the existing support organizations capability to support the new devices. A BYOD policy must consider if personal devices will be supported and how much time will be spent tying to resolve an issue with a personal device. If you opt for a full BYOD strategy you will also always require a pool of spare laptops (and to some extent phones) to cover the occasions when an employees laptops or phone is damaged and sent for repair Define the scope BYOD can be as simple as allowing an employee to access corporate email on their personal mobile phone all the way to a full replacement BYOD implementation where all end user computing is swapped out for personal devices. Corporate email on a personal mobile device can be the easiest to deploy and depending on the classification of the data being sent over email can be relatively cheap to implement. BYOD can be restricted to just handheld devices , but again to do this in a secure manner does required some form of Mobile Device Management tool, and all its associated hardware. Vendor Selection When the decision has been made that BYOD fits with the end user computing strategy, and that the solution will be secured in some way then a vendor selection process needs to be carried out. Choosing the right MDM product is a difficult task due to the current immaturity of the market. Getting the vendors involved and seeing hands on demonstrations of the end to end solutions is essential. Getting hand on experiences is crucial to ensuring that any selected product meets your requirement for security and usability, since one can heavily impact on the other. Different vendors have very different strengths and researching which vendors product fits your requirements will be useful. Where possible agree for a vendor pilot before committing to deploying the full solution. There are numerous enterprises that have either delayed a full deployment or canned it altogether following a pilot. Matching the scope to the business requirements will help to ensure that the right solution is chosen Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Separation of Business and Personal • Work life balance is important • Using computing devices for both business and pleasure can lead to cross over between the two • Guidelines and protections should be in place to protect employees free time and personal data • Any tools or technologies must: •Protect the business and •Preserve the personal Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org The OWASP Foundation Data Loss http://www.owasp.org Not unique to Bring Your Own Device, but the risk is increased. Must be balanced with controls, policies and governance. Encryption should be mandatory. Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Data Loss Mobile Device Management is crucial when allowing personal mobile phones to access corporate data Data Loss Headlines ‘Today’ Data Loss Headlines ‘Tomorrow’ Walsall Council: 981 records of residents Council: 981 records of residents postal votes postal votes statements containing names, addresses, date of birth and signatures dumped in a skip statements containing names, addresses, date of birth and Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million records Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank (US) : 130 Million records signatures found on an iPhone sold on eBay Malicious software/hack compromises unknown number of Malicious app downloaded from the App Store iPad credit cards at fifth largest credit card processor compromised an employees allowing the theft of an unknown number of credit cards at fifth largest credit card processor NHS: 2664 records lost due to personal NHS: 2664 records lost due to personal mobile phone stolen from a staff members laptop stolen from a staff members home containing name, address, date of birth, NHS numbers home containing name, address, date of birth, NHS numbers Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation ISF survey http://www.owasp.org A total of 53 different representatives from different Member environments. Respondents from the following areas: Australasia (2), Canada (3), Denmark (2), Finland (6), Francophone (1), India (1), Middle East (1), Norway (4), Benelux (5), Spain (1), Sweden (3), United Kingdom (12), United States (11) Respondents from the following areas: Electricity gas steam and air conditioning supply (2), Financial and insurance activities (16), Information and communication (8), Manufacturing (13), Mining and quarrying (3), Professional scientific and technical activities (2), Public administration and defence; compulsory social security (5), Transportation and storage (3), Wholesale and retail trade; repair of motor vehicles and motorcycles (1) Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org ISF Survey – Question 7 What is the most critical issue your organisation faces when trying to provide security for BYOD? As expected, leakage of business information was the number one answer, however many organisations have stated a different challenge to be their most critical issue for BYOD: Protecting the organisations intellectual property Executive interference in the planning process Insecure mobile operating systems, discrepancies between different versions HR and Legal concerns Diversity of mobile platforms Users are not aware of the risks Device limitations prevent controls to be put in place Separation of personal and business material Cost of support Network access control to the corporate network Maintaining the devices updated with the latest security fixes Business information left on personal devices sent for repair or disposal eDiscovery requirement for physical access to the device Differing technical capabilities across the geographic spread of the company Buy in User acceptance of corporate fiddling with their own ‘personal’ device Regulations, eg PCI compliance Lack of good management tools Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org ISF Survey – Question 8 Please share your top three misconceptions about your BYOD experience: Misconceptions included: No need to invest in infrastructure It will be cheaper for the organisation Lack of information security funding will prevent this from happening BYOD is easy and the demand for it is high (neither is particularly true) Adding controls to BYOD makes it considerably less attractive to people who wanted it BYOD will affect productivity (either in a good or bad way) User awareness is enough to prevent business information from being stored locally on the device User awareness, user awareness, user awareness User expectations of reduced need for support, no downtime BYOD is a technology problem Must be usable with every device Mobile phones connected to the network will introduce viruses BYOD cannot be secured Required for attracting new employees, will increase user satisfaction Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org ISF Survey – Question 9 Please share your top three tips regarding your BYOD approach: Agree the organisation’s risk appetite before designing a solution Security agreement with the end user, make them accountable – make sure the agreement / policy is reasonably strict but still workable Apply a lot of personal attention to executives wanting to use BYOD, to make them aware and create best practice Work on a mobility strategy Pickup early with your architecture team to allow development of deployment strategy, as well as penetration testing teams to assess security Involve legal and HR early enough Deploy in stages – most demand is related to iPhones, so start with one type of devices and be prepared to expand in the future Leverage other investments to enforce or improve security Manage expectations with end users Communicate with your user base in a 2 way manner Do not treat everyone the same – not one size fits all Define your service model early Get a decent MDM and NAC Dual factor authentication Consider laws (eg labour laws) that will mandate specific reimbursements to employees Promote in-house secure App developments and open your own App store Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation My experience http://www.owasp.org 1. Major battle between the business who wants it user friendly and Information Security who want it secure (or not at all) 2. MDM’s, all of them, are immature, poorly coded and offer more security features than they deliver 3. Getting the EULA right takes time 4. Training is one of the most relied on controls, get it in place before go live, make sure its good, ensure every one takes it, repeat it regularly 5. Engagement with the vendor can help drive product enhancement 6. Minimum 6 digit Alphanumeric PINs Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. A Quick Survey – Has any one suffered a Security breach as a result of BYOD? Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org The OWASP Foundation No is No Longer An Option http://www.owasp.org There Here BYOD is already in your organisation! Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org Questions and Answers Questions Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. 3 Information is as valuable as gold yet it can slip through your fingers like water Thank you Benjamin JH Ramduny KPMG LLP +44 (0)7825 282556 ben.ramduny@kpmg.co.uk www.kpmg.co.uk Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org