Mobile-Device Trends, BYOD Guidelines and Security-Recommendations for CxO’s Patrick Angel, Asst CISO / Enterprise IT Security – CISSP® CRISC® CISM® CISA®

Upload: patrick-angel-mba-cisspc-cismc-criscc-cisac

Post on 12-Apr-2017


TRANSCRIPT

Page 1: BYOD / Mobile-Device Security Guidelines for CxO's

Mobile-Device Trends, BYOD Guidelines and Security-Recommendations for CxO’s

Patrick Angel, Asst CISO / Enterprise IT Security – CISSP® CRISC® CISM® CISA®

Page 2: BYOD / Mobile-Device Security Guidelines for CxO's

BYOD / Mobile-Devices at Work - topics (productivity gains possible – but what about the Risk…?)

• Brief History of Mobile-Devices and Smart-Phones

• What are the RISKS to the Company (data) with BYOD?

• Do you know WHO your BYOD Users are?

• What Services do you Provide via BYOD-Access ?

• What are the Challenges to ensuring Mobile-Device Security ?

• Many Vendors – likely Merging / Buyouts (e.g. Boxtone/Good)…

• Must-have BYOD-Management platform features

• Minimum Standards and Mobile-Vendors’ Market-Share,

• Is your Org’s Security-Leader given enough Authority …?

• Key Considerations for Preventing problems relating to Mobile-Devices

• How do you Measure / Demonstrate BYOD / Mobility (security) ROI…?

• How do you Enforce BYOD equipment Rules (and org data) ?

• Are Automated methods to Control BYOD (and company data) enough..?

• Mobile-Device / BYOD Trends and Future-Direction

• Rate your own Company’s BYOD Maturity (ability to secure)

• SPECIFIC RECOMMENDATIONS for allowing BYOD at workplace

For customers of Random Access Technologies, Inc. - Patrick Angel, CISSP® CISM® CRISC® CISA®

Page 3: BYOD / Mobile-Device Security Guidelines for CxO's

End-user ease-of-use quickly dominated over Device-Management

• Gen 1 – Direct-Connect (circa 2004) – required direct (e.g. cable) connectivity to host system for application install, features configuration, etc. Little memory / storage available.

• Gen 2 – (2009) Local-Appl direct Install (by hand), restrictive

• Gen 3 – (today) Wireless devices, Appl-Store download, Remote-Mgmt / Config, Implement and Enforce Policy, high Memory / large Storage, expandable (via MicroSD card, etc.),

• Gen 4 – (the Future…) – ‘Geo-Fencing’ – enabling security policies / features with actual Device-location (GPS), other features to-be-developed.

– ‘Mobile-Payment’ – like iPhone Pay® to allow customers to use their smart-phone as financial tool

History of Mobile-Devices (1/2)


Page 4: BYOD / Mobile-Device Security Guidelines for CxO's

History of Smart-Phones (2/2) (early Leaders did not end up Dominating…)

• Blackberry – first to deliver “smart-phone” & SMS-text / data-transfer, failed to keep-up / meet consumer needs,

• Palm – early copycat hardware gained significant market-share, but lack of innovation led to demise,

• iPhone – quickly innovated, listened to customers, planned-out future of smart-phone design, offered / integrated much-desired phone / data features with other end-user ‘apps’ (e.g. music),

• Android – primary team (and skills) behind Apple’s iOS software, launched own O/S, then able to challenge the market-leader,

• Windows – new player, leader in desktop platform, little experience in phones, but large market-share and high-capitalization facilitate quick market-growth,

• 3G vs 4G – phone networks upgraded both hardware and software for faster data-speed (and throughput) to facilitate more features, data, and video,

• Applications – booming # of end-user applications from many, Int’l Vendors. New apps are now integrating with some (back-office) Business-functionality.


Page 5: BYOD / Mobile-Device Security Guidelines for CxO's

Major Risks due to BYOD

• Data-Leaks – Sales staff loading volumes of data onto device(s)…

• Malware introduced / Lack of control for Patching, updates,

• Fraudulent Transactions from unknown (un-trackable) devices,

• Possible exposure of sensitive Emails (like SONY ‘the Interview’ movie hack)

• Inability to Track Users / maintain Inventory of Devices,

• Exposure of Internal Security-Specifics (e.g. Passwords, security-standards)

• CLOUD-Based (auto) Storage (data-transfer) – e.g. iCloud®, DropBox®,

• Lost / Stolen-Devices - unable to locate, or even identify,

• Rogue, unidentified users on Company-network, or Jail-Broken devices,

• Theft of Highly-Sensitive Information (e.g. Contracts, sales schedules)

• Other – Risk from Not Supporting BYOD in your Company:

– appearing ‘outdated’ to Customers / Partners, unable to ‘keep up’

– Giving up possible ‘competitive edge’ from leveraging staff’s devices

– Losing Key-Talent (younger staff) with innovative ideas and skills

Can you control the Risks to create positive value / Benefits ?

Page 6: BYOD / Mobile-Device Security Guidelines for CxO's

BYOD Users – Who are They..? (Do you know Who has Access to Company-data, on their own Device…?)

• CxO Management – needing access to highly-sensitive data across Multiple Platforms, possibly out-of-office…,

• Partners (Business) – with different needs / levels of Access,

• Sales / Road-Warriors – Pros working remotely,

• 3rd Party / Consultants – needing minimal, but consistent and secure access,

• Support-Staff – internal, trusted, technical employees that provide support off-site, off-hours.


Page 7: BYOD / Mobile-Device Security Guidelines for CxO's

What Services / Data do you Provide via BYOD ?

What level of Risk will your data be exposed to…?

• Company Email, and attachments,

• Productivity Software – Word-Processing, Spreadsheet, Shared-documents, etc.

• Company-specific Applications (Sales / Marketing info, Business-Intelligence, etc.),

• Collaboration / SharePoint / File-Sharing,

• HR Applications (Benefits, Investments, personal Vacation-schedule, etc.).

Maturity of Mobile-Device Security is Low

Page 8: BYOD / Mobile-Device Security Guidelines for CxO's

What’s (current) Biggest Challenge to Ensuring Mobile-Device/BYOD Security ?

As of 2013 - 30% of Companies forbid BYOD – 60% have No BYOD Program

• Inventory of (internal and external) Users,

• Regulatory Compliance (HIPAA / PCI, etc.),

• Data-Privacy / Application-Security,

• Device-Management / Lack of Platform / Support,

• Identification of Groups and Key Users’ Needs,

• Lack of Identity-Management (IDM) / Role-Based Access Control (RBAC) technology,

• Monitor / Police Rogue Users / Devices,

• Awareness / Security Training.

Page 9: BYOD / Mobile-Device Security Guidelines for CxO's

Major Players in MDM Market (sampling of current Vendors, no particular order)

Implement ‘most-needed’ / Common Functions 1st – biggest ‘bang’

• Airwatch

• Good (formerly BoxTone)

• Centrify

• CITRIX

• FancyFon

• IBM

• ..many others…


Page 10: BYOD / Mobile-Device Security Guidelines for CxO's

Must-have BYOD Features and Criteria (what are most the important functions for my org)

"Containerization" – is about securely separating corporate (business) and personal data and apps. Also known as "workspaces" or "sandboxing," containers provide a cleaner separation on a mobile device between work and play. So even in the case that the device itself has no unlock passcode, etc., the secure container of business apps on the phone cannot be accessed unless a passcode is entered. And inside the container the user can share data between business apps (e.g. copy / paste from email into CRM record).

• Platforms supported – iOS and Android (and …?) – see Minimum (O/S) Standards slide,

• MDM / EMM – Mobile-Device Mgt / Enterprise Mobility-Mgmt – 3rd Party Appl that monitors / controls device, data, and implements security-policies / standards,

• Remote ‘Wipe’ – able to control the ‘life’ of company data on the device with ability to remotely ‘Wipe’ all enterprise-data completely off the device in case of loss/theft,

• Scalability / Admin-console / Profile Mgmt – important when rolling out at Enterprise-Level, remote / Global locations,

• Device-Support – password-reset, device-location (if lost / stolen), etc.

• LDAP (and A/D) Connectivity / Integration / On-Demand features – validate users’ access through company-directory already available, upgrade access ‘on-the-fly’,

• (Mass) Enrollment / Maintenance / Mobile-Configuration – minimize admin costs,

• Licensing / Cost – initial-cost will be high and ongoing cost must be re-validated,

• Data-Export (and protection) – need to protect Company-data,

• Other Key Controls – prevent USB-storage copying, printing, screen-print images, etc.

Page 11: BYOD / Mobile-Device Security Guidelines for CxO's

MINIMUM Standards & Market-Share (platform)

• Must support Apple’s® iOS® Operating System (market-leader) and should also,

• Support ANDROID® Operating System (close 2nd in market-share), and …

• Support for Windows® is optional (for now..?), but seriously consider w/their growing market-share (& Desktops)

• Recommend considering support for Blackberry® O/S as well (market much smaller < 25%, but many CxO’s still carry them).

Page 12: BYOD / Mobile-Device Security Guidelines for CxO's

Security-Leader – How much authority (confidence) has your Org given them..?

Is there a VP-Level / CISO Officer for the company?

Does Security-leader have (bottom-line) authority over the Security-Budget..? Or….

Is the Security-Leader a Major Stakeholder over Budget / Program ?

Does the Security-Leader have some Influence over Budget / Program ?

Security-Leader is available to consult / advise on Budget / Program ?

Security-Leader exists in Title, but has No Real Authority / Influence (we don’t take Security seriously)…


Page 13: BYOD / Mobile-Device Security Guidelines for CxO's

Key Considerations for Preventing problems relating to Mobile-Devices

Provide ‘Guidance’ to Users, before Security becomes a Problem…

• Need a Company Policy regarding Mobile-Devices (minimum security-config, ownership, etc.),

• Need documented Procedures on how to Administer device(s) and Provision (grant) and Remove Access,

• Awareness-Training for End-Users regarding general Usage and handling of Security-Incidents (e.g. loss / theft / sharing with Family),

• Require (complex) Passwords on Devices,


Between 26-40% of BYOD / Corporate Devices do not use Passwords

Only 53% of Users report that a 4-5 digit PIN is needed to access corp-data

Page 14: BYOD / Mobile-Device Security Guidelines for CxO's

(How) Do you Measure / Demonstrate the ROI of Mobility (and Security) Investments ?

Visible Benefits make supporting the Technology easier…


• Show Efficiencies gained from enabling Mobile-Access (and Security),

• Cost-Savings from Staff using own Devices (and Data-Plans / Warranty) for Meetings, Sales-Calls, etc.

• Measure / Demonstrate Business-Gains related to BYOD (and Security) via Metrics – (e.g. New Contracts, Sales-calls, Shared Demo’s),

• Show Effectiveness of (Security) Controls at preventing / detecting Incidents & Breaches,

• Measure / Report increased employee Job-Satisfaction and/or increased Job-Engagement,

Page 15: BYOD / Mobile-Device Security Guidelines for CxO's

How do you ‘Enforce’ security on BYOD Equipment (Mobile-Devices) ?

Controls without enforcement are almost useless

• Reporting activity to company-management..?

• Disciplining ‘repeat-offenders’.. (documented guidelines - up to Termination / Criminal-Prosecution…?)

• Regular Audits on devices and usage?

• Does a Company Policy exist…?


• Lack of Enforcement can be (legally) Equal to ‘Approval’ of security-violations and Acceptance of risk / consequences… (data-breaches, leak of IUO info, etc.)

• Can you afford Not Enforcing Security on Mobile-Devices?

ESI – (electronically-stored info)

Page 16: BYOD / Mobile-Device Security Guidelines for CxO's

Are Automated Methods to Control Mobile Devices enough..?

The mobile device market is the “hottest place for malware & every kind of access risk,”

• Standard (basic) Mobile-Device Management…?,

• Individual Mobile-Application Wrapper..

• Ongoing Scan/Detect Jail-Break Devices…

• Secure File-Share / File-Sync area…?

• Virtualization of Desktops / Applications,

• Secure Mobile-Browser…

• VPN or some Multi-Factor option (SSO)

• Mobile-Appl Vulnerability-Scanning… or

• Full Enterprise-Level Mobility-Mgt Solution ?


Page 17: BYOD / Mobile-Device Security Guidelines for CxO's

Mobile-Device Trends / Future-Direction (what’s the future…? where is the Market going…?)

• Many Players – likely Merging / Buyouts (e.g. Boxtone/Good)…

• 100+ Vendors – features becoming concentric in key areas

• Corp-Data Lock-down and End-User Privacy becoming major Focus

• ‘Hot-Spots’ – Internet / Network access-points provided via Employee’s Device, allowing others to connect via single-device,

• ‘GEO-Fencing’ – combining Policy-Standards with Users-Location (e.g. disable Cameras in High-Risk areas within Company, or LOCK device if reported Lost/Stolen),

• Payment-Integration – use smart-phone as Payment Method (e.g. iPhone Pay®), already common in Europe, Latin-America, India,

• Corporate Must-Haves to Managed-BYOD (full list on slide 21)

– Policies and Procedures relating to BYOD and Social-Media

– Security-Awareness (and responsibility) Training Program

– Effective and proven MDM Software installed and running on device

– Technical ‘Controls’ over the device, despite individual ownership


Page 18: BYOD / Mobile-Device Security Guidelines for CxO's

Rate your Company’s ability (maturity) to Secure & Monitor Mobile-Devices

Does your company have the Tools / Skills / Staff to Monitor & Secure…?

Superior (no problem at all….)

Above Average (mostly confident, can improve)

Average (hmm – probably.., but not sure)

Below Average (probably not…. incomplete)

Incomplete (no game plan yet, just starting..?)

Unable to Monitor / Measure (rolling the dice)


Page 19: BYOD / Mobile-Device Security Guidelines for CxO's

Specific Recommendations / Best Practices to implement BYOD at the Company Level

Take the initiative and provide guidance / rules before things get out of hand…

• Company Policy – create one, which ID’s both allowed and prohibited behavior,

– Specify the Terms of usage – allowed / prohibited usage per primary Company-Policy

– List specific Consequences of Violations (discipline, warning(s), termination, prosecution),

– Device-Configuration must meet / exceed Company’s security-standard (A/V, Patching…)

– Make it clear that although Device belongs to employee, the DATA belongs to Company,

– Employee-SIGNOFF PAGE, acknowledging Policy, Usage, Standards, Consequences, etc.

• Require MDM Software Install and Remote-Wipe of Device / Co. Data (if needed),

• Require Anti-Virus software, Patching enabled, Encryption, to match Co. standard,

• Create End-User Awareness Training to help guide inexperienced users,

• Inventory Device(s) – raise Accountability, easier to track Lost Devices (and Data),

• Disable USB Connectivity while *any* Company data stored on Device,

• Require Auto-Lock and 2nd-Level, complex Password for accessing Company-Data,

• Consider ‘GEO-Fencing’ – combining Policy-Standards with Users-Location,

• Consider requiring connection via VPN (2-factor) connectivity for greater security,

• Prohibit CLOUD-Based (automatic) Storage – like iTunes®, DropBox®,

• Prohibit Rogue, unidentified users or Jail-Broken devices,
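One way to turn the recommendations above into an automated device-posture check, as an added example that is not part of the deck: it evaluates a constructed MDM-style device inventory against the rules the slide lists (supported platform, MDM installed, auto-lock plus complex password, encryption, A/V and patching, no jail-break, USB off while company data is present, no automatic cloud storage) and assigns an enforcement action. The field names, the inventory records and the block / remediate escalation are assumptions, not any vendor's API.

```python
# Device-posture check against the BYOD minimum standard listed above. Added
# example, not from the deck; MDM field names and inventory are constructed.
from dataclasses import dataclass

SUPPORTED_OS = {"ios", "android", "windows"}  # platforms the deck names

@dataclass
class Device:
    owner: str
    os: str
    mdm_enrolled: bool        # MDM software installed and running
    passcode_complex: bool    # 2nd-level complex password for company data
    auto_lock: bool
    encrypted: bool
    av_and_patched: bool      # anti-virus present and patching enabled
    jailbroken: bool
    usb_enabled: bool
    cloud_backup: bool        # automatic cloud storage (iTunes/DropBox style)
    company_data_present: bool

RULES = [  # (finding, predicate that is True when the rule is violated)
    ("unsupported platform", lambda d: d.os.lower() not in SUPPORTED_OS),
    ("jail-broken device prohibited", lambda d: d.jailbroken),
    ("MDM software not installed", lambda d: not d.mdm_enrolled),
    ("auto-lock and complex password required",
     lambda d: not (d.passcode_complex and d.auto_lock)),
    ("encryption required", lambda d: not d.encrypted),
    ("A/V and patching must match company standard", lambda d: not d.av_and_patched),
    ("USB must be disabled while company data is stored",
     lambda d: d.company_data_present and d.usb_enabled),
    ("automatic cloud storage prohibited", lambda d: d.cloud_backup),
]

def violations(d: Device) -> list[str]:
    """Findings for every rule the device breaks; empty list means compliant."""
    return [finding for finding, broken in RULES if broken(d)]

def enforcement_action(d: Device) -> str:
    """Assumed escalation: a device the MDM cannot fix remotely (jail-broken,
    unsupported platform, not enrolled) is blocked; other findings are remediated."""
    v = violations(d)
    if not v:
        return "allow"
    if d.jailbroken or not d.mdm_enrolled or d.os.lower() not in SUPPORTED_OS:
        return "block"
    return "remediate"

INVENTORY = [  # constructed sample inventory (not real devices or people)
    Device("cxo-1", "iOS", True, True, True, True, True, False, False, False, True),
    Device("sales-7", "Android", True, False, True, True, True, False, True, True, True),
    Device("consultant-3", "Android", False, True, True, True, True, True, False, False, False),
]

def compliance_report(devices=INVENTORY) -> dict:
    return {d.owner: (enforcement_action(d), violations(d)) for d in devices}
```

The report maps each owner to an action and the list of findings, so the "repeat-offender" and audit questions from slide 15 have concrete evidence behind them.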

Page 20: BYOD / Mobile-Device Security Guidelines for CxO's

Patrick Angel

Roles: Asst CISO / Global I/T Security-Architect IT Director / Sr. Security Program Manager

Areas: Mobile-Appl Testing & Deploy/ ISO-27001 Controls Testing / Enterprise Risk-Evaluation

Education

Bachelors in IT/Software Development (MIS)

Masters in IT Business Administration (MBA)

Years of Experience

20+ years in Information Systems

15+ years of IT Security, Secure-SDLC, Risk and Compliance

Hands-on Software Developer, Application-Testing, I-T Auditing

Note – Certifications shown represent individual achievements / memberships, not endorsements by ISACA, ISC2, or other groups.

Page 21: BYOD / Mobile-Device Security Guidelines for CxO's

Get Started Now… ‘…Chance favors the prepared Mind’

www.RandomAccessTechnology.com (214) 826-3812
