![Page 1: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/1.jpg)
John Whaley
CTO, MokaFive
BYOC: Securing Untrusted, Employee-Owned Desktops
![Page 2: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/2.jpg)
Agenda
What is BYOC?
Techniques for BYOC
BYOC Security Considerations
Keys to a Successful BYOC Deployment
![Page 3: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/3.jpg)
BYOC: Securing Untrusted, Employee-Owned Desktops
![Page 4: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/4.jpg)
What is BYOC?
• BYOC = “Bring your own Computer”
• a.k.a. BYOPC, BYOL
• Three models:
  1. Employer provides a stipend for the employee to purchase their laptop of choice, which will then be owned by the employee.
  2. Employee chooses laptop from a list of pre-approved machines.
  3. Employee is given instructions on how to connect to corporate resources, but can use any machine.
![Page 5: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/5.jpg)
Why BYOC?
• User demand
  • Choice computing
  • “Executive bling”
  • Extension of smartphones
  • New generation – “millennials”
• Business demand
  • Reduce hardware assets
  • Part-time workers, contractors
  • Enable work from anywhere
  • Happy employees = productive employees
• Bottom line: Users are doing it, with or without IT…
![Page 6: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/6.jpg)
What you can apply from this session
• At the end of this session, you will be able to:
  • Understand the predominant models for BYOC and their relative strengths and weaknesses
  • Evaluate the security of a BYOC solution
  • Avoid common pitfalls in BYOC
  • Plan a successful BYOC deployment
![Page 7: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/7.jpg)
Users vs IT
![Page 8: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/8.jpg)
Example: Citrix BYOC Program
• $2100 stipend (taxable)
• About 50% of employees opt in to the program
• 40% of those in the program chose Macs
• Employees often chipped in their own money to get a better machine
• After a three-month pilot in the US, rolled out globally
![Page 9: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/9.jpg)
How to deliver services?
• Technique 1: Provide essential services via web applications
• Technique 2: Provide a remote desktop (VDI or TS) session
• Technique 3: Provide virtualized applications that run locally
• Technique 4: Provide a managed corporate virtual machine to run locally
![Page 10: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/10.jpg)
Technique 1: Port everything to the web
• Good: Access from any device
• Bad: Takes a long time to rewrite all your apps; no offline access
![Page 11: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/11.jpg)
Technique 2: Remote Desktop to VDI or TS
• Good:
  • Access from many devices
• Bad:
  • Requires major server infrastructure
  • Can’t run offline
  • Bad interactive performance
![Page 12: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/12.jpg)
Technique 3: Application Virtualization
• Good: Can run locally, but managed centrally
• Bad: Not cross-platform; not very secure, because the virtualized application still runs inside the host OS and shares it with whatever else is installed there
![Page 13: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/13.jpg)
Technique 4: Client-side Virtual Machine
• Good: Secure, personalized, offline access, cross-platform, local execution, easy recovery
• Bad: Minimum hardware requirement (enough RAM and disk for a second OS, and a CPU with virtualization support)
![Page 14: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/14.jpg)
Securing the endpoint device
• Need to treat BYOC as an untrusted device
• No VPN from the host: an untrusted machine should not be placed on the corporate network
• DLP
• Host checker
• Two-factor authentication
• Keyloggers, screen scrapers
• Encryption of data-at-rest
• Domain join and group policies
• Access control, remote management of corporate data
• Security policy enforcement
![Page 15: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/15.jpg)
Threat Models
• Malicious employees
• Malware infections
  • Screen scrapers or keyloggers
  • Generic viruses/worms
  • Targeted malware
• Lost or stolen laptops, “borrowed” machines
• Targeted attacks and espionage
![Page 16: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/16.jpg)
Dealing with Infected Endpoint Devices
• Anti-virus and anti-malware
• OS patch level
• Network quarantine
• Keyloggers and screen-scrapers
• Data loss prevention
![Page 17: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/17.jpg)
Enterprise-Level Layered Security
7 Layers of Security
• Anti-virus scan of host PC
• Full virtual machine encapsulation
• AES-256 encryption
• Tamper resistance and copy protection
• AD and two-factor authentication
• Granular security policies
• Remote kill
![Page 18: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/18.jpg)
Anti-virus scan of host PC
• Protects against most known attacks/malware
• Policy enforcement:
  • Maximum age of signature file
  • Periodic scan frequency
  • Automatic keyboard/screen lock until scan completes
![Page 19: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/19.jpg)
Full virtual machine encapsulation
• Protects against non-targeted attacks
• Run on a separate, locked-down operating system
• Rejuvenate to the latest golden system disk on every boot, so changes to the system disk (including malware) do not persist
• Out-of-band updates of the golden system disk
• Device passthrough of keyboard/mouse and video card foils most keyloggers/screen scrapers in the host OS (a compromised hypervisor itself is outside this model)
• Hardware support for encapsulation (VT-x for CPU virtualization, VT-d for safe device passthrough)
![Page 20: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/20.jpg)
AES-256 encryption
• Encryption of data-at-rest protects against lost/stolen laptops
  • Key escrow
  • Dealing with lost/changed passwords
  • Administrator unlock without user password
• Don’t forget swap space! The host can page VM memory out to its own swap and hibernation files, which sit outside the encrypted image
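The key layout these bullets imply, written out as an added example in Go (not MokaFive's code and not a description of their product): a random data-encryption key (DEK) encrypts the disk image, and the DEK is wrapped twice, once under a key derived from the user's password and once under an administrator escrow key held on the management server. Administrator unlock and password reset then need no user password and never re-encrypt the disk. The header layout, the AAD string, the PBKDF2 iteration count and all names are assumptions.

```go
// Added example (not MokaFive's code): envelope encryption for a client-side VM image.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const pbkdf2Iterations = 100000 // assumption: tune to the slowest supported laptop class

// pbkdf2SHA256 derives one 32-byte block (PBKDF2-HMAC-SHA256, RFC 8018) from a password.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // only if the OS CSPRNG is unavailable
	}
	return b
}

func aeadFor(key []byte) cipher.AEAD { // AES-256-GCM; a key that is not 32 bytes is a caller bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// sealBlob encrypts and authenticates plaintext (and aad) under key; the random nonce is prefixed.
func sealBlob(key, plaintext, aad []byte) []byte {
	g := aeadFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// openBlob reverses sealBlob; a wrong key or any modification fails authentication.
func openBlob(key, sealed, aad []byte) ([]byte, error) {
	g := aeadFor(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

type VolumeHeader struct { // stored in the clear next to the image; the DEK appears only wrapped
	Salt       []byte // PBKDF2 salt for the user's password
	UserWrap   []byte // DEK wrapped under the password-derived key
	EscrowWrap []byte // DEK wrapped under the administrator escrow key
}

var wrapAAD = []byte("byoc-vm-dek-v1") // ties each wrap to this header format

// NewVolume generates a fresh DEK and wraps it for the user and for escrow.
func NewVolume(password, escrowKey []byte) (*VolumeHeader, []byte) {
	dek, salt := randBytes(32), randBytes(16)
	return &VolumeHeader{
		Salt:       salt,
		UserWrap:   sealBlob(pbkdf2SHA256(password, salt, pbkdf2Iterations), dek, wrapAAD),
		EscrowWrap: sealBlob(escrowKey, dek, wrapAAD),
	}, dek
}

func UnlockWithPassword(h *VolumeHeader, password []byte) ([]byte, error) {
	return openBlob(pbkdf2SHA256(password, h.Salt, pbkdf2Iterations), h.UserWrap, wrapAAD)
}

func UnlockWithEscrow(h *VolumeHeader, escrowKey []byte) ([]byte, error) { // admin path, no user password
	return openBlob(escrowKey, h.EscrowWrap, wrapAAD)
}

// ChangePassword re-wraps the DEK under a new password; the disk itself is never re-encrypted.
func ChangePassword(h *VolumeHeader, escrowKey, newPassword []byte) error {
	dek, err := UnlockWithEscrow(h, escrowKey)
	if err != nil {
		return err
	}
	h.Salt = randBytes(16)
	h.UserWrap = sealBlob(pbkdf2SHA256(newPassword, h.Salt, pbkdf2Iterations), dek, wrapAAD)
	return nil
}

func main() {
	escrow := randBytes(32) // held only on the management server
	hdr, dek := NewVolume([]byte("user-passphrase"), escrow)
	_ = ChangePassword(hdr, escrow, []byte("new-passphrase")) // admin reset; old password not needed
	dek2, err := UnlockWithPassword(hdr, []byte("new-passphrase"))
	fmt.Println(err == nil && string(dek) == string(dek2))
}
```

The DEK exists unwrapped only in the agent's memory while the VM runs, and that memory is exactly what the host may page out, which is why the swap warning on this slide matters: a real agent also locks those pages and zeroes the DEK on suspend.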
![Page 21: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/21.jpg)
Tamper resistance and copy protection
• Protect against copying data to another device
• Tie the virtual machine to physical hardware identifiers and/or TPM (identifiers alone can be cloned; a TPM-sealed key is the stronger binding)
• HMAC of all data to detect tampering
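The last two bullets combined, as an added example in Go (not MokaFive's code): the image is MACed block by block with a key bound to the machine's identity, so a copy fails verification on any other host, and a modified, swapped or truncated block is caught before the VM boots. The block size, the key derivation (which stands in for a TPM-sealed key) and the constructed identifiers are assumptions.

```go
// Added example (not MokaFive's code): per-block HMAC over a VM image with a host-bound key.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockSize = 4096 // assumption: MAC granularity; one tag per 4 KiB of image

// bindingKey stands in for a TPM-sealed key: an enrollment secret mixed with hardware
// identifiers. Assumption: with a TPM you would seal the secret to PCRs instead, since
// serial numbers and MAC addresses alone can be cloned by a determined attacker.
func bindingKey(enrollSecret []byte, hwIDs ...string) []byte {
	m := hmac.New(sha256.New, enrollSecret)
	for _, id := range hwIDs {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(id)))
		m.Write(n[:]) // length-prefix each id so ("ab","c") and ("a","bc") differ
		m.Write([]byte(id))
	}
	return m.Sum(nil)
}

// blockTag MACs one block together with its index, so blocks cannot be swapped
// or a stale copy of a block replayed at another position.
func blockTag(key []byte, index uint64, block []byte) []byte {
	m := hmac.New(sha256.New, key)
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], index)
	m.Write(idx[:])
	m.Write(block)
	return m.Sum(nil)
}

// rootTag MACs the block count and the whole tag list, so truncating the image or
// editing the tag list is detected before any block is checked.
func rootTag(key []byte, tags [][]byte) []byte {
	m := hmac.New(sha256.New, key)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(tags)))
	m.Write(n[:])
	for _, t := range tags {
		m.Write(t)
	}
	return m.Sum(nil)
}

func blockEnd(off, total int) int {
	if off+blockSize < total {
		return off + blockSize
	}
	return total
}

// SignImage produces one tag per block plus the root tag; run at image creation
// and after every write the VM commits.
func SignImage(key, image []byte) (tags [][]byte, root []byte) {
	for off := 0; off < len(image); off += blockSize {
		tags = append(tags, blockTag(key, uint64(len(tags)), image[off:blockEnd(off, len(image))]))
	}
	return tags, rootTag(key, tags)
}

// VerifyImage returns -1 and nil on success, otherwise the index of the first bad
// block (or -1 for a structural failure) and an error.
func VerifyImage(key, image []byte, tags [][]byte, root []byte) (int, error) {
	if !hmac.Equal(rootTag(key, tags), root) {
		return -1, errors.New("tag list rejected: tampered, truncated, or bound to another host")
	}
	if want := (len(image) + blockSize - 1) / blockSize; want != len(tags) {
		return -1, fmt.Errorf("image has %d blocks but %d tags", want, len(tags))
	}
	for i, t := range tags {
		off := i * blockSize
		if !hmac.Equal(blockTag(key, uint64(i), image[off:blockEnd(off, len(image))]), t) {
			return i, fmt.Errorf("block %d modified", i)
		}
	}
	return -1, nil
}

func main() {
	key := bindingKey([]byte("enrollment-secret"), "SN-C02ABC123", "00:1c:42:00:00:01") // constructed ids
	image := make([]byte, 3*blockSize+100) // constructed: three full blocks and a partial one
	image[0], image[blockSize] = 'A', 'B'
	tags, root := SignImage(key, image)
	fmt.Println(VerifyImage(key, image, tags, root))
	image[blockSize+7] ^= 1
	fmt.Println(VerifyImage(key, image, tags, root))
	other := bindingKey([]byte("enrollment-secret"), "SN-OTHER", "00:1c:42:00:00:01")
	fmt.Println(VerifyImage(other, image, tags, root))
}
```

A copy of the image together with its tag list still verifies on the original machine, so this is integrity and binding, not confidentiality; the encryption on the previous slide is what keeps the copied bytes unreadable.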
![Page 22: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/22.jpg)
AD and two-factor authentication
• Use RSA SecurID or other second-factor authentication
• Protects against a stolen or guessed password and a lost device; limits the exposure window
![Page 23: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/23.jpg)
Security policies
• Targeting security policies by AD group
  • Offline lease time: maximum time a user can run without checking in
  • Auto-kill: self-destruct after a given time
  • Version enforcement: ensure users have the latest security patches
  • Peripheral restrictions: USB devices, microphone, printing, CD/DVD, etc.
  • AD group policies: use existing AD policy sets
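How the checks on this slide and on "Anti-virus scan of host PC" fit together on the client, as an added example in Go (not MokaFive's code): the agent merges the policies of every AD group the user is in (the tighter value always wins), evaluates the local state it can observe offline, and returns the most severe action plus every reason. The thresholds, group names, the merge rule and the action names are assumptions.

```go
// Added example (not MokaFive's code): local policy evaluation; thresholds and groups are assumptions.
package main

import (
	"fmt"
	"time"
)

// Policy carries the knobs from the "Anti-virus scan of host PC" and "Security policies" slides.
type Policy struct {
	MaxSignatureAge time.Duration // host AV signature file must be newer than this
	ScanInterval    time.Duration // a full host scan must have completed within this
	OfflineLease    time.Duration // longest run without checking in to the management server
	AutoKill        time.Duration // no check-in for this long: self-destruct
	MinVersion      int           // oldest corporate image version (patch level) allowed to run
	BlockUSB        bool
}

func minDur(a, b time.Duration) time.Duration {
	if b < a {
		return b
	}
	return a
}

// MostRestrictive merges the policies of every AD group a user belongs to; when the
// groups disagree the tighter value wins, so an extra membership can never loosen a control.
func MostRestrictive(ps ...Policy) Policy {
	out := ps[0]
	for _, p := range ps[1:] {
		out.MaxSignatureAge = minDur(out.MaxSignatureAge, p.MaxSignatureAge)
		out.ScanInterval = minDur(out.ScanInterval, p.ScanInterval)
		out.OfflineLease = minDur(out.OfflineLease, p.OfflineLease)
		out.AutoKill = minDur(out.AutoKill, p.AutoKill)
		if p.MinVersion > out.MinVersion {
			out.MinVersion = p.MinVersion
		}
		out.BlockUSB = out.BlockUSB || p.BlockUSB
	}
	return out
}

// DeviceState is what the local agent can observe without contacting the server.
type DeviceState struct {
	Now           time.Time
	SignatureDate time.Time // timestamp of the host AV signature file
	LastScan      time.Time // last completed full scan of the host
	LastCheckIn   time.Time // last successful contact with the management server
	Version       int       // version of the corporate image currently installed
}

type Action int

const (
	Allow          Action = iota
	LockUntilScan         // lock keyboard/screen and run a host scan before continuing
	RequireCheckIn        // block until the server is reachable (lease expired or image outdated)
	Kill                  // auto-kill threshold reached: zero the corporate data
)

var actionNames = [...]string{"Allow", "LockUntilScan", "RequireCheckIn", "Kill"}

func (a Action) String() string { return actionNames[a] }

// Evaluate returns the most severe action the state demands and every reason found,
// so the user sees all of them at once rather than one per retry.
func Evaluate(p Policy, s DeviceState) (Action, []string) {
	act, reasons := Allow, []string{}
	raise := func(a Action, why string) {
		reasons = append(reasons, why)
		if a > act {
			act = a
		}
	}
	if offline := s.Now.Sub(s.LastCheckIn); offline > p.AutoKill {
		raise(Kill, fmt.Sprintf("no check-in for %v, auto-kill after %v", offline, p.AutoKill))
	} else if offline > p.OfflineLease {
		raise(RequireCheckIn, fmt.Sprintf("offline lease of %v expired", p.OfflineLease))
	}
	if s.Version < p.MinVersion {
		raise(RequireCheckIn, fmt.Sprintf("image version %d below minimum %d", s.Version, p.MinVersion))
	}
	if s.Now.Sub(s.SignatureDate) > p.MaxSignatureAge {
		raise(LockUntilScan, "host AV signature file older than allowed")
	}
	if s.Now.Sub(s.LastScan) > p.ScanInterval {
		raise(LockUntilScan, "periodic host scan overdue")
	}
	return act, reasons
}

func main() {
	day := 24 * time.Hour
	employees := Policy{MaxSignatureAge: 7 * day, ScanInterval: 7 * day, OfflineLease: 14 * day, AutoKill: 60 * day, MinVersion: 12}
	contractors := Policy{MaxSignatureAge: 3 * day, ScanInterval: day, OfflineLease: 3 * day, AutoKill: 14 * day, MinVersion: 13, BlockUSB: true}
	now := time.Date(2011, 2, 15, 9, 0, 0, 0, time.UTC) // constructed sample state
	act, why := Evaluate(MostRestrictive(employees, contractors), DeviceState{
		Now: now, SignatureDate: now.Add(-5 * day), LastScan: now.Add(-2 * time.Hour),
		LastCheckIn: now.Add(-5 * day), Version: 13,
	})
	fmt.Println(act, why)
}
```

The ordering matters: auto-kill is checked before the lease, and the lease before the scan checks, so a device that has been gone long enough to be killed is not merely asked to run a scan. Peripheral restrictions (USB, printing) are enforced by the hypervisor's device policy rather than by this evaluation, so the merged BlockUSB flag is only carried through here.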
![Page 24: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/24.jpg)
Remote kill
• Can mark a device as lost or stolen
• Device receives a “kill pill”, securely zeroes all data (or destroys its encryption keys, which leaves the encrypted image unreadable) and sends back confirmation
• Mitigates risk from a lost device or rogue employee/contractor
• A device that never comes back online never receives the pill; the auto-kill timer in the security policies covers that case
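The exchange described above, as an added example in Go (not MokaFive's code): the server signs a kill command for one named device, the device checks the signature, the target and the freshness of the command, destroys the key material that makes its encrypted image readable, and returns a signed receipt the server can verify. The wire layout, the freshness window and the use of Ed25519 are assumptions.

```go
// Added example (not MokaFive's code): the remote-kill exchange; layout and window are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const killWindow = 10 * time.Minute // assumption: tolerated clock skew plus delivery delay

// KillCommand is the "kill pill" the server issues once a device is marked lost or stolen.
type KillCommand struct {
	DeviceID string
	IssuedAt int64    // unix seconds on the server clock
	Nonce    [16]byte // lets the server match the confirmation to this command
	Sig      []byte   // server Ed25519 signature over the canonical bytes
}

// canonical is the byte layout both sides sign and verify: a tag, then length-prefixed fields.
func canonical(tag, deviceID string, ts int64, nonce [16]byte) []byte {
	b := append([]byte(tag), 0)
	var n [8]byte
	binary.BigEndian.PutUint32(n[:4], uint32(len(deviceID)))
	b = append(b, n[:4]...)
	b = append(b, deviceID...)
	binary.BigEndian.PutUint64(n[:], uint64(ts))
	b = append(b, n[:]...)
	return append(b, nonce[:]...)
}

// IssueKill is the server side: sign a command for exactly one device.
func IssueKill(serverPriv ed25519.PrivateKey, deviceID string, now time.Time) KillCommand {
	k := KillCommand{DeviceID: deviceID, IssuedAt: now.Unix()}
	if _, err := rand.Read(k.Nonce[:]); err != nil {
		panic(err)
	}
	k.Sig = ed25519.Sign(serverPriv, canonical("kill", k.DeviceID, k.IssuedAt, k.Nonce))
	return k
}

// Confirmation is the device's signed receipt that the wipe happened.
type Confirmation struct {
	DeviceID string
	Nonce    [16]byte
	WipedAt  int64
	Sig      []byte
}

// Device holds what the local agent needs: the server key pinned at enrollment,
// its own enrollment key, and the DEK that makes the encrypted VM image readable.
type Device struct {
	ID        string
	ServerPub ed25519.PublicKey
	Priv      ed25519.PrivateKey
	DEK       []byte
	Wiped     bool
}

// HandleKill validates a command and, if it is genuine, destroys the key material.
// Only the in-memory DEK is zeroed here; a real agent also overwrites the wrapped
// copies in the volume header, after which the ciphertext on disk is unrecoverable.
func (d *Device) HandleKill(k KillCommand, now time.Time) (Confirmation, error) {
	if !ed25519.Verify(d.ServerPub, canonical("kill", k.DeviceID, k.IssuedAt, k.Nonce), k.Sig) {
		return Confirmation{}, errors.New("signature invalid: not from the management server")
	}
	if k.DeviceID != d.ID {
		return Confirmation{}, fmt.Errorf("kill for %q ignored by %q", k.DeviceID, d.ID)
	}
	if age := now.Sub(time.Unix(k.IssuedAt, 0)); age > killWindow || age < -killWindow {
		return Confirmation{}, errors.New("kill command outside the freshness window")
	}
	if d.Wiped {
		return Confirmation{}, errors.New("already wiped")
	}
	for i := range d.DEK {
		d.DEK[i] = 0
	}
	d.Wiped = true
	c := Confirmation{DeviceID: d.ID, Nonce: k.Nonce, WipedAt: now.Unix()}
	c.Sig = ed25519.Sign(d.Priv, canonical("wiped", c.DeviceID, c.WipedAt, c.Nonce))
	return c, nil
}

// VerifyConfirmation is the server side: accept the receipt only from the device's
// own key and only for the command that was actually sent.
func VerifyConfirmation(devPub ed25519.PublicKey, k KillCommand, c Confirmation) bool {
	return c.DeviceID == k.DeviceID && c.Nonce == k.Nonce &&
		ed25519.Verify(devPub, canonical("wiped", c.DeviceID, c.WipedAt, c.Nonce), c.Sig)
}

func main() {
	serverPub, serverPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	dev := &Device{ID: "laptop-42", ServerPub: serverPub, Priv: devPriv, DEK: []byte{1, 2, 3, 4}}
	now := time.Now()
	k := IssueKill(serverPriv, "laptop-42", now)
	c, err := dev.HandleKill(k, now.Add(3*time.Second))
	fmt.Println(err, dev.DEK, VerifyConfirmation(devPub, k, c))
}
```

The freshness window is what stops a captured pill from being replayed against the same device ID after it is re-enrolled with a new DEK; the confirmation is what lets the server close the incident instead of assuming the wipe happened.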
![Page 25: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/25.jpg)
More Challenges to BYOC
• Supporting diverse platforms (Mac, etc.)
• Offline access
• Legal
• Organizational / Political
![Page 26: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/26.jpg)
Supporting Diverse Platforms
• Mac support
  • Data shows Macs require much less support
  • No mature, robust management tools for OS X hosts yet
  • Best: provide a corporate Windows environment for Mac users
• Windows 7 support
  • Can provide a virtual Windows XP environment for now, upgrade to Win7 once corp standardizes on it
• Hardware support
  • Give minimum hardware specs for BYOPC
  • Require support package from vendor
![Page 27: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/27.jpg)
Legal Challenges
• Who owns the hardware? Who owns the software? Who owns the data?
• Mixing corporate and personal on the same device
  • Liability concerns
  • Software licensing
• What to do when someone is terminated or leaves the company?
  • Not much different from BYO smartphone or work-from-home
  • One solution: put the corporate environment on a separate USB or SD card
  • Need a way to reclaim licenses and erase corporate data (“poison pill”)
![Page 28: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/28.jpg)
Organizational and Political Challenges
• Most common: Business wants it done, but IT is dragging its feet
• Refocusing IT staff on services, not hardware
• Education: “You are making me buy my own machine?”
![Page 29: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/29.jpg)
Results
• Significant proportion choose Macs
• Increased machine usage
  • More work on weekends and after hours
• Fewer support calls
  • Users more tolerant and responsible, willing to learn
• Fewer lost devices
  • Take better care because they are invested in it
![Page 30: RSA Conference 2011 Presentation: BYOC: Securing Untrusted, Employee-Owned Desktops](https://reader033.vdocuments.net/reader033/viewer/2022060108/554f489ab4c905524c8b47cd/html5/thumbnails/30.jpg)
Key Takeaways
1. Focus on securing the data, not the device
2. Good security practices are essential, with or without BYOC
3. BYOC can save money, reduce support calls, and lead to happier users