
Toni Buhrke, MBA, CISSP - Senior Security Solutions Architect

Addressing the BYOD Challenge


Presentation Transcript


  1. Toni Buhrke, MBA, CISSP - Senior Security Solutions Architect Addressing the BYOD Challenge

  2. The BYOD Phenomenon “40.7% of devices used by information workers to access business applications are ones they own themselves, including laptops, smartphones, and tablets such as Apple’s iPad.” “IT organizations underestimate the number of personal mobile devices on their network by 50%.” Source: IDC Research, Consumerization of IT study – Closing IT Consumerization Gap, July 2011

  3. 2010 Mobile Access Survey

  4. Fight or Embrace? “The rise of "bring your own device" programs is the single most radical shift in the economics of client computing for business since PCs invaded the workplace.” - Gartner. Source: Gartner, “Bring Your Own Device: New Opportunities, New Challenges”, August 16, 2012

  5. Embrace is Winning • 77% of IT executives surveyed have already said yes to BYOD. Base: 872 IT executives in enterprises in the US, the UK and Germany. Source: http://newsroom.trendmicro.com/index.php?s=43&news_item=990&type=archived&year=2012 and http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_decisive-analytics-consumerization-surveys.pdf

  6. IT Security Managers’ Concerns (chart). Source: Boston Research Group, ForeScout-sponsored Mobile Security Study, January 2012; 365 North American IT security professionals in companies of 1,000+ employees.

  7. The Dilemma How can organizations embrace the use of personal devices without compromising security?

  8. Case Study – Large Financial Institution • In 2010, a large financial services company realized that it needed a strategy for supporting personally owned devices in the workplace. • The company has more than 100,000 endpoint devices distributed over 200 locations worldwide, and it anticipated that it would soon need to support approximately 10,000 employee-owned smartphones, tablets and personally owned laptops. • The company's risk and compliance management team led the project and was responsible for establishing the BYOD policies.

  9. 8 Steps to BYOD Implementation, step 1: Form a committee • Multiple IT departments • Users across departments

  10. 8 Steps to BYOD Implementation, step 2: Gather data • Devices in use? • Ownership of devices? • Applications in use? • Entry paths?

  11. 8 Steps to BYOD Implementation, step 3: Identify use cases • Which applications? • Which users? Role? • Offline use? • Sensitivity of data?

  12. 8 Steps to BYOD Implementation, step 4: Formulate policies • Which corporate applications? • Which users? • How will data be secured? • Who will be responsible for BYOD support? • What happens if the device is lost or stolen? • How will the endpoint device be updated? • Acceptable use policies?

  13. 8 Steps to BYOD Implementation, step 5: Decide how to enforce policies • Network controls? • Device controls? • Data controls?

  14. 8 Steps to BYOD Implementation, step 6: Build a project plan • Remote device management? • Cloud storage? • Wipe devices when employees are terminated?

  15. 8 Steps to BYOD Implementation, step 7: Evaluate solutions • Ease of implementation? • Cost? • Security? • Usability?

  16. 8 Steps to BYOD Implementation, step 8: Implement solutions • Network controls? • Device controls? • Data controls?

  17. 8 Steps to BYOD Implementation (summary) • Form a committee • Gather data • Identify use cases • Formulate policies • Decide how to enforce policies • Build a project plan • Evaluate solutions • Implement solutions

  18. Case Study – BYOD Use Case Employee Owned Smartphone • The company decided that an MDM agent is required for the device to gain access to a wireless BYOD network. • Employees can use any device that supports the MDM agent, including Apple, Android, Windows and BlackBerry. • If the MDM agent is detected, the device is granted access to a separate wireless BYOD network. • Citrix Systems' Receiver agent is used to grant access to a subset of applications on the corporate network, based on the user's profile, thereby creating a limited-access zone.

  19. Case Study – BYOD Policy: Employee Owned Smartphone • If the MDM agent is not detected, the device is placed on the guest network and limited to Internet access only (the user must register at the guest Web portal to gain Internet access). • Jailbroken iOS devices and rooted Android and Windows devices are denied access to the network, including the guest network. The MDM agent determines whether the device has been jailbroken or rooted.

  20. Case Study – BYOD Use Case: Employee Owned Windows Laptop • Up-to-date patches are required. • Up-to-date antivirus signatures are required (employees can select from an approved list of solutions at the company's expense, per corporate licensing agreements). • Disk encryption is required (employees can select from an approved list). • Specific ports (such as Telnet and SSH) must be blocked by a personal firewall. • Vontu's data loss prevention (DLP) agent is required.

  21. Case Study – BYOD Policy: Employee Owned Windows Laptop • If the laptop is compliant with all of the policy criteria, it is granted full access to the corporate network. • If it is noncompliant with one or more of them, it is placed on the guest network and limited to Internet access only (the user must first register at the guest Web portal).

  22. Case Study – BYOD Use Case: Employee Owned MacBook • It must be running Mac OS X 10.5 or later. • Vontu DLP agent is required.

  23. Case Study – BYOD Policy: Employee Owned MacBook • If the MacBook is compliant with all of the policy criteria, it is granted full access to the corporate network. • If it is noncompliant with one or more of them, it is placed on the guest network and limited to Internet access only (the user must first register at the guest Web portal).
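The three use cases above (slides 18 to 23) are really one network access control policy: classify the device, check its posture, then place it on the corporate network, the BYOD wireless network, the guest network, or block it outright. The following is an added example, not code from the presentation or from ForeScout, that encodes those rules as a small policy engine so the decision logic can be read and tested in one place. The `Device` attributes, the network names, the `reasons` output and the use of TCP ports 23 and 22 to stand for the Telnet/SSH firewall requirement are assumptions for illustration.

```python
# Added example: a minimal NAC policy engine for the case-study BYOD rules.
# Not ForeScout's or the presenter's code; attribute names, network labels
# and port numbers are assumptions made for this illustration.
from dataclasses import dataclass, field
from enum import Enum


class Network(Enum):
    CORPORATE = "corporate"      # full access (compliant employee-owned laptops)
    BYOD_WLAN = "byod-wireless"  # separate wireless BYOD network (MDM-managed phones)
    GUEST = "guest"              # Internet only, after registering at the guest portal
    BLOCKED = "blocked"          # no access at all, not even the guest network


@dataclass
class Device:
    kind: str                        # "smartphone", "windows_laptop" or "macbook"
    mdm_agent: bool = False          # MDM agent detected on the device
    jailbroken: bool = False         # jailbroken iOS / rooted Android or Windows
    patches_current: bool = False
    av_current: bool = False         # antivirus signatures up to date
    disk_encrypted: bool = False
    open_ports: set = field(default_factory=set)  # inbound ports the personal firewall leaves open
    dlp_agent: bool = False          # Vontu DLP agent present
    os_version: tuple = (0, 0)       # e.g. (10, 5) for Mac OS X 10.5
    guest_registered: bool = False   # already registered at the guest Web portal


@dataclass
class Decision:
    network: Network
    reasons: list                    # why the device did not get full access


# Assumption: the "Telnet/SSH" firewall rule means TCP 23 and 22 must be blocked.
REQUIRED_BLOCKED_PORTS = {23, 22}
MIN_MAC_VERSION = (10, 5)


def _guest(dev: Device, reasons: list) -> Decision:
    # Non-compliant devices land on the guest network; Internet access on it
    # still requires registration at the guest Web portal.
    if not dev.guest_registered:
        reasons.append("register at guest Web portal for Internet access")
    return Decision(Network.GUEST, reasons)


def evaluate(dev: Device) -> Decision:
    """Return the network assignment for one device under the case-study policy."""
    if dev.kind == "smartphone":
        # Slide 19: jailbroken/rooted devices get nothing, not even guest access,
        # and that check comes before the MDM-agent rule.
        if dev.jailbroken:
            return Decision(Network.BLOCKED, ["jailbroken/rooted device"])
        if dev.mdm_agent:
            return Decision(Network.BYOD_WLAN, [])
        return _guest(dev, ["MDM agent not detected"])

    failures = []
    if dev.kind == "windows_laptop":
        if not dev.patches_current:
            failures.append("patches out of date")
        if not dev.av_current:
            failures.append("antivirus signatures out of date")
        if not dev.disk_encrypted:
            failures.append("disk encryption missing")
        exposed = sorted(REQUIRED_BLOCKED_PORTS & dev.open_ports)
        if exposed:
            failures.append(f"personal firewall leaves ports open: {exposed}")
        if not dev.dlp_agent:
            failures.append("DLP agent missing")
    elif dev.kind == "macbook":
        if dev.os_version < MIN_MAC_VERSION:
            failures.append("OS older than 10.5")
        if not dev.dlp_agent:
            failures.append("DLP agent missing")
    else:
        return _guest(dev, [f"unknown device type {dev.kind!r}"])

    # Every criterion must pass for full access; a single failure means guest.
    if failures:
        return _guest(dev, failures)
    return Decision(Network.CORPORATE, [])


if __name__ == "__main__":
    # Constructed sample devices, one per outcome.
    for d in (
        Device("smartphone", mdm_agent=True),
        Device("smartphone", mdm_agent=True, jailbroken=True),
        Device("windows_laptop", patches_current=True, av_current=True,
               disk_encrypted=True, dlp_agent=True, open_ports={22, 443}),
        Device("macbook", os_version=(10, 8), dlp_agent=True),
    ):
        r = evaluate(d)
        print(f"{d.kind}: {r.network.value} {r.reasons}")
```

The `reasons` list is what a real deployment would surface to the user on the guest portal (and to the help desk), so that a laptop parked on the guest network because SSH is reachable through its firewall can be remediated without a support call; the decision itself is deliberately all-or-nothing, matching the "one or more noncompliant policies means guest only" rule on slides 21 and 23.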


  25. What Are Your BYOD Solution Options? (slides 25 to 30: a table comparing solutions against their characteristics; the table body was not captured in the transcript)


  32. Multiple Security Choices (diagram). Axes: access from BLOCK to FULL, and control from LIMIT to EXTEND. Options placed along the spectrum: NAC, WAP/NAC, VDI, MEAM/MDM, MDM. ForeScout products mapped onto them: ForeScout CounterACT (NAC), ForeScout Mobile, ForeScout MDM.

  33. The NAC Solution “Although approaches such as server-based computing and virtualization will also be used to deal with consumerization, NAC provides the flexibility that enterprises need in a BYOD environment, while providing the controls that enable network and security managers to retain control over the network.” Gartner, “Strategic Road Map for Network Access Control”, Lawrence Orans and John Pescatore, 11 October 2011, ID number G00219087

  34. ForeScout CounterACT and ForeScout Mobile • Provides extensive BYOD flexibility • One security console for centralized visibility and enforcement • Dual protection: network (real-time visibility, access control, block threats) and device (compliance, remote wipe/lock) • All managed and personal devices; PCs and mobile • Flexible mobile control: 1. ForeScout CounterACT: basic visibility and access control 2. ForeScout Mobile Security Module: native security for iOS / Android 3. ForeScout MDM: full cloud and device-based mobile device management with comprehensive device, application and data security 4. ForeScout Mobile Integration Module: broader mobile platform visibility and security enforcement leveraging 3rd-party MDM integration

  35. ForeScout CounterACT for Network Access Control • Deploy in one day • Physical or virtual appliance • Out-of-band • Works with your existing infrastructure • See and control everything on your network

  36. ForeScout CounterACT for Network Access Control • Who and what is on your network? • Assess credentials and security posture • Allow, limit or block • See and control everything on your network

  37. ForeScout CounterACT for Network Access Control (diagram; labels recovered from it: Web, Email, CRM, Sales, Employee, Guest)

  38. Advanced Security and Operational Integration (diagram). The ForeScout Security Policy Engine integrates with: VPN, Wi-Fi, directory and database, SIEM, vulnerability assessment (VA), antivirus, Windows (WSUS, SCCM), MDM, McAfee ePO and ESM, switches.

  39. ForeScout Mobile • Mobile Visibility: complete, cross-vendor mobile inventory (apps, users, OS, settings…); tactical map tracking where, how, what and who connects, in real time • Mobile Control: manage corporate/guest network access; quarantine unknown/unauthorized mobile devices • Mobile Compliance: health assessment via white/black listing of installed/running apps; alert and remediate gaps such as apps not installed, roaming charges, etc. • Mobile Security: restrict application usage (e.g. camera, video, audio recorder, IM, Facebook, Twitter); block malicious mobile users from connecting

  40. MDM Integration (diagram; components shown: Exchange, AD/LDAP, Lotus, BES, Certs, ForeScout CounterACT) • 100% visibility • Unified reporting • Automated MDM enrollment • On-access assessment • Block malicious activity

  41. Automated MDM Enrollment. With ForeScout (automation): 1. Device accesses network 2. ForeScout discovers and categorizes the device and authenticates the user 3. ForeScout automates the MDM enrollment decision and provides information to the user 4. User enrolls device in MDM. Without ForeScout (manual effort): 1. User contacts help desk 2. Help desk asks questions, determines device type and ownership 3. Help desk denies the request or sends the user the appropriate MDM enrollment information 4. Help desk asks the networking team to set a policy exception allowing Internet access to get the MDM app 5. User enrolls device in MDM 6. Help desk asks the networking team to reset the policy exception

  42. ForeScout MDM – Full Featured • SaaS for rapid implementation and easy management • Mobile App Management • Easy Administration • Secure Document Sharing

  43. ForeScout CounterACT: Basic Visibility and Control Mobile devices are identified and categorized

  44. ForeScout Mobile: Detailed Visibility and Control Search the inventory for mobile apps and versions across the enterprise

  45. ForeScout Mobile: Block Jailbroken

  46. Unified Reporting

  47. ForeScout Mobile: Remediation • A variety of actions are available to manage, remediate and restrict mobile devices • Multiple actions can be stacked together to provide even more control

  48. The Benefits of ForeScout Integration: Automated Registration • Device connects to network • Classify type • Check for mobile agent • If agent is missing: quarantine, install agent • When agent is activated: check compliance, allow access, continue monitoring. Components shown: ForeScout CounterACT, ForeScout MDM (powered by MaaS360), your enterprise network.


  50. Case Study – Project Phases • Phase 1: a pilot project in which 200 IT staffers brought personally owned devices to work. This phase lasted six months, during which the project team refined the Web registration portal and addressed early minor product rollout issues. • Phase 2: the project team broadened the program with the goal of supporting 1,000 employee-owned devices. Employees in the information risk management and the risk and compliance departments were chosen to take part. The primary focus of Phase 2 was to assess the end-user experience and the overall performance of the solution; a secondary goal was to define and monitor role-based access.
