Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy

Posted on 15-Jan-2015


This presentation was delivered on November 15, 2012


Developing and Enforcing a Bring-Your-Own-Device (BYOD) Policy

SANS Analysts: Tony DeLaGrange, Senior Security Consultant, Secure Ideas; Ben Wright, SANS Instructor, Attorney, Technology Law Expert/Author

© 2012 The SANS™ Institute - www.sans.org

Lee Howarth, Senior Product Manager

Oracle Corporation

Tony DeLaGrange

• Security Consultant at Secure Ideas

• Over 25 Years IT Experience

– 15 Years in financial services

– Over a decade in IT Security

• Co-author of SEC571 – Mobile Device Security

• Open Source Project Lead – MobiSec & SH5ARK

• Co-chair of SANS first Mobile Device Security Summit


Topics Today

• Mobility Security Survey

• Mobile Security Policies

• Top 3 Security Practices

• Conclusions


Mobility Survey

• Full results here: www.sans.org/reading_room/analysts_program

• Focused on policies and controls

• Survey ran in the 3rd quarter of 2012

• More than 650 people responded

– From a wide range of organizations


Criticality of Mobile Policies


• It starts with the policies

– 97% believe it's important

• Yet so many don't have mobile policies

– Improvement from last year (58%)

Ends of the Spectrum

• Most stringent

– 24% do not permit personal devices to access company resources

• Most lenient

– Besides no policy at all – 14% let employees secure their own mobile devices

• Somewhere in between

– 21% manage employees' devices

– 27% use mobile sync with minimal device management controls


Top 3 Mobile Security Practices


• Authentication to corporate resources

• Access to corporate information

• Protect corporate data on devices

Authenticating Mobile Users


Controlling Access to Resources


Challenges

• How should companies implement authentication and access controls?

– User credentials?

– Location?

– Device type?

– Applications?

• Where should organizations "touch" employee devices?

– Device?

– Applications?


Protecting Corporate Data


Challenges

• How should employers ensure protection of data on lost/stolen devices?

– Wipe sensitive data?

– Wipe entire device?

– Locate the device?

– Lock/Disable the device?

• How should fraud controls be implemented?


Conclusions

• Policies are important

– 37% still don't have them

– Many are developing policies after building their controls

• Companies are most interested in

– Authentication

– Access to resources

– Data protection

• Challenges with BYOD

– Finding a balance in controls

– While not upsetting employees too much


Tony DeLaGrange

tony@secureideas.com

904-639-6709

Q@SANS.org


Bring Your Own Device (BYOD) Policy

Benjamin Wright

Attorney & SANS Institute Instructor

benjaminwright.us

This is education, not legal advice.

Bring Your Own Device (BYOD)

• Rules for employees using own laptop, tablet, smartphone, webmail services for business

• Controversial topic; no perfect policy exists

• See discussions: http://goo.gl/txlCU, http://goo.gl/7bEAQ, http://goo.gl/QX6Uz, http://goo.gl/edSFF

Subpoena for Employee’s Home Hard Drive

• Local government employment dispute

• Plaintiff able to subpoena hard drive of manager’s home computer

• Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011)

Employer Liability for Security

• Massachusetts 201 CMR 17.00: PII on mobile devices must be encrypted

• Cal SB 1386 - many breach notices because of stolen, unencrypted laptops (e.g. Guin v. Brazos Higher Education)

$1.5 Million Fine + Costly Security Upgrades

• Unencrypted patient data

• Stolen laptop

• Massachusetts Eye and Ear Infirmary (hospital)

• HIPAA penalties imposed by Dept. of Health and Human Services

• http://goo.gl/acnRE


Employer Incentives

• Device and service monitoring

• Data wiping (selective or whole device)

• Encryption

• Confiscation if monitoring identifies device or service as a risk or threat

Policy/Agreement Challenges

• Warning employees

• Getting employee consent

• Employee privacy

• Liability for damage to employee data, device or service

BYOD Policy – Sample Language

• http://goo.gl/19idt

• Workable policy will come from negotiations among stakeholders

• This language tilts toward needs of employer

"Employees are informed that when they create electronic records or work product in the course of their work for the Company, the records and work product belong to the Company."

BYOD Policy

"When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to connect to Company information resources, then the Company reserves the right to take security measures relative to the device, including but not limited to inspect the device and . . ."

BYOD Policy Continued

Employees are informed, and employees agree, as follows: If the Company takes control or possession of a Device or Service, or takes security measures relative to it, then:

(a) the Company might not return the Device or Service;

(b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service;

(c) the Device or Service could be damaged, the employee could lose data and the employee's data could be disclosed to others. The Company will not be liable or responsible for such damage, loss or disclosure.

BYOD Continued

"As a matter of honor and reputation -- but not as a matter of legal liability or obligation -- the Company aspires to be forthcoming with employees as a whole about the practical impact of this Policy on employees over time."

BYOD Policy Continued

Blogs: benjaminwright.us

This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises your organization.

Any person may reuse this material freely.

Enforcing your BYOD Mobile Access Policies with Oracle Access Management

Lee Howarth

Senior Principal Product Manager

Oracle

• Establish Mobile Access Policies

– Monitor and enforce usage

• Extend Enterprise Access to Mobile Devices

– Integrates native mobile apps and mobile web with corporate systems & information

– Access management, authorizations, API security, and fraud detection

– Device context based fine-grained authorization

• Enable Mobile Device Security Elements

– Support for native security

– Device security – jailbreak detection at login

– Device lifecycle – white-list/blacklist/lost device management

– Device fingerprinting

Mobile Access Roadmap

Mobile device connection methods

• The native web browser on the device

• Native mobile device clients acting as a web browser

• Native mobile device clients connecting to gateways or applications

Copyright © 2011, Oracle. All rights reserved

• Mobile Security Platform

– Authentication and SSO

– Strong authentication, device fingerprinting and risk-based access

– Mobile SDK

• Internet / Social Integration

• REST/Cloud interfaces

Mobile Requirements

Extend Enterprise Access

Mobile Authentication

Flexible options for devices, applications and users

Mobile Single Sign-on

Many applications, one sign-on, global logout

Mobile Security Architecture (diagram; columns: Mobile Device, Mobile Interfaces, IDM Infrastructure, Features)

• Mobile Device: Native App, Web App, Security App (Oracle SDK; REST)

• Mobile Interfaces: Authorization, Authentication, User Profile (REST / API)

• IDM Infrastructure: Access Management (OAM Service, OAAM Service), Directory Services, Platform Security Services (OPSS Service), User Profile Services (White Pages applications, User Self Registration/Self Service)

• Features: Device Registration, Lost & Stolen Devices, GPS/WIFI Location Awareness, Device Fingerprinting & Tracking, Risk-based KBA & OTP, Transactional risk analysis, White & Black Lists

Context Aware Access Management

Account Detail Request – Get Account Information: John, Doe; Irvine, CA 92602

Behavioral Patterns

• Has he accessed between 00:00 – 03:00 in the last two months?

• Has he used this device more than 20% in the last three months?

• Does subject live in same geography as requestor?

• Does he usually perform account lookups?

Valid credentials given from outside network, but already logged in from inside network. Which session is really who we think it is?
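The behavioral questions on this slide are each a signal that a risk engine computes from the user's own history before deciding whether to allow, step up (KBA or OTP) or deny. The example below is added here and is not Oracle code: it turns the slide's five questions (off-hours access, share of requests from this device, geography of the account holder versus the requester, whether the user usually performs this action, and a concurrent session from inside the network) into independent checks over a constructed access history and sums them into a score. The thresholds, weights, records, device names and the 01:30 clock are assumptions for illustration.

```python
"""Context-aware risk scoring for an account-lookup request.

Added example, not Oracle code. Each behavioral question on the slide becomes
an independent signal over a constructed access history; the weighted sum
drives allow / step-up challenge / deny. Thresholds, weights, records and
names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    when: datetime
    device_id: str
    action: str
    region: str        # coarse region the request came from, e.g. "CA"
    from_inside: bool  # True when the request came from the corporate network


@dataclass(frozen=True)
class Request:
    when: datetime
    device_id: str
    action: str
    region: str
    from_inside: bool
    subject_region: str  # where the account holder (the "subject") lives


def off_hours_access_seen(history, now, days=60):
    """Has the user accessed between 00:00 and 03:00 in the last `days` days?"""
    cutoff = now - timedelta(days=days)
    return any(a.when >= cutoff and 0 <= a.when.hour < 3 for a in history)


def device_share(history, device_id, now, days=90):
    """Fraction of the last `days` days' requests that came from `device_id`."""
    recent = [a for a in history if a.when >= now - timedelta(days=days)]
    if not recent:
        return 0.0
    return sum(1 for a in recent if a.device_id == device_id) / len(recent)


def usually_performs(history, action, min_share=0.25):
    """Does this user normally perform `action` (at least `min_share` of history)?"""
    if not history:
        return False
    return sum(1 for a in history if a.action == action) / len(history) >= min_share


def concurrent_inside_session(active_sessions, req):
    """Valid credentials from outside while a session is already active inside."""
    return (not req.from_inside) and any(s.from_inside for s in active_sessions)


WEIGHTS = {  # assumed weights; tune against real data
    "off_hours_new": 20, "rare_device": 25, "geo_mismatch": 20,
    "unusual_action": 15, "concurrent_inside": 40,
}


def risk_score(req, history, active_sessions):
    """Return (score, signals) for the request against the user's history."""
    signals = {
        "off_hours_new": 0 <= req.when.hour < 3 and not off_hours_access_seen(history, req.when),
        "rare_device": device_share(history, req.device_id, req.when) < 0.20,
        "geo_mismatch": req.region != req.subject_region,
        "unusual_action": not usually_performs(history, req.action),
        "concurrent_inside": concurrent_inside_session(active_sessions, req),
    }
    return sum(WEIGHTS[k] for k, v in signals.items() if v), signals


def decide(score):
    """Map a score to an access decision; 'challenge' means step-up (KBA or OTP)."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "challenge"
    return "allow"


NOW = datetime(2012, 11, 15, 1, 30)  # constructed clock: 01:30, i.e. off-hours

# Constructed history: one device, daytime, inside the network, mostly lookups.
HISTORY = [
    Access(datetime(2012, m, d, h), "dev-A", act, "CA", True)
    for (m, d, h, act) in [
        (9, 3, 9, "account_lookup"), (9, 12, 10, "account_lookup"),
        (9, 25, 14, "update_address"), (10, 2, 11, "account_lookup"),
        (10, 9, 16, "account_lookup"), (10, 18, 9, "account_lookup"),
        (10, 30, 13, "account_lookup"), (11, 6, 10, "update_address"),
        (11, 12, 15, "account_lookup"), (11, 14, 11, "account_lookup"),
    ]
]
# Constructed: the same user already has a live session from inside the network.
ACTIVE_SESSIONS = [Access(datetime(2012, 11, 15, 0, 50), "dev-A", "login", "CA", True)]

SUSPICIOUS = Request(NOW, "dev-B", "account_lookup", "CA", False, subject_region="CA")
BENIGN = Request(datetime(2012, 11, 15, 10, 0), "dev-A", "account_lookup", "CA", True, subject_region="CA")

if __name__ == "__main__":
    for name, req, sessions in [("suspicious", SUSPICIOUS, ACTIVE_SESSIONS), ("benign", BENIGN, [])]:
        score, signals = risk_score(req, HISTORY, sessions)
        print(name, score, decide(score), [k for k, v in signals.items() if v])
```

The concurrent-session signal carries the largest weight because it is the one the slide singles out: the credentials are valid either way, so only context (a second, outside session appearing while an inside one is live) tells the two sessions apart, and a step-up challenge is the cheap way to find out which one is the account holder.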

Mobile Authorization & Data Redaction (diagram)

HTTP / REST / SOAP / OAuth Clients → Oracle Enterprise Gateway → Customer Service

Customer Service operations:

- getCustomerDetail

- updateCustomer

- deleteCustomer…

Request – Oracle Enterprise Gateway asks Oracle Entitlements Server:

isAuthorized(user = Bob Doe, Acme Corp; Device = iOS 5.0, non-registered; Location = 37.53043790,-122.26648800; customerId = 99999; action = getCustomerDetail)

Response (sensitive fields redacted for this context):

{ "CustomerDetailResponse":
  { "customerID": "99999",
    "name": "Sally Smith",
    "phone": "555-1234567",
    "SSN": "***********",
    "creditCardNo": "@^*%&@$#%!",
    "purchaseHistory": "…"
  }
}
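The slide's point is that the authorization answer is not just permit or deny: for a read from an unregistered device the call is permitted, but the response is rewritten so that SSN and card number never leave the gateway. The example below is added here and is not Oracle Entitlements Server or Oracle Enterprise Gateway code. A small policy decision point takes the same context the slide passes to isAuthorized (user, device registration state, location, action) and returns a decision plus the set of fields to redact; a gateway handler then masks those fields before building the CustomerDetailResponse. The roles, device registry, lost-device list, geofence, customer record and masking rule are assumptions for illustration; the coordinates are the ones printed on the slide, reused here as an assumed office location.

```python
"""Context-based authorization with field-level redaction at the gateway.

Added example, not Oracle code. Roles, the device registry, the geofence,
the customer record and the masking rule are assumptions for illustration.
"""
import math

# Constructed customer record modelled on the slide's CustomerDetailResponse.
CUSTOMERS = {
    "99999": {
        "customerID": "99999",
        "name": "Sally Smith",
        "phone": "555-1234567",
        "SSN": "123-45-6789",
        "creditCardNo": "4111111111111111",
        "purchaseHistory": ["order-1", "order-2"],
    }
}

SENSITIVE_FIELDS = {"SSN", "creditCardNo"}      # released only in a trusted context
ROLES = {"bob.doe@acme": {"customer_service"}}  # constructed user -> roles
ACTION_ROLES = {                                # constructed action -> roles allowed to call it
    "getCustomerDetail": {"customer_service", "admin"},
    "updateCustomer": {"customer_service", "admin"},
    "deleteCustomer": {"admin"},
}
REGISTERED_DEVICES = {"bob.doe@acme": {"dev-registered-1"}}  # constructed registration database
LOST_DEVICES = {"dev-lost-9"}                                # constructed lost/stolen list
OFFICE = (37.53043790, -122.26648800)  # slide coordinates, assumed office location
GEOFENCE_KM = 50.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def is_authorized(user, device_id, location, action):
    """Return (decision, fields_to_redact); decision is 'permit' or 'deny'."""
    if device_id in LOST_DEVICES:
        return "deny", set()          # reported lost/stolen: nothing leaves
    if not ACTION_ROLES.get(action, set()) & ROLES.get(user, set()):
        return "deny", set()          # role check fails regardless of context
    registered = device_id in REGISTERED_DEVICES.get(user, set())
    near_office = haversine_km(location, OFFICE) <= GEOFENCE_KM
    if action == "getCustomerDetail":
        # Reads are permitted, but PII is released only to a registered device near the office.
        return "permit", (set() if registered and near_office else set(SENSITIVE_FIELDS))
    # Changes to customer data require a registered device.
    return ("permit", set()) if registered else ("deny", set())


def redact(record, fields):
    """Mask the named fields with asterisks of the original length, as on the slide."""
    return {k: ("*" * len(str(v)) if k in fields else v) for k, v in record.items()}


def get_customer_detail(user, device_id, location, customer_id):
    """Gateway handler: authorize, fetch, redact, wrap as CustomerDetailResponse."""
    decision, fields = is_authorized(user, device_id, location, "getCustomerDetail")
    if decision != "permit" or customer_id not in CUSTOMERS:
        return {"error": "forbidden"}  # same answer for denied and unknown: no existence leak
    return {"CustomerDetailResponse": redact(CUSTOMERS[customer_id], fields)}


if __name__ == "__main__":
    # The slide's request: Bob Doe, unregistered iOS device, at the given coordinates.
    print(get_customer_detail("bob.doe@acme", "ios-unregistered", OFFICE, "99999"))
```

Keeping the redaction decision in the policy decision point rather than in the customer service is what the slide later calls externalizing authorization from application code: the service returns the full record to the gateway, and only the gateway, driven by policy, decides what the device is allowed to see.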

Detailed Mobile Visibility

Realtime and historic device and user access attempts and risk scores

Device characteristics analysis, including OS and SDK versions


Oracle Mobile Access Technology

• Oracle Enterprise Gateway

– Enables Mobile Application REST APIs and protects APIs, web services, and SOA infrastructure from external threats and invalid / suspicious requests

– Extends Access Management with authentication, authorization and audit to REST APIs and web services

• Oracle Access Management Suite+

– Mobile Identity and Access

– Authentication, Registration, and User Profile Services for Mobile

– Last mile security for an organization's backend web services and SOA infrastructure

– Device Fingerprinting and Registration Database

– Risk-Based Authentication that Factors Mobile Context

– Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context

– Externalize Authorization Policies from Application Code


Oracle Mobile Access Management Summary

Bridges the gap between mobile devices and enterprise IDM systems

Provides context-driven, risk-aware access management

Simplifies developer access to IDM

Supports BYOD

Provides visibility and control

Mobile Access Management (diagram): REST-ful Interfaces, Single Sign-on, Location Data, Device Registration, Device Context

Q&A

If we don't answer your question during the webcast, we will post a follow up on: http://blogs.oracle.com/oracleidm

Thank You!

Associated Paper: http://www.sans.org/reading_room/analysts_program/SANS-survey-mobility.pdf