7.5 steps to overlaying BYoD & IoT on Existing Investments

Date post: 05-Dec-2014
Upload: castonthomas
Transcript
Page 1: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Welcome, my name is Caston Thomas, with InterWorks.

We’re all struggling with this BYoD/IoT phenomenon. It’s become the rule rather than the exception. Although it may be a convenience to users, we need to think about its impact on our organizations, from a risk standpoint but also from a cultural standpoint as well.

Today, I’m going to talk about the risks & rewards of BYOD, the cloud, mobile and the “Internet of Things”. We’ll discuss how we can adapt to this fast changing world while preserving the investments you’ve already made into security, applications, infrastructure, processes, HR procedures, etc.

Page 2: 7.5 steps to overlaying BYoD & IoT on Existing Investments

When I talk about these things (let’s take “BYOD” as the example), the first thing I do is to look at the subject through the same prism. From my standpoint, there are three ways to look at BYoD. And similar perspectives on IoT & cloud hold true as well.

We’re talking about the single greatest evolution that IT has ever had to grapple with. It is a transformation of not only the device types, but who owns them, who manages them, who supports them, who pays for them. And the worst part: there’s no “line of demarcation”. It’s a world of gray and I don’t expect that to change any time soon, just because of how fast things are changing.

Option 1… personal vs corporate data

Option 2… who pays?

Option 3… fundamental shift in culture and the relationships that IT & management have with our end users, contractors, guests, & even trading partners

BYOD encompasses smartphones, tablets, BlackBerrys, as well as traditional notebook computers. Moving forward it will include things like personal health devices & monitoring equipment, Google Glass, Apple TV, and new technologies that will sit on our network and provide new information creation points as well as security exposures. Get ready, because here it comes. The last ten years was a cakewalk compared with where we’re headed the next ten years!

And it is not just about the devices, it is also about the software & services that will be used: cloud services & other tools on the web.

Page 3: 7.5 steps to overlaying BYoD & IoT on Existing Investments

I won’t be telling you anything you don’t already know. I hope to put it into a perspective and then a framework that allows you to prepare & adapt.

The role of IT will change. Budget battles will change. IT operations might slip into irrelevance if a line of business (LOB) can buy its ERP/MRP/CRM from the cloud. But even if that extreme view did occur, the strategic relevance of IT becomes even more instrumental.

New turf… new battles… new opportunities… new risks….

Page 4: 7.5 steps to overlaying BYoD & IoT on Existing Investments

So if you are an IT security manager, you might be wondering: should you fight or embrace the trends?

Many analysts have spoken out on this issue, such as Gartner & Forrester. They think fighting the tide is impossible, & not only that, it’s not even a sensible decision when you look at all the dimensions of the issue.

Page 5: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Other analysts have stated that BYOD & IoT will be huge cost-savers, if it is done right.

Either way, it’s going to transform our organizations, for better… or worse.


Page 6: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Questions arise…
• Internal threats
• Incident response
• Change management

If we don’t change some fundamental assumptions and our ways of thinking, things will get even worse. Today, on average, there’s a 2.5 day gap between identifying a security breach and fixing it.

We have to change!!! Just one example: we as IT & IT security professionals have a fundamental flaw in how we’ve approached network security. This is it. Everything we’ve done until now has been under the assumption that we must detect and then respond, remediate, fix the vulnerability. We think… “no matter what we do, the bad guys will find a way to get what they want. We’re always on our heels. We’re always on defense.”

It’s not part of this presentation, but there are exciting, revolutionary technologies & processes that have been developed. They’re starting to come onto the market and will be mainstream soon. I won’t go into it now, but here’s my challenge to you… What if we stop thinking about detecting & responding, and start thinking about PREVENTING!?!

Obviously, mobile devices, & more specifically personally owned mobile devices, open you up to all kinds of bad stuff on your network. The most pressing concern is data loss. What happens when the device is stolen, or jailbroken? What happens when an unauthorized user or device downloads or uploads data from your network?

Malware: In 2013, 80% of organizations with BYOD policies have seen botnet compromises increase by 100 percent inside their networks.

And of course, compliance. The number & type of endpoint devices is multiplying rapidly, & yet you as an IT security manager are tasked with compliance issues. How do you do it? It gets much harder if the endpoint is not one that you own, as is the case with BYOD. And besides mobile devices, there are other issues, such as an employee trying to work around IT by installing their own wireless access point, or using iCloud or Dropbox which you might not want.

Page 7: 7.5 steps to overlaying BYoD & IoT on Existing Investments

A comprehensive approach addresses the different exposures that come from how different end users need data. It’s how we create a structure for addressing flexibility AND control. We’ve got to stop being “the guys who only say NO”!

So let’s talk about the most common security controls for this new world, & I will describe the characteristics of each type of control.

Page 8: 7.5 steps to overlaying BYoD & IoT on Existing Investments

When we think about “mobile”, we tend to think about tablets & phones. But we need to think of it more as mobile data, NOT mobile devices. When we think mobile data, we think also about the data on laptops, on home computers, portable storage, maybe even sites like Box & Dropbox, and certainly those new classes of devices that will come onto our networks in the future.

We think about MDM in a generic sense, but that primarily manages the devices. MDM as we know it today doesn’t do the DLP, or malware, or document classification. There has to be more… and there is!

--- old notes ----

You could try to manage all the devices on your network. The first iteration of this we know as “Mobile Device Management”, or MDM. This approach has gained a lot of traction, & it allows you to lock down parts of the device itself, assuming the device has actually been enrolled in the MDM system & has an agent installed. But MDM usually does not support all the mobile devices that employees are bringing into the office; for example it doesn’t help you secure personally-owned MacBooks & Windows PCs. Another problem is the fact that MDM is usually installed as a separate system, with a separate management console, not integrated with anything else. And MDM does nothing to protect your network from unauthorized devices, or devices that are not yet enrolled into the MDM system.

Page 9: 7.5 steps to overlaying BYoD & IoT on Existing Investments

The limits of this use case are when the user is disconnected, a poor user interface, and a few other minor things. The important part of this is that it goes far in protecting the DATA!

--- old presentation ---

Your second option: you could restrict the data so that it never gets onto mobile devices. The data never gets copied down to the device. This is very strong data protection, but it does not provide a good user experience for owners of phones & tablets. The form-factor is wrong. These are small-screen devices, & the users are not going to want to use a Windows interface on their iPhone. Moreover, VDI does not work if you don’t have a live Internet connection. So for large populations of mobile users who work on airplanes & in taxis, this is a non-starter.

Some people think that if you use VDI, you don’t have to worry about the security of the endpoint, but Gartner says this is not the case. They say that “Network access control (NAC) & Network Access Protection (NAP) solutions, including Secure Sockets Layer (SSL) VPN, become vital, allowing policy engines to check that endpoint devices meet minimum specifications before accessing their VDI session (including OS patch levels, presence of an antivirus [AV] solution, up-to-date AV signature files & an acceptable network context).”

Page 10: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Wrapper approach, or the mobile application specific VPN

In most cases, this still needs to operate side by side with an MDM, but this is really about application control and a degree of data security. It doesn’t take care of email, calendaring, address books, etc.

--- old presentation ---

The third option is that we can control the applications that mobile users run. We can build our own enterprise applications using a mobile enterprise application platform (MEAP), or we can use a mobile application wrapper (MAW) from vendors like Mocana & Nukona. These application wrappers help you encrypt & contain the data that the applications use. These approaches are fairly new; it is a niche market. You would probably need some in-house development expertise to roll it out. It looks like a promising approach. But even this approach is not a panacea, because if you read the whitepapers written by these vendors, you’ll see that they rely on you having a distribution mechanism like MDM to distribute & manage the apps. And they don’t necessarily work with email, which is the most common application.

Page 11: 7.5 steps to overlaying BYoD & IoT on Existing Investments

A lot of organizations are moving to NAC… Start thinking about the next evolution of NAC. It’s not about “access control”. Change our thinking to “policy enforcement”. Again, a slightly different approach that makes a HUGE difference. Let’s start thinking in terms of “network access policy enforcement”! In doing so, we start to create congruence between security policy (compliance, governance, framework & architecture) and SecOps!

Another change… A single “point of policy” should cover all access methods, whether wired, wireless, VPN or mobile.

--- old presentation ---

Lastly, we can control network access in a very intelligent way. I’m not talking about “blocking all personal devices” from the network, that was solution #1; I’m talking about granting specific network access on the basis of who the user is & what the user has, & how secure that device is. This too is not a panacea, but it’s simple, it’s future-proof. Get 100% visibility & control over everything on your network, & you won’t need any software agents. NAC doesn’t protect the device itself, so if you decide to allow mobile devices onto your network, & you decide to allow data onto the mobile devices (or unbeknownst to you, data winds up on the mobile device), you’ll need something else to protect that data. For example, MDM.

Page 12: 7.5 steps to overlaying BYoD & IoT on Existing Investments

I agree with Gartner that two of these controls are especially useful. NAC is foundational to any BYOD strategy, & MDM is also a very popular & useful approach. And these technologies can work together. We can mix-and-match technologies, because in the area of BYOD, a single control is probably not sufficient.

In fact, depending on what we are trying to do, different controls are appropriate. Let me explain.

Page 13: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Here’s the way I look at our options.

One of our first decisions will have to be to what extent we want to mobilize our workforce. And our choice might be different for different populations of users. For some users, we want to support mobile devices in a limited way, say with just email. But for other users we might choose to fully mobilize them & extend sales force automation systems or home-grown business applications to these users.

So think in terms of a range of choices, as shown on this diagram. What are the appropriate security controls for each choice?

*** There’s a fundamental process in doing this. We can go through this process for each use case, each user group or role, and/or each application. ***

Page 14: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Going back to the issue of NAC. There’s a low cost BYoD/NAC approach. And that’s what I call WAP-NAC. Built into wifi vendors Aerohive, Meraki, & Ruckus/Meru (to a lesser degree) are NAC-like capabilities. This gives a good solution for wifi only access, and can be a good interim solution. On all these solutions, there is no additional license charge above the base cost.

A slightly different approach could include a guest access/802.1X/certificate approach. There are certainly places where this can (or should) be done, but it’s clearly not a long-term, strategic, unified solution.

If we choose to block mobile devices completely, the most common approach is to lock down the wifi and implement MDM restrictions. We can use the built-in mechanisms from the wifi, such as requiring certs on every endpoint that connects to the wireless access point.

*** New malware exposures are opening a new issue on personal devices. Hackers are going after their ability to turn on mics, cameras, GPS tracking, etcetera. The problem is that “high value conversations” (board meetings, planning sessions, preparation for negotiations, or personal conversations with loved ones) can expose individuals, but also corporate assets.

Page 15: 7.5 steps to overlaying BYoD & IoT on Existing Investments

If we want to be more flexible, we want to let mobile devices get onto our wireless network, but we want to limit access with more granularity. NAC can do this, & in fact NAC systems allow us to provide different levels of access for different people, groups, roles, and/or device types.

Reiterate a single policy for ALL access.

Page 16: 7.5 steps to overlaying BYoD & IoT on Existing Investments

If we want to more aggressively extend mobile applications out to our users, or to certain classes of users, on top of NAC we should think about combinations of NAC, VDI & MDM systems.

Multiple levels of security. To complete this, we need to add endpoint posture & endpoint tools. Some NAC systems can do posture without a dedicated client.

802.1X can’t do this alone.

Page 17: 7.5 steps to overlaying BYoD & IoT on Existing Investments

This is where we want to end up. Even if we do this over a couple of budget cycles, we should create the vision now. There’s a lot of “feature overlap” so having a plan is absolutely required. (This is one good place where InterWorks can help. There are some framing questions that can make the entire process much more linear.)

This is a good place to talk about market consolidation… emergence of VDI/MDM convergence vs document classification. Good point for discussion/dialogue, if time.

=== old presentation ===

And if we want to fully mobilize our workforce, we should be thinking about a mobile enterprise application management system & ways to push out the applications, update the applications, push out data, secure the data, etc.

Page 18: 7.5 steps to overlaying BYoD & IoT on Existing Investments

When security comes face-to-face with business, rule #1 is “Business always wins!” Security vs. agility…

And if we want to fully mobilize our workforce, we have to be thinking about onboarding, offboarding, a mobile enterprise application management system, ways to push out the applications, update the applications, push out data, secure the data, etc.

So what do NAC and these other technologies look like when implemented? What does the ultimate approach to all of this look like?


Page 20: 7.5 steps to overlaying BYoD & IoT on Existing Investments

CAN’T SECURE WHAT WE CAN’T SEE!!
• Grant access vs. limit access approach
• Remediation vs. prevention
• Agility vs security
• Don’t just find the gaps, fill them!
• Don’t just find the problems, fix them!
• Orders of magnitude faster filling of gaps.
If time, discuss the changing landscape of technology integration.

=== old presentation ===

The key problem to address is how to balance “access agility” with security.

[click]

What I mean when I say “access agility” is the ability to have all kinds of people, & all kinds of devices such as smartphones, connecting to our network through many different types of connections. This is what is happening today, it is the road warrior experience, and it is driving increases in productivity.

[click]

Of course we have to be concerned about security. If we lose a laptop or a smartphone that has corporate data on it, we have a data loss event. Are all the many devices like iPads running antivirus? You bet they are not, & we don’t control those devices anyway, so this is a potential threat vector. What does all this mean with respect to regulations & compliance? It is a concern, because many of these mobile devices are devices that we do not control. Yet we remain responsible for network security.

[click twice]

To manage these risks & enable the business benefits of accessibility requires a solution that provides visibility & control which is seamless to the end user & highly automated for IT.

Now… let me expand on the idea of comprehensive visibility, because it is extremely important. We can’t secure what we can’t see. Let me illustrate what gaps we might have today.

Page 21: 7.5 steps to overlaying BYoD & IoT on Existing Investments

===ADD ===

Continually inspect the device, the traffic, the posture, the “state”… Let’s see how this cycle works…

1. Visibility into what is on our network. “See” everything: what is on our network, with deep information about security posture & who is logged into the device.

2. Grant network access as per our security policy. Be flexible; for example we may prefer to grant access very liberally & only block access to computers that are seriously infected. This is the stage where we can limit access to just portions of our network, or maybe just grant Internet access.

3. Remediation. Not only find security gaps, fix them.

4. Continuously inspect the traffic from every network device to protect our network against attacks.

Let me show you details of how this entire cycle works. Let’s start with “see”.

Page 22: 7.5 steps to overlaying BYoD & IoT on Existing Investments

See, in real time, what is on our network.

[click]

Detect endpoints, network devices, users & applications.

Page 23: 7.5 steps to overlaying BYoD & IoT on Existing Investments

The next step is to grant network access.

Have a range of actions, ranging from gentle actions such as sending alerts to the administrator, educational actions such as telling the user that they are violating a policy, or more assertive actions such as restricting network access.

If we don’t want unauthorized devices or people on our network… [click] remove them. Automatically.

So those unauthorized devices are now gone from our network. But we still might have some problems with the authorized endpoints themselves. That is where our second level of automated enforcement comes into play. Automated endpoint remediation.

Page 24: 7.5 steps to overlaying BYoD & IoT on Existing Investments

We help you find & fix problems with your endpoints.

[click]

Update the operating system.

[click]

Disable USB memory sticks.

[click]

Kill applications we don’t want running.

Automated, saving time & money.

Page 25: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Talk about the “range of enforcement”: gentle actions versus assertive.

Even though unauthorized devices are gone, we may still have significant exposures:
• Good endpoint goes bad
• Automate the process
• Zero-day??? What to do? What to do!?!

Built-in threat prevention that has the smarts to detect when an otherwise “good” endpoint has gone bad due to some sort of infection or compromise. Zero-day protection against threats like Conficker, Zeus, Stuxnet.
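One concrete way a “good endpoint gone bad” shows up in the traffic that the cycle keeps inspecting is beaconing: a host starts contacting one outside address at a near-constant interval, which is a common way bots check in with their controllers. The following is an added example written for this page, not the speaker’s or any product’s code; the flow records are constructed for the illustration, and the thresholds (at least six connections, interval jitter of at most 15% of the mean) are assumptions.

```python
"""Flag endpoints whose connections to one destination are nearly periodic.

Added illustration for the talk's "good endpoint goes bad" point; not the
speaker's or any vendor's code. Flow records and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out).
SAMPLE_FLOWS = [
    # 10.0.5.23 phones home to 203.0.113.9 about every 60 s with tiny payloads.
    (1000, "10.0.5.23", "203.0.113.9", 312),
    (1061, "10.0.5.23", "203.0.113.9", 308),
    (1120, "10.0.5.23", "203.0.113.9", 315),
    (1181, "10.0.5.23", "203.0.113.9", 310),
    (1240, "10.0.5.23", "203.0.113.9", 311),
    (1299, "10.0.5.23", "203.0.113.9", 309),
    (1360, "10.0.5.23", "203.0.113.9", 314),
    (1421, "10.0.5.23", "203.0.113.9", 312),
    # 10.0.5.40 is a person browsing: bursty, irregular intervals, mixed sizes.
    (1000, "10.0.5.40", "198.51.100.7", 4120),
    (1005, "10.0.5.40", "198.51.100.7", 9800),
    (1140, "10.0.5.40", "198.51.100.7", 2210),
    (1150, "10.0.5.40", "198.51.100.7", 7700),
    (1400, "10.0.5.40", "198.51.100.7", 1500),
    (1410, "10.0.5.40", "198.51.100.7", 6100),
    (1900, "10.0.5.40", "198.51.100.7", 3300),
    (1003, "10.0.5.40", "198.51.100.22", 640),
]


def find_beacons(flows, min_connections=6, max_jitter=0.15):
    """Return {(src, dst): mean_interval_seconds} for source/destination pairs
    whose inter-connection intervals are nearly constant.

    Jitter is the coefficient of variation (population stddev / mean) of the
    intervals: 0 means perfectly periodic. Pairs with too few connections to
    judge are skipped rather than guessed at.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes in flows:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s; candidate for restricted access")
```

Loosening `max_jitter` to 2.0 would flag the ordinary browsing host too, which is the usual trade-off with this kind of detection: the threshold decides how many “good” endpoints get the assertive treatment. In practice the pair would be fed into the gentle-to-assertive action range from the previous pages rather than blocked outright.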

Page 26: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Let’s revisit the range of actions, from gentle to assertive.

Page 27: 7.5 steps to overlaying BYoD & IoT on Existing Investments

We can directly remediate Apple iOS devices. Some of the actions are shown here: we can lock the device, set the password, wipe the data, etc.

Page 28: 7.5 steps to overlaying BYoD & IoT on Existing Investments

If you’d like to download a complimentary whitepaper from the SANS Institute, or from IDC, drop me an email & I’ll be happy to forward you links.

Page 29: 7.5 steps to overlaying BYoD & IoT on Existing Investments

Step 1: Form a committee

The BYOD program will fail if it does not meet the needs of all the constituencies. So you will need a team which includes members from different IT departments (e.g., security, network, endpoint & application) plus a representative sample of users in your organization.

It’s important to discuss who is actually accountable for the success of the BYOD program, & who will be accountable for the enforcement of whatever security policies you decide on. An example of why a committee is important is that in our experience, the IT department should not be held accountable for enforcement, because that puts IT in a bad position, & the wrong position. The employee works for his business unit, for his manager, & the employee usually has a dotted line relationship to HR. Whatever BYOD policy your committee develops needs to be an agreement between the employee & his manager, or between the employee & HR. So if the employee does something against policy, & you have an IT control that discovers the violation, & the IT control revokes the ability for the device to access the network, you want the business unit & the HR department to be the primary stakeholders that are responsible for that situation between the employee & the organization.

Step 2: Gather data

You need to document the status quo. Review current policies, & make note of the prevailing attitudes toward security & management. Is it supportive, antagonistic or indifferent? Identify which departments/groups/individuals have been most active in developing policies in the past.

Gather data about your status quo including

• Counts of devices in use by platform, OS version, company-owned, personally owned or in the hands of non-company personnel, such as contractors

• Assessment of data currently passing onto & through mobile devices

• Mobile device applications in use, app ownership & app security profiles

• All entry paths used by mobile devices, such as cellular, Wi-Fi, bridge to workstation or VPN

Step 3: Identify & Prioritize Use Cases via Workforce Analysis

To be effective, mobile device policies must be context-oriented to match the reality of a company’s use cases. You will need to plan out:

• How will mobile devices be used?

• Which mobile applications need to be used offline, such as on airplanes & in elevators?

• What information will be accessible through mobile devices?

• What information will be stored on the mobile devices?

Step 4: Create an economic model

Step 4 is the point where you can start to create an economic model. You won’t finish it in step 4, because subsequent steps are going to feed into that model, but this is the right place to start the process.

Page 30: 7.5 steps to overlaying BYoD & IoT on Existing Investments

The jury is out as to whether BYOD programs save money or not. Some organizations say they do, some organizations say they don’t. Even if BYOD does not save you money, it still might be a great thing for your organization because it will result in productivity gains & employee satisfaction gains. If your company’s success depends on your ability to hire bright 20-year-olds, & if you are competing for talent, then having a BYOD program might be an essential element in your corporate strategy.

Some of the costs are shown here: device costs & data connectivity costs. You may or may not choose to give your employees a stipend to cover either. Some companies decide to cover the data plans for their employees, achieve economies of scale, & not have to worry about hassling with expense reports. You may wish to provide your employees with 3G or 4G data access for their laptop computers, and turn them into road warriors. Then you have the cost of software licenses. Keeping track of software that you own, but which is installed on personally owned computers, might be challenging. You’ll need a tracking system for that. Last on this list are infrastructure costs. You will likely need additional security & management systems for BYOD. You may choose to deploy a mobile device management system. They are not cheap. Some strategies for providing network access involve putting the mobile devices directly on the wireless LAN; some strategies involve putting the mobile devices on the Internet & routing them back into the network via a VPN. The latter is a much more expensive route to take, & you need to account for it if that is what you choose to do. Last is the cost for data protection. You may choose to deploy encryption & data loss prevention tools to BYOD devices.

Step 5: Formulate policies

If yours is a large organization, you may wish to consider different policies for different populations of users. For example, for the majority of your employees, you might wish to support simple applications like email & just a small number of mobile devices, like BlackBerry & Apple. For another population of users, for example your sales organization, you might wish to additionally support a sales force automation package, & you might wish to extend support to Android devices in addition to the BlackBerry & Apple devices. And for key executives, you will provide best effort support for other applications on these devices, on a per-request basis. Analysts at Gartner are big proponents of this model, which is the opposite of “one size fits all”. They call their model “managed diversity.”

When you decide on your policies, you need to strike a balance between user flexibility & security. The user experience is important & must be taken into account in the new policies. However, user experience is not the trump card. You cannot allow employees to dictate a path that causes the enterprise to accept too much risk. Where applications & data will reside on personal devices, companies should set limits on which personal platforms are supported & should be prepared to limit the types of information made available to personal devices.

Step 6: Decide how to protect your network

Now that you have a plan for which kinds of devices you are going to allow, & what kinds of applications you are going to authorize on each device, your next step is to decide how to protect your network from unauthorized devices, non-compliant devices, rogue devices, & how you are going to limit network access.

The first decision you need to make is how automated you want to get. Some organizations aim for the lowest possible investment in network security, which is a manual system. Essentially, you can manually deploy 802.1X configurations & certificates to whichever devices you want to allow on the network, then tell your wireless network to block anything that is not correctly configured. If this is your choice, you don’t need a separate network access control product, but you don’t gain the benefits of network access control automation. The process of figuring out which devices should receive a certificate & an 802.1X supplicant is manual, & it is static. If you change your mind in the future, for example you decide you want to revoke network privileges for certain types of Android systems, then a manual system is very difficult to work with.

Page 31: 7.5 steps to overlaying BYoD & IoT on Existing Investments

A manual 802.1X system is also quite dumb. All it can really do is distinguish devices with certificates from those without certificates. It can’t perform any sort of compliance check on the endpoint. So go back to step 5: if your policy is to only allow certain types of devices, with certain types of configurations (for example, a password if the device is a smartphone, & antivirus if the device is a PC), then you need a network access control system that can enforce the complexities of your policy.
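The policy just described (a passcode if the device is a smartphone, antivirus and current patches if it is a PC), the per-user, per-role, per-device-type access levels from page 15, and the “range of actions” from page 23 (alert the administrator, tell the user, restrict access, remove the device) come together in a small policy engine. The following is an added example written for this page, not the speaker’s or any NAC vendor’s code; the access tiers, rule thresholds, action names and the sample fleet are assumptions made for the illustration.

```python
"""Network access policy enforcement, reduced to its decision logic.

Each connecting endpoint is checked against posture rules; it lands in the most
restrictive access tier any rule demands, and collects enforcement actions that
range from gentle (notify the user) to assertive (remove from the network).

Added illustration; not the speaker's or any NAC vendor's code. Tiers, rule
thresholds, action names and the sample fleet are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    user: str             # authenticated user, "" if nobody is logged in
    role: str             # "employee", "contractor", "guest" or "unknown"
    device_type: str      # "smartphone" or "pc"
    company_owned: bool
    has_passcode: bool = False
    av_running: bool = False
    patch_age_days: int = 0
    infected: bool = False


@dataclass
class Decision:
    access: str                                   # one of ACCESS_TIERS
    actions: list = field(default_factory=list)   # gentle -> assertive
    reasons: list = field(default_factory=list)


# Most restrictive first; the strictest rule that fires decides the tier.
ACCESS_TIERS = ["block", "internet_only", "limited", "full"]


def evaluate(ep: Endpoint) -> Decision:
    decision = Decision(access="full")

    def restrict(tier, reason, *actions):
        if ACCESS_TIERS.index(tier) < ACCESS_TIERS.index(decision.access):
            decision.access = tier
        decision.reasons.append(reason)
        for action in actions:
            if action not in decision.actions:
                decision.actions.append(action)

    # Assertive: a compromised host is removed no matter who owns it.
    if ep.infected:
        restrict("block", "infection indicators on host", "alert_admin", "remove_from_network")
    # No authenticated corporate user: treat it as a guest, Internet only.
    if not ep.user or ep.role in ("guest", "unknown"):
        restrict("internet_only", "no authenticated corporate user", "alert_admin")
    # Contractors get the segments they need, not the whole production network.
    if ep.role == "contractor":
        restrict("limited", "contractor role")
    # Device-type rules: a passcode on phones; antivirus and current patches on PCs.
    if ep.device_type == "smartphone" and not ep.has_passcode:
        restrict("limited", "smartphone has no passcode", "notify_user")
    if ep.device_type == "pc" and not ep.av_running:
        restrict("limited", "PC has no running antivirus", "notify_user", "remediate_endpoint")
    if ep.device_type == "pc" and ep.patch_age_days > 30:
        restrict("limited", f"OS patches are {ep.patch_age_days} days old", "remediate_endpoint")
    return decision


def assign_fleet(fleet):
    """Map each endpoint's MAC to its access tier (the input to VLAN/ACL assignment)."""
    return {ep.mac: evaluate(ep).access for ep in fleet}


# Constructed sample fleet.
SAMPLE_FLEET = [
    Endpoint("00:11:22:33:44:01", "alice", "employee", "pc", True, av_running=True, patch_age_days=7),
    Endpoint("00:11:22:33:44:02", "bob", "employee", "smartphone", False, has_passcode=False),
    Endpoint("00:11:22:33:44:03", "", "unknown", "pc", False),
    Endpoint("00:11:22:33:44:04", "carol", "employee", "pc", True, av_running=True, patch_age_days=3, infected=True),
    Endpoint("00:11:22:33:44:05", "dave", "contractor", "pc", False, av_running=True, patch_age_days=45),
]

if __name__ == "__main__":
    for ep in SAMPLE_FLEET:
        d = evaluate(ep)
        who = ep.user or "-"
        print(f"{ep.mac} {who:8} {d.access:14} {', '.join(d.actions) or '-'} | {'; '.join(d.reasons)}")
```

The single `evaluate` function is the “single point of policy” the talk asks for: the same rules run whether the endpoint arrives over wired, wireless or VPN, and the output (tier plus actions) is what the enforcement layer, be it a switch VLAN, a wireless role or an MDM command, acts on.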

Another decision you will need to make is how many wireless networks you are going to deploy. If you have a network access control system, you can probably get away with one wireless network, or maybe a two-network scenario in which one wireless network is used for production & another wireless network is used for open access to the Internet. If you have chosen not to purchase a NAC system, then you may need at least three wireless networks: one for corporate-owned devices, one for BYOD devices, & a third for Internet access.

Step 7: Decide how to protect your data

In any BYOD project, you need to figure out a way to secure your data. Network access control will protect data on your network from unauthorized devices & non-compliant devices, but in this step we are trying to figure out how to protect data on a mobile device. In this scenario, a device has been authenticated, & the device is (or was) seen to be compliant with security policies, & we are going to let the user access sensitive data on our network. So how do we protect the data on that device?

There are two basic methods that you will need to choose from. The first method is to deploy a container onto the mobile device. That container is some sort of mobile app, or maybe multiple apps each with its own container. The container prevents data from moving from one app to another, & it typically includes encryption & data loss prevention controls built into the container. Often you will find that mobile device management products include containers for data. The most popular containerized application is an email app. If you deploy an email app with a strong container, you can force your users to use that email app for all corporate email. That will ensure that corporate email does not get mixed with personal email, & it will ensure that the device communicates to & through whatever data security products you have deployed at your corporate gateway. For example, suppose you have implemented a content filtering system for all inbound & outbound email to your organization. The containerized email app that you deploy onto mobile devices will be forced to send & receive through this content filtering system. This means that your email security controls will be consistently applied to all employees, no matter what type of device they are using.

The container also helps you delete data whenever you need to, without fear of deleting the employee’s valuable personal information. Separation of corporate data from personal data is the goal when you use containers to protect data.

An alternative approach to protect data is to never let the data get onto the mobile device in the first place. You can use a hosted virtual desktop product, for example something like Citrix, to allow the end-user to interact with data, & to see data, but the data always remains firmly on the corporate network. The data itself never travels onto the mobile device, never gets stored onto the mobile device.

There are two significant drawbacks with this method. First, the user experience tends to be poor, because the applications tend to emulate a Windows environment. But the employee who is using an iPhone does not want to interact with a Windows app on his small screen; he wants to interact with a native iPhone app that has been optimized for his small format screen. The second drawback is the fact that in this approach, the end-user needs to always have a live Internet connection. If you are on a plane at 30,000 feet, this approach won’t work. Whatever productivity gains you were hoping to achieve from the BYOD program, they pretty quickly fall to zero with this approach.

Page 32: 7.5 steps to overlaying BYoD & IoT on Existing Investments

That said, BYOD is not only about smartphones, it is also about computers. So a hosted virtual desktop approach might make perfect sense for employees that wish to use their personal Windows computers for business purposes.

Step 8: Build a project plan

You will need a plan for implementing whatever controls you want to implement, which might include

• Remote device management

• Application controls

• Policy compliance & audit reports

• Data & device encryption

• Augmenting cloud storage security

• Wiping devices when retired

• Revoking access to devices when the end-user relationship changes from employee to guest

• Revoking access to devices when employees are terminated by the company

Step 9: Evaluate solutions

We will be happy to engage with your team & recommend the right solutions for your organization. When you do evaluate a solution, make sure that you consider the impact on your existing network & how well the solution will strike the right balance between cost, security, & user concerns. The most secure solution is never the most usable solution; you need to strike a balance.

Step 10: Implement solutions

Begin with a pilot group from each of the stakeholders’ departments.

Expand the pilot to departments based on your organizational criteria.

Open the BYOD program to all employees.


Page 42: 7.5 steps to overlaying BYoD & IoT on Existing Investments

I would like to go back to steps 6 & 7 & give you a little more detailed information about the various types of enforcement solutions that are available.

Page 43: 7.5 steps to overlaying BYoD & IoT on Existing Investments

I hope this has been valuable to you, to understand the different approaches that you could take to enforce mobile security policies.

