Now? Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI SPYRUS, Inc. Michael F. Angelo, CSA NetIQ Corporation

Transcription

1 Bring Your Own Computer To Title Work of - Presentation What Now? Ron LaPedis, CISSP-ISSAP, ISSMP, MBCP, MBCI SPYRUS, Inc Michael F. Angelo, CSA NetIQ Corporation

2 Bring your own computer BYOC is Consumerization of IT How It Happens Organizational Benefits and Impact Action Today, Tomorrow, Future 2

3 Bring your own computer Summary Questions Pop Down to the Pub x 3

4 BYOC is Consumerization of IT 4

5 Changing the Face of Work What Is Consumerization? Consumer-based Social Media for advertising Consumer-based Financial Services for accounts receivable Use of consumer or Free Software for sustaining corporate infrastructure And What we are going to focus on: Use of personal equipment in the corporate environment 5

6 Evolution Consumerization of IT Mice Keyboards Monitors Home equipment for remote access Mobile Phone Wi-Fi Card Flash Drive PDA Music Player Smart Phone Desktop / Laptop Use of employee owned resources for company work 6

7 HOW WIDESPREAD IS consumerization? Employee Purchased Primary Machine Laptop PDA Mobile Phone Smart Phone Source:In-Stat 7

8 How It Happens 8

9 How It Happens Don t want to use your Pentium III with 256mb RAM & 60gb HD Don t want to use your OS Don t want to use IE6 Don t want to use your software tools Don t want to be locked down 9

10 What is your policy? Secretive Ignored Unofficially Supported Officially Supported Subsidized 10

11 Benefit and Impact 11

12 Benefits and drawbacks Companies save 9-40% on equipment purchase cost * Exit the hardware business Employee satisfaction Higher productivity Longer work hours Helpdesk Knowledge Loaner Hardware Capability Configuration Maintenance / warranty Upgrades Software Interoperability Upgrades / updates Vulnerabilities *Source:Gartner 12

13 Organizational impact - ownership Logins Personal login information on corporate machine Social Networks / Professional Associations Corporate login information on personal machine VPN Configuration User IDs and passwords stored in browsers Software Ownership Personal software Restricted use licenses Corporate software on home equipment 13

14 Legislated Privacy Organizational impact - legal Issues EU data protection act USA HIPAA, SOX, GLBA Country, state/province, local (e.g. CA SB 1386) More laws pending Cross contamination Corporate backup includes personal information Personal backup includes corporate information 14

15 Information Leakage Family & friends Device Loss Virus Personal Spear Fishing Increased Exposure to Threats Surfing at Home <> Surfing at Work Torrents Organizational impact - Security 15

16 Organizational impact - Non Obvious Issues Acceptable use policies How to apply to personal machines? Out processing of individuals How do you know organizational data is removed from the employee machine? Software PST files Passwords / wireless / VPN Access Residual data Employee / corporate backups 16

17 Action To Take 17

18 Action to take today Is it already there? Run, don t walk to your legal staff Decide if you will allow Consumerization Don t wait for it to happen and then rush to formulate policy and procedures Decision must explicitly include all possible components Decision must be extended as new technology becomes available 18

19 Action today - Define policies Balance: Corporate vs Employee vs Customer Corporate: Must comply with laws Must maintain fiduciary responsibility Must not expose corporate assets At a minimum should address Employee responsibility Acceptable use Protection of assets 19

20 Action today - Incident response plan Even with Policies & Procedures accidents can happen Need incident response plan 20

21 Technical Solutions 21

22 Action today Security 101: Keep secret stuff separate from non secret stuff Keep corporate stuff separate from personal stuff Separate personal and corporate identities Compartmentalize the environments to reduce the risk of accidents. 22

23 lication isolation Separate user accounts Action today - Compartmentalization Virtual Desktop Infrastructure (VDI) Hypervisor on PC OS or Hypervisor on USB drive Windows-on-a-stick PC-in-my-pocket 23

24 Work and Personal Mac, PC, or Linux Fast user switching Action today - Separate user accounts Separate Context Subject to worms and viruses Can share information via common file system User 1 User 2 Host OS Computer Separate Users 24

25 Action today- VDI Virtual Desktop Infrastructure (VDI) 25

26 Aka Hosted Hypervisor Still subject to worms and viruses Action today - Type 2 hypervisor Harder to accidentally share information but cross-contamination still possible s Hosted OS s Hypervisor Host OS Computer Type 2 Hypervisor 26

27 Action not-quite-today - Type 1 hypervisor Aka Native Hypervisor Almost impossible to share information Only common attack is hypervisor itself Each OS can be attacked separately OS 1 OS 2 Hypervisor Computer Type 1 Hypervisor 27

28 Action Today - Type 2 portable hypervisor OS Partition Operating System User Settings Hypervisor File File File Hosted (Type 2) VM Running PC loads hypervisor from device OS from device and OS from host HD completely separated Does not prevent attack via host OS Does not protect the information if device is lost Does not stop access after employment 28

29 Action today - Virtualized OS-on-a-stick Encrypted OS Partition Operating System User Settings Boot Partition OS + Virtual Machine File File File On-board cryptography authenticates and protects Boots OS from device, loads hypervisor, then loads hosted OS Host provides mouse, keyboard, RAM Encryption can protect information if device is lost Limited to OS on device Management system can block device when employee leaves 29

30 Action today - Native OS-on-a-stick Encrypted OS Partition Operating System User Settings Boot Partition Boot Loader File File File On-board cryptography authenticates and protects Boots OS directly from device Host provides mouse, keyboard, RAM Encryption can protect information if device is lost Limited to OS on device Management system can block device when employee leaves 30

31 Native versus hypervisor lications Hypervisor lications PC Hardware PC Hardware Virtualized OS Native OS Note the addidonal overhead and larger agack surface of a hypervisor- based approach since two operadng systems are required. It will be nodceably slower and possibly less secure. 31

32 Action tomorrow - Native OS-on-a-stick + TPM Encrypted OS Partition Operating System User Settings Boot Partition Secure Boot Loader File File File Provides a mechanism to generate and measure system characteristics upon which a security decision can be made. In almost all commercial grade computers For more info see: the Trusted Computing Group 32

33 Action tomorrow: Native OS-on-a-stick + TPM Can also be used to seal information to a snapshot A snapshot consists of information relevant to defining an identity or entity Information can not be unsealed if any element used to seal is not an exact match or available. 33

34 Summary 34

35 Immediately Summary Consult with legal dept Review current information ownership / protection policies and make appropriate changes Put Consumerization policies in place Separate user accounts 35

36 Summary Longer Term Legal policies and procedures Enforce them! Technical policies and procedures ly, rinse, repeat Technical Tools Isolate applications, virtualization 36

37 Thank You Michael F. Angelo NetIQ Corporation 1233 West Loop South, Ste 810 Houston, TX Ron LaPedis SPYRUS, Inc Hartog Dr. San Jose, CA