BYOD. Transformation. Joe Leonard Director, Secure Networks. April 3, 2013

Transcription

1 BYOD Transformation April 3, 2013 Joe Leonard Director, Secure Networks

2 Agenda Joe Leonard Introduction CIO Top 10 Tech Priorities What is BYOD? BYOD Trends BYOD Threats Security Best Practices HIPAA Security Rule BYOD Business Challenges BYOD Architecture Q&A

3 Joe Leonard Introduction 3

4 CIO TOP 10 TECH PRIORITIES

5 CIO Top 10 Technology Priorities Analytics & Business Intelligence Mobile Technologies 1. Analytics and Business Wireless Intelligence and BYOD Cloud Computing (SaaS, IaaS, PaaS) Collaboration technologies (workflow) Legacy Modernization IT Management CRM Virtualization 2. Mobile Technologies 3. Cloud Computing (Iaas, PaaS, SaaS) 4. Collaboration Technologies (workflow) 5. Legacy Modernization 6. IT Management 7. CRM 8. Virtualization 9. ERP Applications 10.Security Cloud Computing & Data Center Virtualization Unified Communications, Web Based Collaboration & Video Core Network Infrastructures, Virtual Infrastructure, ITaaS Models Managed Services, Network Management, Cloud Orchestration Data Center Virtualization 9 Security Security *According to Gartner research combined reports 2012

6 WHAT IS BYOD?

7 WHAT DOES BYOD MEAN TO YOU?

8 BYOD TRENDS

9 MORE THAN 3 CONNECTED DEVICES PER PERSON 2014

10 How Fast is Mobile Internet Growing?

11 Connected World is Changing Business THE INTERNET OF THINGS is evolving to THE INTERNET OF EVERYTHING

12 TOTAL GLOBAL IP TRAFFIC.9 EB in EB in EB in EXABYTE EQUALS 36,000 YEARS OF HD-TV VIDEO OR 1 BILLION GB

13 Global Mobile Data Forecast by Region

14 Mobile Devices Traffic Growth

15 Mobile Video Traffic

16 BYOD THREATS

17 Bring Your Own Device (BYOD) 75 percent of companies allow employee-owned smartphones and/or tablets to be used at work Aberdeen Study. Gartner predicts that this number will rise to 90 percent by Less that 10% of respondents felt completely aware of all mobile devices accessing their enterprise infrastructure SANS BYOD Survey 2012 The BYOD movement has significant productivity, convenience and cost benefits, but it is leading to serious challenges for IT security and privacy. 17

18 2012 Mobile Landscape Source: F-Secure Mobile Threat Report Q4 2012

19 2012 Mobile Threat Families Source: F-Secure Mobile Threat Report Q4 2012

20 Threat Families Source: F-Secure Mobile Threat Report Q4 2012

21 Malware Threats Source: Kaspersky 21

22 Mobile Threats by Type Source: F-Secure Mobile Threat Report Q4 2012

23 Malware Threat Report Source: FireEye Threat Report 2H 2011

24 Malware Attacks Malware Android DroidDream malware 50 apps pulled Rogue apps Upgrade attack

25 Top 5 Mobile Threats 1. Lost or stolen device 2. Mobile malware data leakage 3. Wi-Fi hotspots 4. Vulnerabilities phone OS and applications "lost" 50 phones on purpose (msnbc.com): 5. Proximity based hacking Cell-phone Symantec conducted insurance provider an experiment Asurion earlier reports this that year, 60 where million they smartphones are lost, stolen or damaged each year. In dollar terms, according to a report conducted by mobile security firm Lookout, Americans 43 percent lost of $30 finders billion clicked dollars on worth an app of smartphones labeled "online banking." 53 percent clicked on a filed named "HR salaries." 57 percent opened a file named "saved passwords. 60 percent checked Social networking tools and personal percent tempted a folder labeled "private photos. 89 percent clicked on something they probably shouldn t have. 50 percent of the phones were returned. 25

26 SECURITY BEST PRACTICES

27 SANS Consensus Audit Guidelines (CAG) # Guidelines 1 Inventory of authorized and unauthorized devices 2 Inventory of authorized and unauthorized software 3 Secure configurations for hardware software (Laptop and Server) 4 Continuous vulnerability assessment and remediation 5 Malware defenses 6 Application software security 7 Wireless device control 8 Data recovery capability (validated manually) 9 Security skills assessment and training to fill gaps 10 Secure configurations for network devices (Firewall, Router and Switch) # Guidelines 11 Limitation and control of network ports and services 12 Controlled use of administration privileges 13 Boundary defense 14 Maintenance, monitoring and analysis of audit logs 15 Controlled access based or need to know 16 Access monitoring and control 17 Data Loss Prevention (DLP) 18 Incident response capability 19 Secure networking engineering 20 Penetration tests and red team exercises

28 HIPAA SECURITY RULE

29 History of HIPAA

30 HIPAA Security Rule What do we check? Administration Safeguards Physical Safeguards Technical Safeguards Organizational Safeguards Documentation Requirements 30

31 Administration Safeguards (a) (1) Standard: Security management (a) (2) Standard: Assigned security responsibility (a) (3) Standard: Workforce security (a) (4) Standard: Information access management (a) (5) Standard: Security awareness and training (a) (6) Standard: Security incident procedures (a) (7) Standard: Contingency plan (a) (8) Standard: Evaluation (b) (9) Standard: Business associate contracts and other arrangements

32 Physical Safeguards (a) (1) Standard: Facility access controls (b) Standard: Workstation use (c) Standard: Workstation security (d) Standard: Device and media controls

33 Technical Safeguards (a) Standard: Access control (b) Standard: Audit controls (c) (1) Standard: Integrity (d) Standard: Person or entity authentication (e) Standard: Transmission security

34 Organizational Safeguards (a) (1) Standard: Business associate contracts or other arrangements (b) (1) Standard: Requirements for Group Health Plans

35 Documentation Requirements (a) Standard: Policies and Procedures (b) (1) Standard: Documentation

36 NIST Management Controls Identifier Checks Family CA 7 Security Assessment and Authorization PL 6 Planning RA 5 Risk Assessment SA 14 System and Services Acquisition PM 11 Program Management

37 NIST Operational Controls Identifier Checks Family AT 5 Awareness and Training CM 9 Configuration Management CP 10 Contingency Planning IR 8 Incident Response MA 6 Maintenance MP 6 Media Protection PE 19 Physical and Environmental Protection PS 8 Personnel Security SI 13 System and Information Integrity

38 NIST Technical Controls Identifier Checks Family AC 22 Access Controls AU 14 Audit and Accountability IA 8 Identification and Authentication SC 34 System and Communication Protection

39 HIPAA Security Rule + NIST Example AC-1 AC-3 AC-5 AC-6 Security Controls Mapping Access Control Policy and Procedures Access Enforcement Separation of Duties Least Privilege

40 HHS Office of Civil Rights (OCR) Audits Massachusetts Eye and Ear Laptop with patient data stolen $1.5M Alaska Department of Health $1.7M One USB drive

41 BYOD BUSINESS CHALLENGES

42 APPLYING BYOD PRACTICAL THINKING NOT JUST TECHNOLOGY Transformation

43 BYOD Transformation DEVICE PROLIFERATION 15 Billion Devices by 2015 that Will Be Connecting to Your Network On Average Every Person Has 3 4 Devices On Them that Connect to the Network 75% of Staff Are Bringing Their Own Devices to Work DEVICE PROLIFERATION NEXT GENERATIKON WORKFORCE VIRTUALIZATION

44 BYOD Transformation NEXT GENERATION WORKFORCE Work Is No Longer a Place You Go to Work People Are Willing to Take a Pay Cut as Long as They Are Able to Work from Home 70% percent of end users admit to breaking IT policy to make their lives easier Need Anywhere, Anytime, Any Device Access DEVICE PROLIFERATION NEXT GENERATIKON WORKFORCE VIRTUALIZATION

45 BYOD Transformation 60% of server workloads will be virtualized by 2013 VIRTUALIZATION 20% of professional PCs will be managed under a hosted virtual desktop model by Datacenters are evolving, Applications are now objects moving through the network DEVICE PROLIFERATION NEXT GENERATIKON WORKFORCE VIRTUALIZATION

46 Top of Mind Concerns The Burden Falls on IT How do I manage the risk of employees bringing their own devices? How do I ensure consistent experience on all devices? How do I implement multiple security policies per user and device? How and What do I support? DEVICE PROLIFERATION

47 Top of Mind Concerns The Burden Falls on IT Am I hindering my workforce from being competitive? How do I retain top talent? How do I ensure compliance with HIPAA and PCI? Can I handle partners, consultants, guest appropriately? CHANGING WORKFORCE

48 Market Transition Mobility Workplace Experience Video 7 Billion New Wireless Devices by 2015 Mobile Devices IT Resources Blurring the Borders Consumer Workforce Employee Partner Physical Virtual Anyone, Anywhere, Anytime Changing the Way We Work Video projected to quadruple IP traffic by 2014 to 767 exabytes

49 BYOD ARCHITECTURE

50 BYOD Policy Considerations LIMIT BASIC ENHANCED ADVANCED Business Policy Environment Requires Tight Controls Device Types Corp Only Device Hospital (Example) IT Requirements Hospital extends wireless access to employees for corporate devices (laptop, ipad, smartphone) Visibility to who/what is on network Restrict access to only corporate issued devices

51 BYOD Policy Considerations LIMIT BASIC ENHANCED ADVANCED Business Policy Environment Requires Tight Controls Focus on Basic Services, Easy Access Device Types Corp Only Device Broader Device Types but Internet Only Simple Guest Hospital (Example) IT Requirements Hospital extends wireless access to employees for corporate devices (laptop, ipad, smartphone) Visibility to who/what is on network Restrict access to only corporate issued devices Hospital provides guest access to patients Restrict personal devices to public internet Restricted access to internal sites

52 BYOD Policy Considerations LIMIT BASIC ENHANCED ADVANCED Business Policy Environment Requires Tight Controls Focus on Basic Services, Easy Access Secure Access to Business Applications Onsite/Offsite Device Types Corp Only Device Broader Device Types but Internet Only Simple Guest Multiple Device Types + Access Methods Early BYOD Commercial Adopters Hospital (Example) Hospital extends wireless access to employees for corporate devices (laptop, ipad, smartphone) Hospital provides guest access to patients Doctor uses personal device in hospital and offsite on the train with access to some hospital applications IT Requirements Visibility to who/what is on network Restrict access to only corporate issued devices Restrict personal devices to public internet Restricted access to internal sites Allow granular onsite and offsite access to network/applications for personal and company devices

53 BYOD Policy Considerations LIMIT BASIC ENHANCED ADVANCED Business Policy Environment Requires Tight Controls Focus on Basic Services, Easy Access Secure Access to Business Applications Onsite/Offsite All Key Applications, New Services, Full Control Device Types Corp Only Device Broader Device Types but Internet Only Simple Guest Multiple Device Types + Access Methods Early BYOD Commercial Adopters Any Device, Any Ownership Innovative Organizations Hospital (Example) Hospital extends wireless access to employees for corporate devices (laptop, ipad, smartphone) Hospital provides guest access to patients Doctor uses personal device in hospital and offsite on the train with access to some hospital applications Hospital administrator is granted full network access to applications with new collaboration services IT Requirements Visibility to who/what is on network Restrict access to only corporate issued devices Restrict personal devices to public internet Restricted access to internal sites Allow granular onsite and offsite access to network/applications for personal and company devices Enable a full mobile and collaboration experience

54 Presidio BYOD Architecture Security Information Event Management - SIEM (Control) 6 Internet Mobile User 2 Wireless (Control) VPN (Control) 3 IPS Malware (Control) Switch 4 Firewall (Control) Redirect Wireless SSL VPN 5 Content Security (Control) 1 Policy Mobile Device Management MDM (Control) Mobile Device Management Device Management Selective and Full Wipe Security Enforcement Access Control Certificate Management Application Management and Distribution Content Management 54 Policy 802.1x Authentication Authorization Profiling Device Type Posture Assessment Remediation Guest Services High Availability Design Mobile Onboarding Comprehensive Reporting IPS-Malware Malware/Spyware Malicious Software DDoS Attacks Reconnaissance Attacks SIEM Logging Correlation Reporting Firewall Access Control Remote Access VPN Dynamic Access Policies Content Security Malware Defense Data Security Acceptable Use Controls

55 Summary BYOD is transforming how we work. BYOD is a layered architecture BYOD Transformation requires a clearly defined policy. Bandwidth requirements are increasing.

56 Q&A

57 Practical thinking for a connected world. THANK YOU.