Securing Institutional Data in a Mobile World

Similar documents
The Device Has Left the Building

Cloud Customer Architecture for Securing Workloads on Cloud Services

IAM Security & Privacy Policies Scott Bradner

MaaS360 Secure Productivity Suite

Data Loss Prevention Whitepaper. When Mobile Device Management Isn t Enough. Your Device Here. Good supports hundreds of devices.

Protecting Health Information

Thomas Lippert Principal Product Manager. Sophos Mobile. Spring 2017

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

Bring Your Own Device (BYOD) Best Practices & Technologies

Procedure: Bring your own device

Mobile Device policy Frequently Asked Questions April 2016

Deploying Lookout with IBM MaaS360

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Microsoft IT deploys Work Folders as an enterprise client data management solution

Changing face of endpoint security

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Go mobile. Stay in control.

Information Security BYOD Procedure

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Microsoft Administering System Center Configuration Manager and Intune

2016 BITGLASS, INC. mobile. solution brief

NOTICE OF PERSONAL DATA PROCESSING

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

EM L01 Introduction to Mobile

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

RHM Presentation. Maas 360 Mobile device management

S T A N D A R D : M O B I L E D E V I C E S

ForeScout Extended Module for VMware AirWatch MDM

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

2016 Survey: A Pulse on Mobility in Healthcare

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Mobile Security using IBM Endpoint Manager Mobile Device Management

2013 InterWorks, Page 1

905M 67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves

The Mobile Risk Management Company. Overview of Fixmo and Mobile Risk Management (MRM) Solutions

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Microsoft 365 Business FAQs

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On- Premises Tools

Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice The Stonhard Group" Notice Whose Personal Data do we collect?

THREE-PART GUIDE TO DEVELOPING A BYOD STRATEGY WHITE PAPER FEBRUARY 2017

CAN MICROSOFT HELP MEET THE GDPR

Information Security Data Classification Procedure

ForeScout Extended Module for MobileIron

Information we collect in connection with your use of MoreApp's Services; and

Cloud Security Standards Supplier Survey. Version 1

Securing Today s Mobile Workforce

Phil Schwan Technical

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Embedding GDPR into the SDLC

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

XenApp, XenDesktop and XenMobile Integration

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

INFORMATION ASSET MANAGEMENT POLICY

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Planning for and Managing Devices in the Enterprise: Enterprise Mobility Suite (EMS) & On-Premises Tools

Securing Wireless Mobile Devices. Lamaris Davis. East Carolina University 11/15/2013

Lookout Mobile Endpoint Security. Deploying Lookout with BlackBerry Unified Endpoint Management

Name of Policy: Computer Use Policy

Securing Office 365 with MobileIron

Augmenting security and management of. Office 365 with Citrix XenMobile

HIPAA Regulatory Compliance

Managing Devices and Corporate Data on ios

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Mobility, Security Concerns, and Avoidance

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

The Maximum Security Marriage: Mobile File Management is Necessary and Complementary to Mobile Device Management

BYOD: BRING YOUR OWN DEVICE.

Securing Health Data in a BYOD World

Security and Privacy Governance Program Guidelines

BASF Online Privacy Notice for the Master Builders Solutions Sweepstakes

I. INFORMATION WE COLLECT

Brian Russell, Chair Secure IoT WG & Chief Engineer Cyber Security Solutions, Leidos

FERPA & Student Data Communication Systems

Planning for and Managing Devices in the Enterprise: Enterprise Management Suite (EMS) & On-Premises Tools

ios Deployment Overview for Enterprise

Mobile Device Management: A Real Need for the Mobile World

Teradata and Protegrity High-Value Protection for High-Value Data

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

ENTERPRISE MOBILITY TRENDS

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Privacy Policy. 1. Collection and Use of Your Personal Information

Webinar: Mitigating the risks of uncontrolled content access from mobile devices. Presented By: Brian Ulmer, Product Management Director

Mobile Application Privacy Policy

A Global Look at IT Audit Best Practices

Effective October 31, Privacy Policy

Unlocking Office 365 without a password. How to Secure Access to Your Business Information in the Cloud without needing to remember another password.

Beam Technologies Inc. Privacy Policy

At Course Completion After completing this course, students will be able to:

Building Cloud Trust. Ioannis Stavrinides. Technical Evangelist MS Cyprus

Microsoft. MS-101 EXAM Microsoft 365 Mobility and Security. m/ Product: Demo File

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

Forescout. eyeextend for VMware AirWatch. Configuration Guide. Version 1.9

Cloud Security Standards and Guidelines

As Enterprise Mobility Usage Escalates, So Does Security Risk

GDPR: The Day After. Pierre-Luc REFALO

Enterprise Mobile Management (EMM) Policies

Transcription:

University of Wisconsin Madison Securing Institutional Data in a Mobile World July 13, 2017

Securing Institutional Data in a Mobile World / Agenda 01 What is a mobile device? 02 Protecting institutional data 03 The challenge 04 What can we do? 2

01 What is a mobile device? 3

Securing Institutional Data in a Mobile World / What is a mobile device? What is a mobile device? a phone? a tablet? a laptop? anything that can be physically moved? 4

Securing Institutional Data in a Mobile World / What is a mobile device? A mobile device : is a portable computing device such as a smartphone or tablet; is typically operated by being held in the user s hand; and, is running a mobile operating system. 5

Securing Institutional Data in a Mobile World / What is a mobile device? There are over Institutionally owned Personally owned Users with two or more devices mobile devices in use at UW Madison 6

Securing Institutional Data in a Mobile World / What is a mobile device? Each of these over mobile devices are part of our attack surface 7

02 Protecting institutional data 8

Securing Institutional Data in a Mobile World / Protecting institutional data What is institutional data? data that is damaging if lost? data protected by law or policy? data that is worth money and time? data that doesn t appear valuable? 9

Securing Institutional Data in a Mobile World / Protecting institutional data Institutional data : is any data that is owned or generated by UW Madison; is often protected by law and policy; is worth money and time; and is almost always valuable to someone whether because of the data itself, or the system(s) on which it is stored or accessed. 10

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison Data Classification Restricted Sensitive Internal Public Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if: protection of the data is required by law or regulation, or Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals. Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. Data should be classified as Public prior to display on websites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates. UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed. 11

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison Data Classification Restricted Sensitive Internal Public Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if: protection of the data is required by law or regulation, or Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals. Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. Data should be classified as Public prior to display on websites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates. UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed. 12

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison Data Classification Restricted Sensitive Internal Public Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if: protection of the data is required by law or regulation, or Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals. Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. Data should be classified as Public prior to display on websites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates. UW Madison is required to self-report to the government and/or provide exceptionally notice to the grave individual damage if the data is inappropriately accessed. serious damage damage little to no damage 13

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison Data Classification Restricted Sensitive Internal Public Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if: protection of the data is required by law or regulation, or Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals. Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. Data should be classified as Public prior to display on websites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates. UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed. This is all institutional data. 14

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison Data Classification Restricted Sensitive Internal Public Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if: protection of the data is required by law or regulation, or UW Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed. Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals. Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public data should be treated as Internal data. This is our protected Institutional data. Data should be classified as Public prior to display on websites or once published without access restrictions; and when the unauthorized disclosure, alteration, loss or destruction of that data would result in little or no risk to the University and its affiliates. 15

Securing Institutional Data in a Mobile World / Protecting institutional data UW Madison s annual budget is of which is research. 16

Securing Institutional Data in a Mobile World / Protecting institutional data Who would want this data? 17

Securing Institutional Data in a Mobile World / Protecting institutional data Who would want this data? Anyone for whom it has value. 18

Securing Institutional Data in a Mobile World / Protecting institutional data Unlike data breaches we may know about, we may never know about the loss of research data. 19

Securing Institutional Data in a Mobile World / Protecting institutional data Protected institutional research data: the crown jewels of UW Madison as a premier research university. 20

03 The challenge 21

Securing Institutional Data in a Mobile World / The challenge The challenge: Protect institutional data accessed via mobile devices 22

Securing Institutional Data in a Mobile World / The challenge What is Mobile Device Management (MDM)? 23

Securing Institutional Data in a Mobile World / Challenges The challenge What is Mobile Device Management? (MDM)? 24

Securing Institutional Data in a Mobile World / The challenge What is Mobile Device Management (MDM)? A way to manage, administer, and secure mobile devices University-owned devices Non-university-owned devices Bring Your Own Device (BYOD) A vehicle to secure (access to) institutional data on mobile devices, while keeping personal data segregated A tool to implement enforce university IT policies for the protection of protected institutional data 25

Securing Institutional Data in a Mobile World / The challenge What is Mobile Device Management (MDM) not? A way to spy on users personal or private data A vehicle to violate the law or UW policy A tool to arbitrarily remotely wipe devices 26

Securing Institutional Data in a Mobile World / The challenge What is Mobile Device Management (MDM)? 27

Securing Institutional Data in a Mobile World / The challenge What is possible with MDM? Centralized administration Centrally-managed deployment Security policy implementation and enforcement Inventory management and tracking Containerization for certain functions Apple Device Enrollment Program (DEP) Configuration management (apps, VPN, enterprise services) Anonymized metrics collection Internal/In-house app catalogs Remote wipe administrative measures 28

Securing Institutional Data in a Mobile World / The challenge What is not possible? Monitoring of: Text messages (SMS, MMS) Phone calls (carrier or VoIP) Photos, videos, and media Personal email and messaging accounts Web bookmarks, cookies, browsing history Voicemail or other voice messages FaceTime, imessage, Signal, Telegram, WhatsApp, etc. GPS or other location data* Metadata or historical data related to any of the above * Unless it is a business requirement, with user permission 29

Securing Institutional Data in a Mobile World / The challenge When can administrative measures be taken? User request For a university-owned device, must be authorized by the Dean or Director of the employing unit, or that unit s HR department. For a non-university-owned device, must be authorized by the Dean or Director of the employing unit, in consultation with the UW Madison Chief of Police or the Provost. If ownership of the device is uncertain, it must be treated as a non-university-owned device. 30

Securing Institutional Data in a Mobile World / The challenge If an individual is determined to intentionally misappropriate institutional data, they can do so. What we are protecting against: Unintentional loss of data and devices Misconfigured devices Lax security External threats Insider threat (mitigation) 31

Securing Institutional Data in a Mobile World / The challenge User privacy is paramount Privacy First Multitenant privacy settings for data collection and display Role-based access Custom privacy notices Self-service portal AirWatch Privacy App and Privacy Officer Data encryption of PII at database level Description of what is and is not collected Users have full control over the privacy of their personal and private information 32

Securing Institutional Data in a Mobile World / The challenge The Internet of Things (IoT) Internet of Things is shorthand for Internet of Things That Should Not be Connected to the Internet. Scott Manley 33

Securing Institutional Data in a Mobile World / The challenge The Internet of Things (IoT) Is expected to exceed 20 billion devices by 2020 Are often running custom operating systems which are also often unpatchable or unmanageable Questionable security landscape Are often be small, mobile, wearable, disposable May access (or have access to) institutional data Represent both an attack vector and attack surface But, many of these devices can be managed 34

04 What can we do? 35

Securing Institutional Data in a Mobile World / What Challenges can we do? What is Mobile Device Management? Every connected device is part of our attack surface 36

Securing Institutional Data in a Mobile World / What can we do? What is possible with MDM? Centralized administration Centrally-managed deployment Security policy implementation and enforcement Inventory management and tracking Containerization for certain functions Apple Device Enrollment Program (DEP) Configuration management (apps, VPN, enterprise services) Anonymized metrics collection Internal/In-house app catalogs Remote wipe administrative measures 37

Securing Institutional Data in a Mobile World / What can we do? What is possible with MDM? Centralized administration Centrally-managed deployment Security policy implementation and enforcement Inventory Every management one of and these tracking items was Containerization discussed for certain as a functions need at the 2016 Apple Device BYOD Enrollment and Cloud Program IT (DEP) Policy Forum Configuration management (apps, VPN, enterprise services) Anonymized metrics collection Internal/In-house app catalogs Remote wipe administrative measures 38

Securing Institutional Data in a Mobile World / What can we do? What is possible with MDM? Centralized administration Centrally-managed deployment Security policy implementation and enforcement Inventory Over management 60 IT professionals and tracking at UW Containerization Madison for responded certain functions to a 2016 Apple Device survey Enrollment indicating Program a need (DEP) for MDM Configuration management (apps, VPN, enterprise services) Anonymized metrics collection Internal/In-house app catalogs Remote wipe administrative measures 39

Securing Institutional Data in a Mobile World / What can we do? A UW Madison central MDM solution 40

Securing Institutional Data in a Mobile World / What can we do? A UW Madison central MDM solution Provides reliable, uniform, managed security to mobile devices as required for UW Madison users. Enables compliance with regulatory requirements or security best practices for mobile devices. Supports remote wipe for devices with protected institutional data that are lost or stolen. Architected as an opt-in platform as directed by Deans and Directors of university components. Hosted on premise at UW Madison in the Campus Computing Infrastructure (CCI) environment. Does not require any additional software, hardware, or other infrastructure at customer location. Is suitable for managing devices that access or process Internal, Sensitive, or Restricted Data. Supports institutionally-owned or personally-owned ( Bring Your Own Device, or BYOD) devices that access protected data classes or are under a management regime. Allows binding to departmental or organizational directory services. Does not manage, access, or manipulate private personal data on personally-owned devices. Targeted at devices or systems running Apple ios or Google Android. Supports (but does not require) Apple Device Enrollment Program (DEP) for applicable ios devices. No customer license cost during the pilot. Final license cost is being negotiated with the vendor. If successful, is intended to seamlessly transition to a UW Madison production service. 41

Securing Institutional Data in a Mobile World / What can we do? A UW Madison central MDM solution protects our institutional data. Provides reliable, uniform, managed security to mobile devices as required for UW Madison users. Enables compliance with regulatory requirements or security best practices for mobile devices. Supports remote wipe for devices with protected institutional data that are lost or stolen. Architected as an opt-in platform as directed by Deans and Directors of university components. Hosted on premise at UW Madison in the Campus Computing Infrastructure (CCI) environment. Does not require any additional software, hardware, or other infrastructure at customer location. Is suitable for managing devices that access or process Internal, Sensitive, or Restricted Data. Supports institutionally-owned or personally-owned ( Bring Your Own Device, or BYOD) devices that access protected data classes or are under a management regime. Allows binding to departmental or organizational directory services. Does not manage, access, or manipulate private personal data on personally-owned devices. Targeted at devices or systems running Apple ios or Google Android. Supports (but does not require) Apple Device Enrollment Program (DEP) for applicable ios devices. No customer license cost during the pilot. Final license cost is being negotiated with the vendor. If successful, is intended to seamlessly transition to a UW Madison production service. 42

Securing Institutional Data in a Mobile World / What can we do? Visit mobile.wisc.edu/mdm Join mdm@lists.wisc.edu Participate in the MDM discussion Deploy MDM in your department or unit Raise the issue with Deans and Directors Discuss in IT policy and governance forums Advocate for central services you believe in 43

University of Wisconsin Madison Questions or comments? mobile.wisc.edu/mdm July 13, 2017

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback