Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
DESCRIPTION
This presentation was delivered on November 15, 2012.
TRANSCRIPT
Developing and Enforcing a Bring-Your-Own-Device (BYOD) Policy
SANS Analysts: Tony DeLaGrange, Senior Security Consultant, Secure Ideas; Ben Wright, SANS Instructor, Attorney, Technology Law Expert/Author
© 2012 The SANS™ Institute - www.sans.org
Lee Howarth, Senior Product Manager, Oracle Corporation
Tony DeLaGrange
• Security Consultant at Secure Ideas
• Over 25 Years IT Experience
– 15 Years in financial services
– Over a decade in IT Security
• Co-author of SEC571 – Mobile Device Security
• Open Source Project Lead – MobiSec & SH5ARK
• Co-chair of SANS first Mobile Device Security Summit
Topics Today
• Mobility Security Survey
• Mobile Security Policies
• Top 3 Security Practices
• Conclusions
Mobility Survey
• Full results here: www.sans.org/reading_room/analysts_program
• Focused on policies and controls
• Survey ran in the 3rd quarter of 2012
• More than 650 people responded
– From a wide range of organizations
Criticality of Mobile Policies
• It starts with the policies
– 97% believe it's important
• Yet so many don't have mobile policies
– Improvement from last year (58%)
Ends of the Spectrum
• Most stringent
– 24% do not permit personal devices to access company resources
• Most lenient
– Besides no policy at all – 14% let employees secure their own mobile devices
• Somewhere in between
– 21% manage employees' devices
– 27% use mobile sync with minimal device management controls
Top 3 Mobile Security Practices
• Authentication to corporate resources
• Access to corporate information
• Protect corporate data on devices
Authenticating Mobile Users
Controlling Access to Resources
Challenges
• How should companies implement authentication and access controls?
– User credentials?
– Location?
– Device type?
– Applications?
• Where should organizations "touch" employee devices?
– Device?
– Applications?
Protecting Corporate Data
Challenges
• How should employers ensure protection of data on lost/stolen devices?
– Wipe sensitive data?
– Wipe entire device?
– Locate the device?
– Lock/Disable the device?
• How should fraud controls be implemented?
Conclusions
• Policies are important
– 37% still don't have them
– Many are developing policies after building their controls
• Companies are most interested in
– Authentication
– Access to resources
– Data protection
• Challenges with BYOD
– Finding a balance in controls
– While not upsetting employees too much
Bring Your Own Device (BYOD) Policy
Benjamin Wright, Attorney & SANS Institute Instructor, benjaminwright.us. This is education, not legal advice.
Bring Your Own Device (BYOD)
• Rules for employees using own laptop, tablet, smartphone, webmail services for business
• Controversial topic; no perfect policy exists
• See discussions: http://goo.gl/txlCU, http://goo.gl/7bEAQ, http://goo.gl/QX6Uz, http://goo.gl/edSFF
Subpoena for Employee’s Home Hard Drive
• Local government employment dispute
• Plaintiff able to subpoena hard drive of manager’s home computer
• Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011)
Employer Liability for Security
• Massachusetts 201 CMR 17.00: PII on mobile devices must be encrypted
• Cal SB 1386 - many breach notices because of stolen, unencrypted laptops (e.g. Guin v. Brazos Higher Education)
$1.5 Million Fine + Costly Security Upgrades
• Unencrypted patient data
• Stolen laptop
• Massachusetts Eye and Ear Infirmary (hospital)
• HIPAA penalties imposed by Dept. of Health and Human Services
• http://goo.gl/acnRE
Employer Incentives
• Device and service monitoring
• Data wiping (selective or whole device)
• Encryption
• Confiscation if monitoring identifies device or service as a risk or threat
Policy/Agreement Challenges
• Warning employees
• Getting employee consent
• Employee privacy
• Liability for damage to employee data, device or service
BYOD Policy – Sample Language
• http://goo.gl/19idt
• Workable policy will come from negotiations among stakeholders
• This language tilts toward needs of employer
"Employees are informed that when they create electronic records or work product in the course of their work for the Company, the records and work product belong to the Company."
BYOD Policy
"When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to connect to Company information resources, then the Company reserves the right to take security measures relative to the device, including but not limited to inspect the device and . . ."
BYOD Policy Continued
Employees are informed, and employees agree, as follows: If the Company takes control or possession of a Device or Service, or takes security measures relative to it, then:
(a) the Company might not return the Device or Service;
(b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service;
(c) the Device or Service could be damaged, the employee could lose data and the employee's data could be disclosed to others. The Company will not be liable or responsible for such damage, loss or disclosure.
BYOD Continued
"As a matter of honor and reputation -- but not as a matter of legal liability or obligation -- the Company aspires to be forthcoming with employees as a whole about the practical impact of this Policy on employees over time."
BYOD Policy Continued
Blogs: benjaminwright.us
This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises your organization.
Any person may reuse this material freely.
Enforcing your BYOD Mobile Access Policies with Oracle Access Management
Lee Howarth, Senior Principal Product Manager, Oracle
• Establish Mobile Access Policies
– Monitor and Enforce usage
• Extend Enterprise Access to Mobile Devices
– Integrates native mobile apps, mobile web with corporate systems & information
– Access management, authorizations, API security, and fraud detection
– Device context based fine-grained authorization
• Enable Mobile Device Security Elements
– Support for native security
– Device security – jailbreak detection at login
– Device lifecycle – white-list/blacklist/lost device management
– Device fingerprinting
Mobile Access Roadmap
Mobile device connection methods
• The native web browser on the device
• Native mobile device clients acting as a web browser
• Native mobile device clients connecting to gateways or applications
Copyright © 2011, Oracle. All rights reserved
• Mobile Security Platform
– Authentication and SSO
– Strong authentication, device fingerprinting and risk-based access
– Mobile SDK
• Internet / Social Integration
• REST/Cloud interfaces
Mobile Requirements
Extend Enterprise Access
Mobile Authentication
Flexible options for devices, applications and users
Mobile Single Sign-on
Many applications, one sign-on, global logout
Mobile Security Architecture
[Architecture diagram, reconstructed from the slide text. Columns, left to right: Mobile Device | Mobile Interfaces | IDM Infrastructure | Features.]
• Mobile Device: Native App, Web App (each obtaining Authentication, Authorization and User Profile over REST, through the Oracle SDK or the Security App)
• Mobile Interfaces: REST APIs exposed by the Oracle SDK / Security App
• IDM Infrastructure: Access Management (OAM Service, OAAM Service), Directory Services, Platform Security Services (OPSS Service), User Profile Services
• Features: Device Registration, Lost & Stolen Devices, GPS/WiFi Location Awareness, Device Fingerprinting & Tracking, Risk-based KBA & OTP, Transactional risk analysis, White & Black Lists, White Pages applications, User Self Registration/Self Service
Context Aware Access Management
Account Detail Request – Get Account Information: John Doe, Irvine, CA 92602
Behavioral Patterns:
• Has he accessed between 00:00 – 03:00 in the last two months?
• Has he used this device more than 20% in the last three months?
• Does subject live in same geography as requestor?
• Does he usually perform account lookups?
• Valid credentials given from outside network, but already logged in from inside network. Which session is really who we think it is?
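The five questions on this slide, turned into a scoring function, as an added example that is not Oracle's code: each question is answered from the user's own access history, the answers are summed into a risk score, and the score maps to allow, step-up authentication, or deny. The event fields, the point values, the 25/70 bands and the sample history for the user "jdoe" are all constructed assumptions for illustration.

```python
"""Risk scoring of the behavioural signals listed on the slide.

Added example, not Oracle code. The signals, the point values and the
allow / step-up / deny bands are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AccessEvent:
    user: str
    when: datetime
    device_id: str
    region: str        # coarse geography of the requester, e.g. "CA"
    action: str
    from_inside: bool  # True if the request came from the corporate network


@dataclass(frozen=True)
class Request(AccessEvent):
    subject_region: str  # geography of the account being looked up


# Assumed policy bands: below ALLOW_MAX allow, below DENY_MIN require
# step-up authentication (OTP / KBA), otherwise deny.
ALLOW_MAX = 25
DENY_MIN = 70


def _share(events: List[AccessEvent], pred) -> float:
    """Fraction of events satisfying pred; 0.0 when there is no history."""
    if not events:
        return 0.0
    return sum(1 for e in events if pred(e)) / len(events)


def score_request(req: Request, history: List[AccessEvent],
                  active_sessions: List[AccessEvent]) -> Dict:
    """Evaluate the slide's questions against the requesting user's history."""
    score, reasons = 0, []
    mine = [e for e in history if e.user == req.user]
    last_60d = [e for e in mine if e.when >= req.when - timedelta(days=60)]
    last_90d = [e for e in mine if e.when >= req.when - timedelta(days=90)]

    # Has he accessed between 00:00 and 03:00 in the last two months?
    if req.when.hour < 3 and not any(e.when.hour < 3 for e in last_60d):
        score += 30
        reasons.append("off-hours access with no off-hours history")

    # Has he used this device more than 20% in the last three months?
    if _share(last_90d, lambda e: e.device_id == req.device_id) <= 0.20:
        score += 25
        reasons.append("device rarely or never seen for this user")

    # Does the subject live in the same geography as the requester?
    if req.subject_region != req.region:
        score += 15
        reasons.append("requester and subject in different geographies")

    # Does he usually perform this kind of lookup?
    if _share(last_90d, lambda e: e.action == req.action) < 0.10:
        score += 15
        reasons.append("action unusual for this user")

    # Valid credentials from outside, but a session is already open inside.
    if not req.from_inside and any(
            s.user == req.user and s.from_inside for s in active_sessions):
        score += 40
        reasons.append("concurrent inside session while logging in from outside")

    if score < ALLOW_MAX:
        decision = "allow"
    elif score < DENY_MIN:
        decision = "step_up"
    else:
        decision = "deny"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed history: jdoe does 10:00 account lookups from his phone inside
# the network once a week, plus one update from a tablet.
NOW = datetime(2012, 11, 15, 10, 0)
HISTORY = [
    AccessEvent("jdoe", NOW - timedelta(days=7 * i + 1), "phone-1", "CA",
                "getAccountInfo", True)
    for i in range(12)
] + [AccessEvent("jdoe", NOW - timedelta(days=3), "tablet-2", "CA",
                 "updateAccount", True)]
SESSIONS = [AccessEvent("jdoe", NOW - timedelta(minutes=20), "phone-1",
                        "CA", "login", True)]

ROUTINE = Request("jdoe", NOW, "phone-1", "CA", "getAccountInfo", True, "CA")
LATE = Request("jdoe", datetime(2012, 11, 16, 1, 30), "phone-1", "CA",
               "getAccountInfo", True, "CA")
SUSPICIOUS = Request("jdoe", datetime(2012, 11, 16, 1, 30), "unknown-3",
                     "NY", "deleteAccount", False, "CA")

if __name__ == "__main__":
    for r in (ROUTINE, LATE, SUSPICIOUS):
        print(r.device_id, score_request(r, HISTORY, SESSIONS))
```

The routine lookup scores 0 and is allowed; the same lookup at 01:30 trips only the off-hours signal and is sent to step-up; the 01:30 request from an unseen device in another region, from outside while an inside session is open, accumulates every signal and is denied. A user with no history at all is scored as unfamiliar on every signal, which is the safe default.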
Mobile Authorization & Data Redaction
[Diagram: HTTP / REST / SOAP / OAuth clients → Oracle Enterprise Gateway → Customer Service (getCustomerDetail, updateCustomer, deleteCustomer, …); the gateway obtains the authorization decision from Oracle Entitlements Server.]
Request:
isAuthorized(user = Bob Doe, Acme Corp; Device = iOS 5.0, non-registered; Location = 37.53043790,-122.26648800; customerId = 99999; action = getCustomerDetail)
Response (SSN and credit card number redacted):
{ "CustomerDetailResponse": { "customerID": "99999", "name": "Sally Smith", "phone": "555-1234567", "SSN": "***********", "creditCardNo": "@^*%&@$#%!", "purchaseHistory": "…" } }
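The decision-and-redaction flow on this slide, as an added example that is not Oracle Entitlements Server or Oracle Enterprise Gateway code: a policy function takes the request context (user, roles, device registration, location, action) and returns a permit/deny decision plus the list of response fields to strip; the gateway applies the decision to the backend record before it leaves. The roles, the 50 km geofence around an assumed office location (the slide's coordinates are reused for it), the per-action rules, the fixed-length mask and the customer record are constructed assumptions.

```python
"""Context-based authorization with field-level redaction.

Added example, not Oracle Entitlements Server or Enterprise Gateway code.
The roles, the geofence around an assumed office location and the
redaction rules are assumptions for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed office location; the slide's coordinates are reused for it.
OFFICE = (37.53043790, -122.26648800)
GEOFENCE_KM = 50.0
MASK = "***********"          # fixed length so the mask leaks nothing
SENSITIVE_FIELDS = ("SSN", "creditCardNo")


@dataclass(frozen=True)
class RequestContext:
    user: str
    roles: FrozenSet[str]
    device_os: str
    device_registered: bool
    location: Tuple[float, float]
    customer_id: str
    action: str


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def is_authorized(ctx: RequestContext) -> Dict:
    """Decide permit/deny and which fields to redact; deny by default."""
    trusted = (ctx.device_registered
               and haversine_km(ctx.location, OFFICE) <= GEOFENCE_KM)
    if ctx.action == "getCustomerDetail":
        # Read access is allowed on any device, but sensitive fields only
        # reach a registered device inside the geofence.
        if ctx.roles & {"support", "admin"}:
            return {"permit": True,
                    "redact": [] if trusted else list(SENSITIVE_FIELDS)}
    elif ctx.action == "updateCustomer":
        if ctx.roles & {"support", "admin"} and trusted:
            return {"permit": True, "redact": []}
    elif ctx.action == "deleteCustomer":
        if "admin" in ctx.roles and trusted:
            return {"permit": True, "redact": []}
    return {"permit": False, "redact": []}   # unknown action or no rule matched


def redact(record: Dict, fields: List[str]) -> Dict:
    """Return a copy of record with the named fields replaced by MASK."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = MASK
    return out


def handle_request(ctx: RequestContext, record: Dict) -> Dict:
    """Gateway behaviour: consult the decision, then filter the response."""
    decision = is_authorized(ctx)
    if not decision["permit"]:
        return {"error": "forbidden", "action": ctx.action}
    return {"CustomerDetailResponse": redact(record, decision["redact"])}


# Constructed backend record; SSN and card number are fake test values.
CUSTOMER_99999 = {
    "customerID": "99999",
    "name": "Sally Smith",
    "phone": "555-1234567",
    "SSN": "000-00-0000",
    "creditCardNo": "4111111111111111",
    "purchaseHistory": ["2012-10-01 order 8812", "2012-11-02 order 9031"],
}

# The slide's request: a support user on an unregistered iOS device.
SLIDE_REQUEST = RequestContext("Bob Doe", frozenset({"support"}), "iOS 5.0",
                               False, OFFICE, "99999", "getCustomerDetail")

if __name__ == "__main__":
    import json
    print(json.dumps(handle_request(SLIDE_REQUEST, CUSTOMER_99999), indent=2))
```

Two design points worth noting: the policy lives outside the customer service, which only ever sees the decision (the slide's "externalize authorization policies from application code"), and redaction works on a copy with a constant-length mask, so the backend record is untouched and the response reveals neither the value nor its length.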
Detailed Mobile Visibility
Realtime and historic device and user access attempts and risk scores
Device characteristics analysis, including OS and SDK versions
Oracle Mobile Access Technology
• Oracle Enterprise Gateway
– Enables mobile application REST APIs and protects APIs, web services, and SOA infrastructure from external threats and invalid / suspicious requests
– Extends Access Management with authentication, authorization, and audit to REST APIs and web services
• Oracle Access Management Suite+
– Mobile Identity and Access
– Authentication, Registration, and User Profile Services for Mobile
– Last-mile security for an organization's backend web services and SOA infrastructure
– Device Fingerprinting and Registration Database
– Risk-Based Authentication that Factors Mobile Context
– Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context
– Externalize Authorization Policies from Application Code
Oracle Mobile Access Management Summary
• Bridges the gap between mobile devices and enterprise IDM systems
• Provides context-driven, risk-aware access management
• Simplifies developer access to IDM
• Supports BYOD
• Provides visibility and control
[Diagram: Mobile Access Management at the centre, surrounded by REST-ful Interfaces, Single Sign-on, Location Data, Device Registration, Device Context]
Q&A
If we don’t answer your question during the webcast, we will
post a follow up on:
http://blogs.oracle.com/oracleidm
Thank You!
Associated Paper: http://www.sans.org/reading_room/analysts_program/SANS-survey-mobility.pdf