
Page 1: ISSA Houston – The Consumerization of IT

Consumerization

ISSA, January 13th 2011

Michael F. Angelo, Chief Security Architect, NetIQ Corporation
Blog: http://community.netiq.com/blogs/

Page 2: ISSA Houston – The Consumerization of IT

© 2011 NetIQ Corporation. All rights reserved.

Agenda

− What is Consumerization?
− Motivation
− How does it impact you?
− What can you do about it?
− Future

Page 3: ISSA Houston – The Consumerization of IT

What is Consumerization?

Leveraging technology that was originally directed at the consumer for business purposes.

Page 4: ISSA Houston – The Consumerization of IT

Two Aspects

− Use of consumer based services (facilities) for work − not going to cover
− Use of consumer oriented equipment and software for work (IT) − going to cover

Page 5: ISSA Houston – The Consumerization of IT

Motivation (Corporate)

− Exit the:
  − hardware inventory and repair business
  − phone / pager business
  − Internet business
− Improve productivity
− Improve employee satisfaction

Page 6: ISSA Houston – The Consumerization of IT

Motivation (Employee)

− Familiarity with O/S, software, and hardware
  − Can’t do the job with a Pentium II, 512MB, and 30GB
  − Can’t get information with IE6
  − Need features of updated applications

Page 7: ISSA Houston – The Consumerization of IT

Does it Happen???

The trend has been accelerating as the base cost of the technology has decreased and employee experience has increased.

In addition, the ever shrinking corporate budget is acting as an accelerant to the trend.

Mice, Keyboards, Monitors, WiFi Cards, Phones/PDAs, Smart phones, Laptops

Page 8: ISSA Houston – The Consumerization of IT

Does it Happen???

Corporate Stance:
− Secretive
− Ignored
− Unofficially Supported
− Officially Supported
− Subsidized

Page 9: ISSA Houston – The Consumerization of IT

Does it Happen?

“Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they’re going to have loosened control over the tools they allow in order to get it.”

-- Bruce Schneier

Page 10: ISSA Houston – The Consumerization of IT

What is the Impact?

− Information Blending
− Software Licensing
− Legislative Issues

Page 11: ISSA Houston – The Consumerization of IT

What is the Impact?

− Information Leakage
  − Family & friends
  − Device loss
  − Virus
  − Personal email – spear phishing
− Increased Exposure to Threats
  − Surfing at home <> surfing at work
  − Torrents

Page 12: ISSA Houston – The Consumerization of IT

What is the Impact?

− Acceptable use policies
  − How to apply to personal machines?
− Out processing of individuals
  − How do you know organizational data is removed from the employee machine?
    − Software
    − PST files
    − Passwords / wireless / VPN access
    − Residual data
    − Employee / corporate backups

Page 13: ISSA Houston – The Consumerization of IT

What is the Impact?

23%

‘23 percent of the largest organizations surveyed have experienced a serious breach or incident because of a personal device on the corporate network.’

− RSA Study

Page 14: ISSA Houston – The Consumerization of IT

What is the Impact?

− What is your current state?
  − Is it already there?
− Decide if you will allow Consumerization
  − Don’t wait for it to happen and then rush to formulate policy and procedures
  − Decision must explicitly include all possible components
  − Decision must be extended as new technology becomes available

Page 15: ISSA Houston – The Consumerization of IT

Action today - Define Policies

− Balance:
  − Corporate vs. Employee Accommodations
  − Corporate vs. Employee vs. Customer Exposures
− Corporate:
  − Must comply with laws
  − Must maintain fiduciary responsibility
  − Must not expose corporate assets
  − At a minimum should address
    − Employee responsibility
    − Acceptable use
    − Protection of assets

Page 16: ISSA Houston – The Consumerization of IT

Action today – Identify Infrastructure to Extend

Current tools will work, but do you want to use all of them?
− Policy Compliance Tools
− Configuration Enforcement Tools
− Security Audit Tools
− Security Vulnerability Updates
− Performance Audit Tools

Page 17: ISSA Houston – The Consumerization of IT

Action today - Incident response plan

Remember: even with policies, procedures, and tools, accidents can happen… You need an incident response plan.

Page 18: ISSA Houston – The Consumerization of IT

Additional Ideas

− Security 101:
  − Keep secret stuff separate from non-secret stuff
  − Keep corporate stuff separate from personal stuff
− Create Virtual Containers for Corporate Work
  − Provides compartmentalized facility
  − Re-boot to access corporate environment

Page 19: ISSA Houston – The Consumerization of IT

Action today - Native OS or VM on USB

− Boots OS directly from device
− Host provides mouse, keyboard, RAM
− Encryption can protect information if device is lost
− Limited to OS on device

Diagram labels: Boot Partition (Boot Loader); Encrypted OS Partition (Operating System, Applications and Files)

Page 20: ISSA Houston – The Consumerization of IT

Action tomorrow - Native OS / VM on USB + TPM

− Provides a mechanism to generate and measure system characteristics upon which a security decision can be made.
− TPM is in almost all commercial grade computers
− For more info see the Trusted Computing Group: www.trustedcomputinggroup.org

Diagram labels: Boot Partition (Secure Boot Loader); Encrypted OS Partition (Operating System, Applications and Files)
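As an added example (not part of the slides), a small Python model of the "measure, then decide" mechanism the TPM slide refers to: each boot stage's hash is extended into a Platform Configuration Register, and the key for the encrypted OS partition is released only when the final PCR equals a known-good value. The stage names and contents are constructed placeholders, and SHA-256 stands in for whatever hash the platform's TPM uses.

```python
"""Model of TPM measured boot: each boot stage is hashed and folded into a
Platform Configuration Register (PCR) with the extend operation
    PCR_new = H(PCR_old || H(component))
so the final value depends on every stage and on their order. A release
decision (unsealing the key for the encrypted OS partition) is gated on the
PCR matching a known-good value. Added example; stage contents are constructed."""
import hashlib

HASH = hashlib.sha256
PCR_INIT = bytes(32)  # PCRs start at all zeros on power-up

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: fold a component's digest into the register."""
    return HASH(pcr + HASH(component).digest()).digest()

def measure_boot(stages):
    """Extend one PCR with each stage in order; also return an event log
    (stage name, digest) so an auditor can replay the chain."""
    pcr, log = PCR_INIT, []
    for name, blob in stages:
        pcr = extend(pcr, blob)
        log.append((name, HASH(blob).hexdigest()))
    return pcr, log

def replay_log(log):
    """Recompute the PCR from the event-log digests alone."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = HASH(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr

def release_allowed(pcr: bytes, golden: bytes) -> bool:
    """Policy check: only the known-good boot chain unlocks the partition."""
    return pcr == golden

# Constructed boot chain for the USB-booted corporate environment.
GOOD_CHAIN = [
    ("boot_loader", b"secure boot loader v1 (constructed)"),
    ("kernel", b"corporate kernel image (constructed)"),
    ("initrd", b"initrd with disk-unlock tool (constructed)"),
]
GOLDEN_PCR, GOOD_LOG = measure_boot(GOOD_CHAIN)
# A modified boot loader and a reordered chain both yield a different PCR.
TAMPERED_PCR, _ = measure_boot([("boot_loader", b"patched loader (constructed)")] + GOOD_CHAIN[1:])
REORDERED_PCR, _ = measure_boot([GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]])

if __name__ == "__main__":
    for label, pcr in [("good", GOLDEN_PCR), ("tampered", TAMPERED_PCR), ("reordered", REORDERED_PCR)]:
        print(f"{label:9s} chain unlocks partition: {release_allowed(pcr, GOLDEN_PCR)}")
```

The event log lets a verifier reproduce the PCR from the recorded digests, which is how a remote party can check what actually booted rather than trusting the host's own report.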

Page 21: ISSA Houston – The Consumerization of IT

To Continue the Conversation Please See:

Twitter: @mfa007 or @NetIQ
For mine, and NetIQ, Security Blogs see: http://bit.ly/11BhzC

Page 22: ISSA Houston – The Consumerization of IT


Image Credits

http://www.flickr.com/photos/sanfranannie/3695457758/lightbox

http://www.flickr.com/photos/themuuj/3787043200/lightbox/

http://www.flickr.com/photos/nekonoir/2231873666/lightbox/

http://www.flickr.com/photos/scarpagialla/488834555/lightbox/

http://www.flickr.com/photos/schatz/484932511/lightbox/