rsa-byoc-110216214253-phpapp02
TRANSCRIPT
-
8/2/2019 rsa-byoc-110216214253-phpapp02
John Whaley
CTO, MokaFive
BYOC: Securing Untrusted, Employee-Owned Desktops
-
Agenda
What is BYOC?
Techniques for BYOC
BYOC Security Considerations
Keys to a Successful BYOC Deployment
-
BYOC: Securing Untrusted, Employee-Owned Desktops
-
What is BYOC?
BYOC = Bring your own Computer
a.k.a. BYOPC, BYOL
Three models:
1. Employer provides a stipend for the employee to purchase their laptop of choice, which will then be owned by the employee.
2. Employee chooses laptop from a list of pre-approved machines.
3. Employee is given instructions on how to connect to corporate resources, but can use any machine.
-
Why BYOC?
User demand
Choice computing
Executive bling
Extension of smartphones
New generation millennials
Business demand
Reduce hardware assets
Part-time workers, contractors
Enable work from anywhere
Happy employees = productive employees
Bottom line: Users are doing it, with or without IT
-
What you can apply from this session
At the end of this session, you will be able to:
Understand the predominant models for BYOC and their relative strengths and weaknesses
Evaluate the security of a BYOC solution
Avoid common pitfalls in BYOC
Plan a successful BYOC deployment
-
Users vs IT
-
Example: Citrix BYOC Program
$2100 stipend (taxable)
About 50% employees opt in to program
40% of those in the program chose Macs
Employees often chipped in their own money to get a better machine
After a three month pilot in US, rolled out globally
-
How to deliver services?
Technique 1: Provide essential services via web applications
Technique 2: Provide a remote desktop (VDI or TS) session
Technique 3: Provide virtualized applications that run locally
Technique 4: Provide managed corporate virtual machine to run locally
-
Technique 1:
Port everything to the web
Good: Access from any device
Bad: Takes a long time to rewrite all your apps, no offline access
-
Technique 2:
Remote Desktop to VDI or TS
Good: Access from many devices
Bad: Requires major server infrastructure
Can't run offline
Bad interactive performance
-
Technique 3:
Application Virtualization
Good: Can run locally, but managed centrally
Bad: Not cross-platform, not very secure (the virtualized application still runs inside the untrusted host OS, so host malware can reach it)
-
Technique 4:
Client-side Virtual Machine
Good: Secure, personalized, offline access, cross-platform, local execution, easy recovery
Bad: Minimum HW requirement
-
Securing the endpoint device
Need to treat BYOC as an untrusted device
No VPN
DLP
Host checker
Two-factor authentication
Keyloggers, screen scrapers
Encryption of data-at-rest
Domain join and group policies
Access control, remote management of corporate data
Security policy enforcement
-
Threat Models
Malicious employees
Malware infections
Screen scrapers or keyloggers
Generic viruses/worms
Targeted malware
Lost or stolen laptops, borrowed machines
Targeted attacks and espionage
-
Dealing with Infected Endpoint Devices
Anti-virus and anti-malware
OS patch level
Network quarantine
Keyloggers and screen-scrapers
Data loss prevention
-
Enterprise-Level Layered Security
7 Layers of Security
Anti-virus scan of host PC
Full virtual machine encapsulation
AES-256 encryption
Tamper resistance and copy protection
AD and two-factor authentication
Granular security policies
Remote kill
-
Anti-virus scan of host PC
Protects against most known attacks/malware
Policy enforcement: Maximum age of signature file
Periodic scan frequency
Automatic keyboard/screen lock until scan completes
-
Full virtual machine encapsulation
Protects against non-targeted attacks
Run on a separate, locked-down operating system
Rejuvenate to latest golden system disk on every boot
Out-of-band updates of golden system disk
Device passthrough of keyboard/mouse and video card foils most keyloggers/screen scrapers
Hardware support for encapsulation (VT-x, VT-d)
-
AES-256 encryption
Encryption of data-at-rest protects against lost/stolen laptops
Key escrow
Dealing with lost/changed passwords
Administrator unlock without user password
Don't forget swap space!
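The key escrow and administrator-unlock points above, as a worked example. This is an added illustration, not MokaFive's implementation: the header layout, the slot labels, the PBKDF2 iteration count and the escrow key being a random 256-bit key held only by the management server are all assumptions made for this example. The volume key that encrypts the virtual disk is wrapped twice with AES-256-GCM, once under a key derived from the user's password and once under the escrow key, so an administrator can recover the key without the user's password and, after a lost password, rewrap only the user slot instead of re-encrypting the disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Slot is one wrapped copy of the 32-byte volume key: AES-256-GCM under a
// key-encryption key (KEK), with the slot label as associated data so a user
// slot cannot be moved into the escrow position. Header sits at the front of
// the encrypted virtual disk and carries the same key wrapped once for the
// user's password and once for an escrow key only the management server holds.
type (
	Slot   struct{ Salt, Nonce, Wrapped []byte }
	Header struct{ User, Escrow Slot }
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without randomness there is no safe way to continue
	}
	return b
}

// userKEK stretches the password with PBKDF2-HMAC-SHA-256 (RFC 8018). One
// block suffices because a single SHA-256 output is exactly an AES-256 key.
func userKEK(password string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(password))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // iteration count (assumed) slows offline guessing
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newAEAD returns AES-256-GCM for a 32-byte KEK; neither constructor can fail for a valid key.
func newAEAD(kek []byte) cipher.AEAD {
	if len(kek) != 32 {
		panic("KEK must be 32 bytes")
	}
	block, _ := aes.NewCipher(kek)
	aead, _ := cipher.NewGCM(block)
	return aead
}

func wrap(kek, volumeKey []byte, label string) Slot {
	aead := newAEAD(kek)
	nonce := randBytes(aead.NonceSize())
	return Slot{Nonce: nonce, Wrapped: aead.Seal(nil, nonce, volumeKey, []byte(label))}
}

// unwrap fails on a wrong KEK, a modified slot, or a slot under the wrong label.
func unwrap(kek []byte, s Slot, label string) ([]byte, error) {
	return newAEAD(kek).Open(nil, s.Nonce, s.Wrapped, []byte(label))
}

// wrapUser picks a fresh salt, derives the user's KEK and wraps the key.
func wrapUser(password string, volumeKey []byte) Slot {
	salt := randBytes(16)
	s := wrap(userKEK(password, salt), volumeKey, "user")
	s.Salt = salt
	return s
}

// NewHeader generates a fresh volume key at enrollment and wraps it for both
// parties. escrowKey is generated and kept by the management server, never the laptop.
func NewHeader(password string, escrowKey []byte) (Header, []byte) {
	vk := randBytes(32)
	return Header{User: wrapUser(password, vk), Escrow: wrap(escrowKey, vk, "escrow")}, vk
}

// UnlockWithPassword is the normal boot path.
func UnlockWithPassword(h Header, password string) ([]byte, error) {
	return unwrap(userKEK(password, h.User.Salt), h.User, "user")
}

// UnlockWithEscrow is the administrator path: no user password involved.
func UnlockWithEscrow(h Header, escrowKey []byte) ([]byte, error) {
	return unwrap(escrowKey, h.Escrow, "escrow")
}

// ResetPassword handles a lost or changed password: recover the volume key
// via escrow and rewrap only the user slot. The disk itself is untouched.
func ResetPassword(h *Header, escrowKey []byte, newPassword string) error {
	vk, err := UnlockWithEscrow(*h, escrowKey)
	if err != nil {
		return err
	}
	h.User = wrapUser(newPassword, vk)
	return nil
}
```

What this does not cover is the slide's warning about swap space: while the VM runs, the unwrapped volume key and the guest's plaintext sit in RAM, and the host operating system may page that memory to an unencrypted swap or hibernation file. That exposure has to be handled by the encapsulation layer, not by the header format.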
-
AD and two-factor authentication
Use RSA SecurID or other second-factor authentication
Protects against lost password, lost device; limits exposure window
-
Security policies
Targeting security policies by AD group
Offline lease time: Maximum time a user can run without checking in
Auto-kill: Self-destruct after a given time
Version enforcement: Ensure users have latest security patches
Peripheral restrictions: USB devices, microphone, printing, CD/DVD, etc.
AD group policies: Use existing AD policy sets
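The anti-virus slide (maximum signature age, scan frequency, lock until a scan completes) and the policies above (offline lease, auto-kill, version enforcement) come down to one decision: compare what the host checker reports against the policy for the user's AD group and apply the most severe consequence. The Go code below is an added example of that evaluation, not MokaFive's client; the policy fields, thresholds, integer patch levels and decision names are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the action the client enforces after comparing the host's
// reported posture with the policy for the user's AD group. The constants are
// ordered from least to most severe so escalation is a plain comparison.
type Decision int

const (
	Allow         Decision = iota // run the corporate VM normally
	LockUntilScan                 // keyboard/screen lock until AV update and scan complete
	Quarantine                    // no corporate network access until remediated
	Kill                          // offline past the auto-kill point: wipe the local VM
)

func (d Decision) String() string {
	return [...]string{"Allow", "LockUntilScan", "Quarantine", "Kill"}[d]
}

// Policy holds the knobs named on the slides; every value used here is illustrative.
type Policy struct {
	MaxSignatureAge  time.Duration // newest AV signature file may be at most this old
	ScanInterval     time.Duration // a full scan must have finished within this window
	OfflineLease     time.Duration // maximum run time without a check-in
	AutoKillAfter    time.Duration // time since last check-in after which the VM self-destructs
	MinGoldenDiskVer int           // version enforcement: oldest acceptable golden disk
	MinOSPatchLevel  int           // oldest acceptable host OS patch level
}

// Posture is what the host checker collected on the untrusted machine.
type Posture struct {
	SignatureDate time.Time // timestamp of the installed AV signature file
	LastScan      time.Time // completion time of the last full AV scan
	LastCheckIn   time.Time // last successful check-in, as stamped by the management server
	GoldenDiskVer int
	OSPatchLevel  int
}

// Evaluate returns the most severe decision any rule produces, plus every
// reason, so the user prompt and the audit log both say why access changed.
func Evaluate(p Policy, h Posture, now time.Time) (Decision, []string) {
	decision, reasons := Allow, []string{}
	escalate := func(d Decision, why string) {
		reasons = append(reasons, why)
		if d > decision {
			decision = d
		}
	}

	// The host clock belongs to the user. If it now reads earlier than the
	// last server-stamped check-in, it was rolled back to stretch the lease.
	if now.Before(h.LastCheckIn) {
		escalate(Quarantine, "host clock earlier than last check-in (clock rollback?)")
	}
	switch offline := now.Sub(h.LastCheckIn); {
	case offline > p.AutoKillAfter:
		escalate(Kill, fmt.Sprintf("offline %v exceeds auto-kill limit %v", offline, p.AutoKillAfter))
	case offline > p.OfflineLease:
		escalate(Quarantine, fmt.Sprintf("offline %v exceeds lease %v", offline, p.OfflineLease))
	}
	if h.GoldenDiskVer < p.MinGoldenDiskVer {
		escalate(Quarantine, fmt.Sprintf("golden disk v%d older than required v%d", h.GoldenDiskVer, p.MinGoldenDiskVer))
	}
	if h.OSPatchLevel < p.MinOSPatchLevel {
		escalate(Quarantine, fmt.Sprintf("host patch level %d below required %d", h.OSPatchLevel, p.MinOSPatchLevel))
	}
	if age := now.Sub(h.SignatureDate); age > p.MaxSignatureAge {
		escalate(LockUntilScan, fmt.Sprintf("AV signatures %v old, limit %v", age, p.MaxSignatureAge))
	}
	if since := now.Sub(h.LastScan); since > p.ScanInterval {
		escalate(LockUntilScan, fmt.Sprintf("last full scan %v ago, limit %v", since, p.ScanInterval))
	}
	return decision, reasons
}

// DefaultPolicy is a constructed policy set for one AD group.
var DefaultPolicy = Policy{
	MaxSignatureAge:  3 * 24 * time.Hour,
	ScanInterval:     7 * 24 * time.Hour,
	OfflineLease:     5 * 24 * time.Hour,
	AutoKillAfter:    30 * 24 * time.Hour,
	MinGoldenDiskVer: 12,
	MinOSPatchLevel:  3,
}

func main() {
	now := time.Date(2011, 2, 16, 9, 0, 0, 0, time.UTC)
	host := Posture{SignatureDate: now.Add(-10 * 24 * time.Hour), LastScan: now.Add(-2 * 24 * time.Hour),
		LastCheckIn: now.Add(-2 * time.Hour), GoldenDiskVer: 12, OSPatchLevel: 3}
	d, why := Evaluate(DefaultPolicy, host, now)
	fmt.Println(d, why) // LockUntilScan [AV signatures 240h0m0s old, limit 72h0m0s]
}
```

One detail that matters on a user-owned machine: the offline lease is measured with the host clock, which the user controls. The check above treats a clock that reads earlier than the last server-stamped check-in as a lease violation rather than silently granting more time; the lease should also be re-anchored to server time on every successful check-in.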
-
Remote kill
Can mark a device as lost or stolen
Device receives a kill pill, securely zeroes all data and sends back confirmation
Mitigates risk from a lost device or rogue employee/contractor
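The kill pill exchange described on this slide, as an added example in Go. It is not MokaFive's protocol: the message layout, the Ed25519 keys, the sequence-number replay check and the device identifiers are assumptions made for this illustration. The server signs an order bound to one device ID and a sequence number; the device verifies it before changing any state, zeroes the volume key that protects its encrypted VM, and returns a signed confirmation the console can verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KillPill is the management server's order. DeviceID pins it to one laptop
// and Sequence makes it single-use, so a pill captured on the wire cannot be
// replayed against a device that has since been re-enrolled.
type KillPill struct {
	DeviceID string
	Sequence uint64
	Sig      []byte // Ed25519 by the server over pillBytes("kill:", DeviceID, Sequence)
}

// Confirmation is the device's signed receipt so the console can mark the wipe done.
type Confirmation struct {
	DeviceID string
	Sequence uint64
	Sig      []byte
}

// Device is the client agent's state. DiskKey is the AES-256 volume key of the
// corporate VM, held in RAM only while the VM runs; zeroing it (and the wrapped
// copies on disk) is what makes the encrypted VM unrecoverable.
type Device struct {
	ID       string
	ServerPK ed25519.PublicKey
	LastSeq  uint64
	DiskKey  []byte
	Wiped    bool
	signKey  ed25519.PrivateKey // per-device key enrolled with the server (assumed)
}

func NewDevice(id string, serverPK ed25519.PublicKey, signKey ed25519.PrivateKey) *Device {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Device{ID: id, ServerPK: serverPK, DiskKey: key, signKey: signKey}
}

// pillBytes is the canonical signed message: a domain tag, the 8-byte
// big-endian sequence, then the device ID. The tag keeps a pill signature
// from being mistaken for a confirmation or any other message either side signs.
func pillBytes(tag, id string, seq uint64) []byte {
	b := append([]byte(tag), 0, 0, 0, 0, 0, 0, 0, 0)
	binary.BigEndian.PutUint64(b[len(tag):], seq)
	return append(b, id...)
}

// IssueKillPill is the server side: sign the order for one device.
func IssueKillPill(serverSK ed25519.PrivateKey, id string, seq uint64) KillPill {
	return KillPill{DeviceID: id, Sequence: seq, Sig: ed25519.Sign(serverSK, pillBytes("kill:", id, seq))}
}

// Receive checks the pill before touching any state: right device, genuine
// server signature, and a sequence newer than anything already honoured.
// Only then is the key zeroed and a signed confirmation produced.
func (d *Device) Receive(p KillPill) (*Confirmation, error) {
	if p.DeviceID != d.ID {
		return nil, errors.New("kill pill addressed to another device")
	}
	if !ed25519.Verify(d.ServerPK, pillBytes("kill:", p.DeviceID, p.Sequence), p.Sig) {
		return nil, errors.New("kill pill signature invalid")
	}
	if p.Sequence <= d.LastSeq {
		return nil, errors.New("kill pill replayed or out of date")
	}
	d.LastSeq = p.Sequence
	for i := range d.DiskKey {
		d.DiskKey[i] = 0 // the wrapped key slots on disk are overwritten the same way
	}
	d.Wiped = true
	sig := ed25519.Sign(d.signKey, pillBytes("confirm:", p.DeviceID, p.Sequence))
	return &Confirmation{DeviceID: p.DeviceID, Sequence: p.Sequence, Sig: sig}, nil
}

// VerifyConfirmation is the server side again: accept the receipt only if the
// enrolled device key signed it for exactly this pill.
func VerifyConfirmation(devicePK ed25519.PublicKey, c Confirmation) bool {
	return ed25519.Verify(devicePK, pillBytes("confirm:", c.DeviceID, c.Sequence), c.Sig)
}
```

Zeroing the 32-byte volume key and its wrapped copies is what makes "securely zeroes all data" fast: gigabytes of ciphertext become unrecoverable without touching them. A pill only reaches a device that comes online, which is why the offline lease and auto-kill timer exist alongside it.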
-
More Challenges to BYOC
Supporting diverse platforms (Mac, etc.)
Offline access
Legal
Organizational / Political
-
Supporting Diverse Platforms
Mac support
Data shows Macs require much less support
No mature, robust management tools for OSX hosts yet
Best: Provide corporate Windows environment for Mac users
Windows 7 support
Can provide virtual Windows XP environment for now, upgrade to Win7 once corp standardizes on it
Hardware support
Give minimum hardware specs for BYOPC
Require support package from vendor
-
Legal Challenges
Who owns the hardware? Who owns the software? Who owns the data?
Mixing corporate and personal on the same device
Liability concerns
Software licensing
What to do when someone is terminated or leaves the company?
Not much different than BYO smartphone, work-from-home
One solution: Put corporate environment on separate USB or SD card
Need a way to reclaim licenses, erase corporate data (poison pill)
-
Organizational and Political Challenges
Most common: Business wants it done, but IT dragging feet
Refocusing IT staff to focus on services, not hardware
Education: "You are making me buy my own machine?"
-
Results
Significant proportion choose Macs
Increased machine usage
More work on weekends and after hours
Fewer support calls
Users more tolerant and responsible, willing to learn
Fewer lost devices
Take better care because they are invested in it
-
Key Takeaways
1. Focus on securing the data, not the device
2. Good security practices are essential, with or without BYOC
3. BYOC can save money, reduce support calls, and lead to happier users