Creating Security for BYOD Current Approaches


Academic year: 2021


(1)

Patrik Ekdahl

Ericsson Research - Security

Creating Security for BYOD

(2)

Bring Your Own Device

“BYOD refers to the act of employees using their personal mobile devices for work-related purposes.”

- Mason report 2012

- Consumerisation: IT departments are too slow to adopt.
- Personalisation: need for employees to feel unique.
- Work-life integration: the traditional workday no longer exists; drive for more flexible technology solutions.
- Productivity enhancement: using familiar technologies; increased availability.
- Cost

(3)

History

- 2000: Blackberry 957
- 2007: iPhone
- 2008: HTC Dream
- 2010: Several larger companies implement
- 2012: NIST draft on guidelines for BYOD security
- 2013

(4)

Corporate access

Blackberry style

Diagram: the device reaches the corporate network (Mail Server, Internet Gateway, VPN, Internal Data) over the Internet through a BES (BlackBerry Enterprise Server).

(6)

Corporate access

Mobile Device Management style

Diagram: an MDM Frontend at the edge of the corporate network fronts the MDM Application, the Exchange Server (Mail, Calendar) and Internal Data (proprietary data access).

(7)

Today’s landscape

IT’s support of BYOD (all devices, US SMEs): Yes 45 %, No 51 %, Don’t know 4 %.

Chart: percent of employees who bring their own smartphone, grouped by share of the company (0, 1-25, 26-49, 50, 51-74, 75-99, 100, Don’t know); y-axis 0-25 %.

Reality: in more than 90 % of the companies, people bring

(11)

Some more numbers..

72 % of IT executives surveyed say that employees are using unsupported devices or apps because of personal preference, not because they need them to do critical work. (from a UniSys survey 2012)

75 % of IT organizations don't let people use their own apps for work purposes, with a substantial subset saying such usage should be grounds for dismissal.

38 % of the employees decided to ignore such edicts. These people are the ones who drive the business and tend to be in positions of authority.

IT is more likely to block Angry Birds than to provide secured alternatives to public cloud storage.

(12)

Information owner model

Device owner:
- Execute any apps they like.
- Trust that data will not be viewed/erased by enterprise actions.
- Detach from an enterprise without losing personal data.

Information owners (Device owner, Company, Bank, ...):
- Trust the device to protect data, access data, process data and store data.
- Terminate access to their data at any time.

(13)

Device architecture

- Hardware Context: Application Processor, Baseband Processor, Memories, Peripherals, ROM Code
- Firmware Context: Bootloader, Initialization Code
- OS Context: Kernel
- Application Contexts

(15)

Information Domains

- Firmware Context: Bootloader, Initialization Code
- OS Context: Kernel
- Application Contexts: APP-1, APP-2, APP-3, APP-4, APP-5
- Information (domains alongside the application contexts)

(18)

Data access

Application Contexts: APP-1, APP-2, APP-3, APP-4, APP-5
Information Contexts: IO-1, IO-2, IO-3, IO-4, IO-5
Policies sit between the two.

(20)

Sealing the information

Diagram: in the Rich OS, APP-1, APP-2 and APP-3 reach the information contexts IO-1, IO-2 and IO-3 only through the Policy Enforcement Engine (Policy Enf. Engine).

(22)

Measuring

Diagram: the same picture as for sealing; in the Rich OS, APP-1, APP-2 and APP-3 reach IO-1, IO-2 and IO-3 through the Policy Enforcement Engine, which measures them.

(24)

Check point

Diagram: Rich Environment (Rich OS with APP-1, APP-2, APP-3) and Trusted Environment (Policy Enf. Engine guarding IO-1, IO-2, IO-3).

Device owner:
- Execute any apps they like.
- Trust that data will not be viewed/erased by enterprise actions.
- Detach from an enterprise without losing personal data.

Information owners:
- Trust the device to protect data, access data, process data and store data.

(25)

Trusted Applications

Diagram: Rich OS running APP-1, APP-2, APP-3; Trusted Kernel (with PEnE) running TA-1, TA-2, TA-3, backed by Secure Storage.

(26)

Anchoring

Diagram: the same split, now labelled as a Rich Environment (Rich OS, APP-1, APP-2, APP-3) and a Trusted Environment (Trusted Kernel with PEnE, TA-1, TA-2, TA-3, Secure Storage).

(27)

Anchoring

Diagram: Trusted Kernel (with PEnE), TA-1, TA-2, TA-3, Secure Storage.

Roots of trust:
- Execution
- Storage
- Verification
- Reporting
- Measurement

Isolation from Rich OS
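The data-access, sealing and measuring slides above, and the measurement root of trust, can be sketched as one small model: a policy enforcement engine that lets an application reach an information owner's data only if the app's measurement is in that owner's policy, and that lets any owner terminate access without touching the other owners' data. This is an added example, not code from the slides or from Ericsson; the class and function names (PolicyEnforcementEngine, InformationOwner, measure), the sample application images and the use of SHA-256 as the measurement are assumptions made for illustration.

```python
"""Toy policy enforcement engine (PEnE) for the information-owner model.
Added illustration, not the slides' or Ericsson's code. Names, the sample
application images and SHA-256 as the measurement are assumptions."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for measured application images (APP-1, APP-2).
MAIL_APP = b"corp-mail-app v1.0"
GAME_APP = b"casual-game-app v3.2"


def measure(app_image: bytes) -> str:
    """Measurement root of trust, modelled as a SHA-256 of the app image."""
    return hashlib.sha256(app_image).hexdigest()


@dataclass
class Policy:
    allowed_measurements: set   # measurements of apps this owner trusts
    allowed_ops: set            # subset of {"access", "process", "store"}


@dataclass
class InformationOwner:
    """One information context (IO-n): an owner, its policy, its sealed data."""
    name: str
    policy: Policy
    data: dict = field(default_factory=dict)
    active: bool = True


class PolicyEnforcementEngine:
    """Every app request for an owner's data passes through here."""

    def __init__(self):
        self.owners = {}
        self.audit = []   # decisions, as a device-side log

    def enroll(self, owner: InformationOwner):
        self.owners[owner.name] = owner

    def _deny(self, app_id, owner_name, op, reason):
        self.audit.append(f"DENY app={app_id} owner={owner_name} op={op}: {reason}")
        return None

    def request(self, app_id, app_image, owner_name, op, key, value=None):
        """Check owner, measurement and operation before touching the data."""
        owner = self.owners.get(owner_name)
        if owner is None or not owner.active:
            return self._deny(app_id, owner_name, op, "owner unknown or access terminated")
        if measure(app_image) not in owner.policy.allowed_measurements:
            return self._deny(app_id, owner_name, op, "app measurement not trusted by owner")
        if op not in owner.policy.allowed_ops:
            return self._deny(app_id, owner_name, op, "operation not permitted")
        self.audit.append(f"ALLOW app={app_id} owner={owner_name} op={op} key={key}")
        if op == "store":
            owner.data[key] = value
            return True
        return owner.data.get(key)

    def terminate(self, owner_name):
        """An information owner ends access at any time; its sealed data is wiped.
        Other owners' data (e.g. the device owner's) is untouched."""
        owner = self.owners[owner_name]
        owner.active = False
        owner.data.clear()


def demo():
    """Walk through the owner-model requirements; returns the outcomes."""
    pene = PolicyEnforcementEngine()
    all_ops = {"access", "process", "store"}
    pene.enroll(InformationOwner("Company", Policy({measure(MAIL_APP)}, all_ops)))
    pene.enroll(InformationOwner("Device owner",
                                 Policy({measure(MAIL_APP), measure(GAME_APP)}, all_ops)))
    out = {}
    out["store_mail"] = pene.request("APP-1", MAIL_APP, "Company", "store", "inbox", "Q3 forecast")
    out["read_mail"] = pene.request("APP-1", MAIL_APP, "Company", "access", "inbox")
    # A personal app the company does not trust cannot reach company data.
    out["game_reads_mail"] = pene.request("APP-2", GAME_APP, "Company", "access", "inbox")
    # A modified mail app has a different measurement and is refused too.
    out["tampered_app"] = pene.request("APP-1", MAIL_APP + b"\x00", "Company", "access", "inbox")
    pene.request("APP-2", GAME_APP, "Device owner", "store", "photos", "holiday.jpg")
    # The company withdraws; the device owner's data survives the detach.
    pene.terminate("Company")
    out["company_after"] = pene.request("APP-1", MAIL_APP, "Company", "access", "inbox")
    out["personal_after"] = pene.request("APP-2", GAME_APP, "Device owner", "access", "photos")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audit list is the check point's view of what happened: each denial records which of the three gates (owner state, measurement, operation) refused the request, which is what a management server would want reported.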

(30)

Management

Diagram: on the device, a Rich Environment (Rich OS with APP-1, APP-2, APP-3) and a Trusted Environment (Trusted Kernel with PEnE, TA-1, TA-2, TA-3, Secure Storage); on the other side, a Corporate Server.

Administration data packages from the Corporate Server: install / uninstall, key provisioning, state enquiring.

Over the TLS connection: data fetch, state reporting.
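The management exchange on the slide above, as an added example rather than the slides' or Ericsson's code: the corporate server provisions a per-device key into the trusted environment's secure storage, sends a state enquiry carrying a fresh nonce, and the trusted environment answers with a state report keyed under the provisioned key. The HMAC-SHA256 report, the nonce, the class names and the device id are assumptions; the TLS connection is modelled as a direct method call.

```python
"""Management channel between a corporate server and the trusted environment:
key provisioning, state enquiring and state reporting. Added illustration,
not the slides' or Ericsson's code. The HMAC-SHA256 report, the nonce and
the class names are assumptions; the TLS connection is a direct method call."""
import hashlib
import hmac
import json
import secrets


class TrustedEnvironment:
    """Device side: the provisioned key lives in (simulated) secure storage."""

    def __init__(self):
        self._secure_storage = {}          # only the trusted kernel sees this
        self.trusted_apps = {"TA-1": "1.0"}

    def provision_key(self, key_id: str, key: bytes):
        self._secure_storage[key_id] = key

    def install(self, name: str, version: str):
        self.trusted_apps[name] = version

    def uninstall(self, name: str):
        self.trusted_apps.pop(name, None)

    def report_state(self, key_id: str, nonce: str) -> dict:
        """Reporting root of trust: the state, bound to the server's nonce and keyed."""
        state = {"nonce": nonce, "tas": dict(sorted(self.trusted_apps.items()))}
        body = json.dumps(state, sort_keys=True)
        tag = hmac.new(self._secure_storage[key_id], body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class CorporateServer:
    def __init__(self):
        self.device_keys = {}
        self.pending = {}     # device id -> nonce of the outstanding enquiry

    def enroll(self, device_id: str, te: TrustedEnvironment):
        """Key provisioning: a per-device key pushed into secure storage."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        te.provision_key("mgmt-key", key)

    def enquire(self, device_id: str) -> str:
        """State enquiring: a fresh nonce so an old report cannot be replayed."""
        nonce = secrets.token_hex(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_report(self, device_id: str, report: dict):
        """Returns the reported state, or None if the tag or the nonce is wrong."""
        key = self.device_keys[device_id]
        expected = hmac.new(key, report["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["tag"]):
            return None                     # tampered body or wrong key
        state = json.loads(report["body"])
        if state["nonce"] != self.pending.get(device_id):
            return None                     # replayed or unsolicited report
        del self.pending[device_id]         # each nonce answers exactly once
        return state


def demo() -> dict:
    server, te = CorporateServer(), TrustedEnvironment()
    server.enroll("device-42", te)          # constructed device id
    te.install("TA-2", "2.1")
    report = te.report_state("mgmt-key", server.enquire("device-42"))
    out = {"fresh": server.verify_report("device-42", report)}
    out["replay"] = server.verify_report("device-42", report)
    # A report whose body was edited after the tag was computed.
    forged = te.report_state("mgmt-key", server.enquire("device-42"))
    forged["body"] = forged["body"].replace('"TA-2": "2.1"', '"TA-2": "9.9"')
    out["tampered"] = server.verify_report("device-42", forged)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks in verify_report are the ones that make the report worth anything to the server: the tag shows the state came from a device holding the provisioned key, and the nonce shows it is the answer to this enquiry and not an earlier one.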

(32)

Check point

Diagram: Rich Environment (Rich OS with APP-1, APP-2, APP-3) and Trusted Environment (Trusted Kernel with PEnE, TA-1, TA-2, TA-3, Secure Storage).

Device owner:
- Execute any apps they like.
- Trust that data will not be viewed/erased by enterprise actions.
- Detach from an enterprise without losing personal data.

Information owners:
- Trust the device to protect data, access data, process data and store data.

(33)
(34)

Conclusions

Using a Trusted Execution Environment we can build an owner-controlled BYOD solution with hardware anchored trust.

- Non-proprietary solution exists
- Multiple stakeholders
- Device Owner is in control
- No need for BES
- Hardware anchored separation of information and of execution

(35)

References
