How We Deployed BYOD Using Mobile Device Management


Providing mobile access to company resources safely and securely


Children’s Healthcare of Atlanta

Table of Contents

1. Introduction
2. Understanding the Threat Landscape
3. Vendor Selection Approach
4. Bake-Off
5. Proof of Concept
6. Implementation
7. Governance
8. Lessons Learned
9. Q&A


Introductions

• One of the largest pediatric clinical care providers in the country

• 847,998 patient visits in 2012

• Served 346,356 children from all 159 counties in Georgia in 2012

• 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities

• Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine

Introduction

Robert Dalrymple, MBA, CISA, CISSP

Information Security Manager with 13 years' experience in Healthcare Information Security.

Frank Grogan

Information Security Administrator with 7 years' experience in Healthcare Information Security.


Objective

To provide Children’s employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols are and remain in place to protect Children’s Resources and patient data.


Why did we do this?

• Provide flexibility to those who are approved to use their personal devices to access the Children’s Resources

• Provide secure means of accessing data electronically

• Protect Children's from the risk of a potential data breach

• Separate the user’s personal data from Children’s data

• Address regulations as they relate to mobile device security


Research (understanding the landscape)

Things to investigate:

• Device types

• Manufacturers

• OS Versions

• Known Vulnerabilities

• Jailbreaking/Rooting

• Connection Methods

Governance Resources

• NIST Special Publication 800-53A Rev 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans

• NIST Special Publication 800-124 Rev 1 (Final), Jun 2013: Guidelines for Managing the Security of Mobile Devices in the Enterprise

• NIST Special Publication 800-164 (DRAFT), Oct 2012: Guidelines on Hardware-Rooted Security in Mobile Devices

• NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations


Risk Assessment

• Consider scenarios outside the scope of the project

• Document risks no matter how obscure

• Evaluate connection methods

• Apply findings to a Risk Management Framework

Vendor Selection (approach)

Vendor Identification

• Industry Knowledge and Experience

• Gartner Magic Quadrant Position

• Gartner Critical Capabilities

• Forrester Report

Vendor Elimination

• Determine Children’s Requirements

• Combined Requirements with Critical Capabilities

• Developed Scoring Criteria

• Selected the 5 Vendors / 4 Solutions that Scored Above 85%

Vendor Exclusion

• Assembled Core IS&T Team

• Sent RFI Requesting Info

• Evaluated RFI Responses

• Developed Demo Scoring Sheet

• Held On-Site Demos

• Scored Demo

• Compiled Scoring

• Discussed Results and Reached Consensus

• Selected 2 Finalists

Vendor Evaluation

• Invited Finalists to Proof of Concept (Bake-Off)

• Determined Hardware Requirements

• Built Test Environment

• Installed and Configured Solutions for Testing

• Tested Solutions

• Documented Findings

Final Selection

• Held Vendor Demos for Stakeholders

• Sent RFQ to Finalists

• Assembled Side-by-Side Comparison

• Reviewed RFQ Responses

• Reviewed Side-by-Side Comparison

• Made Recommendation to Stakeholders

• Stakeholders Reached a Consensus

Defining Requirements

Consider:

• What access will users be granted to the various available resources

• Permitted device types

• Supported operating system(s)

Defining Requirements (cont.)

• Required level and type of reporting

• Self-Service functions

• Collecting device information

Vendor Identification

• Perform vendor research based on pre-defined company requirements

• Ask your security colleagues for their experiences

• Gartner Magic Quadrant

• Gartner Critical Capabilities

Narrowing Down the Choices

• Assemble a core team of IT professionals

• Combine Company Requirements with Critical Capabilities

• Develop Scoring Criteria for Demos

• Host Vendor Demos

Infrastructure Options / Requirements

Suggestions:

• Request Vendor Requirements

• Virtual vs. Physical Servers

• Vendor Owned Appliances

• Consider Final Implementation

• 3rd Party Certifications


Configuration and Testing

First:

• Acquire a good variety of test devices

Then:

• Test enrollment across all device types and allowed OS versions

• Test basic functionality (Email, Contacts, Calendar)

• Configure basic security policy requirements

Comparisons

Side-By-Side comparisons are your best friend

Comparisons (cont.)

• Passcode/Password Comparison Example

Criteria | Vendor 1 | Vendor 2
Device Passcode | Required | Optional
4 Character Passcode | Supported | Supported
Email Access | Not Required | Required
Contacts/Calendar Access | Not Required | Not Required
Attachments Access | Optional | Not Required
Secure Documents** | Requires Children’s Username & Password or Certificate to access [optional] | Does not require Children’s

Comparisons (cont.)

• UX Comparison

On Premise vs. SaaS Solution

Decision Criteria

• Infrastructure Considerations

– Hardware Costs

– Support

• Security Considerations

– Confidentiality

– Integrity

– Availability

• Speed of Deployment

• Cost Considerations

– Cost Breakdown

– Costs Analysis

Comparisons

• Infrastructure Cost Comparison Example

Criteria: Hardware Costs (On-Premise vs. Single Tenant Cloud vs. Multi-Tenant Cloud)

On-Premise:

• 4 - 6 VM Instances: 2 x Database, 2 x Application Server, 2 x Gateway (optional)

• ~$$$$$

• With High Availability

• Up to 5000 Devices

• One Time Expense

Single Tenant Cloud:

• 2 - 4 VM Instances: 2 x Server, 2 x Gateway (optional)

• ~$ - $$

• With High Availability

• Up to 5000 Devices

Comparisons (cont.)

• Availability Comparison Example

Criteria (Children’s Data Center Outage) | On-Premise | Single Tenant Cloud | Multi-Tenant Cloud
Able to enroll devices? | No | No |
Able to administer accounts through MDM Tool? | No | Yes (Remote) |
Access to Email / Contacts / Calendar? | Yes | Yes |
Updates to Email / Contacts / Calendar? | No | No |
Disaster Recovery / Business Continuity | Optional | Yes |

Comparisons (cont.)

• Speed of Deployment Comparison Example

Criteria | On-Premise | Single Tenant Cloud | Multi-Tenant Cloud
Speed of Deployment | Estimated at 45 days | Estimated at 10 days |
Hardware & Software | Hardware Procurement; Servers Software Procurement; Hardware and Software Installations; Installing MDM Solution | Hardware Procurement for up to 4 servers (on-site connectors) |


Internal Testing

Pilot

• Limit the scope to get focused feedback

• Select individuals who will actively engage and provide good feedback


Configuration

Define Compliance Requirements:

• Passwords

– Character Types

– Complexity

– Change Frequency

• Encryption

– Container

– Whole Device

– External SD Card

• VPN
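As an added example that is not part of the presentation, the Python below evaluates constructed MDM inventory records against the compliance categories listed above (passcode length, character types, change frequency; container, whole-device and SD-card encryption; VPN), plus the jailbreak/rooting check from the research slide. The thresholds, record field names and sample devices are assumptions, not Children's actual settings or any vendor's schema.

```python
from datetime import date

# Policy mirroring the slide's categories; the thresholds (8 chars, 2 character
# types, 90-day rotation) are assumed values, not Children's actual settings.
POLICY = {"min_len": 8, "char_types": 2, "max_age_days": 90,
          "container": True, "whole_device": True, "sd_card": True, "vpn": True}

def evaluate(rec, policy=POLICY, today=date(2013, 9, 1)):
    """Return violations for one inventory record (empty list = compliant).
    Record keys are assumed, not a vendor's schema."""
    v = []
    if rec["jailbroken_or_rooted"]:
        v.append("jailbroken/rooted")  # every other control is then untrustworthy
    if rec["passcode_len"] < policy["min_len"]:
        v.append("passcode too short")
    if rec["passcode_char_types"] < policy["char_types"]:
        v.append("passcode complexity")
    if (today - rec["passcode_set_on"]).days > policy["max_age_days"]:
        v.append("passcode change overdue")
    if policy["container"] and not rec["container_encrypted"]:
        v.append("container not encrypted")
    if policy["whole_device"] and not rec["device_encrypted"]:
        v.append("device not encrypted")
    if policy["sd_card"] and rec["sd_card_present"] and not rec["sd_card_encrypted"]:
        v.append("SD card not encrypted")
    if policy["vpn"] and not rec["vpn_profile"]:
        v.append("VPN profile missing")
    return v

def noncompliant(records, policy=POLICY):
    """Map device_id -> violations for every record failing at least one check."""
    out = {}
    for r in records:
        v = evaluate(r, policy)
        if v:
            out[r["device_id"]] = v
    return out

# Constructed sample inventory (illustrative records, not real devices).
SAMPLE = [
    {"device_id": "ios-001", "passcode_len": 8, "passcode_char_types": 3,
     "passcode_set_on": date(2013, 8, 1), "container_encrypted": True,
     "device_encrypted": True, "sd_card_present": False, "sd_card_encrypted": False,
     "vpn_profile": True, "jailbroken_or_rooted": False},
    {"device_id": "and-002", "passcode_len": 4, "passcode_char_types": 1,
     "passcode_set_on": date(2013, 3, 1), "container_encrypted": True,
     "device_encrypted": False, "sd_card_present": True, "sd_card_encrypted": False,
     "vpn_profile": True, "jailbroken_or_rooted": True},
]
```

Calling `noncompliant(SAMPLE)` flags only the second device; a real deployment would feed the result back to the MDM tool to block access for devices that fail.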


Phased Deployment

MDM Enrollment by Device Type (Group I through Group IV):

• Children’s Owned BlackBerries and iPhones

• Personal iPhones

• Personal Windows Phones

• iPads

• Android Devices

MDM Features Timeline (Q1 through Q4):

• Email, Contacts, and Calendars

• Secure Attachments

• Secure Text Messaging

• VPN

• SharePoint


Policies and Standards

• Mobile Device Acceptable Use Policy

• Handling of ePHI on Mobile Devices Standard

Terms of Service

What We Did

• Copy / Paste Mobile Device AUP as Terms of Service

Things to Consider

• Absolve the company of any liability

• Document what can be done vs. what is being done

• Changes to be made at anytime

• Refer to the Mobile Device Acceptable Use Policy

• Be consistent with the overarching InfoSec AUP

Lessons Learned

Test

Test

Test
