How We Deployed BYOD Using Mobile Device Management








Providing mobile access to company resources safely and securely


Children’s Healthcare of Atlanta

Table of Contents

1. Introduction
2. Understanding the Threat Landscape
3. Vendor Selection Approach
4. Bake-Off
5. Proof of Concept
6. Implementation
7. Governance
8. Lessons Learned
9. Q&A



• One of the largest pediatric clinical care providers in the country

• 847,998 patient visits in 2012

• Served 346,356 children from all 159 counties in Georgia in 2012

• 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities

• Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine





Robert Dalrymple, MBA, CISA, CISSP

Information Security Manager with 13 years of experience in Healthcare Information Security.

Frank Grogan

Information Security Administrator with 7 years of experience in Healthcare Information Security.



To provide Children’s employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols are and remain in place to protect Children’s Resources and patient data.



Why did we do this?

• Provide flexibility to those who are approved to use their personal devices to access the Children’s Resources

• Provide a secure means of accessing data electronically

• Protect Children's from the risk of a potential data breach

• Separate the user’s personal data from Children’s data

• Address regulations as they relate to mobile devices




Understanding the Threat Landscape

Things to investigate:

• Device types

• Manufacturers

• OS Versions

• Known Vulnerabilities

• Jailbreaking/Rooting

• Connection Methods



Governance Resources


NIST Special Publication 800-53A Rev 1
Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans

NIST Special Publication 800-124 Rev 1 (Final), Jun 2013
Guidelines for Managing the Security of Mobile Devices in the Enterprise

NIST Special Publication 800-164 (DRAFT), Oct 2012
Guidelines on Hardware-Rooted Security in Mobile Devices

NIST Special Publication 800-53 Rev 4
Security and Privacy Controls for Federal Information Systems and Organizations


Risk Assessment

• Consider scenarios outside the scope of the project

• Document risks no matter how obscure

• Evaluate connection methods

• Apply findings to a Risk Management Framework



Vendor Selection (approach)

Vendor Identification (10 vendors)

• Industry Knowledge and Experience

• Gartner Magic Quadrant Position

• Gartner Critical Capabilities

• Forrester Report

Vendor Elimination

• Determine Children’s Requirements

• Combined Requirements with Critical Capabilities

• Developed Scoring Criteria

• Selected the 5 Vendors / 4 Solutions that Scored Above 85%

Vendor Exclusion

• Assembled Core IS&T Team

• Sent RFI Requesting Info

• Evaluated RFI Responses

• Developed Demo Scoring Sheet

• Held On-Site Demos

• Scored Demo

• Compiled

• Discussed Results and Reached Consensus

• Selected 2

Vendor Evaluation

• Invited Finalists to Proof of Concept (Bake-Off)

• Determined Hardware Requirements

• Built Test Environment

• Installed and Configured Solutions for Testing

• Tested Solutions

• Documented

Final Selection

• Held Vendor Demos for Stakeholders

• Sent RFQ to

• Assembled Side-by-Side Comparison

• Reviewed RFQ Responses

• Reviewed Side-by-Side Comparison

• Made Recommendation to Stakeholders

• Stakeholders Reached a Consensus


Defining Requirements


• What access will users be granted to the various available resources

• Permitted device types

• Supported operating system(s)



Defining Requirements (cont.)


• Required level and type of reporting

• Self-Service functions

• Collecting device information


Vendor Identification

• Perform vendor research based on pre-defined company requirements

• Ask your security colleagues for their experiences

• Gartner Magic Quadrant

• Gartner Critical Capabilities



Narrowing Down the Choices


• Assemble a core team of IT professionals

• Combine Company Requirements with Critical Capabilities

• Develop Scoring Criteria for Demos

• Host Vendor Demos



Infrastructure Options / Requirements



• Request Vendor Requirements

• Virtual vs. Physical Servers

• Vendor Owned Appliances

• Consider Final Implementation

• 3rd Party Certifications


Configuration and Testing


• Acquire a good variety of test devices


• Test enrollment across all device types and allowed OS versions

• Test basic functionality (Email, Contacts, Calendar)

• Configure basic security policy requirements





Side-By-Side comparisons are your best friend


Comparisons (cont.)

• Passcode/Password Comparison Example

Criteria                  | Vendor 1                                                                    | Vendor 2
Device Passcode           | Required                                                                    | Optional
4 Character Passcode      | Supported                                                                   | Supported
Email Access              | Not Required                                                                | Required
Contacts/Calendar Access  | Not Required                                                                | Not Required
Attachments Access        | Optional                                                                    | Not Required
Secure Documents**        | Requires Children’s Username & Password or Certificate to access [optional] | Does not require Children’s



Comparisons (cont.)


• UX Comparison



On Premise vs. SaaS Solution


Decision Criteria

• Infrastructure Considerations

– Hardware Costs

– Support

• Security Considerations

– Confidentiality

– Integrity

– Availability

• Speed of Deployment

• Cost Considerations

– Cost Breakdown

– Cost Analysis



• Infrastructure Cost Comparison Example

Criteria        | On-Premise                   | Single Tenant Cloud / Multi-Tenant Cloud
Hardware Costs  | • 4 - 6 VM Instances         | • 2 - 4 VM Instances
                | • 2 x Database               | • 2 x Server
                | • 2 x Application Server     | • 2 x Gateway (Optional)
                | • 2 x Gateway (Optional)     | • ~$ - $$
                | • ~$$$$$                     | • With High Availability
                | • With High Availability     | • Up to 5000 Devices
                | • Up to 5000 Devices         |
                | • One Time Expense           |



Comparisons (cont.)


• Availability Comparison Example

Children’s Data Center Outage                  | On-Premise / Single Tenant | Multi-Tenant Cloud
Able to enroll devices?                        | No                         | No
Able to administer accounts through MDM Tool?  | No                         | Yes (Remote)
Access to Email / Contacts / Calendar?         | Yes                        | Yes
Updates to Email / Contacts / Calendar?        | No                         | No
Disaster Recovery / Business Continuity        | Optional                   | Yes


Comparisons (cont.)

• Speed of Deployment Comparison Example

Criteria             | On-Premise                               | Single Tenant Cloud / Multi-Tenant Cloud
Speed of Deployment  | Estimated at 45 days                     | Estimated at 10 days
Hardware & Software  | • Hardware Procurement                   | • Hardware Procurement for up to 4 servers (on-site connectors)
                     | • Servers Software Procurement           |
                     | • Hardware and Software Installations    |
                     | • Installing MDM Solution                |




Internal Testing





• Limit the scope to get focused feedback

• Select individuals who will actively engage and provide good feedback



Define Compliance Requirements:

• Passwords

– Character Types

– Complexity

– Change Frequency

• Encryption

– Container

– Whole Device

– External SD Card
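The compliance requirements above (passcode character types, complexity and change frequency; container, whole-device and SD card encryption) are what the MDM enforces and reports on per device. The following is an added example, not code from the presentation or from Children’s Healthcare of Atlanta, showing how such requirements can be expressed as a policy and evaluated over device attributes of the kind an MDM agent reports. The thresholds in POLICY, the DeviceReport field names and the sample inventory are all constructed assumptions for illustration; note that the evaluator only ever sees attributes such as passcode length and age, never the passcode itself, which is how MDM compliance reporting works in practice.

```python
"""Added example: evaluate MDM-reported device attributes against a
mobile compliance policy and list the devices needing remediation."""
from dataclasses import dataclass

# Policy thresholds are assumptions for illustration, not the presenter's values.
POLICY = {
    "min_passcode_length": 4,             # "4 Character Passcode" in the comparison
    "require_alpha_and_digit": True,      # character types / complexity
    "max_passcode_age_days": 90,          # change frequency
    "require_container_encryption": True, # container holding Children's data
    "require_device_encryption": True,    # whole-device encryption
    "require_sd_card_encryption": True,   # only checked when an SD card is present
    "block_jailbroken_or_rooted": True,   # from "Things to investigate"
}


@dataclass
class DeviceReport:
    """Attributes as an MDM agent would report them (constructed field names).
    The passcode itself is never reported, only facts about it."""
    device_id: str
    passcode_set: bool
    passcode_length: int
    passcode_has_alpha: bool
    passcode_has_digit: bool
    passcode_age_days: int
    container_encrypted: bool
    device_encrypted: bool
    has_sd_card: bool
    sd_card_encrypted: bool
    jailbroken_or_rooted: bool


def evaluate(report: DeviceReport, policy: dict = POLICY) -> list:
    """Return the names of failed controls; an empty list means compliant."""
    failures = []
    if not report.passcode_set:
        failures.append("passcode-missing")
    else:
        if report.passcode_length < policy["min_passcode_length"]:
            failures.append("passcode-too-short")
        if policy["require_alpha_and_digit"] and not (
            report.passcode_has_alpha and report.passcode_has_digit
        ):
            failures.append("passcode-complexity")
        if report.passcode_age_days > policy["max_passcode_age_days"]:
            failures.append("passcode-expired")
    if policy["require_container_encryption"] and not report.container_encrypted:
        failures.append("container-unencrypted")
    if policy["require_device_encryption"] and not report.device_encrypted:
        failures.append("device-unencrypted")
    # SD card rule applies only to devices that actually have a card.
    if (
        policy["require_sd_card_encryption"]
        and report.has_sd_card
        and not report.sd_card_encrypted
    ):
        failures.append("sd-card-unencrypted")
    if policy["block_jailbroken_or_rooted"] and report.jailbroken_or_rooted:
        failures.append("jailbroken-or-rooted")
    return failures


def triage(reports, policy: dict = POLICY) -> dict:
    """Map device_id -> failed controls for every non-compliant device."""
    result = {}
    for report in reports:
        failures = evaluate(report, policy)
        if failures:
            result[report.device_id] = failures
    return result


# Constructed sample inventory: one compliant device and two needing remediation.
SAMPLE_INVENTORY = [
    DeviceReport("ios-001", True, 6, True, True, 30, True, True, False, False, False),
    DeviceReport("android-002", True, 6, True, False, 120, True, True, True, False, False),
    DeviceReport("android-003", False, 0, False, False, 0, False, True, False, False, True),
]

if __name__ == "__main__":
    for device_id, failures in triage(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {', '.join(failures)}")
```

The output of `triage` is what a self-service portal or a quarantine workflow would consume: a device with any failure is blocked from email, contacts and calendar until the listed controls are fixed, while compliant devices are not listed at all.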




Phased Deployment

MDM Enrollment by Device Type (Group I through Group IV)

• Children’s Owned BlackBerries and iPhones

• Personal iPhones

• Personal Windows Phones

• iPads

• Android Devices

MDM Features Timeline (Q1 through Q4)

• Email, Contacts, and Calendars

• Secure Attachments

• Secure Text Messaging

• Sharepoint


Policies and Standards

• Mobile Device Acceptable Use Policy

• Handling of ePHI on Mobile Devices Standard



Terms of Service


What We Did

• Copy / Paste Mobile Device AUP as Terms of Service

Things to Consider

• Absolve the company of any liability

• Document what can be done vs. what is being done

• Changes may be made at any time

• Refer to the Mobile Device Acceptable Use Policy

• Be consistent with the overarching InfoSec AUP



Lessons Learned