
(1)

Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu

Mobile Security & BYOD Policy

Sarkis Daglian

Assistant Manager, Desktop Support

Office of Information Technology

Isaac Straley

UCI Information Security Officer

Office of Information Technology

(2)


Speakers

Sarkis Daglian

Sarkis Daglian has been with UC Irvine since 2005 and is the assistant manager of OIT’s Desktop Support Services. He has been the lead of OIT’s mobile support effort for the past two years, defining usage on the campus, making recommendations that empower the mobile user, and coordinating the effort to bring the Airwatch mobile device management system to the campus.

Isaac Straley

Isaac Straley has been with UC Irvine since 2005 and is the campus Information Security Officer. He is the lead for information security and privacy, data risk management, data breach incident response, and security/privacy compliance. He has been recognized for his work in information security, including receiving the 2008 3rd place Award for Excellence in Criminal Investigations from the International Association of Chiefs of Police. In addition to his work on campus, he actively participates in UC-wide and EDU-wide security initiatives, such as recently serving as Chair of the UC IT Policy and Security committee.

(3)


Assumptions

More people will use mobile devices

•  Cisco predicts more mobile devices than people on Earth by end of 2012

Connectivity will soon be near ubiquitous

•  We use mobile for work and our personal lives

Applications and data storage will continue to be abstracted to the cloud.

(4)


What to do about BYOD?

“Bring Your Own Device”

•  94% of users would be “very frustrated” if their company wiped their personal data off of their mobile device

•  43% would be “very unwilling” to give up the use of data-intensive apps such as Pandora or Spotify on their personal devices in exchange for access to corporate information

•  64% of users would be “very frustrated” to have to enter an enterprise password every time they wanted to access their favorite apps, such as Facebook

•  49% of users would not opt for enterprise access if they had to give up iCloud or Android Backup Manager for their personal device

(5)


Bring Your Own Device (BYOD)

PRO

• User flexibility

• Fewer devices for users

• More advanced devices on the network

• Devices upgraded more frequently than the organization's cycle

CON

• Less control of devices

• Data security compliance

• Who owns the data?

• How will you recover data if someone leaves?

(6)


BYOD is not the Question

It’s already here.

“How do we secure personal devices?”

“How do we secure the data?”

•  The policies go with the data and the risk, not the device

(7)


Defining Terms: Mobility

Data

•  Data can travel with the device

•  Data can be accessed from a variety of endpoints

•  Data may be stored in a variety of places

Connectivity

•  Anytime and anywhere

•  Unsecured wireless networks

•  Remote access

(8)


Defining Terms: Security

Confidentiality: Only authorized users can access the data

Integrity: The data “are what they are”

Availability: The data are available and accessible when we need them to be

(9)


The Mobile Landscape

The Dominant Players

- iOS

- Android

The Other Guys

- Windows Mobile

- Blackberry

(10)


(11)


Apple vs. Android Ecosystem

Closed vs. Open

- Apple tests and must approve every application posted on their app store

- Android allows any application to be available for installation without vetting. Keeps platform truly open.

(12)


The Mobile Landscape

Cloud Storage

•  iCloud

•  Google

•  Dropbox

Far Reaching Digital Footprint Beyond Storage

•  Privacy: Social media, Geolocation

(13)


Why this matters to developers

Need to understand the possible environments and potential consequences

Example: Storage

•  What happens if data are cached locally?

•  If dev is using third-party storage, do you know where it is being stored (e.g., continental U.S.?)

Example: Authentication

•  Integrate authentication so user has reasonable access limits

(14)


Examples of Breaches

Laptop theft

•  SF Police video

Apple-Amazon hack / Gizmodo journalist

Android Malware

(15)


(16)


Security & Privacy Guiding Principles

Stewardship and Accountability

Everyone has a responsibility to protect information and individuals are held accountable.

Risk Management

Information must not be stored without understanding and formally mitigating or accepting the risk.

Business Ownership

Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk.

Privacy

Privacy and security are not a "zero-sum game." All aspects of privacy, including academic freedom, are weighed and

(17)


Architecture Principles

•  Defense In Depth

•  Least Privilege Access

•  Segmentation

•  Segregation of Duties

•  Accountability

•  Do Not Trust Services

•  Simplicity

•  Reuse

(18)


How to Manage Risk

Risk Management (cycle)

•  Identify threats

•  Identify vulnerabilities

•  Assess likelihood and impact

•  Implement protective controls

•  Approve risk

•  Measure control effectiveness

(19)


Levels of Risk

Low: Any data should have some protection on it

Medium: Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University's reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.

High: Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.

(20)


Mobile Device Best Practices

•  Ensure your device’s operating system is up to date

•  Set up a passcode lock or pattern. The more complex the better

•  Set an auto-lock time

•  Set your device to auto-erase its contents after too many unsuccessful password attempts

•  Only install applications from trusted sources

•  Use GPS tracking software

Optional Steps

•  Enable mobile browser fraud warnings

•  Forget Wi-Fi networks to prevent automatic rejoin

•  Keep Bluetooth turned off when not in use

(21)


What are the best policies for BYOD?

Protecting the data is everyone’s responsibility

The policy goes with data, not with the device

Security is not a binary state

•  Manage the risk and apply reasonable protections

(22)


How to Enforce BYOD Controls

Rely on users to make determination

•  Easy to implement, low level of assurance

Tell users requirements, ask for attestation

•  Good for many risk scenarios, joint effort between data owner, IT, and users

Use technical controls to enforce

•  For higher risk situations, attestation is not enough
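The three enforcement tiers on this slide, read together with the Levels of Risk and the Mobile Device Best Practices slides, amount to a device posture check of the kind an MDM runs before granting access. The Python below is an added example written for this page; it is not UCI's code and not an Airwatch API. The numeric thresholds (minimum OS versions, auto-lock timeout, failed-attempt wipe count, passcode length), the mapping from risk level to enforcement tier, and the two sample devices are all constructed assumptions for illustration.

```python
"""Device posture check: the deck's best-practice controls, with the
enforcement tier selected by the data's risk level.

Added example, not UCI's or Airwatch's code. Thresholds and the
risk-to-tier mapping are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum OS versions a policy might require (constructed values).
MIN_OS_VERSION: Dict[str, Tuple[int, int]] = {"ios": (6, 0), "android": (4, 1)}
MAX_AUTOLOCK_SECONDS = 300   # assumed: must lock within 5 minutes of inactivity
MAX_FAILED_ATTEMPTS = 10     # assumed: auto-erase after at most 10 bad passcodes
MIN_PASSCODE_LENGTH = 6      # assumed floor for "the more complex the better"

# Assumed mapping of the deck's three enforcement tiers onto its risk levels.
ENFORCEMENT_BY_RISK = {
    "low": "user-determination",   # rely on users; low assurance
    "medium": "attestation",       # state requirements, ask the user to attest
    "high": "technical-control",   # enforced posture; attestation is not enough
}


@dataclass
class DevicePosture:
    """What an MDM would report about one enrolled device (field names assumed)."""
    platform: str                    # "ios" or "android"
    os_version: Tuple[int, int]      # e.g. (6, 1)
    passcode_length: int             # 0 when no passcode or pattern is set
    autolock_seconds: int            # 0 means the device never auto-locks
    wipe_after_failed_attempts: int  # 0 means auto-erase is disabled
    untrusted_app_sources: bool      # sideloading / unknown sources allowed
    device_tracking_enabled: bool    # GPS locate-and-lock software enabled


def failed_controls(p: DevicePosture) -> List[str]:
    """Return the best-practice controls the device fails (empty if compliant)."""
    failures: List[str] = []
    if p.os_version < MIN_OS_VERSION.get(p.platform, (0, 0)):
        failures.append("os-out-of-date")
    if p.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append("weak-or-missing-passcode")
    if p.autolock_seconds == 0 or p.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        failures.append("auto-lock-too-long")
    if p.wipe_after_failed_attempts == 0 or p.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS:
        failures.append("auto-erase-disabled")
    if p.untrusted_app_sources:
        failures.append("untrusted-app-sources")
    if not p.device_tracking_enabled:
        failures.append("device-tracking-off")
    return failures


def access_decision(risk_level: str, p: DevicePosture, attested: bool) -> Dict[str, object]:
    """Decide whether this device may reach data at the given risk level.

    user-determination: always allowed; failures are reported as advice only.
    attestation:        allowed if the user attested to the requirements.
    technical-control:  allowed only when the measured posture is compliant;
                        an attestation on its own does not grant access.
    """
    mode = ENFORCEMENT_BY_RISK[risk_level]
    failures = failed_controls(p)
    if mode == "user-determination":
        allowed = True
    elif mode == "attestation":
        allowed = attested
    else:
        allowed = not failures
    return {"mode": mode, "allowed": allowed, "failures": failures}


# Constructed sample devices (not real inventory records).
IOS_OK = DevicePosture("ios", (6, 1), 6, 120, 10, False, True)
ANDROID_LAX = DevicePosture("android", (2, 3), 4, 0, 0, True, False)

if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        for name, dev in (("IOS_OK", IOS_OK), ("ANDROID_LAX", ANDROID_LAX)):
            d = access_decision(level, dev, attested=True)
            print(f"{level:6} {name:12} {d['mode']:18} allowed={d['allowed']} "
                  f"failures={d['failures']}")
```

The point the deck makes about the tiers is visible in the output: the same non-compliant device is admitted to medium-risk data on the strength of its owner's attestation, but is refused high-risk data regardless of attestation, because there the posture itself is the control.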

(23)


What are we trying to accomplish?

•  User and Device Provisioning

•  Policies

•  Backup/Restore

•  Updates

•  Diagnostics

•  Software Installation / Restrictions

•  Asset tracking and management

•  User support

•  Remote wipe and remote lock

•  GPS tracking?

(24)
(25)


UCI Airwatch Implementation

Medical Center – Bradford Networks appliance and Airwatch

Devices at Med Center register with Bradford NAC, which authenticates a user and places them in the appropriate group and minimum security configuration. Those requirements are then pushed from Airwatch.

Main campus – Airwatch

Devices under Athletics IT must enroll in Airwatch to have security protocols enforced on them to be NCAA and HIPAA compliant. Desktop support clients are also using Airwatch as a means to enforce data security guidelines.

(26)


Takeaways

•  The world is now mobile and BYOD is here

•  Professional and personal data now reside and are accessible on the same device

•  Protect the data, not just the device or the application

•  Involve everyone!

•  Assess the risk

•  Set guidelines, policies, and procedures to govern levels of security required for different types of data

•  Determine how to enforce security requirements,

(27)


References
