Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Mobile Security & BYOD Policy
Sarkis Daglian
Assistant Manager, Desktop Support
Office of Information Technology
Isaac Straley
UCI Information Security Officer
Office of Information Technology
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Speakers
Sarkis Daglian
Sarkis Daglian has been with UC Irvine since 2005 and is the assistant manager of
OIT’s Desktop Support Services. He has been lead of OIT’s mobile support
effort for the past two years defining usage on the campus, making
recommendations that empower the mobile user, and coordinated the effort to
bring the Airwatch mobile device management system to the campus.
Isaac Straley
Isaac Straley has been with UC Irvine since 2005 and is the campus Information
Security Officer. He is the lead for information security and privacy, data risk
management, data breach incident response, and security/privacy compliance.
He has been recognized for his work in information security, including receiving
the 2008 3rd place Award for Excellence in Criminal Investigations from the
International Associations of Chiefs of Police. In addition to his work on campus,
he actively participates in UC-wide and EDU-wide security initiatives, such as
recently serving as Chair of the UC IT Policy and Security committee.
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Assumptions
More people will use mobile devices
• Cisco predicts more mobile devices than people
on Earth by end of 2012
Connectivity will soon be near ubiquitous
• We use mobile for work and our personal lives
Applications and data storage will continue to
be abstracted to the cloud.
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
What to do about BYOD?
“Bring Your Own Device”
• 94% of users would be “very frustrated” if their company wiped
their personal data off of their mobile device
• 43% would be “very unwilling” to give up the user of
data-intensive apps such as Pandora or Spotify on their personal
devices in exchange for access to corporate information
• 64% of users would be “very frustrated” to have to enter an
enterprise password every time they wanted to access their
favorite apps, such as Facebook
• 49% of users would not opt for enterprise access if they had to
give up iCloud or Android Backup Manager for their personal
device
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Bring Your Own Device (BYOD)
PRO
• User flexibility
• Less devices for users
• More advanced devices on
the network
• Devices upgraded more
frequently that organization
cycle
CON
• Less control of devices
• Data security compliance
• Who owns the data?
• How will you recover data if
someone leaves?
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
BYOD is not the Question
It’s already here.
“How do we secure personal devices?”
“How do we secure the data?”
• The policies go with the data and the risk, not the
device
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Defining Terms: Mobility
Data
• Data can travel with the device
• Data can be accessed from a variety of endpoints
• Data may be stored in a variety of places
Connectivity
• Anytime and anywhere
• Unsecured wireless networks
• Remote access
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Defining Terms: Security
Confidentiality: Only authorized users can
access the data
Integrity: The data “are what they are”
Availability: The data are available and
accessible when we need them to be
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
The Mobile Landscape
The Dominant Players
- iOS
- Android
The Other Guys
- Windows Mobile
- Blackberry
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Apple vs. Android Ecosystem
Closed vs. Open
- Apple tests and must approve every
application posted on their app store
- Android allows any application to be
available for installation without vetting.
Keeps platform truly open.
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
The Mobile Landscape
Cloud Storage
• iCloud
• Dropbox
Far Reaching Digital Footprint Beyond Storage
• Privacy: Social media, Geolocation
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Why this matters to developers
Need to understand the possible environments
and potential consequences
Example: Storage
• What happens if data are cached locally?
• If dev is using third-party storage, do you know
where it is being stored (e.g., continental U.S.?)
Example: Authentication
• Integrate authentication so user has reasonable
access limits
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Examples of Breaches
Laptop theft
• SF Police video
Apple-Amazon hack / Gizmodo journalist
Android Malware
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Security & Privacy Guiding Principles
Stewardship and Accountability
Everyone has a responsibility to protect information and
individuals are held accountable.
Risk Management
Information must not be stored without understanding and
formally mitigating or accepting the risk.
Business Ownership
Information security is owned by all levels of the organization,
not just IT. Senior managers are involved in determining and
accepting information security risk.
Privacy
Privacy and security is not a "zero-sum game." All aspects of
privacy, including academic freedom, are weighed and
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Architecture Principles
• Defense In Depth
• Least Privilege Access
• Segmentation
• Segregation of Duties
• Accountability
• Do Not Trust Services
• Simplicity
• Reuse
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
How to Manage Risk
Risk
Management
Identify
Threats
Identify
Vulnerabilities
Assess
likelihood and
impact
Implement
protective
controls
Approve risk
Measure
control
effectiveness
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Levels of Risk
Low: Any data should have some protection on it
Medium: Unauthorized access to or disclosure of information in
this category could result in a serious adverse effect, cause
financial loss, cause damage to the University's reputation and
loss of confidence or public standing, constitute an unwarranted
invasion of privacy, or adversely affect a partner, e.g., a
business or agency working with the University.
High: Any confidential or personal information that is protected by
law or policy and that requires the highest level of access
control and security protection, whether in storage or in transit.
The term should not be confused with that used by the
UC-managed national laboratories where federal programs may
employ a different classification scheme.
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Mobile Device Best Practices
• Ensure your device’s operating system is up to date
• Set up a passcode lock or pattern. The more complex the better
• Set an auto-lock time
• Set your device to auto-erase its contents after too many
unsuccessful password attempts
• Only install applications from trusted sources
• Use GPS tracking software
Optional Steps
• Enable mobile browser fraud warnings
• Forget wifi networks to prevent automatic rejoin
• Keep Bluetooth turned off when not in use
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
What are the best policies for BYOD?
Protecting the data is everyone’s responsibility
The policy goes with data, not with the device
Security is not a binary state
• Manage the risk and apply reasonable
protections
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
How to Enforce BYOD Controls
Rely on users to make determination
• Easy to implement, low level of assurance
Tell users requirements, ask for attestation
• Good for many risk scenarios, joint effort between
data owner, IT, and users
Use technical controls to enforce
• For higher risk situations, attestation is not
enough
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
What are we trying to accomplish?
• User and Device
Provisioning
• Policies
• Backup/Restore
• Updates
• Diagnostics
• Software
Installation /
Restrictions
• Asset tracking and
management
• User support
• Remote wipe and
remote lock
• GPS tracking?
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
UCI Airwatch Implementation
Medical Center – Bradford Networks appliance
and Airwatch
Devices at Med Center register with Bradford NAC, which
authenticates a user and places them in the appropriate group
and minimum security configuration. Those requirements are
then pushed from Airwatch.
Main campus – Airwatch
Devices under Athletics IT must enroll in Airwatch to have
security protocols enforced on them to be NCAA and HIPPA
compliant. Desktop support clients are also using Airwatch as a
means to enforce data security guidelines
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu
Take Aways
• The world is now mobile and BYOD is here
• Professional and personal data now reside and are
accessible on the same device
• Protect the data, not just the device or the application
• Involve everyone!
• Assess the risk
• Set guidelines, policies, and procedures to govern
levels of security required for different types of data
• Determine how to enforce security requirements,
Copyright ©: 2012 Regents of the University of California. All rights reserved. http://www.security.uci.edu