Scott Gordon (CISSP-ISSMP)
Vice President – ForeScout Technologies
Security Considerations for Enterprise Mobility / BYOD
Enterprise mobility is the use of wireless, mobile and consumer devices, as well as
mobile and cloud-based applications, to enable access to corporate resources by any means.
A Bring Your Own Device (BYOD) strategy is the extent to which IT prohibits, tolerates,
supports or embraces the use of personal mobile devices at work, and the controls used to
enforce that policy.
Framing Enterprise Mobility and IT Consumerization / BYOD
Risks
• Data loss: lost phone or laptop, unauthorized access, compromised system, unknown data protection
• Malware: phishing, access, mobile/app
• Compliance: rogue devices, unauthorized apps, inconsistent policy
Challenge
• Proliferation of mobile devices on corporate networks impacts security
• Consumers are setting the rules with personal and mobile device and application use
• IT teams need visibility and control across user, device, application, data and network
© 2013 ForeScout Technologies, Page 2
Framework: Securing BYOD Implementation
1. Form a committee
2. Gather data
3. Identify use cases
4. Formulate policies
   – Which corporate applications?
   – Which users?
   – How will data be secured?
   – Who will be responsible for BYOD support?
   – What happens if the device is lost or stolen?
   – How will the endpoint device be updated?
   – Acceptable use policies?
5. Decide how to enforce policies
   – Network controls?
   – Device controls?
   – Data controls?
   – App controls?
6. Build a project plan
   – Device enrollment
   – Remote device management?
   – Cloud storage?
   – Wipe devices when employees are terminated?
7. Evaluate solutions
   – Ease of implementation?
   – Cost?
   – Security?
   – Usability?
8. Implement solutions
   – Network controls?
   – Device controls?
   – Data controls?
   – App controls?
Mobile Security / BYOD Control Options
• Block all personal mobile devices
• VDI – Virtual Desktop Infrastructure
• MAW – Mobile Application Wrapper
• WAP – Wireless Access Point
• MDM – Mobile Device Management
BYOD Security Control Characteristics
Approach: Block all personal devices
• Very secure!
• Career limiting…
Approach: Manage all personal devices (MDM)
• Good security at the device level
• Phones/tablets… not Windows & Macs
• Separate management console
Approach: Restrict the data (VDI)
• Strong data protection
• Varying user experience
• Not for the road warrior
Approach: Control apps (MEAM, MAW)
• Secure the app and data
• Must be used with other controls
Approach: Control the network (NAC)
• Foundational
• Simple, fast, 100% coverage
BYOD Is Disruptive. NAC is Fundamental to Securing BYOD
“Fighting BYOD is like the quixotic effort to resist the use of PCs or the Web in business — it’s a losing battle with no real strategic purpose or long-term upside.” 1
“Without NAC, enterprises lack visibility into the network and attached systems... NAC enables businesses to address new trends such as Bring Your Own Device (BYOD).” 2
“The rise of "bring your own device" programs is the single most radical shift in the economics of client computing for business since PCs invaded the workplace… With the wide range of capabilities brought by mobile device and the myriad ways in which business processes are being reinvented as a result, we are entering a time of tremendous change.” 3
“IT Organizations underestimate the number of personal mobile devices on their network by 50%. NAC is a fundamental technology to mobile and BYOD security, given that any mobile
1 Forrester, “Charting The Rising Tide Of Bring-Your-Own Technology”, Q3 2012
2 Frost & Sullivan, “Analysis of the Network Access Control Market”, NAD5-74, Q1 2012
3 Gartner, “Bring Your Own Device: New Opportunities”, May 2012 / Gartner VP and Distinguished Analyst David Willis, Q3 2012
4 IDC, “Consumerization of IT Study – Closing IT Consumerization Gap” / “Architecting a BYOD Enterprise”, Q3 2012
What is Network Access Control (NAC)?
Technology that identifies users and network-attached devices and automatically enforces security policy.
NAC Architecture (diagram): appliance with a Policy Engine and a Packet Engine, plus plugins for Switch, VPN, Wi-Fi, User Directory, SIEM, Windows, Mac/Linux, MobileNAC & MDM DB, and ePO.
Visibility and control of everything on your network
What is Next-Generation NAC?
Real-time Network Asset Intelligence
• Device type, owner, login, location
• Applications, security profile
Policy-based Controls
• Grant access, register guests
• Limit or deny access
Automated Enforcement
• Remediate OS, configuration, security agents
• Start/stop applications, disable peripherals
• Block worms, zero-day attacks, unwanted apps
• Phased-in, manual or fully automated
(Diagram: See, Grant, Fix, Protect; example resources: Email, CRM, Web, Guest, User, Sales)
What is Mobile Device Management (MDM)?
MDM, Device Lifecycle Management (diagram): Device Enrollment, OTA Configuration Management, Mobility Intelligence, Continuous Monitoring & Security, Application and Doc Management, Expense Management, Help Desk Support; together, Complete Lifecycle Management.
MDM Control Capabilities
The Essentials
• Device enrollment
• OTA configuration
• Security policy management
• Real-time reporting
• Remote lock, wipe, selective wipe
• Self-service portal
• Enterprise App portal
Advanced Management
• Email access controls
• Application management
• Document management
• Certificate management
• Profile lock-down
• Corporate directory integration
• Geo sensing
• PII Protection
(Diagram labels: Device Enrollment, Acceptable Use, MDM Actions, Event-based Security & Compliance, Corp App Storefront)
NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control. NAC focus is the network; MDM focus is the mobile device.

                 MDM Alone                      NAC Alone                          NAC+MDM
Visibility       Full info on managed only      Basic OS info on all devices       Complete
Access Control   For managed and email only     Partial (missing endpoint info)    Complete
Compliance       Managed only                   Very limited                       Complete
Large Bank BYOD Case Study
Challenge and approach
The Challenge
• Large financial services company realized that it needed a strategy for supporting personally owned devices in the workplace.
• Firm has more than 100,000 endpoint devices distributed over 200 locations worldwide.
• Anticipated need to support 10,000 employee-owned smartphones, tablets and personally owned laptops, as well as those from approved contractors.
Approach
• Risk and compliance management team led the project and was responsible for establishing the BYOD policies.
• Identify use cases, as well as define operational and security requirements.
• Require employees and contractors to register BYOD devices via a web portal and ensure manager approval before granting limited access.
• Leverage the NAC platform already in place to enforce network access and endpoint compliance.
• Implement MDM capabilities for corporate-provisioned smartphones and tablets.
• Enable NAC / MDM integration to provide a single pane of glass.
Gartner Case Study: Securing BYOD With Network Access Control, Published: August 2012, Lawrence Orans, Doc. G00226207
Tools References
• ForeScout CounterACT NAC
• Fiberlink MaaS360 MDM
BYOD Case Study: Policy
Use Case 1: Employee Owned Tablets and Smartphones
MDM Required for Device to Gain Access to Wireless BYOD Network
• The MDM solution selected must integrate with the NAC solution.
• The MDM system provides device configuration and status information to the NAC console.
• NAC enables enrollment and, on access, initiates a device profile check through MDM.
• Employees can use devices supported by Fiberlink: Apple, Android, Windows and BlackBerry.
Actions:
• If the MDM agent is detected, the device is granted access to a separate wireless BYOD network.
• Citrix Systems' Receiver agent is used to grant access to a subset of applications on the corporate network, based on the user's profile, thereby creating a limited-access zone.
• If the MDM agent is not detected, the device is positioned on the guest network and is limited to Internet access only. (The user must register at the guest Web portal to gain Internet access.)
• Jailbroken / rooted devices are denied access to the network, including the guest network.
BYOD Case Study: Policy
Use Case 2: Employee Owned Windows Laptops
NAC Used to Enforce Windows Endpoint Security Policies
• Up-to-date patches are required.
• Up-to-date antivirus signatures are required (employees can select from an approved list of solutions at the company's expense, per corporate licensing agreements).
• Disk encryption is required (employees can select from an approved list).
• Specific ports must be blocked via a personal firewall (such as Telnet/SSH).
• The NAC agent must be enabled (the agent is otherwise optional; it checks the configuration status of the endpoint).
• A data loss prevention (DLP) agent is required and must be active and up-to-date.
Actions:
• If the Windows laptop is compliant with all six of the policy criteria, it is granted full access to the corporate network.
• If the Windows laptop is noncompliant with one or more of the policies, it is positioned on the guest network and is limited to Internet access only. (The user must first register at the guest Web portal.)
• The user is presented with details of the non-compliance and offered means to conform.
• Once conformant, the user is automatically re-checked and allowed access.
BYOD Case Study: Policy
Use Case 3: Employee Owned MacBook Laptops
NAC Used to Enforce Mac Endpoint Security Policies
• It must be running OS X 10.5 or later.
• The NAC agent (optional) or the agentless approach must be enabled.
• A DLP agent is required.
Actions:
• If the MacBook is compliant with all three of the policy criteria, it is granted full access to the corporate network.
• If the MacBook is noncompliant with one or more of the policies, it is positioned on the guest network and is limited to Internet access only. (The user must first register at the guest Web portal.)
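The three use-case policies above, including the NAC-to-MDM lookup of Use Case 1, the automatic re-check of Use Case 2, and the monitoring-only audit described under Lessons Learned further down, as an added worked example; this is not code from ForeScout, CounterACT, MaaS360 or the Gartner case study. The endpoint records, the MDM inventory (`MDM_INVENTORY`, `mdm_status`), the OS labels in `MOBILE_OS` and the zone names are constructed for illustration; a real deployment would obtain them from the NAC and MDM consoles.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Optional

class Zone(Enum):
    CORPORATE = "corporate"      # full access to the corporate network
    BYOD_WIRELESS = "byod-wifi"  # separate wireless BYOD network; Citrix Receiver limited-access zone
    GUEST = "guest"              # Internet only, after registering at the guest web portal
    DENIED = "denied"            # no access at all, not even guest

MOBILE_OS = {"ios", "android", "windows-phone", "blackberry"}  # assumed OS labels from profiling

@dataclass
class Endpoint:
    """What NAC knows from profiling and, if present, its agent.  None = not observed,
    which every policy below treats as non-compliant (fail closed)."""
    mac: str
    os_family: str
    os_version: str = ""
    patches_current: Optional[bool] = None
    av_current: Optional[bool] = None
    disk_encrypted: Optional[bool] = None
    fw_blocks_telnet_ssh: Optional[bool] = None
    nac_agent_ok: Optional[bool] = None   # agent, or agentless check for Macs
    dlp_agent_ok: Optional[bool] = None

@dataclass
class Decision:
    zone: Zone
    failed: list = field(default_factory=list)  # shown to the user as remediation guidance

# Constructed stand-in for what the MDM console reports to NAC, keyed by MAC address.
MDM_INVENTORY = {
    "aa:bb:cc:00:00:01": {"enrolled": True, "jailbroken": False},
    "aa:bb:cc:00:00:02": {"enrolled": True, "jailbroken": True},
}

def mdm_status(mac: str) -> Optional[dict]:
    """Hypothetical NAC -> MDM lookup; None means the MDM has never seen this device."""
    return MDM_INVENTORY.get(mac.lower())

def parse_version(v: str) -> tuple:
    """'10.5.8' -> (10, 5, 8); non-numeric fragments become 0 so comparison never raises."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))

def _failed(criteria: dict) -> list:
    """Names of criteria that are not affirmatively True."""
    return [name for name, ok in criteria.items() if ok is not True]

def evaluate(ep: Endpoint) -> Decision:
    fam = ep.os_family.lower()
    # Use Case 1: employee-owned tablets and smartphones, gated on the MDM agent.
    if fam in MOBILE_OS:
        mdm = mdm_status(ep.mac)
        if mdm is not None and mdm.get("jailbroken"):
            return Decision(Zone.DENIED, ["jailbroken/rooted device"])
        if mdm is not None and mdm.get("enrolled"):
            return Decision(Zone.BYOD_WIRELESS)
        return Decision(Zone.GUEST, ["MDM agent not detected"])
    # Use Case 2: employee-owned Windows laptops; all six criteria are required.
    if fam == "windows":
        failed = _failed({
            "up-to-date patches": ep.patches_current,
            "up-to-date antivirus signatures": ep.av_current,
            "disk encryption": ep.disk_encrypted,
            "personal firewall blocking Telnet/SSH": ep.fw_blocks_telnet_ssh,
            "NAC agent enabled": ep.nac_agent_ok,
            "DLP agent active and up-to-date": ep.dlp_agent_ok,
        })
        return Decision(Zone.CORPORATE) if not failed else Decision(Zone.GUEST, failed)
    # Use Case 3: employee-owned MacBooks; all three criteria are required.
    if fam == "macos":
        failed = _failed({
            "OS X 10.5 or later": parse_version(ep.os_version) >= (10, 5),
            "NAC agent or agentless check enabled": ep.nac_agent_ok,
            "DLP agent present": ep.dlp_agent_ok,
        })
        return Decision(Zone.CORPORATE) if not failed else Decision(Zone.GUEST, failed)
    # Outside the three documented use cases: treat like any other unmanaged device.
    return Decision(Zone.GUEST, ["no BYOD policy for OS family '%s'" % fam])

def remediate_and_recheck(ep: Endpoint, **fixes) -> Decision:
    """The user fixes what the portal listed; NAC re-checks automatically (Use Case 2 actions)."""
    return evaluate(replace(ep, **fixes))

def audit(endpoints) -> float:
    """Monitoring-only mode: evaluate laptops without enforcing anything and report the share
    that would land on guest, the number the bank drove to 1% before turning enforcement on."""
    laptops = [ep for ep in endpoints if ep.os_family.lower() in ("windows", "macos")]
    return sum(evaluate(ep).zone is Zone.GUEST for ep in laptops) / len(laptops) if laptops else 0.0
```

Two design choices worth noting: an unobserved attribute (`None`) fails the check rather than passing it, so a device that evades the agent or the agentless scan lands on guest, not corporate; and a jailbreak verdict can only come from the MDM, so a jailbroken phone that never enrolled is indistinguishable from any other unmanaged phone and gets guest rather than denied, which is exactly why the case study requires MDM enrollment before granting the BYOD network.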
BYOD Case Study: Phases
Phase 1
A pilot project, in which 200 IT staffers brought personally owned devices to work. This phase lasted for six months, during which time the project team refined the Web registration portal and addressed early minor product integration issues with NAC and MDM.
Phase 2
The project team broadened the program with the goal of supporting 1,000 employee-owned devices. Employees in the information risk management, and the risk and compliance departments were chosen to be part of this phase. The primary focus of Phase 2 was to assess the end-user experience and the overall performance of the solution. A secondary goal was to define and monitor role-based access.
Phase 3
The goal of Phase 3 is to open the project to all employees and contractors in the company. At the time of this writing, the company had recently implemented Phase 3. By year-end 2014, the company expects that the project will grow to over 10,000 personally owned devices.
BYOD Case Study: Results
• Successful extension of NAC for BYOD and operational use of NAC/MDM interoperability.
• Of those employees that use personally owned devices at work, 80% have chosen to comply with company policies and install the required MDM agent and other software on their mobile device.
• 1,000 employee-owned devices are present on the corporate network on a regular basis.
• Contractor-owned and personally owned Windows laptops are the largest category, representing about 85% of the non-corporate devices on the network.
• Smartphones and tablets represent about 10% of the non-corporate devices, and MacBooks represent about 5% of the non-corporate devices.
• The overall BYOD initiative has only added endpoint growth of approximately 1%.
• 1 FTE on-site supports the broader NAC / BYOD project, since the deployed NAC is mature.
• Policy enforcement has gone relatively smoothly. For example, employees had signed waivers agreeing to the remote wipe policy; because the policy was communicated clearly, employees accepted the fact that they lost personal content.
BYOD Case Study: Success Factors & Lessons Learned
• A mature NAC program contributed greatly to the success of the BYOD initiative.
• A monitoring-only period of eight months, in which no policies were enforced. By the end of the eight months, the IT department had brought the number of noncompliant Windows devices down to 1%.
• Automating the classification of headless devices (printers and IP phones) was essential to scaling the initial NAC project to support 100,000 devices.
• A BYOD council meets monthly to review requests for exceptions to the policies.
• Effective communications are critical in the early stages of the BYOD implementation.
• The BYOD policy is outlined as part of the new employee onboarding process.
• The BYOD policy has been incorporated as part of the annual recertification process, in which all employees certify that they will abide by corporate IT policies.
• Requiring managers to sponsor employees' participation in the BYOD program helps to communicate the company's position that using personally owned devices at work is a privilege, and employees must comply with corporate policies.
BYOD Case Study: Key Findings
• The knowledge and experience gained in establishing and enforcing network access control (NAC) policies for corporate-owned Windows laptops can apply to BYOD devices.
• Extend policies to personally owned devices: smartphone, tablet, Windows, Mac.
• Strong operational processes are needed to maintain an exception list of devices that are exempt from NAC policies.
• An automated solution for discovering and profiling all endpoints, including exception devices, is the preferred approach.
• Supporting a large NAC implementation is not a labor-intensive effort.
• In this example, only one full-time equivalent (FTE; a senior-level engineer) is dedicated to support over 100,000 endpoints (1,000 endpoints are BYOD).
Recommendations
• Combine NAC and MDM to enforce policies in a BYOD environment.
• Personally owned devices that are not managed by MDM agents should be limited to Internet access only, or placed in a limited-access zone where they can access a subset of applications and network resources according to user/group role.
• BYOD policies should be broad-based and protect the wired and wireless networks.
• Use cases should address smartphones and tablets that need wireless access and
Team Building Exercise: Use Cases
• What types of devices are being brought in by employees?
• When, where, and what type of access is being requested?
• What types of applications are users running / allowed?
• What type of resources are they requesting and what do they need?
• What are the different employee roles within the organization?
• What corporate applications/data will be accessible?
• Who will be allowed to access the application/data?
• Will all access to corporate data be secured? And how?
• Who will be responsible for BYOD support?
• How will the endpoint device be updated?
• What happens if the device is lost or stolen?
About ForeScout
ForeScout is the leading global provider of real-time network security solutions for Global 2000 enterprises and government organizations.
Innovative Technologies
• Real-time visibility and control
• Leader ranking by Gartner*, Forrester** and Frost & Sullivan***…
Global Deployments
• Financial, healthcare, education, manufacturing and government…
• Enterprise implementations (> 250k endpoints)
At a Glance
• Founded in 2000 — HQ in Cupertino, CA
• Dominant independent vendor of Network Access Control (NAC): #2 market share, behind Cisco
• BYOD, endpoint compliance and cloud fueling growth
*Magic Quadrant for Network Access Control, December 2012, Gartner Inc.
**Forrester Wave Network Access Control, Q2-2011, Forrester Research
***Analysis of the NAC Market, February 2012, Frost & Sullivan
Thank You
** The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
***Frost & Sullivan chart from 2012 market study Analysis of the Network Access Control Market: Evolving Business Practices and Technologies Rejuvenate Market Growth” Base year 2011, n-20
*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.