From mobile device policy to bring your own device (BYOD)
Post on 20-Jul-2015
From mobile devices to BYOD
Andrew Cormack, Chief regulatory adviser @Janet_LegReg
09/03/2015 Jisc Digital Festival, 9-10 March 2015, ICC Birmingham 3
We like mobile computing
» Research and education aren’t just office hours
» Work wherever/whenever inspiration strikes
» Increased productivity
» Happier users
» Could your organisation cope without it?
Policies
How we secure it
» De jure: the things we write down
» De facto: the things we do
› This sets policy: “email on any device”
So how do we secure mobile computing?
[Diagram: Access, Server, Device, User; labels: IMAP or web or VTTY or none; authentication, encryption; profiles, management; policies, guidance, support]
What do you do?
Discuss around table for 10 mins
Fill in the columns
What’s the difference with BYOD?
[Diagram: Access, Server, Device, User; labels: IMAP or web or VTTY or none; authentication, encryption; profiles, management; policies, guidance, support]
What controls do you enforce on mobile devices?
What we’d like…
» Passphrase, patches, anti-virus, firewall
» Encryption, remote wipe
» Safe downloading, account/directory separation
» Thinking about where you are
Feels like basic good practice…
Actually, it’s the ICO’s recommendations for BYOD!
» Warns against MDM/tracking of non-owned devices
How to be safe without device management?
Already rely on users for some controls
Possibly move some controls to server-side
» But tightening de facto policies on existing services is a hard sell
Or, encourage users to implement them
» What do you lose with corporate mobile?
» What do you lose with BYOD?
Self-interest
81% employees don’t care about mobile security
Surely more care about their own devices?
Their BYOD security interests are same as ours
» If they know why/how to do the right thing
» Might BYOD even be more secure?
How might we help?
Discuss around tables for 10 mins:
» How to motivate
» How to support
And report back good ideas…
Good questions...
“What should I do if I lose it?”
“What should I do when I pass it on?”
“How should I back up my device?”
“How do I share files with others?”
“How do I get new apps?”
…
BYOD plan
1. Review existing measures for mobile devices
› Already accepted risk: don’t demand more of BYOD
› If risk now unacceptable, change mobile
2. Prepare to support device owners
3. Motivate device owners
› Should improve mobile security too
BYOD future
Design systems to be BYO-by-Default?
» Presume it is the norm
» Identify / configure systems and data that aren’t suitable for it
BYOD will happen anyway
Much better to design for it than ignore it
Questions?
Or, come and discuss this afternoon…
References
BT paper » btplc.com/News/Articles/ShowArticle.cfm?ArticleID=F5E90F45-966A-4872-8CF6-C2C32F608541
ICO on BYOD » ico.org.uk/for_organisations/data_protection/topic_guides/online/byod
CESG » gov.uk/government/collections/bring-your-own-device-guidance
Me » community.ja.net/blogs/regulatory-developments/article/mobile-device-policy-byod
» community.ja.net/blogs/regulatory-developments/tags/BYOD