BYOD - Build Your Own Defense

Post on 13-Apr-2017

Build Your Own Defense

Abbas Ali Khumanpur, CISSP

Security Consultant, STARLINK

ISC2 Kuwait Chapter Meet

13th May 2015

AGENDA

• Evolution of Computing Space

• Why BYOD Matters

• Threat Vectors on Mobile

• BYOD Strategy

• Multiple OS & Platforms
  • iOS
  • Android
  • Microsoft 10

Evolution of Computing Space

SOURCES: Asymco.com, Public Filings, Morgan Stanley Research, Gartner, IDC

The PC/Web Era, The Post-PC Era, The Mobile/BYOD Era

• Mainframe Era: Applications and data… behind a glass wall.

• PC Era: Applications and data on our desks… trapped at work.

• Web Era: All-access, apps and content… everywhere.

• BYOD Era: Any app and data, for personal and work, on a device we love, wherever we are.

Mobile will unlock human potential in the Workplace

Why BYOD Matters & Should you be worried?

• Smartphone and tablet technologies are evolving and changing very rapidly.

• Empower workforce through “Consumerisation of IT”

• Ultimate goal: Increased productivity with reduced costs.

BYOD DARK SIDE:

• If BYOD is not understood & regulated correctly, it THREATENS IT Security

Threat Vectors on Mobile are Different from PC

Building a Successful BYOD Strategy

• According to Gartner, 90% of enterprises (with >500 employees) have already deployed mobile devices, and many don’t have a STRATEGY.

• BYOD is more than just shifting ownership of device to the employee.

• It has complex and hidden implications.

Sustainability

• Secure corporate data

• Minimize cost to implement and enforce

• Preserve user experience

• Stay up-to-date with user preference and technology innovation

“User experience is the litmus test for policy sustainability”

Device Choice

BYOD Policy needs to be built around Device Choice

• Analyzing employee preference

• Define an Acceptable Baseline: Security and supported features

• Establishing clear communication to users about which devices are allowed or not, and why

• Ensuring the IT team has the bandwidth to stay up-to-date:

Trust Model

“The trust level of a mobile device is dynamic”

• Identifying and assessing risk for common security posture issues on personal devices

• Defining remediation options (notification, access control, quarantine, selective wipe):

• Setting tiered policy: “Based on Ownership”

User Experience & Privacy

The core tenet of successful BYOD deployments is preservation of user experience.

• User experience should not be compromised

• Identifying the activities and data IT will monitor

• Clarifying the actions IT will take and under what circumstances

Transparency will create trust

Liability

Important considerations around BYOD liability include:

• Assessing liability for personal web and app usage

• Evaluating the nature of BYOD reimbursement

• Assessing the risk and resulting liability of accessing and damaging personal data (for example, doing a full instead of selective wipe by mistake)

Managing OS & Platforms

Apple iOS

Android

Lollipop was clearly designed to change perceptions of vulnerability and fragmentation.

Android Lollipop

Android For Work

• Securely Deploying Enterprise Apps

• New APIs that Support Android for Work

• Separate Encryption Layer

• Separate Android for Work App Screenlock

Thank You !!!