BYOD in practice
KPMG case study
13 March 2013
© 2013KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Agenda
Presenter: Aurelia Costache, CIO KPMG Romania, Tel: +40 744 655 830
BYOD – why?
Business case for mobile devices
Implications
Challenges
Summary and lessons learnt
BYOD – Why?
Trend or necessity?
[Chart: Global wireless subscriber base and net additions (Q1 2012), by region; the individual bar values cannot be recovered from the extracted text]
Global telecom sector: An overview
Source: Ericsson; Informa Research

6.2 billion total mobile subscriptions as of March 2012
170 million net additions in the first quarter ending March 2012

Global Mobile Services Revenues (US$ billion)
                 2010    2011    2012F   2013F   2014F
Total            966     1,014   1,054   1,087   1,114
Voice share      74%     71%     68%     65%     63%
Data share       26%     29%     32%     35%     37%

■ Growing subscriber base: mobile subscriptions at 6.2 billion in Q1 2012 (~87 percent penetration); adjusted active subscriptions 4.2 billion
■ Sharp decline in revenue growth: down from double-digit increases between 2005 and 2008 to just 5 percent in 2011
■ Mobile service revenue to grow at a CAGR of 3.2 percent during 2011-14
■ Data to drive revenue growth (CAGR of 12.3 percent during 2011-14), only partly offsetting the decline of voice revenues
BYOD – What's the buzz?
History
BlackBerry served the corporate world
From 2007 on, iPhone and Android rapidly gained smartphone market share
Recent years
Explosion of smartphone penetration
Emergence of tablets
Corporate and private phones get mixed: "Bring your own device"
Main drivers
Intuitive/usable interface
Internet/cloud integration
Affordable pricing

U.S. Mobile Subscriber Market Share, November 2012 (Source: comScore MobiLens): Android 54%, iOS 35%, BlackBerry 7%, Microsoft 3%, Symbian 1%
BYOD in KPMG
Business Case
Main elements of the business case
Analysis of national and roaming traffic data
Estimation of the new traffic requirements for BYOD (national and roaming)
The existing fleet was almost two years old and its replacement had to be planned
CAPEX is lower (fewer devices acquired by KPMG)
OPEX is higher (more admin staff to support the new users, MDM licenses, additional traffic)
KPMG people (they can select the smartphone they want)
Staff need for mobility (business efficiency by accessing KPMG resources on mobile devices)
BYOD in KPMG
Implications
Implications – broader than expected
KPMG Global Standards
Technology
Security
Legal
Data Privacy
KPMG Global Standards, Technology and Security
Main concerns
Ensure the necessary security features to protect corporate data and prevent data loss, and comply with the KPMG Global Standards – Security Requirements for Mobile Devices. The questions to be answered:
■ How will these security features be deployed?
■ What happens when a device is lost or stolen?
■ What happens when the wrong PIN / password is entered too many times?
■ What happens when a device is infected with malware?
■ What happens with the data saved to local backup or iCloud?
KPMG Approach
KPMG limited the BYOD program to the main OSs on the market, Android and iOS, and implemented dedicated MDM solutions: GOOD for Android, FAMOC for iOS.
Legal and Data Privacy
Main concerns
MDM features may include activity monitoring, tracking, and remote lock & wipe.
Employees must give explicit and fully informed consent for any organization to access and process their personal data.
Employee consent is also required should a business wish to install an MDM application on their device.
KPMG Approach
KPMG implemented a BYOD policy that addresses the above concerns and was formally communicated to, and acknowledged by, all participants.
Policy configurations enforced through the MDM were carefully reviewed to ensure compliance with legal and Data Privacy requirements.
BYOD in KPMG
Challenges
BYOD – Challenges
Security testing phase
The testing covered the MDM solution's Internet-facing components as well as the client application installed on mobile devices:
1. Application security testing (web-specific attacks, application logic attacks); testing of the network communication between clients and server: data encryption / protection, MITM, spoofing, etc.
2. Testing of the client application (agent): jailbreak, policy bypassing, local data storage / recovery, static application analysis, etc.
Vulnerabilities identified
Vulnerabilities were found in all components of the solution:
■ in the web applications' front-end interface
■ in the client installed on smartphones
■ operational / functional vulnerabilities (e.g. the application did not detect that a phone had been jailbroken, a gap that matters because the agent's policy enforcement and data protection rely on an unmodified OS)
Operational challenges
Complete testing and configuration of the MDM solutions
Plan the enrollment: centralize all requests through the service desk application, and plan for the increase in data traffic
Enroll all devices at the same time: activate the data services, install the MDM application on the device, configure the user account on the email server and synchronize the KPMG data account.
BYOD in KPMG
Summary & lessons learnt
Summary of BYOD in KPMG Romania
Summary of the 2012 BYOD program allowing employees to use their own smartphones to access relevant corporate data:
In the past...
Around 150 BlackBerry devices used by Managers and above
Mainly used for corporate email access
Cloud-based services (private cloud)
Expensive solution, especially in roaming
Drivers for change
Proliferation of smart devices
KPMG people
Need for mobility
Cost management
Today
260 smart devices (phones and tablets) activated
Traffic volume increased by 30%, costs reduced by 10%
After a 6-month review, the business case was confirmed
Legal and Data Privacy aspects considered and formalized in a BYOD policy
MDM solution implemented, but processes are complex and need time to stabilize
Initiative well received by KPMG staff (user satisfaction increased)
Behavior changed (efficiency & innovation)
Device mix of the activated devices: Samsung Galaxy SII 50%, iPhone 4S 35%, iPad 11%, Samsung Tab 10.1 2%, other Android 1%
Lessons learnt
Enrolling mobile devices results in new risks
Broader than expected, e.g. legal, technology, integration, backups
Security controls work differently on mobile devices
Technical solutions
Different security architectures to reduce the risks of mobile devices
No technical solution fixes it all; mitigate risks through people, processes and technology
How to continue
Perform a risk assessment before implementation
Consult with relevant experts
Implement security controls for people, process and technology
Test the effectiveness of security controls
Stay up-to-date with recent developments
Structured approach, phase by phase
Unexpectedly well received by users!
© 2013 KPMG Romania, a Romanian member firm and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”).