On the heels of launching our eGroup eBook, “7 Steps to a Sensible BYOD Strategy: So You Can Sleep at Night,” we recently sat down with John F. Andrews, Chief Operating Officer and Fractional CIO of Virtual C-I-O, to chat about his company’s views and opinions on BYOD. And, most importantly, how c-level executives should manage the situation.
It sounds like both eGroup and Virtual C-I-O agree on quite a bit when it comes to BYOD. Read on for more:
eGroup: What effective approaches can management take in addressing “bring your own device” to the workplace?
JFA: BYOD is a growing, undeniable reality. The CIO or company fractional CIO would be best served to embrace this trend as well as establish a program to manage its implementation, just as programs are put in place to implement other new technologies. To roll out such a program effectively, a cross-functional team of IT, finance, legal and all other affected operating entities must collaborate to address the following at minimum:
- Which employees are eligible and which are not?
- Who pays for service plans and hardware?
- Who pays for devices that are stolen or lost?
- Which applications are permitted and which are not?
- Are employees required to use mobile device management security software that encrypts company data, monitors the device usage and passwords?
- Are employees required to agree that the company can remotely wipe out any data—possibly including personal data—if the device is lost or stolen?
- Are employees responsible to back-up their own personal data?
- What disciplinary actions will be taken in response to misuse?
With these items fully vetted and addressed, a formal policy can then be developed which best fits the corporate culture, legal, financial and operating perspectives. The CIO or fractional CIO must understand that there is no “cookie cutter” approach that works for all organizations.
eGroup: How should management educate their employee users on the security risks and potential threats BYOD raises without hampering the substantial productivity benefits of BYOD?
JFA: BYOD isn’t a technology issue, it’s a policy issue. A policy issue that involves other organizations besides IT, such as finance, legal, HR and operations. Therefore, a comprehensive view is appropriate. This cross-functional group mentioned earlier, led by the CIO or fractional CIO should be responsible for developing a policy that considers all aspects of BYOD with security being a critical item. It should be formalized, institutionalized and communicated to all impacted employees just as all other business-critical policies.
eGroup: Does company management have a role in making mobile apps available to employees and their devices?
JFA: After adequate review and approval, the BYOD program should indicate which company applications can be used by each employee based on their role in the organization. The policy should also indicate which applications or application types aren’t to be used as well.
Beyond that, we see many CIOs and fractional CIOs setting up their own “app store” that BYOD participants can access to download applications and other software that they are approved for, and that provide tangible support for their jobs.
As you write in “7 Steps to a Sensible BYOD Strategy: So You Can Sleep at Night,” VMware’s Horizon Application Manager is a great example of a tool which helps CIOs deliver policy-driven application access.
eGroup: What is the best method for encouraging productive feedback from the employee end-user community to company leaders?
JFA: To gain the most candid and honest feedback, CIOs and their teams should conduct regular user surveys. Centralized suggestion mailboxes are also popular, where employee users can provide suggestions at any time on how to improve service. Both methods can be handled on an anonymous basis, again encouraging the most honest and candid feedback, without the worry of reprisals.
eGroup: Should a CEO be concerned that the company’s application usability and human factors are best-in-class?
JFA: Absolutely. Software is integrated into almost all — if not all — core processes in corporations today and can be a major differentiator – either positive or negative – on the company’s stature, reputation and desirability as a supplier or employer. The company CIO or fractional CIO can actively support the CEO’s leadership in this regard by developing a comprehensive strategic road map design for IT / business technology that includes the internal as well as external leverage that BYOD provides. In addition to tactical responsibilities, the CIO’s role involves strengthening the CEO’s company vision, as well as the long-term value proposition.
You covered your bases and protected your client devices – complex passwords, two factor authentication, application white lists, client firewalls and anti-malware. You also have taken measures to ensure that if a device is lost the data will not be compromised – encrypted hard drives, remote wipe capability, and encrypted VPN tunnels for information transfer. Now you are feeling pretty good about your client security posture. Of course, if you are not doing these things, then later I’ll have to write about why they are still important.
Now, let’s explore a very real scenario where all this security preparation will not and does not matter. While this scenario focuses on U.S. Policy examples, this applies to any governmental action in any part of the world.
Let me set the scene. You travel outside the United States, visiting a client or international branch of your organization. Everything goes well, however upon entering back into the United States, you are pulled into a room by Department of Home Land Security (DHS) personal, who kindly ask you to “power on” your device and enter your password to decrypt the contents.
Oops – Complex passwords; two-factor authentication; encrypted contents, doesn’t matter you have just handed over the keys to the kingdom. Most people in this situation may be a bit nervous, but not overly worried, because they do not believe there is anything to hide. However, as recently reported by David Kravets of Wired Magazine (http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/ ), the DHS office of Civil Rights and Civil Liberties published a two-page executive summary of its findings in regards to DHS suspicion-less search-and-seizure policy pertaining to electronic devices.
The executive summary of this report included this statement, “We also conclude that imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits,”
What does this mean?
Well, it means regardless of what you have done or not done authorities can take your equipment. If they do so after you have given them access to the machine, then they now have access to all data without a warrant, and you no longer have any control over it.
The article illustrates a real world example of this in action. Mr. Abidor, a PHD student was held while DHS agents went through his computer – and what the article doesn’t point out is that Mr. Abidor had to file a lawsuit to get the computer back. DHS held it for over two weeks, though there were no charges filed against Mr. Abidor, nor any suspicion of wrong doing alleged.
What is on your company laptops?
How much financial information, patented company information, personal identifiable information (PII), personal health information (PHI), credit card account information, among other sensitive data, are you, your colleagues, or your employees carrying around? You may think even in an extreme scenario like this, the data wouldn’t be compromised in a way that would hurt your or your company, after all the Government has protocols and processes that should protect what they have seized.
Are you ready to bet your company on it?
Today, I know of no known instances where a border seized asset led to leaking of corporate data or privacy breaches. That doesn’t mean it has not happened, or that it will not happen. How do you protect against this scenario, or even a similar one, say, in another country, where you have even less recourse against it? I outline a few options below:
How about the Public Cloud?
Be careful on the what/where/how of your provider. International and national providers are inundated with requests for access to data hosted in their “cloud” by both foreign governments, U.S. federal government, and countless other local government entities. Of particular concern is that some companies, most visibly those major communications providers, have deals in place where they make millions of dollars by sharing your information with the government. How much do they really have vested in your privacy?
Even with the spotlights put on these programs in recent years, it appears the future will be even more “cloudy” in this regard. As an example, the recent ruling of the sixth court of appeal in United States v. Skinner (http://www.ca6.uscourts.gov/opinions.pdf/12a0262p-06.pdf) ruled that police do not need a warrant to access GPS data of individuals. This data is of course held by your telephone provider, or navigation service provider. What type of doors will this open to other types of data you are storing in large national public clouds?
It is still possible to gain the efficiencies of a public cloud, while avoiding the conflicts of interest of the big players. Look for an established local or regional partner that is offering services comparable to the big players in availability and security, but is without those entangling agreements that were not made in the best interest of your data.
What about a Private Cloud?
Clearly, there is more control here. You have the most control when you own not only the servers, but the location they are housed in. At least in this scenario any entity will need a legal warrant to retrieve data from servers in your private infrastructure. Many companies are jumping on the private cloud band wagon. Companies with big data center experience, like EMC for example, are taking that knowledge to deliver reference architectures like VSPEX that blueprint a flexible and tested solution utilizing a host of technologies that can deliver on the private cloud promise. Microsoft, VMware, and even traditional network players like Cisco are offering private cloud solutions.
How do you access your data in the cloud?
Really there are two choices here, although the technology to deliver them will vary.
Encrypted VPN tunnels are the traditional method for gaining access back into a corporate network. These will work in this scenario as well, but you have a lot of issues with where data will be saved, how working copies are managed, and what is kept on a personal device. You have a wide range of choices in how this is delivered – Microsoft Direct Access, Citrix NetScaler Access Gateway, and a variety of Cisco solutions – just to name a few. The options in this space are nearly limitless, and chances are you already have one in place, even if it’s not in use.
The other option is to keep everything in the cloud, including the working environment, so there is literally nothing on the device. How is that done? Virtual Desktops.
Utilizing private cloud to deliver virtual desktops provides the best combination of usability and security. The environment is controlled completely by the organization, and no data is kept on the client device. Popular choices in this space are VMware View and Citrix XenDesktop. In addition to fully virtualized desktops, another popular option is to utilize virtual applications.
Virtual applications can be delivered like a desktop, and still benefit from saving data in the cloud. This can sometimes be easier for IT departments to deploy if they will not be able to standardize on specific desktops, and can actually be combined with virtual desktops for the most dynamic scenarios. Again, the options in this space are VMware with their Horizon Application Manager, along with Citrix and its flagship product XenApp.
In addition to the leaders, there are a multitude of startups in this space, as well as established companies that are trying to break into the market – and as such the quality and price run from free to astronomical, and everything in between.
Coming back to my initial story, during a border seizure event or similar incident, you can unlock a device and allow the ability to browse and search with without having to worry about exposing the data. If a device is lost, it can be replaced and you can get back to work immediately because your working environment is separate from the piece of hardware you are carrying around. It’s simply a usability device that acts as a stepping stone to the non-resident application execution and data storage environments.
There are many risks to your personal data, your company’s data, and a client’s data that we probably have not even thought of or experienced yet. The good news is that there are many technologies available to assist with mitigating these threats.
Over the last five years, virtual technologies have matured economically so that businesses of all sizes can take advantage of them. Indeed, even individuals can find solutions tailored to their budgets.
Virtualization can be a great platform for savings, but an even better one for protecting your data when deployed correctly.
When you think about the Bring Your Own Device (BYOD) phenomenon, does it send shivers up and down your spine?
If you answered “no” – great! Sounds like you have everything under control. But, if you answered, “yes” – you’re not alone according to our research.
These days, business and IT leadership wake up in a world where one-third of young employees use three different devices. For many, it’s a nightmare because there’s a gang of monsters hiding under the bed (i.e. security, cost, management, etc.). No wonder 73% of UK IT directors surveyed said they are concerned BYOD will cause IT costs to “spiral out of control.” Their fears are supported by Aberdeen Group’s finding that a company with 1,000 mobile devices spends an extra $170,000 per year, on average, when it uses a BYOD approach.
Yet, most IT leaders aren’t disputing the business case for BYOD.
With all this Fear, Uncertainty, and Doubt, filling the market, we’re pleased to offer advice and practical solutions in the latest eGroup eBook, “7 Steps to a Sensible BYOD Strategy (So You Can Sleep at Night).” In it, you will learn how to devise and implement an effective BYOD strategy. Enjoy – and don’t let those gang of monsters win!
Interesting article on OPEN Forum on how to avoid a network breach.
The writer, Carla Turchetti, outlined five ways to protect a business and the bottom line from network breach challenges in the year ahead. Through her sources, she boiled it down to: user safety, password strength, proper systems and control, monitoring and general vigilance.
I spoke with eGroup’s in house security expert, Adam Turner, who offered some additional advice of the technical variety for businesses hoping to prevent a security breach:
As for the how-to, one item I always stress is that information security, be it implementation, review, etc., is not a milestone. It is an ongoing process. Also, information security is everyone’s responsibility, from the front desk personnel to the head of the IT department. Security awareness training is often overlooked, but it can be a big help to a company’s data integrity. The weakest link in the chain is often the analogy, and end-users are usually that weak link.
Down to the 1’s and 0’s. I’d like to briefly cover SQL Injection (SQLi), browser and browser add-on vulnerabilities, AutoRun, and insider threats.
One of the most popular exploits these days is SQL Injection (SQLi). This is typically a targeted attack, i.e. the attacker has identified an information system in particular and wants access. SQLi takes advantage of poorly written application code, specifically the part of the application code that is inserting or retrieving information from a database. Encrypting your database cells is the best method of protection, but input validation and sanitization is the simpler route. For instance, a Date field in a website form should not allow characters that do not belong in a date, only numbers and the / character.
Another popular exploitation vector is the web browser and web browser add-ons. These exploitations usually occur by getting a user to visit a malicious website that takes advantage of a browser or browser add-on software vulnerability. Examples of exploitable browser and browser add-ons are the Internet Explorer browser, Apple’s Safari browser, Java, Adobe Flash, and Adobe Reader. These products or a combination of them are typically used by every user in the world with Internet access. This makes them very attractive to attackers. The best way to prevent these products from exploitation is to limit the external websites corporate users can visit, however this often is not acceptable to the user base. In that case, creating a white list of websites that are allowed to use client-side add-ons is the best alternative. In Internet Explorer, this is implemented by assigning business related external websites to the Trusted zone via the Site to Zone Assignment list, and locking down the Internet Zone. I would also suggest using the Google Chrome browser where possible, as it is the most secure web browser available.
AutoRun is a feature in Windows that performs automatic execution to provide convenience to the user. When you insert a software installation CD into your computer and the software’s install routine automatically launches, the AutoRun feature is what makes it happen. Using this feature, malware can spread from environment to environment silently via thumb drives and other portable media. The malware in turn can delete data or introduce a point of access for the attacker. AutoRun should be disabled by Group Policy at the Computer and User levels.
Last but certainly not least is insider threats. This usually involves disgruntled employees and terminated employees. I recently spoke to a company that was certain their voice mail server was being attacked by someone in China, until I found out their voice mail server administrator had recently been terminated. Though they had deleted his user account, it was apparent that he still had access into their system most likely through a shared user account. Employee exit policies should always involve disabling or deletion of their user accounts as well as password resets on any shared user accounts they may have had access to. However the practice of shared user accounts in generally very bad as it presents risk issues as well as audit/event investigation issues.
I’ve been struggling for a few months to find the answers to all of life’s questions… err.. I mean how to integrate an RSA SecurID soft-token with the VMware View iPad Client.
- PCI Compliance requires multi-factor authentication for remote access to your cardholder data environment. It’s also a good security practice if you use remote access.
- RSA SecurID is the most widely used form of multi-factor authentication, but there are certainly other options (Note: View only supports integration with RSA or RADIUS at this time).
- Users do not have to carry around a physical RSA keyfob.
- Users do not have to pull up the RSA app on their mobile device and remember the 8-digit token then fly over to the vmware view app and type in that code all within the 60- (or 30-) second window. That’s a little much for some folks to handle.
The intended audience of this technical post is your “all-in-one” administrator (like me) or a team of administrators across your compliance/security, VDI, or vSphere IT groups.
Read more >>