Consumerization and mobility in the enterprise – and in our daily lives – are not only here to stay; their footprint and influence are expanding. What does the broader consumerization and mobile environment look like? How do you assess the drivers for adoption and the cost/benefit of a mobile-enabled organization?
Join us for this session to get an understanding of how a large state government agency took a proactive approach to enablement that ultimately set them ahead of the security challenges, rather than behind.
Embracing the IT Consumerization Imperative NG Security
1. Barry Caplin
CISO
MN Dept. of Human Services
NG Security Summit
barry.caplin@state.mn.us
bc@bjb.org, @bcaplin, +barry caplin
securityandcoffee.blogspot.com
14. Consumer App Security
“non-standard” software a challenge
Vetting, updates/patches, malware
No real 3rd party agreements
Privacy policies, data ownership
SOPA/PIPA/CISPA
15. Legal (IANAL)
Privacy – exposing company data
Litigation hold – on 3rd party services
Separation – what’s on Dropbox?
Copyright, trademark, IP?
How do you get data from a 3rd party service?
16. BYOD Security Solutions
• Sync/MDM – Network or OTA
• VDI – Citrix or similar
• Containerization – Sandbox, MAM
• Direct Connection – Don’t!
17. DHS view - POE
• Policy
• Supervisor approval
• Citrix only
• No Gov't records on POE (unencrypted)
• 3G/4G or wired
• Guest wireless
• FAQs for users/sups
• Metrics
• $ - not yet
18. Software Security Solutions
Policy – Examine existing – augment
Process – Vetting, updates, malware
3rd party agreements – where possible
Data classification/labeling
PIE – pre-Internet encryption
19. CoIT Nirvana
Any, Any, Any – work, device, where
Be nimble
Data stays “home”++
Situational awareness
20. Key Points
Business Need – Partner internally
BYOD, Consumer apps, or both?
Policy, Technical, Financial aspects
Watch the data
Make easy for users
Education/Awareness
Check out my about.me, with links to twitter feed and Security and Coffee blog.
Mobile/portable devices are not new. Then an event occurred that changed the game… IBM “Portable” 5155, $4225, 30 lbs, 4.77 MHz 8088; Apple Newton; AppleBook; original ThinkPad; 1st gen Android; Palm III; early Blackberry
1st iPad, 4/3/2010. 300K iPads sold, 1M apps, 250K ebooks downloaded on the first day. Features, form factor, intuitive use made it the people’s choice.
1. Mid-2011 tipping point
2. By early 2012, 50% of US mobile users use a smartphone
2012 survey of IT leaders – Mobile is #1 tech impact. But Cloud is 2, CoIT 3 and Social 4 – all connected.
The devices are hot and driving the space, but it’s really about the ability to have mobility – to bring the product or service to the consumer/customer. Not just “flavor of the week”.
“Just say no” is not a viable IT or Security strategy or response. We must partner with the business/user to provide what is needed. “Just say no” is an…
If your organization is saying “just say no” to consumer devices and apps, then they are already in your environment. Take opportunity to partner, lead and add value.
2.5 years ago: story of call from lawyer about iPads in a meeting. This led to…
Quickly moved to last stage – evangelism. Now security is dragging other groups kicking and screaming into the present. Security is leading and adding value.
Exposure is device in hand – eavesdropping, MitM. Leakage is device is gone. We have all this already. Datalossdb.org and Accidental Insider. 10% of 2nd-hand drives bought had company/private data. StarTrib malware.
1. Similarly, we have had software issues – local admin, devs, etc. can’t enumerate badness. If the service is free, we are the product not the customer.
Be sure to include legal. Information discovery, litigation hold are big issues.
Now for solutions – 4 general categories for devices. Containerization includes Enterprise App Store.
Extensible policy; Citrix (no remnants); looking at containerization; guest wireless/wired; not yet considering $ (reimbursement/stipend) Gartner says at least 3-5 years for financial payoff.
Policy already mentioned. Working on process to more seamlessly allow consumer apps. Know your data classifications. PIE great for online storage, file sharing.
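PIE (pre-Internet encryption), named on slide 18 and in the note above, means the data is encrypted on the agency side before it is handed to an online storage or file-sharing service: the provider only ever holds ciphertext, and the key stays “home”. The Go program below is an added illustration of that step and is not code from the talk or from MN DHS. It assumes AES-256-GCM under a randomly generated key, a constructed sample record, and a hypothetical classification label that is bound to the ciphertext as associated data (the `classification=...` format is an assumption, not an agency convention).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed stand-in for a file a worker might drop into a
// consumer file-sharing service; it is not real agency data.
const sampleRecord = "Case 000-CONSTRUCTED: client intake notes (constructed sample, not real data)"

// NewKey returns a fresh 32-byte AES-256 key. In a real deployment this key is
// generated and held on the agency side (a key manager or the user's managed
// device) and is never sent to the storage provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the PIE step: it runs before any byte leaves the network.
// label is authenticated but not encrypted, so a classification tag or file
// name can be stored next to the blob and still be tamper-evident.
// Output layout: nonce || ciphertext || GCM tag.
func Encrypt(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Decrypt reverses Encrypt. Any change to the blob, the label or the key makes
// gcm.Open fail, so a corrupted or re-labelled download is rejected rather
// than silently used.
func Decrypt(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Hypothetical label format: ties the blob to the classification it was given.
	label := []byte("classification=private;name=intake-notes.txt")

	blob, err := Encrypt(key, []byte(sampleRecord), label)
	if err != nil {
		panic(err)
	}
	// This is all the storage provider ever holds.
	fmt.Printf("stored by provider (%d bytes): %x...\n", len(blob), blob[:16])

	// Legitimate download on a managed device that has the key.
	pt, err := Decrypt(key, blob, label)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == sampleRecord)

	// Provider-side corruption or tampering: flip one bit of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, label)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	// Re-labelling the object as "public" without re-encrypting is also rejected.
	_, err = Decrypt(key, blob, []byte("classification=public;name=intake-notes.txt"))
	fmt.Printf("relabelled blob rejected: %v\n", err != nil)
}
```

The label ties PIE to the data classification/labeling item on the same slide: the tag travels with the object and cannot be altered without the key. What PIE does not solve is key management – where the key lives, who can recover it for litigation hold or information discovery, and how it is rotated – which is exactly the part the legal and policy slides have to cover.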
Partner; Lead; Add value Good user experience is key
Users are changing; expectations are changing; keep “eyes on the prize”; partner, solve problems, and add value