Bring it or leave it Dealing with very personal devices János Tóth

Author: Sherman Bryant

1 Bring it or leave it
Dealing with very personal devices
János Tóth, Hungarian National Assembly
ECPRD ICT Seminar, Budapest, 15-16 November 2012

2 BYOD – Bring your own device
- Anything: laptop, tablet, smartphone
- The owner is not the organization, or ownership is shared
- Not totally controlled or maintained by the IT department
- Used both for work and for personal "fun"
- There is company data on it

3 Why it is good
- Data
  - Data is as near to the user as possible (in the pocket)
- Efficiency
  - As with every mobile device
  - User can work anytime, anywhere
- Comfort
  - User satisfaction
  - Multipurpose tool
- Cost
  - Shared between user and organization (benefit)

4 Why it is a problem
- Data
  - Data loss and/or data leakage
- Operation
  - Purchase, maintenance and service problems
  - Too many different devices
- Responsibility
  - Data and device (ownership)
- Cost
  - Harder to plan
- Shadow IT

5 Shadow IT
- User-built solutions without the organization's approval
  - Unknown Access databases, Excel with macros, Google Docs, etc.
  - Data goes home with the user (USB stick, )
- User efficiency vs. organization efficiency
  - Inconsistencies, wasted time and investment
  - Unknown, "critical" solutions are harder to change
- Data security
  - Uncontrolled duplication
  - Users know they may be in a forbidden area

6 BYOD costs
- Cost is shared between user and organization
- Who will pay for what?
  - Device
  - Maintenance, care packs, repairs
  - Replacements and backups
  - Communication fees
  - Insurance

7 Responsibilities
- BYOD is not just an IT problem
  - Finance
  - Human Resources
  - Users' actual department
- No problem while the device is working
  - ... and then?

8 What is not BYOD
- Laptops and PCs given by the organization for personal (not work-related) use
- Most company phones and smartphones
- "Merits" given to the employee by a third party
- "Home use" software licenses
- Special telephone subscriptions

9 Technical problems to solve

10 Authentication methods
- The first barrier in both BYOD and "classic" use
- Password
  - Not secure enough
- One-time password
  - Two-factor, good enough
  - The industry already has ready out-of-the-box solutions
- Digital certificates
  - Also two-factor
  - Multipurpose (authentication, encryption)
  - Card, token, file
  - Dependent on OS or hardware
- The authentication methods in use should be re-evaluated when making a BYOD policy

11 Application and configuration distribution and protection
- Classic central software management tools mostly require controlled devices
- Install kits, and serial code distribution and retrieval
  - Logistic nightmare
- Virtualized images and applications
  - Logistics are still hard, but solutions are affordable
- Terminal services
  - No logistics
- Application stores
  - No logistics, but a different solution is needed per platform

12 Application and configuration distribution and protection
- Functions for the IT helpdesk
  - Remote configuration
    - "Remote desktop" solutions for non-PC devices are limited
  - Backup and restore
    - Company data only ;)
  - Device tracking to retrieve a lost or stolen device
    - Sensitive area for users; don't press if they don't like it
    - Compare with actual statistics of lost devices
  - Revoking the device's BYOD rights

13 Data protection
- Protection is needed against:
  - Theft or loss of the device
    - Encryption
    - Remote wipe
- Data flow control
  - Downloaded sensitive working material should be separated from personal data
- Must be aligned with local laws and policies
  - Our current law and policy do not allow documents classified as "secret" in the IT system
  - Secret and sensitive are not the same

14 Connection protection
- Already implemented and widespread
- A common VPN solution can be used
- If one does not currently exist, plan to implement it

15 Solutions
Different service and security levels

16 Pre-wireless BYOD
- Easy days (no mobile devices)
  - Device location is known
  - Network lock was easy
  - Device reimage and lockdown (BIOS) was easy
  - Less computer-literate users
- Appearance of security policy for unknown/foreign devices
  - And sometimes totally ignored by users from outside the organization

17 Basic wireless BYOD
- Wi-Fi connection limited to internet only
- Guest networks
  - Open or authenticated/encrypted connection
  - How to distribute connection info?
  - SSID: ecprd
- Cisco Wireless LAN Controller and Wireless Control System
  - Lightweight device control
  - Authentication (library users can use their pass to log in)
  - Connected devices are separated
- Cisco Network Admission Control/Clean Access
  - Firewalled, HTTP/HTTPS only
  - SMTP banned because of the shared outgoing source IP
  - Monitored virus scan

18 Web based BYOD
- Independent of BYOD
  - Webmail, web portals
- Easy to use in BYOD
  - After the browser incompatibilities are solved
- Without hardening it is open to attacks from the internet side
- Native transfer protocols (IMAP, POP3, SMTP, RDP) are not possible
- Downloaded, cached data is in danger
  - Internet cafe

19 Web based BYOD
- Current web based services in the Hungarian National Assembly
  - Intranet, Oracle Webforms (Java-based clientless database access)
  - Webmail
  - Law database (3rd party software)
- 2-factor authentication with Aladdin eToken

20 Mobile Device Management (MDM)
Mobile device management (MDM) includes software that provides the following functions: software distribution, policy management, inventory management, security management and service management for smartphones and media tablets. MDM functionality is similar to that of PC configuration life cycle management (PCCLM) tools; however, mobile-platform-specific requirements are often part of MDM suites. (source: Gartner glossary)

21 Mobile Device Management
- Gives the most help to IT
- Danger of vendor lock-in

22 Bring it or leave it
- Hard to avoid
- Plan: IT and finance
- Try, pilot

23 Questions?