BYOD Security: Maintaining a Secure Infrastructure
Friday 15th March 2013
Paul Whitton
▶ Senior IT Security Specialist within ESISS
▶ TigerScheme and Crest accredited.
▶ Been working at Loughborough University since 2001 in a variety of teams:
  ▶ Labs
  ▶ Staff Desktop
  ▶ Systems Services
  ▶ Networks and Security
  ▶ Now ESISS
About ESISS
▶ ESISS is the Education Shared Information Security Service.
▶ A collaboration with the eight universities within the East Midlands region.
▶ A genuine requirement for a shared security service was identified.
▶ HEFCE pump-primed the first year.
▶ Launched in August 2009, now used by over 50 UK institutions and growing.
About the ESISS team
▶ Contract awarded to Loughborough University.
▶ Dedicated team providing the services.
▶ Information Security Assurance: CISSP, Tiger Scheme QSTM, CCNP, CCSP, Crest Registered Tester, etc.
▶ Trusted Introducer accredited procedures.
Technical Challenges
▶ Which device types/operating systems are allowed
▶ What apps may be installed and used
▶ What IT systems may be accessed
▶ How data is stored on the device
▶ How data is transferred to/from the device
▶ Blurring of business and personal use
Security considerations
▶ Data privacy: personal and corporate data on the same device. This works both ways.
▶ Data privacy/remote wipe for lost/stolen devices.
▶ What to do if the person who owns the device leaves the company.
▶ Copyright infringement from the device.
How to address these issues
What the Data Protection Act 1998 says:
▶ Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.
▶ All of the previously mentioned issues can be mitigated to some extent with a suitable, effective BYOD policy.
Designing a BYOD Policy
Must meet the needs of both IT and employees, e.g.:
▶ Secure corporate data
▶ Minimise cost to implement and enforce
▶ Preserve user experience
▶ Keep up with user technology and preferences
What to consider
▶ The JANET AUP already covers a fair amount of the responsibilities.
▶ There may be a need to create a social media policy.
▶ Regular checks for compliance.
Device settings
Best practice indicated by Gartner and elsewhere suggests that supported devices should support:
▶ Device lock code
▶ Automatic device lock on idle
▶ Remote device wipe function
▶ Device data encryption
Mobile Device Management
▶ Investigate remote locate and wipe facilities.
▶ Appropriate process to remove rights from lost/stolen devices.
▶ Approved devices only.
▶ Educate users about untrusted apps and data protection.
▶ Segregation of corporate and personal data (Mobile Application Management).
Exchange ActiveSync Policy
▶ Exchange allows admins to define a policy for any clients connecting.
▶ This can include remote wipe, enforced encryption, etc.
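The "Device settings", "Mobile Device Management" and "Exchange ActiveSync Policy" slides all describe the same check: a device is only allowed onto corporate systems if it supports and has enabled a lock code, idle auto-lock, remote wipe and storage encryption, and is an approved device type. The following is an added example (not code from the presentation or from ESISS) of that compliance check written in Python. The device schema, the policy values (5-minute idle lock, the approved platform list) and the device inventory are all constructed for illustration; an Exchange deployment would express the same settings through its ActiveSync mailbox policy rather than through this code.

```python
"""Constructed example: checking BYOD device reports against a device-settings
policy of the kind the slides describe (lock code, idle auto-lock, remote wipe,
encryption, approved devices only). The device records are invented."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DevicePolicy:
    """Minimum settings a device must support and have enabled (assumed values)."""
    require_lock_code: bool = True
    max_idle_minutes: int = 5          # must auto-lock within this idle period
    require_remote_wipe: bool = True
    require_encryption: bool = True
    approved_platforms: frozenset = frozenset({"ios", "android"})


@dataclass
class DeviceReport:
    """Settings a device reports when it provisions (hypothetical schema)."""
    device_id: str
    platform: str
    lock_code_set: bool
    idle_lock_minutes: Optional[int]   # None: never locks on idle
    remote_wipe_supported: bool
    storage_encrypted: bool
    owner_active: bool = True          # False once the owner has left


def evaluate(device: DeviceReport, policy: DevicePolicy) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). An empty reason list means compliant."""
    reasons: List[str] = []
    if device.platform.lower() not in policy.approved_platforms:
        reasons.append(f"platform {device.platform!r} is not on the approved list")
    if policy.require_lock_code and not device.lock_code_set:
        reasons.append("no device lock code set")
    if device.idle_lock_minutes is None:
        reasons.append("device never locks on idle")
    elif device.idle_lock_minutes > policy.max_idle_minutes:
        reasons.append(
            f"idle lock after {device.idle_lock_minutes} min exceeds "
            f"the {policy.max_idle_minutes} min maximum")
    if policy.require_remote_wipe and not device.remote_wipe_supported:
        reasons.append("remote wipe not supported")
    if policy.require_encryption and not device.storage_encrypted:
        reasons.append("device storage is not encrypted")
    if not device.owner_active:
        reasons.append("owner has left: revoke access and wipe corporate data")
    return (not reasons, reasons)


def triage(devices: List[DeviceReport], policy: DevicePolicy) -> Dict[str, object]:
    """Split an inventory into devices allowed onto corporate systems and
    devices to quarantine, keyed by id with the reasons for each decision."""
    allowed: List[str] = []
    quarantined: Dict[str, List[str]] = {}
    for device in devices:
        ok, reasons = evaluate(device, policy)
        if ok:
            allowed.append(device.device_id)
        else:
            quarantined[device.device_id] = reasons
    return {"allowed": allowed, "quarantined": quarantined}


# Constructed inventory, as an MDM or ActiveSync device list might report it.
SAMPLE_DEVICES = [
    DeviceReport("phone-001", "iOS", True, 2, True, True),
    DeviceReport("phone-002", "Android", False, None, True, False),
    DeviceReport("tablet-003", "Android", True, 30, True, True),
    DeviceReport("phone-004", "iOS", True, 1, True, True, owner_active=False),
    DeviceReport("old-005", "Symbian", True, 5, False, False),
]

if __name__ == "__main__":
    result = triage(SAMPLE_DEVICES, DevicePolicy())
    print("allowed:", result["allowed"])
    for dev_id, reasons in result["quarantined"].items():
        print(f"quarantine {dev_id}: " + "; ".join(reasons))
```

Running this against the sample inventory allows only phone-001; the other four are quarantined with a reason list that can be handed back to the user or to the helpdesk. The `owner_active` flag covers the "person who owns the device leaves" case from the security considerations slide: the leaver's device fails the check regardless of its settings, which is the trigger for removing rights and wiping corporate data.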
Virtual Desktop/Thin Client
▶ Some places are implementing virtual desktop infrastructure.
▶ This allows BYOD clients to access a normal corporate desktop by running an application.
▶ Segregates corporate data from the BYOD device.
Type of Network Access
▶ Clients are typically wireless devices.
▶ Users expect to be able to just turn wireless on and have it work with minimal or no configuration.
Wireless Access and Auditing
▶ eduroam
▶ Captive portal style wireless networks.
▶ Consideration for BYOD network access to the main network.
eduroam
▶ Based on the 802.1X standard and a hierarchy of RADIUS proxy servers.
▶ The role of the RADIUS hierarchy is to forward the user's credentials to the user's home institution, where they can be verified and validated.
▶ Can allow visitors from participating sites to use your wireless/wired networks, but segregate them from your main network, and vice versa.
Pros:
▶ Secure wireless configuration.
▶ Device only needs to be configured once for all sites.
▶ Supports wireless and wired.
▶ Internationally available.
Cons:
▶ May be complicated to set up/configure/maintain for small FE sites with small numbers of network staff.
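To make the eduroam slides concrete, here is an added example (not code from the presentation, ESISS or the eduroam project) that models in Python how the RADIUS hierarchy routes a request: the visited site's RADIUS server authenticates its own realm locally, proxies anything else to the national roaming proxy (NRPS), which forwards to the realm's home institution, and a successful visitor lands on a guest VLAN segregated from the main network. Institution names, realms and VLAN numbers are invented; the model stops at the national level and omits the international top-level proxy.

```python
"""Constructed model of how an eduroam-style RADIUS hierarchy routes an
authentication request by realm. Institution names, realms and VLAN numbers
are invented for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Institution:
    name: str
    realm: str          # realm this institution's RADIUS server authenticates
    staff_vlan: int     # main network for the institution's own users
    guest_vlan: int     # segregated network for roaming visitors


# The national roaming proxy (NRPS) knows which institution owns each realm.
FEDERATION: Dict[str, Institution] = {
    "lboro.ac.uk": Institution("Loughborough", "lboro.ac.uk", 10, 20),
    "example-college.ac.uk": Institution("Example College", "example-college.ac.uk", 30, 40),
}


def split_outer_identity(identity: str) -> Tuple[str, str]:
    """Split 'user@realm' into its parts. Only the realm is needed for routing;
    the inner identity and password stay inside the EAP tunnel to the home
    server, so 'anonymous@realm' is a valid outer identity."""
    if "@" not in identity:
        raise ValueError("outer identity has no realm; cannot route")
    user, realm = identity.rsplit("@", 1)
    realm = realm.strip().lower()
    if not realm:
        raise ValueError("empty realm")
    return user, realm


def owns_realm(institution: Institution, realm: str) -> bool:
    """True if realm is the institution's realm or a sub-realm of it."""
    return realm == institution.realm or realm.endswith("." + institution.realm)


def lookup_home(realm: str) -> Optional[Institution]:
    """NRPS step: find the institution responsible for a realm."""
    for inst in FEDERATION.values():
        if owns_realm(inst, realm):
            return inst
    return None


def route_request(visited_realm: str, outer_identity: str) -> Dict[str, object]:
    """Simulate the hops a request takes from the visited site's RADIUS server
    and the network the device is placed on if authentication succeeds."""
    visited = FEDERATION[visited_realm]
    hops: List[str] = [visited.name]
    try:
        _, realm = split_outer_identity(outer_identity)
    except ValueError as exc:
        return {"decision": "rejected", "hops": hops, "vlan": None, "reason": str(exc)}
    if owns_realm(visited, realm):
        # Home user: verified locally, placed on the main network.
        return {"decision": "local", "hops": hops, "vlan": visited.staff_vlan,
                "reason": "home realm"}
    hops.append("NRPS")
    home = lookup_home(realm)
    if home is None:
        return {"decision": "rejected", "hops": hops, "vlan": None,
                "reason": f"no institution for realm {realm!r}"}
    # Visitor: credentials are verified by the home institution, but the device
    # lands on the visited site's guest VLAN, segregated from the main network.
    hops.append(home.name)
    return {"decision": "proxied", "hops": hops, "vlan": visited.guest_vlan,
            "reason": f"verified by {home.name}"}


if __name__ == "__main__":
    for visited, ident in [("lboro.ac.uk", "alice@lboro.ac.uk"),
                           ("lboro.ac.uk", "anonymous@example-college.ac.uk"),
                           ("example-college.ac.uk", "bob@dept.lboro.ac.uk"),
                           ("lboro.ac.uk", "carol"),
                           ("lboro.ac.uk", "dave@unknown.example")]:
        print(visited, ident, route_request(visited, ident))
```

The point for a defender is in the routing rules: the visited site only ever sees the outer identity and decides on the realm alone, so a request with no realm, or with a realm nobody in the federation owns, is dropped before any credential is checked, and a visitor who does authenticate is still kept off the main network.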
Typical open guest network
Open guest network
Pros:
▶ Easy to set up/maintain.
Cons:
▶ Users can see other people's traffic (mitigated to an extent by forcing the use of an SSL web proxy).
▶ Requires the user to configure their wireless settings for each site they visit.
Further Information
▶ /documents/library/Data_Protection/Practical_application/ico_bring_your_own_device_byod_guidance.ashx
Any Questions?
Thank you for listening
https://www.esiss.ac.uk/