Information Security Updates - Joint Universities Computer ...
STATS
Americans who use their personal mobile devices for work (1): 81%
Employees who believe that mobile devices balance work and personal life (2): 78%
Employees who use personal devices at work, regardless of their employer’s official BYOD policy (3): 67%
There is a massive upsurge of mobile devices in the consumer market. Corporations are also demanding that their employees have instant connectivity to their working environment. These two factors are reshaping the IT landscape. IT consumerization has blurred the lines between work and personal life, especially when it comes to mobile devices. People use mobile devices for their personal life and for work, with the desire to access corporate IT systems anytime and anywhere.
According to Forrester, more than 50% of the information workforce will use three or more devices. Gartner also predicts that by 2017 half of employers will require employees to use their own mobile devices for work purposes.
Bring Your Own Device (BYOD) refers to the arrangement of allowing employees to bring personal mobile devices to perform company work-related activities. This trend is becoming inevitable, and it is imperative that corporations form a strategy to deal with it.
To examine the prevalence of BYOD, Dell commissioned Vanson Bourne to interview 1,485 IT heads from across the globe about their opinion of BYOD. The results indicated that companies could realize corporate gains from BYOD (4). 69% or more of the surveyed organizations believe that BYOD can help their employees be more productive, respond faster to customers, improve work processes, work better in the future and improve operational efficiencies.
BYOD Security Concerns
BYOD poses new security threats to companies because they have little control over employees’ personal mobile devices. Sensitive corporate information can be stored on personal mobile devices with little protection. Malware can be introduced into the corporate environment by negligent employees connecting their personal mobile devices to the corporate network.
Information Security Updates
Mobile Security – Bring Your Own Device
BYOD Cases
Insurance claim adjusters routinely use mobile devices and applications to help policy holders immediately file insurance claims after an accident.
In healthcare, doctors and nursing staff conduct a wide range of bedside care activities using mobile technology, allowing them to immediately share information with hospital pharmacies, admission offices, insurance companies and compliance departments.
Sources: HP – Five Steps to Enabling a Mobile Workforce; Vanson Bourne Survey Commissioned by Dell (4)
Mobile Device Management
Mobile Device Management (MDM) is management software that allows corporations to centrally control the policy and configuration of employees’ mobile devices. It helps corporations manage their BYOD program by supporting security, network services, and software and hardware management across multiple mobile device platforms. This allows employees to use personal devices for work-related activities in a much more controlled and secure environment.
Key Functions and Features
General Policy
General policy refers to the enforcement of corporate security policies on mobile devices. Examples of policy restrictions include restricting user and application access to hardware and restricting access to native OS services (e.g. the built-in web browser, calendaring, contacts, etc.). Policy can also control the management of wireless network interfaces; automatically monitor, detect and report policy violations; and limit or prevent access based on the operating system version, vendor model, and whether the device has been rooted or jailbroken.
Data Communication and Storage
Data communication and storage refers to the capability of encrypting data communications between the mobile device and the corporation, and encrypting data on both built-in storage and removable media. There should also be the capability to remotely wipe the mobile device’s data if the device is reported lost or stolen.
User and Device Authentication
It is important to authenticate a user before granting access to corporate resources. This includes basic parameters for password strength and a limit on the number of retries permitted without negative consequences. The control should also be able to automatically lock a mobile device after a period of inactivity.
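The three authentication controls just described (a password strength rule, a retry limit with a consequence, and an idle lock) are easy to get subtly wrong, so the following added example, which is not code from the newsletter or from any MDM product, shows them as a small policy engine. The concrete values (8 characters, 3 character classes, 5 retries, a 10-minute idle lock) and the class and function names are assumptions chosen for the demonstration.

```python
"""Device authentication controls: password strength, retry limit, idle lock.

Added example of the "User and Device Authentication" controls described
above; it is not code from the newsletter or any MDM product. The policy
values (8 characters, 3 character classes, 5 retries, 10-minute idle lock)
are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List
import re


@dataclass
class AuthPolicy:
    min_length: int = 8
    required_classes: int = 3      # out of: lowercase, uppercase, digit, symbol
    max_retries: int = 5           # failures tolerated before the device locks out
    idle_lock_seconds: int = 600   # re-authentication required after this idle time


def password_strength_issues(password: str, policy: AuthPolicy = AuthPolicy()) -> List[str]:
    """Return the policy rules the password violates (an empty list means compliant)."""
    issues: List[str] = []
    if len(password) < policy.min_length:
        issues.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.required_classes:
        issues.append(f"uses {classes} character classes, needs {policy.required_classes}")
    return issues


@dataclass
class DeviceSession:
    """Tracks one device's unlock attempts and activity against the policy."""
    policy: AuthPolicy = field(default_factory=AuthPolicy)
    failed_attempts: int = 0
    locked_out: bool = False
    unlocked: bool = False
    last_activity: float = 0.0     # seconds (e.g. time.time()) of the last user action

    def record_attempt(self, success: bool, now: float) -> str:
        """Apply one unlock attempt; returns 'unlocked', 'retry' or 'locked_out'."""
        if self.locked_out:
            return "locked_out"          # the negative consequence: MDM/admin must reset
        if success:
            self.failed_attempts = 0
            self.unlocked = True
            self.last_activity = now
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_retries:
            self.locked_out = True
            self.unlocked = False
            return "locked_out"
        return "retry"

    def activity(self, now: float) -> None:
        """Record user activity so the idle timer restarts."""
        if self.unlocked:
            self.last_activity = now

    def requires_unlock(self, now: float) -> bool:
        """True when the device is locked, including when the idle period has elapsed."""
        if not self.unlocked:
            return True
        if now - self.last_activity >= self.policy.idle_lock_seconds:
            self.unlocked = False
            return True
        return False
```

Note that the failure counter is reset only by a successful unlock, and that once the retry limit is reached every further attempt, successful or not, is refused until the session is reset by the management side; counting retries without that second rule lets an attacker simply keep guessing.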
Application Management
Some MDM solutions also provide the functionality of controlling the installation and execution of mobile applications. Application control can restrict the permissions (e.g. camera access, location access) assigned to each mobile application, verify digital signatures on applications to ensure that only applications from trusted entities are installed, and verify that code has not been modified.
There are also MDM solutions designed to perform finer-grained mobile application management. They are often referred to as Mobile Application Management (MAM). Besides controlling the installation and execution of mobile applications, MAM manages the entire life cycle of mobile applications.
Case Study
The University of Kent serves more than 16,000 undergraduate and postgraduate students and 2,000 staff. The University provides a Study Bedroom Service (SBS) with nearly 4,000 wired connections to its main campus network to enable students to access email, networked files, course material, library resources, and the Internet using their own devices.
At the start of each term, students now follow a simple, online process to register their devices for access to the campus network.
Source: Bradford Networks Case Study (5)
Virtualization Implementation Strategy
The power of BYOD allows employees to use personal mobile devices to access corporate applications. What if an application does not have a mobile version which can be managed under MDM?
Virtualization is a technological solution which allows IT departments to present corporate applications securely on user devices regardless of the device model. Virtualization can also provide control over data storage and location. For mobile devices such as tablets, virtualization allows existing applications to be delivered to tablet users without the need to wait for the availability of an iOS or Android version of the application.
Considerations when Exploring Virtualization as part of BYOD
The touch screen interface will not be suitable for many Windows applications.
Client-host desktop virtualization is not an option on tablets because they do not have sufficient computing power or memory to run a locally hosted virtual Windows desktop.
Application compatibility can be a problem. Applications that are available for a certain mobile device platform might not be available on others.
Even if the above challenges can be addressed, virtualization to support delivery of corporate applications to mobile devices should be implemented step by step.
It is important to understand that BYOD is not the same as MDM. MDM is only one component of a complete strategy and program for securing personal devices used for business. Corporations are unlikely to succeed in implementing BYOD and achieving all its benefits with MDM alone; they also need a strategy, supporting policies and operational processes.
BYOD Strategy
The first and foremost step is to define the BYOD strategy and its scope of coverage. Part of this strategy can be to implement a stipend program to encourage employees to use their own personal devices for work. Whatever the strategy is, it should be clearly defined, including how to realize the stated objectives and benefits. The corporation should also be clear about whether BYOD will include only personal smartphones, or also tablets or even laptops.
Associated IT policies supporting BYOD should also be defined so that users understand what is deemed acceptable and what is not. If the corporation has sensitive data, it will have to determine whether certain employees are allowed to access and store such sensitive data on their personal devices.
MDM and virtualization should be regarded as the technological enablers for BYOD. A suitable MDM solution, as well as the supporting virtualization technology, should be sourced through careful testing and selection.
Virtualization in Stages
Apigee, an application programming interface platform company in Palo Alto, United States, advised that mobile application deployment be implemented in three phases.
The first is to use virtualization to deliver existing applications to mobile devices. The second takes an existing application and turns it into a cross-platform mobile app. The third decouples the data from the application and picks the appropriate application for the platform or device being used.
Case Study
The University of São Paulo (USP) is the largest Brazilian university, serving over 100,000 students on 11 campuses.
USP deployed Citrix and NetApp technologies to build a university-wide cloud orchestrated by Citrix CloudPlatform. A self-service portal built with Citrix CloudPortal Business Manager provides services to teaching and research sites. XenDesktop powers centrally managed desktops and streamed applications.
Source: Citrix and NetApp Case Study (9)
Important Preparations
Corporations should prepare for the worst and know how to deal with incidents such as employees losing personal mobile devices that have been enrolled in the BYOD program. Moreover, employees may have questions and require technical assistance as part of operational support. All these operational processes should be developed as part of the BYOD implementation strategy. It is also important that security fixes are taken into consideration so that the latest mobile security threats do not compromise the corporation’s IT security.
Implication to University
The business nature and operating environment of universities are different from those of commercial corporations. Universities advocate openness and freedom of knowledge sharing. Also, there are vast numbers of students and staff requiring network and computing access in a university. The turnover of students is very dynamic, with new freshmen arriving and students graduating every year. Universities also have to support many different work arrangements, including full-time staff, part-time staff, visiting scholars, research assistants, etc. Because of all these complicating factors, the way corporations use MDM to control the usage of personal mobile devices may not be entirely applicable to universities.
Nevertheless, BYOD has already been implemented to some extent in university environments. Staff and students are already connecting their personal devices to the campus network, and authentication is required before these personal computing devices are granted access to university IT applications and resources. Facing the current wave of BYOD and the constant stream of security alerts affecting mobile devices, universities will have to look further into tightening the way BYOD is supported.
Case Studies – Adopting Technologies and Implementing Controls
Roanoke College (Va.) uses Apple Mobile Device Manager and Dell’s KBOX to manage institution-owned Apple devices and Dell laptops. These “managers” push out apps that are volume purchased and set up policies and settings on wireless devices for faculty members. IT can also wipe lost, stolen, or infected devices remotely, and students can wipe their own BYOD gadgets through a web page.
New York Law School uses a ForeScout CounterAct NAC appliance to gain visibility into the network and provide mobile security, endpoint compliance (keeping devices clean and up-to-date), and protection against network security threats.
Monthly cost of Company Owned Device
Average USD80/month for a company-owned device
77% able to reduce mobile users using company-owned devices to 60% or less
50% can reduce even further to 20% or less
Source: Good Technology – State of BYOD Report (12)
Define strategy, coverage and policies
Determine data classification and protection
Source for MDM and virtualization solutions
Plan in case of incidents
Revise new technologies
Monitor against OS vulnerability updates
Consult security professionals
IT Security Strategies for Universities
Universities can explore using Network Access Control (NAC) to ensure that mobile devices meet a set of security requirements and IT standards before they are allowed to connect to the network. NAC can scan device operating systems, applications, and security software to ensure they are up-to-date and that the security software has recently run, so that the device is clean. A self-provisioning portal can be set up to ease the burden on the IT department of registering every single device, and also to speed up the process of registering and validating a device, with the additional benefit of maintaining an inventory of devices.
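The NAC checks above, together with the MDM "General Policy" restrictions described earlier on this page (minimum OS version, rooted or jailbroken state, encrypted storage), amount to a posture evaluation that maps each device to a level of network access. The following added example, which is not code from the newsletter, Bradford Networks, ForeScout or any MDM or NAC product, shows such an evaluation end to end: unregistered devices reach only the self-provisioning portal, hard policy violations deny access, a stale security scan sends the device to a remediation-only segment, and compliant devices get campus access. The VLAN numbers, the minimum OS versions, the seven-day scan freshness rule and the sample device records are all constructed for the demonstration.

```python
"""Admission decision for a BYOD device based on its posture record.

Added example (not code from the newsletter, Bradford Networks, ForeScout or
any MDM/NAC product). It combines the MDM "General Policy" checks described
earlier on this page (OS version, rooted or jailbroken state, encryption)
with the NAC flow described above. All VLAN numbers, minimum OS versions
and device records below are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed network segments (constructed values, not from the newsletter).
VLAN_DENIED = 0            # no network access at all
VLAN_REGISTRATION = 100    # reaches only the self-provisioning portal
VLAN_QUARANTINE = 200      # remediation only: update servers, help pages
VLAN_CAMPUS = 300          # full access to university applications

# Assumed minimum OS versions as (major, minor); constructed for the example.
MIN_OS_VERSION = {"ios": (7, 1), "android": (4, 4)}
MAX_SCAN_AGE = timedelta(days=7)   # assumed freshness requirement for security scans


@dataclass
class DevicePosture:
    """What the MDM agent or NAC scan reports about one device."""
    device_id: str
    registered: bool
    os_name: str
    os_version: str                # dotted string such as "7.1.2"
    rooted: bool                   # rooted or jailbroken
    storage_encrypted: bool
    last_security_scan: Optional[date]


def parse_version(text: str) -> Tuple[int, int]:
    """Reduce a dotted version string to (major, minor), padding missing parts with 0."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    parts += [0, 0]
    return parts[0], parts[1]


def admission_decision(p: DevicePosture, today: date) -> Tuple[int, List[str]]:
    """Return (vlan, reasons) for a device.

    Order matters: registration is checked first, then hard policy violations
    (which deny access outright), then freshness of the security scan (which
    only quarantines, because the user can remediate it from the portal).
    """
    if not p.registered:
        return VLAN_REGISTRATION, ["device not registered"]

    violations: List[str] = []
    minimum = MIN_OS_VERSION.get(p.os_name.lower())
    if minimum is None:
        violations.append(f"unsupported platform: {p.os_name}")
    elif parse_version(p.os_version) < minimum:
        violations.append(f"{p.os_name} {p.os_version} is below the minimum "
                          f"{minimum[0]}.{minimum[1]}")
    if p.rooted:
        violations.append("device is rooted or jailbroken")
    if not p.storage_encrypted:
        violations.append("built-in storage is not encrypted")
    if violations:
        return VLAN_DENIED, violations

    if p.last_security_scan is None:
        return VLAN_QUARANTINE, ["no security scan on record"]
    age = today - p.last_security_scan
    if age > MAX_SCAN_AGE:
        return VLAN_QUARANTINE, [f"last security scan is {age.days} days old"]

    return VLAN_CAMPUS, []


# Constructed sample devices for a stand-alone run.
SAMPLE_DEVICES = [
    DevicePosture("tablet-01", False, "iOS", "7.1.2", False, True, date(2014, 7, 1)),
    DevicePosture("phone-02", True, "Android", "4.3", False, True, date(2014, 7, 1)),
    DevicePosture("phone-03", True, "Android", "4.4.2", True, True, date(2014, 7, 1)),
    DevicePosture("tablet-04", True, "iOS", "7.1.2", False, True, date(2014, 6, 10)),
    DevicePosture("tablet-05", True, "iOS", "7.1.2", False, True, date(2014, 7, 1)),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        vlan, why = admission_decision(dev, date(2014, 7, 2))
        print(f"{dev.device_id}: VLAN {vlan} {'; '.join(why) or 'compliant'}")
```

Two design points carry over to a real deployment: every reason is returned rather than just the first one, so the portal can tell the user everything to fix in one pass, and conditions the user cannot fix themselves (a rooted device, an unsupported platform) are separated from those they can (an overdue scan), which is what justifies sending the latter to a remediation segment instead of denying them outright.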
Depending on the need to control security, MDM can still be implemented in phases according to the supported devices and the user community. The first batch of supported devices can be university-issued devices, gradually extending to personal devices. As for the user community, the rollout can initially support full-time staff, then faculty members and non-full-time staff, and eventually the student community.
Conclusion
Mobile devices have become an indispensable component of our personal lives as well as our work lives. Many people are already using personal mobile devices in their work environment to perform work-related activities. The wave of BYOD is becoming so inevitable that corporations have to look into how to support BYOD with the proper implementation of security controls such as MDM and virtualization technology.
Although the work nature of a university is different from that of a commercial corporation, similar controls can be adopted to better govern the usage of personal mobile devices in the university environment.
Case Study
At Ohio State, MDM will allow the university to containerize personal applications so it can wipe a BYOD with user permission, in the event of a virus infection or other security issue.
According to Robinson, York College uses Bradford Networks’ Campus Manager to monitor student devices. It recognizes if they are registered as soon as the browser is opened. Unregistered devices get put on a separate VLAN, where they have access only for registration.
Source: University Business – Device Management Across the Network (13)
References
1. "BYOD Stats: What Business Leaders Need To Know Right Now." Leapfrog Extraordinary IT Services, Mar. 2013. Web. 02 July 2014.
2. "SAMSUNG Mobile Index Reveals BYOD Trend." Samsung Electronics America, Samsung U.S. News, 08 Jan. 2013. Web. 02 July 2014.
3. Jones, Jeff. "BYOD: Is It Good, Bad or Ugly from the User Viewpoint?" Microsoft Security Blog, Microsoft, 26 July 2012. Web. 02 July 2014.
4. A Vanson Bourne Survey Commissioned By Dell. "BYOD: Putting Users First Produces Biggest Gains, Fewest Setbacks." Vanson Bourne. Web.
5. "Bradford Networks' Network Sentry Helps University of Kent Control and Manage Its Student Residence Network." Bradford Networks, University of Kent case study. Web.
6. Souppaya, Murugiah. "NIST Special Publication 800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise." National Institute of Standards and Technology, June 2013. Web.
7. "Mobile Application Management." Wikipedia, Wikimedia Foundation, 18 May 2014. Web.
8. "Embracing Bring Your Own Device (BYOD) by Dell Software." Dell. Web. 02 July 2014.
9. Bowker, Mark. "Desktop Virtualization." White Paper, Enterprise Strategy Group, Oct. 2009. Web.
10. Farbush, James. "Mobile App Virtualization Eases Deployment Headaches for IT." SearchConsumerization, 24 Oct. 2012. Web.
11. Kaspersky Lab. "Global Corporate IT Security Risks: 2013." Kaspersky Lab, May 2013. Web.
12. "Good News: Good Technology’s 2nd Annual S... | Good Community." Recent Posts, Good. Web.
13. Geer, David. "Device Management Across the Network." University Business Magazine, Feb. 2013. Web. 02 July 2014.
Copyright Statement
All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law. A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document is listed below:
[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong