
BYOD Security Maintaining a Secure Infrastructure

Friday 15th March 2013

Paul Whitton

▶ Senior IT Security Specialist within ESISS
▶ TigerScheme and Crest accredited.
▶ Been working at Loughborough University since 2001 in a variety of teams:
▶ Labs
▶ Staff Desktop
▶ Systems Services
▶ Networks and Security
▶ Now ESISS

About ESISS

▶ ESISS is the Education Shared Information Security Service.

▶ A collaboration with the eight universities within the East Midlands region.

▶ A genuine requirement for a shared security service was identified.

▶ HEFCE pump primed for first year.

▶ Launched in August 2009, now used by over 50 UK institutions and growing.

About the ESISS team

▶ Contract awarded to Loughborough University.

▶ Dedicated team providing the services.

▶ Information Security Assurance: CISSP, Tiger Scheme QSTM, CCNP, CCSP, Crest Registered Tester, etc.

▶ Trusted Introducer Accredited procedures

BYOD Challenges

▶ Technical Challenges

▶ Security Considerations

▶ Legal Issues

Technical Challenges

▶ Which device types/operating systems are allowed

▶ What apps may be installed and used
▶ What IT systems may be accessed
▶ How data is stored on the device
▶ How data is transferred to/from the device
▶ Blurring of business and personal use

Security considerations

▶ Data privacy - personal and corporate data on the same device. This works both ways.

▶ Data privacy/remote wipe for lost/stolen devices
▶ What to do if the person who owns the device leaves the company.
▶ Copyright infringement from the device.

How to address these issues

What the Data Protection Act 1998 says:

▶ Appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.

▶ All of the previously mentioned issues can be mitigated to some extent with a suitable, effective BYOD policy.

Designing a BYOD Policy

Must meet the needs of both IT and employees

E.g.:

▶ Secure corporate data
▶ Minimise cost to implement and enforce
▶ Preserve user experience
▶ Keep up with user technology and preferences.

What to consider

▶ JANET AUP already covers a fair amount of the responsibilities

▶ There may be a need to create a social media policy
▶ Regular checks for compliance.

Device settings

Best practice indicated by Gartner and elsewhere suggests that supported devices should be able to provide:

▶ Device lock code
▶ Automatic device lock on idle
▶ Remote device wipe function
▶ Device data encryption

Mobile Device Management

▶ Investigate remote locate and wipe facilities
▶ Appropriate process to remove rights to lost/stolen devices.
▶ Approved devices only
▶ Educate users about untrusted apps and data protection
▶ Segregation of corporate and personal data (Mobile Application Management)

Exchange ActiveSync Policy

▶ Exchange allows admins to define a policy for any clients connecting.

▶ This can include remote wipe, enforce encryption, etc.
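As an added worked example (not from the ESISS slides), here is the ActiveSync policy described above expressed in the Exchange 2010 Management Shell, enforcing the four device settings recommended earlier and covering the lost-device and leaver cases. The policy name "BYOD-Baseline", the mailbox "alice" and the device match are placeholder values.

```powershell
# Added example, not from the ESISS slides. Assumes the Exchange 2010 Management
# Shell; "BYOD-Baseline", "alice" and the device selection are placeholder values.

# 1. Define a policy implementing the "Device settings" recommendations:
#    lock code, automatic lock on idle, remote wipe, device data encryption.
$policy = @{
    Name                            = "BYOD-Baseline"
    DevicePasswordEnabled           = $true        # device lock code required
    AllowSimpleDevicePassword       = $false       # reject 1234 / 1111 style codes
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00"   # auto-lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts = 10           # local wipe after 10 wrong codes
    RequireDeviceEncryption         = $true        # device data encryption
    AllowNonProvisionableDevices    = $false       # refuse clients that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Apply it to a mailbox (pipe Get-Mailbox into Set-CASMailbox for a whole group).
Set-CASMailbox -Identity "alice" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Audit: which devices sync this mailbox, and has the policy actually been applied?
Get-ActiveSyncDeviceStatistics -Mailbox "alice" |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Lost/stolen device: issue a remote wipe, then check DeviceWipeAckTime in the
#    statistics once the device next connects. Select the device from step 3's output.
$device = Get-ActiveSyncDeviceStatistics -Mailbox "alice" |
    Where-Object { $_.DeviceModel -eq "iPhone" }   # placeholder match
Clear-ActiveSyncDevice -Identity $device.Identity -Confirm:$false

# 5. Owner has left the organisation: stop further synchronisation for the mailbox.
Set-CASMailbox -Identity "alice" -ActiveSyncEnabled $false
```

A wipe issued this way erases the whole device, personal data included, which is the "works both ways" privacy point raised under Security considerations and something the BYOD policy should state up front.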

Virtual Desktop/Thin Client

▶ Some places are implementing virtual desktop infrastructure.

▶ This allows BYOD clients to access a normal corporate desktop by running an application

▶ Segregates corporate data from the BYOD device

Type of Network Access

▶ Clients are typically wireless devices.

▶ Users expect to be able to just turn wireless on and have it work with minimal or no configuration

Wireless Access and Auditing

▶ eduroam

▶ Captive portal style wireless networks.

▶ Consideration for BYOD network access to main network.

eduroam

▶ Based on 802.1X standard and a hierarchy of RADIUS proxy servers.

▶ Role of the RADIUS hierarchy is to forward the users' credentials to the users' home institution, where they can be verified and validated.

▶ Can allow visitors from participating sites to use your wireless/wired networks, but segregate them from your main network and vice versa.

eduroam

Pros:

▶ Secure wireless configuration.
▶ Device only needs to be configured once for all sites.
▶ Supports wireless and wired.
▶ Internationally available.

Cons:

▶ May be complicated to set up/configure/maintain for small FE sites with few network staff.

Typical open guest network

Open guest network

Pros:

▶ Easy to set up/maintain.

Cons:

▶ Users can see other people's traffic. (Mitigated to an extent by forcing the use of an SSL web proxy.)
▶ Requires users to configure their wireless settings for each site they visit.

Any Questions?

Thank you for listening

[email protected]

https://www.esiss.ac.uk/