Transcript
Developing and Enforcing a Bring-Your-Own-Device (BYOD) Policy
SANS Analysts: Tony DeLaGrange, Senior Security Consultant, Secure Ideas; Ben Wright, SANS Instructor, Attorney, Technology Law Expert/Author
• How should employers ensure protection of data on lost/stolen devices?
– Wipe sensitive data?
– Wipe entire device?
– Locate the device?
– Lock/Disable the device?
• Device and service monitoring
• Data wiping (selective or whole device)
• Encryption
• Confiscation if monitoring identifies device or service as a risk or threat
Policy/Agreement Challenges
• Warning employees
• Getting employee consent
• Employee privacy
• Liability for damage to employee data, device or service
BYOD Policy – Sample Language
• http://goo.gl/19idt
• Workable policy will come from negotiations among stakeholders
• This language tilts toward needs of employer
"Employees are informed that when they create
electronic records or work product in the course
of their work for the Company, the records and
work product belong to the Company."
BYOD Policy
"When an employee uses his or her own device, such as
a computer, a digital tablet or a smartphone, to connect
to Company information resources, then the Company
reserves the right to take security measures relative to
the device, including but not limited to inspect the device
and . . ."
BYOD Policy Continued
Employees are informed, and employees agree, as follows: If the Company
takes control or possession of a Device or Service, or takes security
measures relative to it, then:
(a) the Company might not return the Device or Service;
(b) the employee is entitled to no compensation for loss of use, control or
possession of the Device or Service;
(c) the Device or Service could be damaged, the employee could lose data
and the employee’s data could be disclosed to others. The Company will not
be liable or responsible for such damage, loss or disclosure.
BYOD Continued
"As a matter of honor and reputation -- but not as a
matter of legal liability or obligation – the Company
aspires to be forthcoming with employees as a whole
about the practical impact of this Policy on employees
over time."
BYOD Policy Continued
Blogs: benjaminwright.us
This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises your organization.
Any person may reuse this material freely.
Enforcing your BYOD Mobile Access Policies
with Oracle Access Management
Lee Howarth, Senior Principal Product Manager, Oracle
• Establish Mobile Access Policies
– Monitor and Enforce usage
• Extend Enterprise Access to Mobile Devices
– Integrates native mobile apps, mobile web with corporate systems & information
– Access management, authorizations, API security, and fraud detection
– Device context based fine-grained authorization
• Enable Mobile Device Security Elements
– Support for native security
– Device security – jailbreak detection at login
– Device lifecycle – white-list/blacklist/lost device management
– Device fingerprinting
Mobile Access Roadmap
Mobile device connection methods
• The native web browser on the device
• Native mobile device clients acting as a web browser
• Native mobile device clients connecting to gateways or applications
(Diagram: Mobile Device – Mobile Interfaces – IDM Infrastructure Features, connected through APIs; components shown: User Self Registration/Self Service, OPSS Service, White & Black Lists)
Context Aware Access Management
(Diagram) Account Detail Request – Get Account Information: John, Doe, Irvine, CA 92602
Behavioral Patterns:
• Has he accessed between 00:00 – 03:00 in the last two months?
• Has he used this device more than 20% in the last three months?
• Does subject live in same geography as requestor?
• Does he usually perform account lookups?
Valid credentials given from outside network, but already logged in from inside network. Which session is really who we think it is?
Mobile Authorization & Data Redaction
(Diagram) HTTP / REST / SOAP / OAuth clients send a Request to the Customer Service through Oracle Enterprise Gateway. Customer Service operations:
- getCustomerDetail
- updateCustomer
- deleteCustomer…
The gateway asks Oracle Entitlements Server for a decision on the request context:
isAuthorized(user = Bob Doe, Acme Corp
  Device = iOS 5.0, non-registered
  Location = 37.53043790,-122.26648800
  customerId = 99999
  action = getCustomerDetail)
Response returned to the client, with sensitive fields redacted:
{ "CustomerDetailResponse":
  { "customerID": "99999",
    "name": "Sally Smith",
    "phone": "555-1234567",
    "SSN": "***********",
    "creditCardNo": "@^*%&@$#%!",
    "purchaseHistory": "…"
  }
}
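The two slides above (behavioral-pattern questions, then an authorization decision that redacts the response) describe one decision flow: score the request context against the user's baseline, then allow, allow with redaction, or deny. The following Python is an added illustration of that flow and is not Oracle's code, API or product behaviour; the point values, thresholds, field names and the sample history are assumptions chosen for the example.

```python
"""Context-aware authorization with response redaction (added illustration,
not Oracle Entitlements Server logic). All scores and thresholds are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DENY_THRESHOLD = 60          # assumed: at or above this, refuse the request
REDACT_THRESHOLD = 20        # assumed: at or above this, strip sensitive fields
SENSITIVE_FIELDS = ("SSN", "creditCardNo")
DESTRUCTIVE_ACTIONS = {"updateCustomer", "deleteCustomer"}


@dataclass
class AccessRequest:
    user: str
    device_os: str
    device_registered: bool      # known device fingerprint?
    hour_of_day: int             # local hour the request arrived (0-23)
    region: str                  # coarse geography of the requester
    action: str                  # operation on the Customer Service
    customer_id: str


@dataclass
class UserHistory:
    """Behavioural baseline for the user (constructed sample data)."""
    night_access_last_two_months: bool
    device_share_last_three_months: float   # fraction of logins from this device
    home_region: str
    usual_actions: List[str]
    active_internal_session: bool           # already logged in from inside


def risk_score(req: AccessRequest, hist: UserHistory) -> int:
    """Add points for each signal that departs from the user's baseline."""
    score = 0
    if not req.device_registered:
        score += 25   # unregistered device
    if 0 <= req.hour_of_day < 3 and not hist.night_access_last_two_months:
        score += 15   # first 00:00-03:00 access in two months
    if hist.device_share_last_three_months < 0.20:
        score += 10   # device used less than 20% of the time
    if req.region != hist.home_region:
        score += 20   # requester not in the subject's geography
    if req.action not in hist.usual_actions:
        score += 10   # operation this user does not usually perform
    if hist.active_internal_session:
        score += 30   # second session from outside while one is active inside
    return score


def decide(req: AccessRequest, hist: UserHistory) -> str:
    """Map the score to allow / allow_redacted / deny."""
    score = risk_score(req, hist)
    if score >= DENY_THRESHOLD:
        return "deny"
    if req.action in DESTRUCTIVE_ACTIONS and score >= REDACT_THRESHOLD:
        return "deny"            # there is no "redacted" form of a delete
    if score >= REDACT_THRESHOLD:
        return "allow_redacted"
    return "allow"


def redact(response: Dict, decision: str) -> Dict:
    """Mask sensitive fields for medium-risk callers; drop the body on deny."""
    if decision == "deny":
        return {"error": "not authorized"}
    out = dict(response)
    if decision == "allow_redacted":
        for name in SENSITIVE_FIELDS:
            if name in out:
                out[name] = "*" * len(str(out[name]))
    return out


def handle(req: AccessRequest, hist: UserHistory, backend: Dict) -> Tuple[str, Dict]:
    """What a gateway would do: decide, then filter the backend response."""
    decision = decide(req, hist)
    return decision, redact(backend, decision)


# Constructed backend response, mirroring the fields on the slide.
SAMPLE_RESPONSE = {
    "customerID": "99999", "name": "Sally Smith", "phone": "555-1234567",
    "SSN": "123-45-6789", "creditCardNo": "4111111111111111",
    "purchaseHistory": "...",
}

if __name__ == "__main__":
    req = AccessRequest("Bob Doe", "iOS 5.0", False, 14, "CA", "getCustomerDetail", "99999")
    hist = UserHistory(False, 0.05, "CA", ["getCustomerDetail"], False)
    print(handle(req, hist, SAMPLE_RESPONSE))
```

Running it reproduces the slide's case: an unregistered iOS device doing a routine lookup from the expected region scores 35, so the lookup is allowed but the SSN and card number come back masked; the same device attempting deleteCustomer is refused outright.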
Detailed Mobile Visibility
Realtime and historic device and user access attempts and risk scores
Device characteristics analysis, including OS and SDK versions
Oracle Mobile Access Technology
• Oracle Enterprise Gateway
– Enables Mobile Application REST APIs and protects APIs, web services, and SOA infrastructure from external threats and invalid / suspicious requests
– Extends Access Management with authentication, authorization, audit to REST APIs, web services
• Oracle Access Management Suite+
– Mobile Identity and Access
– Authentication, Registration, and User Profile Services for Mobile
– Last mile security for an organization's backend web services and SOA infrastructure
– Device Fingerprinting and Registration Database
– Risk-Based Authentication that Factors Mobile Context
– Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context
– Externalize Authorization Policies from Application Code