The BYOD Thread

[geniesis]

Quote:

Originally Posted by MrvNDMrtN

Theres a new challenge now...
Wanting to do presentations via apple tv wireless.

Very true.

I believe wireless vendors are now coming up with some solutions such as bonjour proxying. Aerohive having bonjour gateway and Aruba with AirGroup.

Airgroup looks to have some good promise with the ability for self-reg so users can authorize devices themselves.

So it's possible, but still very new and not all vendors have got it covered yet...AFAIK, Cisco doesn't have something in this area yet. Not to mention having having to upgrade your wireless system if you don't have that respective vendor.

Creating a whole multicast network is something not many network engineers have got great experience with. IGMP,PIM, RP, and other multicast concepts are still very foreign to the average network engineer. It's not something most companies/networks have actually implemented. Let alone attempting to secure the whole thing for BYOD.

[RaZ]

Quote:

Originally Posted by MrvNDMrtN

Theres a new challenge now...

BYOD Apple devices... MBP.. ipad/iphone.. apple tv.

Wanting to do presentations via apple tv wireless.

Think about routing/switching/multicasting/security.. the whole shebang.

currently being trialed in two class rooms... oh not apple TV as such... but using big LCD's around a class room and the teacher can drag a window from a pad to any of the screens, which are of course network connected, I don't know the full setup but it works great Wish I could create an app for it would make killer amounts of cash lol as far as I know when you drag the app to the top of the pad screen you get little box's, colored so you know which screen is which, you drag the window to the box and it puts up on the TV screen. The amount of uses this has not only in teaching but in the private sector... man - I wish I could code!

BYOD to me, is all about letting users, use what ever they like to connect to set resources, BUT, because its BYOD you have to control how they access those resources and also define what resources BYOD can and can-not use. Personal security on each of those devices is up to each owner. Network security and where those BYOD's can get to, again comes down to the usage of those devices and what resources you allow them to use.

Using Citrix to deliver the app by means of either streaming to an xenapp server and then published or by the users connecting to a locked down VDI environment to access both applications and resources such as internet and printing is really not that big of a problem. More so with controlled vlan, and physical switch security splitting the networks, eg: if I want to be on a set subnet, I need to repatch my patch point.

As for wireless security - I am not entirely sure as I am just doing the Citrix side of the project, HP will be designing the wireless network end to end, so I would hope they take AV running wild and people wanting to try hacks in to account

But this solution is all internal - no remote access outside of the building. Trial to one building first, 100% wireless delivery. So yes in a way you could say its offering services to a wild network, but that is why I say above that BYOD needs to have control as to what they can access and what they use it for. Creating a wireless network and having it apart of your normal trusted internal network with no other access controls for those wireless devices, is, IMO, very silly hence all the security concerns talked about here in this thread. I think BYOD works best when they can use remote access services like Citrix gateway or web interface, internally so its fast for set functions and that those functions are well defined.

[millsy_c]

Breaking my 5 month hiatus on ocau to chip in here (You last visited: 10th December 2011 at 3:56 PM)

The way I see it, the issue is that the users want everything. They want total control of their machine, they want to use their own machine, and they want everything cheaper.

Major problem being that they're taking and not giving. If they want to bring in their own machine, concessions need to be made somewhere in order to maintain the companies security.

I still believe VM's are approaching a good balance of security and convenience support wise, the real issue of course is securing the data on the VM. Can you encrypt the contents of a VHD?

Assuming you can, at least then you can expose a lot of your machines resources to the VM

Reading stuff like this makes you wonder though if we're screwed anyway :P

Quote:

Briggs at Deloitte said employers have generally become more savvy about cybersecurity in recent years as they move more operations online, store information in off-site data centers and accommodate a wired workforce. Mobile is simply the latest frontier, he said.

[Chaffe]

Well I will admit I have no experience in IT and will never really need to know any of the stuff mentioned in this thread but I certainly have found it quite an interesting read.

One crazy idea/thought (so feel free to ignore it). What about a dual boot on BYOD devices. The company boot volume and data being completely encrypted and the user not having any administrator rights whilst using the company boot volume. Probably a pain in the ass to setup I'd imagine.

[millsy_c]

Quote:

Originally Posted by Chaffe

Well I will admit I have no experience in IT and will never really need to know any of the stuff mentioned in this thread but I certainly have found it quite an interesting read.

One crazy idea/thought (so feel free to ignore it). What about a dual boot on BYOD devices. The company boot volume and data being completely encrypted and the user not having any administrator rights whilst using the company boot volume. Probably a pain in the ass to setup I'd imagine.

This is the approach I had thought of in the past as getting around it too. You still have the issue of data leakage though, unless you can encrypt hard disks on a partition level.
I.e. customers personal os install gets a virus. User boots into that environment, inputs the key to unlock the hdd and now the virus can go to town.
Also brings up the issue of maintaining SOE's for various machines

Found this interesting:
BYOD: If You Think You're Saving Money, Think Again

[novakain]

Quote:

Originally Posted by IACSecurity

All references I have heard, and been involved with regarding BYOD, is to allow users to do just that, access internal corporate resources with 'things'. Most of those same places I talk with have existing guest networks, and 'client interaction' networks (love that term...) and the BYOD concept for them is expanding the usage/scope of their tablets and personal laptops to allow them to perform 'work' 'work' on them, both in the office, and at home.

This is pretty much the request that would come from the end users. And for some reason, many IT departments seem to interpret this request verbatim. This does not mean that the end solution needs to be exactly what the customer asks for.

As people have already pointed out, and as you are fully aware, such a move is fraught with security risks many organisations would find innacepable if they were fully investigated. Those same organisations, however, would still want to implement a BYOD policy. And for these organisations, simply treating these devices as hostile, setting them up on the guest network, and publishing those apps that users require to do 'work' 'work' in the same way that they are published for remote use via a regular internet connection at hom,e can be a viable solution. All of the security risks may have been addressed by mitigation through technology, work process, or simply by being identified as an acceptable risk based on the company's security policy.

For example, as part of a security policy, data should be assigned a classification level. Each classification level should have clearly idenified data handling methods (how it should be stored, how access to it should be logged etc) If staff in the organisation need to access highly classified data, which is to be accessed only on computers that have no access to the internet, well, those BYOD's that need access this data would need to be locked down and administered in the same manner as corporate computers that access the same data (ie be kept on-site and never connected to the internet). If the users want to use their devices at home to connect to the internet as well, then those BYOD's would need to be treated as devices that are connected to an unfettered internet connection, and as such, would never access that sensitive data.

It all depends on the organisation - there is no cookie-cutter solution here. What is acceptable for one organisation os completely unnaceptable for another. The best thing you can do if you're a big business is have a good security policy in place (and signed off by management!), with effective data management processes attached to it. Idenitfy what management wants BYOD's to do, and implement them based on your security policy. If they insist on doing things with BYOD's that are in breach of your security policy, document it as a breach, and get management to sign off on it as such every time security is audited. It's up to them to determine if it's an acceptable risk or not.