15. Bring Your Own Device (BYOD) Policy
Benjamin Wright
Attorney & SANS Institute Instructor
benjaminwright.us
This is education, not legal advice.
16. Bring Your Own Device (BYOD)
• Rules for employees using own laptop, tablet, smartphone, webmail services for business
• Controversial topic; no perfect policy exists
• See discussions: http://goo.gl/txlCU, http://goo.gl/7bEAQ, http://goo.gl/QX6Uz, http://goo.gl/edSFF
17. Subpoena for Employee’s Home Hard Drive
• Local government employment dispute
• Plaintiff able to subpoena hard drive of manager’s home computer
• Wood v. Town of Warsaw, N.C., No. 7:10-CV-00219-D, 2011 WL 6748797 (E.D.N.C. Dec. 22, 2011)
18. Employer Liability for Security
• Massachusetts 201 CMR 17.00: PII on mobile devices must be encrypted
• Cal SB 1386 - many breach notices because of stolen, unencrypted laptops (e.g. Guin v. Brazos Higher Education)
20. Employer Incentives
• Device and service monitoring
• Data wiping (selective or whole device)
• Encryption
• Confiscation if monitoring identifies device or service as a risk or threat
21. Policy/Agreement Challenges
• Warning employees
• Getting employee consent
• Employee privacy
• Liability for damage to employee data, device or service
22. BYOD Policy – Sample Language
• http://goo.gl/19idt
• Workable policy will come from negotiations among stakeholders
• This language tilts toward needs of employer
23. BYOD Policy
"Employees are informed that when they create electronic records or work product in the course of their work for the Company, the records and work product belong to the Company."
24. BYOD Policy Continued
"When an employee uses his or her own device, such as a computer, a digital tablet or a smartphone, to connect to Company information resources, then the Company reserves the right to take security measures relative to the device, including but not limited to inspect the device and . . ."
25. BYOD Continued
Employees are informed, and employees agree, as follows: If the Company takes control or possession of a Device or Service, or takes security measures relative to it, then:
(a) the Company might not return the Device or Service;
(b) the employee is entitled to no compensation for loss of use, control or possession of the Device or Service;
(c) the Device or Service could be damaged, the employee could lose data and the employee’s data could be disclosed to others. The Company will not be liable or responsible for such damage, loss or disclosure.
26. BYOD Policy Continued
"As a matter of honor and reputation -- but not as a matter of legal liability or obligation – the Company aspires to be forthcoming with employees as a whole about the practical impact of this Policy on employees over time."
27. Blogs:
benjaminwright.us
This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises your organization.
Any person may reuse this material freely.
28. Enforcing your BYOD Mobile Access Policies with Oracle Access Management
Lee Howarth
Senior Principal Product Manager
Oracle
29. Mobile Access Roadmap
• Establish Mobile Access Policies
– Monitor and enforce usage
• Extend Enterprise Access to Mobile Devices
– Integrates native mobile apps, mobile web with corporate systems & information
– Access management, authorizations, API security, and fraud detection
– Device context based fine-grained authorization
• Enable Mobile Device Security Elements
– Support for native security
– Device security – jailbreak detection at login
– Device lifecycle – white-list/blacklist/lost device management
– Device fingerprinting
31. Extend Enterprise Access
Mobile Requirements
• Mobile Security Platform
– Authentication and SSO
– Strong authentication, device fingerprinting and risk-based access
– Mobile SDK
• Internet / Social Integration
• REST/Cloud interfaces
34. Mobile Security Architecture
(Architecture diagram; the four columns as recovered from the slide text)
• Mobile Device: Oracle Native App SDK; Web App; Security App API
• Mobile Interfaces: Access Management Authorization API; Risk-based Authentication; Platform Security Services API (OPSS); User Profile REST Service
• IDM Infrastructure: OAM Service; OAAM Service; OPSS Service; Directory Services
• Features: Device Fingerprinting & Tracking; Device Registration; Lost & Stolen Devices; GPS/WIFI Location Awareness; KBA & OTP; Transactional risk analysis; White & Black Lists; User Self Registration/Self; User Profile Services; White Pages applications
35. Context Aware Access Management
Account Detail Request – Get Account Information: John, Doe, Irvine, CA 92602
Behavioral Patterns:
• Has he accessed between 00:00 – 03:00 in the last two months?
• Has he used this device more than 20% in the last three months?
• Does subject live in same geography as requestor?
• Does he usually perform account lookups?
Valid credentials given from outside network, but already logged in from inside network. Which session is really who we think it is?
37. Detailed Mobile Visibility
• Realtime and historic device and user access attempts and risk scores
• Device characteristics analysis, including OS and SDK versions
39. Oracle Mobile Access Management Summary
• Bridges the gap between mobile devices and enterprise IDM systems
• Provides context-driven, risk-aware access management
• Simplifies developer access to IDM
• Supports BYOD
• Provides visibility and control
(Diagram labels: REST-ful Interfaces, Device Context, Device Registration, Location Data, Single Sign-on, Management)
40. Q&A
If we don’t answer your question during the webcast, we will post a follow up on: http://blogs.oracle.com/oracleidm
Companies managing employee devices cut in half, down from 40% to 21%.
• If you were to authenticate users through location, device, and applications being requested, where does the organization need to touch the device?
• How do organizations apply common fraud controls against these new devices without angering the employees who own their devices?
• And what if the employer needs to locate devices, or wipe sensitive access and data off devices that are infected, lost or stolen?
Internet/Social Integration – Desktop Browser or Mobile – easy add-on to existing OAM
• Local username and password, or social logon (can be user choice)
• Step-up auth and OTP can be applied:
– first time with this device (device registration)
– sensitive application
– high risk score
– user with high level of access to application
• Single sign-on between native applications, and also with mobile browser based applications
Mobile Security – web and mobile app
• Device registration and fingerprint
• Lost & stolen device security
• GPS/WIFI based location awareness
Once secure access is set up, you can enforce mobile access policy:
• Risk analysis to determine whether to allow, flag, challenge or block
• Enforce unjailbroken status, check VPN status
• Detailed reporting on device attributes like OS version, GPS/WIFI geolocation, MAC/IP address
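As an added example (not Oracle's code and not the presenters'), the behavioral questions from slide 35 and the allow/flag/challenge/block decision with its step-up triggers from the notes above, implemented as a risk evaluator over a constructed access history; the signal weights, the 1-hour "session still live" window and the score thresholds are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Signal weights and thresholds are assumptions for this example, not Oracle's.
WEIGHTS = {"new_device": 3, "rare_device": 1, "off_hours_new": 2, "unusual_action": 1,
           "geo_mismatch": 1, "inside_session_active": 3, "no_vpn_outside": 1, "privileged": 2}

def signals(history, req):
    """Risk signals for one request. history: prior events with keys ts, device, action,
    inside; req: the same keys plus geo, subject_geo, jailbroken, vpn, privileged."""
    if req["jailbroken"]:                                   # enforce unjailbroken status
        return {"jailbroken"}
    now, found = req["ts"], set()
    last3m = [e for e in history if now - e["ts"] <= timedelta(days=90)]
    last2m = [e for e in last3m if now - e["ts"] <= timedelta(days=60)]
    if not any(e["device"] == req["device"] for e in history):
        found.add("new_device")                             # first time with this device
    elif last3m and sum(e["device"] == req["device"] for e in last3m) / len(last3m) <= 0.2:
        found.add("rare_device")                            # not >20% of use in 3 months
    if now.hour < 3 and not any(e["ts"].hour < 3 for e in last2m):
        found.add("off_hours_new")                          # no 00:00-03:00 access in 2 months
    if history and sum(e["action"] == req["action"] for e in history) / len(history) < 0.2:
        found.add("unusual_action")                         # does he usually do lookups?
    if req.get("subject_geo") and req["subject_geo"] != req["geo"]:
        found.add("geo_mismatch")                           # subject vs requester geography
    if not req["inside"] and any(e["inside"] and now - e["ts"] <= timedelta(hours=1)
                                 for e in history):
        found.add("inside_session_active")                  # outside login, inside session live
    if not req["inside"] and not req["vpn"]:
        found.add("no_vpn_outside")                         # check VPN status off-network
    if req["privileged"]:
        found.add("privileged")                             # high level of application access
    return found

def decide(found):
    """Map signals to allow / flag / challenge (OTP step-up) / block."""
    score = sum(WEIGHTS.get(s, 0) for s in found)
    if "jailbroken" in found or score > 5:
        return "block"
    return "allow" if score == 0 else "flag" if score <= 2 else "challenge"

# Constructed sample: a user who normally looks up accounts from the office by day,
# now requesting at 01:30 from outside the network on a device never seen before.
T = datetime(2013, 3, 1, 9, 0)
SAMPLE_HISTORY = [{"ts": T - timedelta(days=d), "device": "tablet-1",
                   "action": "account_lookup", "inside": True} for d in range(1, 41)]
SAMPLE_REQUEST = {"ts": T + timedelta(hours=16, minutes=30), "device": "phone-9",
                  "action": "account_lookup", "inside": False, "geo": "Irvine, CA",
                  "subject_geo": "Irvine, CA", "jailbroken": False, "vpn": True,
                  "privileged": False}
```

For the sample request the evaluator raises new_device and off_hours_new, which sums to a "challenge" decision, i.e. the OTP step-up the notes describe for a first login from an unregistered device.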