At RSA Europe 2010, Ron Lapedis and Michael F. Angelo did a presentation on Consumerization, titled: "Bring Your Own Computer to Work – What Now?". The presentation covered Consumerization issues as embodied with the use of non-corporate owned computers in the corporate environment. With this in mind, they discussed the potential bleed out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC
5. What Is Consumerization? Changing the Face of Work Consumer-based Social Media for advertising Consumer-based Financial Services for accounts receivable Use of consumer or Free Software for sustaining corporate infrastructure And… What we are going to focus on: Use of personal equipment in the corporate environment 5
9. How It Happens Don’t want to use your Pentium III with 256mb RAM & 60gb HD Don’t want to use your OS Don’t want to use IE6 Don’t want to use your software tools Don’t want to be locked down 9
10. What is your policy? Secretive Ignored Unofficially Supported Officially Supported Subsidized 10
24. Organizational impact - ownership Logins Personal login information on corporate machine Social Networks / Professional Associations Corporate login information on personal machine VPN Configuration User IDs and passwords stored in browsers Software Ownership Personal software Restricted use licenses Corporate software on home equipment 13
25. Organizational impact - legal Issues Legislated Privacy EU data protection act USA HIPAA, SOX, GLBA Country, state/province, local (e.g. CA SB 1386) More laws pending Cross contamination Corporate backup includes personal information Personal backup includes corporate information 14
26. Organizational impact - Security Information Leakage Family & friends Device Loss Virus Personal email – Spear Fishing Increased Exposure to Threats Surfing at Home <> Surfing at Work Torrents 15
27. Organizational impact - Non Obvious Issues Acceptable use policies How to apply to personal machines? Out processing of individuals How do you know organizational data is removed from the employee machine? Software PST files Passwords / wireless / VPN Access Residual data Employee / corporate backups 16
29. Action to take today Is it already there? Run, don’t walk to your legal staff Decide if you will allow Consumerization Don’t wait for it to happen and then rush to formulate policy and procedures Decision must explicitly include all possible components Decision must be extended as new technology becomes available 18
30. Action today - Define policies Balance: Corporate vs Employee vs Customer Corporate: Must comply with laws Must maintain fiduciary responsibility Must not expose corporate assets At a minimum should address Employee responsibility Acceptable use Protection of assets 19
31. Action today - Incident response plan Even with Policies & Procedures accidents can happen… Need incident response plan 20
33. Action today Security 101: Keep secret stuff separate from non–secret stuff Keep corporate stuff separate from personal stuff Separate personal and corporate identities Compartmentalize the environments to reduce the risk of accidents. 22
34. Action today - Compartmentalization Application isolation Separate user accounts Virtual Desktop Infrastructure (VDI) Hypervisor on PC OS or Hypervisor on USB drive Windows-on-a-stick PC-in-my-pocket 23
35. Action today - Separate user accounts Work and Personal Mac, PC, or Linux Fast user switching Separate Context Subject to worms and viruses Can share information via common file system App App App App User 1 User 2 Host OS Computer Separate Users 24
37. Action today - Type 2 hypervisor Aka Hosted Hypervisor Still subject to worms and viruses Harder to accidentally share informationbut cross-contamination still possible Apps HostedOS Hypervisor Apps Host OS Computer Type 2 Hypervisor 26
38. Action not-quite-today - Type 1 hypervisor Aka Native Hypervisor Almost impossible to share information Only common attack is hypervisor itself Each OS can be attacked separately App App App App OS 1 OS 2 Hypervisor Computer Type 1 Hypervisor 27
39. Action Today - Type 2 portable hypervisor App App App File File File Hosted (Type 2) VM Running PC loads hypervisor from device OS from device and OS from host HD completely separated Does not prevent attack via ‘host’ OS Does not protect the information if device is lost Does not stop access after employment OS Partition Operating System Hypervisor User Settings 28
40. Action today - Virtualized OS-on-a-stick Encrypted OS Partition Operating System User Settings App App App File File File On-board cryptography authenticates and protects Boots OS from device, loads hypervisor, then loads hosted OS Host provides mouse, keyboard, RAM Encryption can protect information if device is lost Limited to OS on device Management system can block device when employee leaves Boot Partition OS + Virtual Machine 29
41. Action today - Native OS-on-a-stick Encrypted OS Partition Operating System User Settings App App App File File File On-board cryptography authenticates and protects Boots OS directly from device Host provides mouse, keyboard, RAM Encryption can protect information if device is lost Limited to OS on device Management system can block device when employee leaves Boot Partition Boot Loader 30
42. Native versus hypervisor Applications Hypervisor Applications PC Hardware PC Hardware Virtualized OS Native OS Note the additional overhead and larger attack surface of a hypervisor-based approach since two operating systems are required. It will be noticeably slower and possibly less secure. 31
43. Action tomorrow - Native OS-on-a-stick + TPM Encrypted OS Partition Operating System User Settings App App App File File File Provides a mechanism to generate and measure system characteristics upon which a security decision can be made. In almost all commercial grade computers For more info see: the Trusted Computing Group www.trustedcomputinggroup.org Boot Partition Secure Boot Loader 32
44. Action tomorrow: Native OS-on-a-stick + TPM Can also be used to ‘seal’ information to a snapshot A snapshot consists of information relevant to defining an identity or entity Information can not be ‘unsealed’ if any element used to ‘seal’ is not an exact match or available. 33
46. Summary Immediately Consult with legal dept Review current information ownership / protection policies and make appropriate changes Put Consumerization policies in place Separate user accounts 35
47. Summary Longer Term Legal policies and procedures Enforce them! Technical policies and procedures Apply, rinse, repeat Technical Tools Isolate applications, virtualization 36
48. Thank You Michael F. Angelo NetIQ Corporation 1233 West Loop South, Ste 810 Houston, TX 77027 angelom@netiq.com Ron LaPedis SPYRUS, Inc. 1860 Hartog Dr. San Jose, CA 95131 rlapedis@spyrus.com
Notas do Editor
WinMo and Blackberry not listed because they are considered to be corporate devices.Why?At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department.Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results.At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space.And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranetWinMo and Blackberry not listed because they are considered to be corporate devices.Why?At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department.Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results.At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space.And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranet
Gartner says 10% are primary system
After waiting 30 minutes for a ten year old work Pentium PC to boot Windows 98 we can see how the concept of a shiny new notebook you can call your own would be appealing
68% of SMB IT managers say their departments provide technical support for personal devices, including smartphones and computers.
ConfigurationBIOSDocuments & SettingsFirewall / Anti-Virus / Anti-malwareWireless networksVPN
Why?At the office, you've got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department.Searching your company's internal Web site feels like being teleported back to the pre-Google era of irrelevant search results.At home, though, you zip into the 21st century. You've got a slick, late-model computer and an email account with seemingly inexhaustible storage space.And while Web search engines don't always figure out exactly what you're looking for, they're practically clairvoyant compared with your company intranet
Things that you might do at home might get you in trouble when you put your corporate information at risk by doing them …
Various laws protect customer dataEmployee must protect assets whether physical or informational. Protect devices, encrypt HD, remove HD if needed.
Paging file could be a leakage point. Keylogger
Virus on hosted OS can only take out the hosted OS, but virus on host OS can take out both.
Virus on hosted OS can only take out the hosted OS, but virus on host OS can take out both.
BIOS protections…
So VM can be modified while running through rogue / compromised environment.
So VM can be modified while running through rogue / compromised environment.
So VM can be modified while running through rogue / compromised environment.