PEM: Subscriber-Aware Policy and Why Every Large Network Needs One
Previous post “PEM: Key Component of the Next Generation University Network” provided a high-level overview of several Policy Enforcement Manager features which help K-12 Schools, Colleges and Universities transform their Networks into agile, user-focused “Data Delivery Fabrics” which redefine the way Educational Institutions provide data connectivity services to students, faculty, staff, and guests. As with all networks, schools provide access to internal resources as well as the Internet. Typically, internal network (LAN) traffic is not a major concern for network admins (although at some point WiFi saturation prompts infrastructure expansion), but Internet link saturation is a much more common and serious issue. Since any expansion of Internet access is associated with increased ongoing operating expense (opex) and, in many cases, infrastructure expansion resulting in upfront capital expense (capex). Even when an institution can afford a larger ISP link, regional Internet service providers (ISPs) may not offer the required bandwidth, or the ISP lacks sufficient infrastructure to support and/or provide increased bandwidth resources. Nobody likes slow Internet. From myriad apps constantly pulling data in the background to the always-connected lifestyle of millennial students, the need for a fast, reliable, and low-latency connection is now more critical than ever. In the environment with limited resources, such as a school’s ISP link, it is critical to have the ability to control and distribute these resources according to priorities which maximize user’s experience while still providing a healthy mix of QoS for different types of traffic. F5’s Policy Enforcement Manager (PEM) has a number of facilities to enable schools to achieve the optimal balance between performance and traffic priority. Policies, bandwidth controllers, traffic intelligence categories, and presets are among those facilities. Today we will talk about the core PEM functionality - Enforcementpolicies. There are 3 main types of PEM Enforcement policies: Pic 1. PEM Enforcement policy types Global Policy: Applied to all users: known and unknown Subscriber Policy: Applied to known users: provisioned statically or discovered via DHCP, Radius or Access Profiles & iRules Unknown Subscriber Policy: Applied to unknown users PEM uses various subscriber discovery methods which usually differ by implementation. RADIUS and DHCP “sniffing” are among the configurable discovery methods. When PEM sees traffic, it checks whether the source IP address belongs to any known user (previously-discovered subscriber). If the user is known, traffic is classified and appropriate action is taken according to Subscriber Policy of that user. However, if the source IP address is not known to PEM, the Unknown Subscriber Policy is used until that user is discovered. Global Policy is applied to all users and may contain high-level rules applicable to all users in the network (e.g. blocking of malicious URLs, suppression of certain P2P applications, etc.). Pic 2. PEM Policies example Each user can be assigned a Subscriber Policy, and as long as the user is known to PEM, all traffic associated with that user will be analyzed and given priorities according to the policy rules. Among other functions, rules are used to provide application visibility by categorizing both encrypted and unencrypted traffic into categories. URL filtering and blocking actions are also provisioned using PEM Policy rules. PEM can associate a rule with the traffic using any of the following: Classification URL category Flow Custom Classification Pic 3. Policy rule Classification example The Classification tab in enforcement policy rules has a flexible definition to match an Application or Category from the extensive list provided in drop-down menu. PEM uses signatures to detect the applications. These signatures are updated periodically by F5 and PEM can be configured to check for Signature updates automatically Daily, Weekly or Monthly. Matching criteria can provide a positive or negative matching, allowing for granular actions like QoS/bandwidth control, reporting or TCP optimization to be applied to various classified traffic types. URL category Pic 4. URL categories and URLDB URLs can be categorized according to pre-defined or custom definitions. PEM can also use external URLDB/Feed list which makes it easy to extend pre-defined Categories list and maintain central reference for Categorized URLs. URLDB is a CSV file that contains website URL and associated category ID Pic 5. Custom URLDB content example Flow PEM can use flow information as a condition to apply an enforcement policy rule. There are various types of flow-specific properties that can be configured as a matching condition: DSCP Value, Protocol, IP Type, Source/Destination Address/Port, VLAN, etc. Pic 6. Flow condition rule example Like any other BIG-IP module, PEM functionality can be extended and customized using iRules.Custom tab allows user to configure a specific condition not covered by built-in PEM functionality. As always, iRules are a powerful and flexible way to extend platform functionality. Please refer to DevCentraliRules API Wiki for PEM-specific iRules syntax. Enforcement policy rules are defined to perform a specific action within policy: limit bandwidth, close the “Gate” (block the traffic), redirect, insert HTML content, log messages etc. Some items may only be applicable to service providers - i.e. Application reporting and Rating Groups, therefore we will focus on configuration items that will be most commonly used by Education network admins. Reporting: usage, QoE, TCP Analytics Gate Status Forwarding Modify Header Insert Content QoS TCP Optimization Congestion Detection Custom Action (iRule) Rather than describing each feature separately, let’s consider a few common use cases for these rules. For example, we can create 2 rules that block all traffic classified as “Phishing and other Frauds” by assigning a Gate Status “Disabled” and limit the bandwidth of Skype to 10Mbps max system-wide and 1Mbps max per user. The Classification rule will look similar to: Pic 7. Flow condition rule example Bandwidth limiting rule uses Bandwidth controllers within QoS section: The resulting Enforcement Policy will protect users from phishing and other fraudulent sites while limiting the bandwidth of Skype (including Video calls) to 1Mbps per user (and 10 Mbps total allocated for Skype application traffic). Flexible, user-aware classifications and a variety of traffic actions can be taken by individual rules to create the intelligent environment of flexible micro-granular control. This approach balances apps and services by both speed and priority, protects users (on-campus and remote students, staff, and visitors) from fraudulent and malicious activities and enhances overall quality of user experience by optimizing TCP and pacing video by preventing congestion on the ISP link. Institutions of any size can immediately start enjoying the incredible benefits that come with introduction of PEM Policies into their network. F5 engineers are available to make every project a success, helping customers from inception to a successful deployment. Next, we will dive into how PEM can save ISP link bandwidth by forcing streaming video to fallback to lower resolution while supporting the encrypted QUIC protocol. Stay tuned!
ASM TMOS v13 Enforcement Readiness menu missing
In versions v11-v12 there was a nice feature called Enforcement Readiness under Security -> Application Security -> Policy Building which allowed me to enforce all ready entities at one time. In v13 this menu is missing, I believe that it has been moved somewhere but I can't find it. I have over 3000 signatures to enforce but under Security -> Application Security -> Attack Signatures I'm able to enforce only a few at a time.PEM: Key Component of the Next Generation University Network
In recent years, higher education institutions have become significant providers of digital services and content, ranging from mesh WiFi access to virtual-classroom services featuring high-bandwidth real-time collaboration experiences for on-campus and remote students alike. In fact, many Universities’ IT networks have become so large, they now compete with some regional Service Providers based on the amount of data they process and route within their IT infrastructure. Students, classrooms, staff, and guests all need to have reliable access to Campus LAN and Internet services simultaneously. However, with growing number of consumers, internal and outbound routes can become quickly saturated and oversubscribed, resulting in slow response times and degraded performance of the entire university network. To prevent chaos and limit data-hungry devices from clogging up data links, Universities have begun to employ certain services usually found in Service Provider (SP) networks. In particular, Policy and Charging Control (PCC) elements that: Are subscriber - aware Assign QoS to applications and services Perform application layer data inspection Enforce subscriber and application policies Ensure compliance with State and Federal laws Prevent access to inappropriate content Provide visibility and reporting So, how does the modern University achieve this without having to build a full-blown Evolved Packet Core inside their IT Network? Some have implemented the list in parts using different network elements, but this approach offers limited centralized visibility and/or traffic control, while others use the aging Cisco SCE, which will be End-of-Life on September 30th of 2018. The most progressive University IT teams quickly realized the benefits of having a subscriber-aware policy enforcement device, and turned to F5 Policy Enforcement Manager(PEM) as a full and integral solution that optimizes network resources and allows for optimal channel utilization, ultimately leading to improved user experience and substantial financial savings for Universities due to much more efficient use of available bandwidth. Pic 1. F5 Policy Enforcement Manager Any school or other organization which implemented PEM in their network can achieve a “subscriber” (in SP terms) or end-user (in enterprise terms) granularity. That means every user connecting to the School or University network can be assigned a Policy with certain rules which dictate how this user will be treated by the network. For example, some students may be given a preferential access to certain network resources and applications while faculty members may have an unrestricted Internet access with higher priority during classes and post-class activities. By categorizing users and applications network can achieve better utilization, ensure fair resource consumption and provide the best experience for all users Pic 2. Per-Subscriber Policy In addition to subscribers, PEM also implements a “per-application” concept. It provides the most comprehensive and agile configuration of policies when combined with subscriber and global policy scopes. This capability enables the University to limit or block certain application types - i.e. P2P Torrent traffic, various messengers, or social networks. Pic 3. Per-Application Policy SSL Visibility is a crucial part of Network monitoring and content filtering in Public Networks. By terminating the SSL (or TLS) connection from users and establishing new SSL connection to application servers, PEM makes it possible to perform: SNI analysis and classification Traffic content inspection and manipulation Detailed reporting and data visualization Pic 4. SSL Forward Proxy URL Classification and Filtering is another important aspect of managing IT network in Schools or Universities. Age-appropriate content must be enforced for students and other users, while maintaining the up-to-date list of blacklisted and malicious websites. PEM utilizes a Webroot-provided DB for precise URL categorization. With more than 80 URL categories available including live updates and custom categories, URL classification and enforcement becomes an effortless and efficient automatic routine. PEM also enables custom HTML content insertion into HTTP traffic, which can be used to warn users about a potentially harmful website or blocked internet resource by URL Filtering engine. Pic 5. URL Classification and Enforcement Schools can also realize significant savings on bandwidth by using Policy Enforcement Manager’s Video Pacing feature. PEM ensures that video content is pre-loaded at the same or similar pace as consumed by the user. By doing so it eliminates wasted bandwidth and traffic spikes that are produced by multiple users accessing video resources at the same time. Without video pacing, video pre-loading is triggered when a user starts watching content, making entire length of content available for viewing. Sometimes users stop watching the content before the end of video file, effectively throwing out unconsumed portion of pre-loaded video. PEM ensures that no unnecessary content is pre-loaded, so that no bandwidth is wasted. Pic 6. Video Pre-loaded, no pacing used Pic 7. PEM uses video pacing Network Visibility and Reporting plays a significant role in the Network Management domain. By knowing exactly what is happening in near real-time, Network Administrators are empowered to identify violations and fix issues before they impact other users in school network. PEM provides both on-the-box analytics and exported data to be used for reporting and visualization using third party tools. Pic 8. Data export options Policy Enforcement Manager enables Schools or Universities to implement alternative, Service Provider-oriented network architectures delivering: More granular control and visibility Optimized user experience Savings on Internet Services. Next in this series, we will be diving into deeper detail on how Universities can best leverage the various features of PEM covered here. Stay tuned!
Some questions about ASM module from a beginner
Hello Everyone, My company recently bought some ASM licences for our F5 Big IP and i'm in charge of defining the security policies but I have no experience in it so far and a read only account so it's pretty hard to run some tests and that's why i have some questions for you: 1/What's the difference between Transparent and blocking in Enforcement mod and what suits the most with both of them in signature set (learn/alarm/block)? 2/What does "staging signature" means? What if i dont set a signature set, what does the policy block? 3/ What's the difference between Block in policy (enforcement mod) and block in signature set option? Also correct me if i'm wrong but learn allows me to use the "manual traffic learning" option to see which threats the policy has detected and alarm is a log system-like? 4/What happen if i activate both block option? 5/Scenario that would be much alike what i will do to deploy my policies: I want to observe which threats and who are doing them on my VS already in production before deciding what to block, what would be the best configuration: Transparent as "enforcement mod", "attack signatures configuration" in learn/alarm mod with and ERP of let's say 30 days or something else? After finishing my analyzes, where can i see what have been signaled by the signatures and where can i decide if i block then or not. 8/What happen once the ERP is over? Do I have to change the enforcement mod once the analyse is over (Transparent ->blocking for exemple). Will my policy keep checking if new threat will be detected? I know it's a lot of questions to answer but i have no one else to turn to so thank you very much in advance. Regards,In 5 Minutes or Less: BIG-IP ASM & Cenzic Scanner
I show you in this special extended edition of In 5 Minutes or Less, how BIG-IP ASM is integrated with Cenzic Hailstorm Scanner for complete website protection. From vulnerability checking to detection to remediation, With a few clicks, you can instantly patch vulnerabilities. ps Resources: BIG-IP Application Security Manager F5 and Cenzic partnership In 5 Minutes or Less Series (22 videos – over 2 hours of In 5 Fun) F5 YouTube ChannelBYOD Policies – More than an IT Issue Part 4: User Experience and Privacy
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device Choice, Economics, User Experience & Privacy and a trust Model. Today we look at User Experience & Privacy. User Experience and Privacy Most application deployments have the user experience in mind and BYOD is no different. Employees want and need fast and secure access to the right resources, at the right time to accomplish their job. BYOD only enhances or increases the need for a rich user experience. Understand how the policy impacts user experience including battery life. Some apps can drain battery life quickly, which in turn decreases user satisfaction and can potentially limit their interactions. There may be instances where the user has chosen a third-party email application verses either the native email client or one that's supported by corporate. Certainly a dilemma but as stated earlier, a policy should state what's allowed and not allowed. MDM technology is also improving to the point that Secure apps like a browser, email client and other resources are secured on the client device. A user can still use their email client of choice for personal use but work email is delivered through the secure email client. While user experience can contribute to the happiness and productivity of the user/employee, privacy can be a huge issue when BYOD is implemented. A 2010 Supreme Court case, City of Ontario v. Quon, looked at the extent to which the right to privacy applies to electronic communications in a government workplaces. This case also looked at Fourth Amendment rights against unreasonable search and seizure. Essentially, a number of police officers were fired for sending sexually explicit message with a city issued device. The city requested an audit of the overages along with the sent messages. The officers sued since the agreement/policy they had with the city allowed them to send personal notes and pay for any overages that might occur. Plus they claimed that their constitutional right was violated along with their privacy under federal communications laws. The court ruled that since they were using city issued devices, the municipality was well within their rights to search since it was work related and it had not violated the Fourth Amendment. If everything was the same but the devices were personally owned by the officers in question, then the city could be in violation and liable. Within the BYOD policy, organizations should also establish a social contract that communicates how and when IT will monitor the device along with when/how/why a device could be wiped. As part of the BYOD Policy the User Experience & Privacy Checklist, while not inclusive, should: · Identify what activities and data must be monitored · Determine the circumstances when a device wipe must occur · Determine how employees can self-remediate · Determine which core services will be delivered to users · Draft a BYOD social contract with Human Resources ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD Policies – More than an IT Issue Part 3: Economics BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? Worldwide smartphone user base hits 1 billion SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSABYOD Policies – More than an IT Issue Part 3: Economics
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device Choice, Economics, User Experience & Privacy and a trust Model. Today we look at Economics. Many organizations look at BYOD as an opportunity to reduce some costs. Clearly, not having an equipment cost - $200-$600 per-device - can add up depending on the company's size. It might also make financial sense for a smaller company with few employees. Since the phone is owned by the employee, then they are probably responsible for the bill every month. Depending on their personal contract/plan, excessive charges could arise due to the extra minutes used for work related calls. Often, monthly charges are fairly consistent with established plans, and while there are times when the bill is higher due to an incidental charge to some other overage, many people fail to review their phone bill when it arrives. BYOD could force employees into a higher monthly service plan but it also gives users visibility into their usage, if for instance, the corporate BYOD policy allows for reimbursement. This can drive personal responsibility for how they use their minutes. While BYOD could reduce the overall expenditure for IT issued devices and many organizations report employees are happier and more productive when they are using the device of their desire (an enablement tool), there might be other areas that costs could increase. While the employee does spend their own money on the device, there are certainly enterprise costs to managing and securing that device. There could also be a snag however when it comes to licensing. Does BYOD also require Bring Your Own License? In many instances, this is an area that IT needs to keep an eye on and often the answer is yes. Some of the most common enterprise software licensing agreements require licensing any device used "for the benefit of the company" under the terms of the enterprise agreement. That often means that all those BYO devices might require a license to access common corporate applications. This also means that even if the user already has a particular license, which they purchased on their own or it came with the device, the organization might still need to license that device under their enterprise software agreement. This could diminish any cost savings from the BYOD initiative. There are solutions to such as using alternative products that are not restricted by licensing but, those may not have the key features required by the workforce. IT needs to understand if their license agreements are per-user or per-device and what impact that may have on a BYOD policy. A few questions that the Finance department should determine is: Should the company offer users a monthly stipend? How is productivity measured? Will the management and security cost more than IT (volume) procurement? What are the help desk expenses and policy about support calls. There certainly needs to be discussion around mobile app purchase and deployment for work use. Are there any compliance, additional audit costs or tax implications with a BYOD initiative? As part of the BYOD Policy the Economics Checklist, while not inclusive, should: · Investigate the effects of a BYOD reimbursement plan on your ability to negotiate with wireless carriers · Consider putting logging and reporting in place to monitor after-hours use · Incorporate a “help desk as a last resort” guideline into your employee BYOD social contract · Estimate costs for any increased need for compliance monitoring · Ask Finance about tax implications (cost or benefit) of a BYOD policy ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD Policies – More than an IT Issue Part 2: Device Choice BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? Worldwide smartphone user base hits 1 billion SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSABYOD Policies – More than an IT Issue Part 2: Device Choice
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Device Choice. Device Choice People have become very attached to their mobile devices. They customize and personalize and it's always with them, to the point of even falling asleep with the device. So ultimately, personal preference or the 'consumerization of IT' notion is one of the primary drivers for BYOD. Organizations need to understand, what devices employees prefer and what devices do employees already own. That would could dictate what types of devices might request access. Once organizations get a grasp on potential devices, they then need to understand each device's security posture. About 10 years ago, RIM was the first technology that really brought the Smartphone into the workplace. It was designed to address the enterprise's needs and for years was the Gold Standard for Enterprise Mobility. Management control was integrated with the device; client certificate authentication was supported; Active Directory/LDAP servers were not exposed to the external internet; the provisioning was simple and secure; organizations could manage both Internet access and intranet access, and IT had end point control. When Apple's iPhone first hit the market, it was purely a consumer device for personal use and was not business centric, like the BlackBerry. Initially, the iPhone did not have many of the features necessary to be part of the corporate environment. It was not a business capable device. It did not support applications like Exchange, which is deployed in many organizations and is critical to a user's day-to-day activities. Over time, the iPhone has become a truly business capable device with additional mechanisms to protect end users. Android, very popular with consumers, also offers numerous business apps but is susceptible to malware. Device selection is also critical to the end user experience. Surveys show that workers are actually more productive when they can use their personal smartphone for work. Productivity increases since we prefer to use our own device. In addition, since many people like to have their device with them all the time, many will answer emails or do work during non-work hours. A recent survey indicated that 80% of Americans work an extra 30 hours a month on their own time with BYOD. But we are much happier. A few blogs ago, I wrote about Good Technology’s BYOD survey, found that organizations are jumping on the phenomenon since they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. As part of the BYOD Policy the Device Choice Checklist, while not inclusive, should: · Survey employees about their preferences and current devices · Define a baseline of acceptable security and supportability features · Do homework: Read up on hardware, OS, and regional variances · Develop a certification program for future devices · Work with Human Resources on clear communication to employees about which devices are allowed–or not–and why ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSABYOD Policies – More than an IT Issue Part 1: Liability
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the end users. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Liability. Liability In addition to IT, an organization's Legal department needs to be involved with any BYOD policy creation to make sure the liability risk for both the user and company is contained and managed. While employees are an organization's greatest asset (other than Intellectual Property, potentially), they are often the culprits of data exposure, intentional or not. Organizations need to consider employee actions and the corresponding liability. If the employee owns the device, does the liability increase or decrease? Even if liability stays neutral, the overall business risk increases any time corporate data is accessed from personal employee devices, mobile or not. What happens if personal data on a personal Smartphone is damaged? What happens if it's remotely wiped by corporate IT, if it is lost? These are some areas that must be resolved with the BYOD policy. Some organizations are very clear about lost/stolen policy and users have the choice of opting out. That's just the personal liability. From a financial liability standpoint, what happens when monthly charges are reimbursed? Often, financial responsibility may dictate legal obligation. A recent Ponemon Institute and Websense survey showed that mobile devices can be a double-edge sword for enterprises. 77% of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, Smartphone, and tablets while 51% said their organization has experienced a data breach due to insecure devices. As part of the BYOD Policy the Liability Checklist, while not inclusive, should: · Define baseline security requirements · Assess liability of personal web and app usage · Evaluate legal ramifications of reimbursement · Quantify the costs of monitoring and enforcement · Assess the risk and liability of damaging personal data There are probably a ton more Liability questions that should be answered but this was intended as a starting point. What other areas should legal be concerned about? ps Related BYOD–The Hottest Trend or Just the Hottest Term Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSAComplying with PCI DSS–Part 6: Maintain an Information Security Policy
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and the last entry is Maintain an Information Security Policy which includes PCI Requirement 12. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2:Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program, Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures and Part 5: Complying with PCI DSS–Part 5: Regularly Monitor and Test Networks. Requirement 12: Maintain a policy that addresses information security for all personnel. PCI DDS Quick Reference Guide description: A strong security policy sets the security tone for an entire organization’, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it. Solution: The spirit of this requirement is to ensure the adoption of a Corporate Information Security Policy (CISP). Although policy-based, F5 solutions don’t, by themselves, meet this requirement in context. F5 products facilitate adherence to the CISP, but they do not actually comprise a CISP. That said, F5 products can help organizations roll out business policies and security policies together. Applications needn’t be built and deployed in a vacuum; F5 technologies can be implemented in conjunction with corporate policies that address information security. Since the inception of the PCI DSS, organizations have been laboring to understand, implement, and comply with its guidelines. Often, achieving that goal requires deploying and managing several different types of devices. The BIG-IP platform enables organizations to understand inherent threats and take specific measures to protect their web application infrastructures and to satisfy many PCI DSS requirements. ps
