How We Deployed BYOD Using Mobile Device Management

Providing mobile access to company resources safely and securely

by Frank Grogan and Robert Dalrymple

Children’s Healthcare of Atlanta

Table of Contents

1. Introduction

2. Understanding the Threat Landscape

3. Vendor Selection Approach

4. Bake-Off

5. Proof of Concept

6. Implementation

7. Governance

8. Lessons Learned

9. Q&A

Introductions

• One of the largest pediatric clinical care providers in the country

• 847,998 patient visits in 2012

• Served 346,356 children from all 159 counties in Georgia in 2012

• 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities

• Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine

• Over 8,400 employees, 1,700 pediatric physicians, and 6,500 volunteers

Mission: To make kids better today and healthier tomorrow

Vision: Best care ... healthier kids

Introduction

Robert Dalrymple, MBA, CISA, CISSP

Information Security Manager with 13 years' experience in Healthcare Information Security.

Frank Grogan

Information Security Administrator with 7 years' experience in Healthcare Information Security.

Objective

To provide Children’s employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols are and remain in place to protect Children’s Resources and patient data.

Why did we do this?

• Provide flexibility to those who are approved to use their personal devices to access the Children’s Resources

• Provide secure means of accessing data electronically

• Protect Children's from risk of a potential data breach

• Separate the user’s personal data from Children’s data

• Address regulations as they relate to mobile device security

Research (understanding the landscape)

Things to investigate:

• Device types

• Manufacturers

• OS Versions

• Known Vulnerabilities

• Jailbreaking/Rooting

• Connection Methods

• Compatibility with Infrastructure

Governance Resources

• NIST Special Publication 800-53A Rev 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans

• NIST Special Publication 800-124 Rev 1 (Final), Jun 2013: Guidelines for Managing the Security of Mobile Devices in the Enterprise

• NIST Special Publication 800-164 (DRAFT), Oct 2012: Guidelines on Hardware-Rooted Security in Mobile Devices

• NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations

http://csrc.nist.gov/publications/PubsSPs.html

Risk Assessment

• Consider scenarios outside the scope of the project

• Document risks no matter how obscure

• Evaluate connection methods

• Apply findings to a Risk Management Framework

• Continuous and Frequent Re-Assessment

Vendor Selection (approach)

Vendor Identification

• Industry Knowledge and Experience

• Gartner Magic Quadrant Position

• Gartner Critical Capabilities

• Forrester Report

Vendor Elimination

• Determine Children’s Requirements

• Combined Requirements with Critical Capabilities

• Developed Scoring Criteria

• Selected the 5 Vendors / 4 Solutions that Scored Above 85%

Vendor Exclusion

• Assembled Core IS&T Team

• Sent RFI Requesting Info

• Evaluated RFI Responses

• Developed Demo Scoring Sheet

• Held On-Site Demos

• Scored Demo

• Compiled Scoring

• Discussed Results and Reached Consensus

• Selected 2 Finalists

Vendor Evaluation

• Invited Finalists to Proof of Concept (Bake-Off)

• Determined Hardware Requirements

• Built Test Environment

• Installed and Configured Solutions for Testing

• Tested Solutions

• Documented Findings

Final Selection

• Held Vendor Demos for Stakeholders

• Sent RFQ to Finalists

• Assembled Side-by-Side Comparison

• Reviewed RFQ Responses

• Reviewed Side-by-Side Comparison

• Made Recommendation to Stakeholders

• Stakeholders Reached a Consensus

Defining Requirements

Consider:

• What access will users be granted to the various available resources

• Permitted device types

• Supported operating system(s)

• Deadlines

Defining Requirements (cont.)

• Required level and type of reporting

• Self-Service functions

• Collecting device information

• Preservation of the “Native Experience”

Vendor Identification

• Perform vendor research based on pre-defined company requirements

• Ask your security colleagues for their experiences

• Gartner Magic Quadrant

• Gartner Critical Capabilities

• Forrester Report

Narrowing Down the Choices

• Assemble a core team of IT professionals

• Combine Company Requirements with Critical Capabilities

• Develop Scoring Criteria for Demos

• Host Vendor Demos

• Compile and Discuss Results

Bake-Off

Infrastructure Options / Requirements

Suggestions:

• Request Vendor Requirements

• Virtual vs. Physical Servers

• Vendor Owned Appliances

• Consider Final Implementation

• 3rd Party Certifications

• External DNS Naming Convention

Configuration and Testing

First:

• Acquire a good variety of test devices

Then:

• Test enrollment across all device types and allowed OS versions

• Test basic functionality (Email, Contacts, Calendar)

• Configure basic security policy requirements

• Document everything step-by-step

• Note any inconsistencies

Comparisons

Side-By-Side comparisons are your best friend

• Enrollment Comparison Example

Comparisons (cont.)

• Passcode/Password Comparison Example

Criteria                 | Vendor 1                                                                                                  | Vendor 2
-------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------
Device Passcode          | Required                                                                                                  | Optional
4 Character Passcode     | Supported                                                                                                 | Supported
Email Access             | Not Required                                                                                              | Required
Contacts/Calendar Access | Not Required                                                                                              | Not Required
Attachments Access       | Optional                                                                                                  | Not Required
Secure Documents**       | Requires Children’s Username & Password or Certificate to access [optional] (e.g. "[username]|P@55w0rd") | Does not require Children’s Username & Password or Certificate to access
Secure Web Browser       | Requires Children’s Username & Password or Certificate                                                    | Does not require Children’s Username & Password or Certificate

Comparisons (cont.)

• UX Comparison: Vendor 1 vs. Vendor 2 (image not reproduced)

Proof of Concept

On Premise vs. SaaS Solution

Decision Criteria

• Infrastructure Considerations

  – Hardware Costs

  – Support

• Security Considerations

  – Confidentiality

  – Integrity

  – Availability

• Speed of Deployment

• Cost Considerations

  – Cost Breakdown

  – Costs Analysis

• Recommendation

  – Analysis

Comparisons

• Infrastructure Cost Comparison Example

Criteria       | On-Premise Single Tenant Cloud                                                        | Multi-Tenant Cloud
---------------|---------------------------------------------------------------------------------------|-----------------------------------------------------------
Hardware Costs | 4 - 6 VM Instances: 2 x Database, 2 x Application Server, 2 x Gateway (Optional)      | 2 - 4 VM Instances: 2 x Server, 2 x Gateway (Optional)
               | ~$$$$$                                                                                | ~$ - $$
               | With High Availability                                                                | With High Availability
               | Up to 5000 Devices                                                                    | Up to 5000 Devices
               | One Time Expense                                                                      | One Time Expense

Comparisons (cont.)

• Availability Comparison Example

Criteria (Children’s Data Center Outage)      | On-Premise Single Tenant Cloud | Multi-Tenant Cloud
----------------------------------------------|--------------------------------|-------------------
Able to enroll devices?                       | No                             | No
Able to administer accounts through MDM Tool? | No                             | Yes (Remote)
Access to Email / Contacts / Calendar?        | Yes                            | Yes
Updates to Email / Contacts / Calendar?       | No                             | No
Disaster Recovery / Business Continuity       | Optional                       | Yes

Comparisons (cont.)

• Speed of Deployment Comparison Example

Criteria            | On-Premise Single Tenant Cloud                                                                                       | Multi-Tenant Cloud
--------------------|----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------
Speed of Deployment | Estimated at 45 days                                                                                                 | Estimated at 10 days
Hardware & Software | Hardware Procurement; Server Software Procurement; Hardware and Software Installations; Installing MDM Solution      | Hardware Procurement for up to 4 servers (on-site connectors); Installing MDM Software connectors
Licenses            | Install and Maintain licenses for Infrastructure and MDM Solution                                                    | Vendor will maintain licensing as part of the subscription

Implementation

Internal Testing

Test, Test, Test

Pilot

• Limit the scope to get focused feedback

• Select individuals who will actively engage and provide good feedback

• Include representatives from key stakeholder groups

Configuration

Define Compliance Requirements:

• Passwords

  – Character Types

  – Complexity

  – Change Frequency

• Encryption

  – Container

  – Whole Device

  – External SD Card

• VPN

• Sync Settings

• Device Types and OS Version Minimums
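One way to turn the compliance requirements above into a repeatable check, as an added example that is not from the deck or any MDM product: an enrolled device is evaluated against passcode, encryption, jailbreak/root state and OS-minimum rules. The OS minimums, passcode age limit and device records are constructed placeholders, not Children’s values.

```python
# Added example: evaluate enrolled devices against the compliance requirements
# listed on the Configuration slide. Policy values below are assumed placeholders.
from dataclasses import dataclass

POLICY = {
    "min_os": {"iOS": (7, 0), "Android": (4, 2), "WindowsPhone": (8, 0)},  # assumed
    "passcode_min_length": 4,            # deck: "4 Character Passcode"
    "passcode_max_age_days": 90,         # "Change Frequency" (assumed value)
    "require_container_encryption": True,
    "require_sd_card_encryption": True,  # only checked when an SD card is present
}

@dataclass
class Device:
    platform: str
    os_version: str
    jailbroken: bool           # jailbreaking/rooting is a listed research item
    passcode_length: int
    passcode_age_days: int
    container_encrypted: bool
    has_sd_card: bool
    sd_card_encrypted: bool

def parse_version(text):  # "7.0.4" -> (7, 0, 4); tuples compare lexicographically
    return tuple(int(p) for p in text.split("."))

def evaluate(dev, policy=POLICY):
    """Return the list of policy violations; an empty list means compliant."""
    v = []
    if dev.platform not in policy["min_os"]:
        v.append("platform not permitted")
    elif parse_version(dev.os_version) < policy["min_os"][dev.platform]:
        v.append("OS below minimum")
    if dev.jailbroken:
        v.append("jailbroken/rooted")
    if dev.passcode_length < policy["passcode_min_length"]:
        v.append("passcode too short")
    if dev.passcode_age_days > policy["passcode_max_age_days"]:
        v.append("passcode change overdue")
    if policy["require_container_encryption"] and not dev.container_encrypted:
        v.append("container not encrypted")
    if policy["require_sd_card_encryption"] and dev.has_sd_card and not dev.sd_card_encrypted:
        v.append("external SD card not encrypted")
    return v

DEVICES = {  # constructed inventory for illustration
    "iphone-ok": Device("iOS", "7.0.4", False, 6, 30, True, False, False),
    "android-rooted": Device("Android", "4.1.2", True, 4, 120, True, True, False),
    "wp-ok": Device("WindowsPhone", "8.0", False, 4, 10, True, False, False),
}
```

Running `evaluate` over `DEVICES` flags the rooted Android on four points (old OS, rooted, passcode overdue, unencrypted SD card) and passes the other two.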

Phased Deployment

MDM Enrollment by Device Type (Groups I – IV):

• Children’s Owned BlackBerries and iPhones

• Personal iPhones

• Personal Windows Phones

• iPads

• Android Devices

MDM Features Timeline (Q1 – Q4):

• Email, Contacts, and Calendars

• Secure Attachments

• Secure Text Messaging

• VPN

• Sharepoint

• Network Drives

Policies and Standards

• Mobile Device Acceptable Use Policy

• Handling of ePHI on Mobile Devices Standard

• Approved Access Method Standard

Terms of Service

What We Did

• Copy / Paste Mobile Device AUP as Terms of Service

Things to Consider

• Absolve the company of any liability

• Document what can be done vs. what is being done

• Changes to be made at any time

• Refer to the Mobile Device Acceptable Use Policy

• Be consistent with overarching InfoSec AUP

• Have your legal department review and update

Lessons Learned

Lessons Learned

Test, Test, Test

Q&A