How We Deployed BYOD Using Mobile Device Management
Providing mobile access to company resources safely and securely
by Frank Grogan and Robert Dalrymple
Children’s Healthcare of Atlanta
Table of Contents
1. Introduction
2. Understanding the Threat Landscape
3. Vendor Selection Approach
4. Bake-Off
5. Proof of Concept
6. Implementation
7. Governance
8. Lessons Learned
9. Q&A
Introductions
• One of the largest pediatric clinical care providers in the country
• 847,998 patient visits in 2012
• Served 346,356 children from all 159 counties in Georgia in 2012
• 3 world-class pediatric hospitals (529 beds), 20 neighborhood locations, physician group practices, and other related facilities
• Children's is the pediatric physician teaching site for Emory University School of Medicine and Morehouse School of Medicine
• Over 8,400 employees, 1,700 pediatric physicians, and 6,500 volunteers
Mission: To make kids better today and healthier tomorrow
Vision: Best care ... healthier kids
Introduction
Robert Dalrymple, MBA, CISA, CISSP
Information Security Manager with 13 years of experience in Healthcare Information Security.
Frank Grogan
Information Security Administrator with 7 years of experience in Healthcare Information Security.
Objective
To provide Children’s employees with flexibility in choosing their mobile device, while ensuring appropriate security protocols are and remain in place to protect Children’s Resources and patient data.
Why did we do this?
• Provide flexibility to those who are approved to use their personal devices to access the Children’s Resources
• Provide secure means of accessing data electronically
• Protect Children's from risk of a potential data breach
• Separate the user’s personal data from Children’s data
• Address regulations as they relate to mobile device security
Research (understanding the landscape)
Things to investigate:
• Device types
• Manufacturers
• OS Versions
• Known Vulnerabilities
• Jailbreaking/Rooting
• Connection Methods
• Compatibility with Infrastructure
Governance Resources
NIST Special Publication 800-53 A Rev1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
NIST Special Publication 800-124 Rev 1 (Final) Jun 2013 Guidelines for Managing the Security of Mobile Devices in the Enterprise
NIST Special Publication 800-164 DRAFT Oct 2012 Guidelines on Hardware-Rooted Security in Mobile Devices
NIST Special Publication 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations
http://csrc.nist.gov/publications/PubsSPs.html
Risk Assessment
• Consider scenarios outside the scope of the project
• Document risks no matter how obscure
• Evaluate connection methods
• Apply findings to a Risk Management Framework
• Continuous and Frequent Re-Assessment
Vendor Selection (approach)
Vendor Identification
• Industry Knowledge and Experience
• Gartner Magic Quadrant Position
• Gartner Critical Capabilities
• Forrester Report
Vendor Elimination
• Determine Children’s Requirements
• Combined Requirements with Critical Capabilities
• Developed Scoring Criteria
• Selected the 5 Vendors / 4 Solutions that Scored Above 85%
Vendor Exclusion
• Assembled Core IS&T Team
• Sent RFI Requesting Info
• Evaluated RFI Responses
• Developed Demo Scoring Sheet
• Held On-Site Demos
• Scored Demo
• Compiled Scoring
• Discussed Results and Reached Consensus
• Selected 2 Finalists
Vendor Evaluation
• Invited Finalists to Proof of Concept (Bake-Off)
• Determined Hardware Requirements
• Built Test Environment
• Installed and Configured Solutions for Testing
• Tested Solutions
• Documented Findings
Final Selection
• Held Vendor Demos for Stakeholders
• Sent RFQ to Finalists
• Assembled Side-by-Side Comparison
• Reviewed RFQ Responses
• Reviewed Side-by-Side Comparison
• Made Recommendation to Stakeholders
• Stakeholders Reached a Consensus
Defining Requirements
Consider:
• What access will users be granted to the various available resources
• Permitted device types
• Supported operating system(s)
• Deadlines
Defining Requirements (cont.)
• Required level and type of reporting
• Self-Service functions
• Collecting device information
• Preservation of the “Native Experience”
Vendor Identification
• Perform vendor research based on pre-defined company requirements
• Ask your security colleagues for their experiences
• Gartner Magic Quadrant
• Gartner Critical Capabilities
• Forrester Report
Narrowing Down the Choices
• Assemble a core team of IT professionals
• Combine Company Requirements with Critical Capabilities
• Develop Scoring Criteria for Demos
• Host Vendor Demos
• Compile and Discuss Results
Infrastructure Options / Requirements
Suggestions:
• Request Vendor Requirements
• Virtual vs. Physical Servers
• Vendor Owned Appliances
• Consider Final Implementation
• 3rd Party Certifications
• External DNS Naming Convention
Configuration and Testing
First:
• Acquire a good variety of test devices
Then:
• Test enrollment across all device types and allowed OS versions
• Test basic functionality (Email, Contacts, Calendar)
• Configure basic security policy requirements
• Document everything step-by-step
• Note any inconsistencies
Comparisons
Side-By-Side comparisons are your best friend
• Enrollment Comparison Example
Comparisons (cont.)
• Passcode/Password Comparison Example

Criteria | Vendor 1 | Vendor 2
Device Passcode | Required | Optional
4 Character Passcode | Supported | Supported
Email Access | Not Required | Required
Contacts/Calendar Access | Not Required | Not Required
Attachments Access | Optional | Not Required
Secure Documents** | Requires Children’s Username & Password or Certificate to access [optional] (e.g. "[username]|P@55w0rd") | Does not require Children’s Username & Password or Certificate to access
Secure Web Browser | Requires Children’s Username & Password or Certificate | Does not require Children’s Username & Password or Certificate
On Premise vs. SaaS Solution
Decision Criteria
• Infrastructure Considerations
  – Hardware Costs
  – Support
• Security Considerations
  – Confidentiality
  – Integrity
  – Availability
• Speed of Deployment
• Cost Considerations
  – Cost Breakdown
  – Costs Analysis
• Recommendation
  – Analysis
Comparisons
• Infrastructure Cost Comparison Example
Criteria | On-Premise Single Tenant Cloud | Multi-Tenant Cloud
Hardware Costs | 4 - 6 VM Instances (2 x Database, 2 x Application Server, 2 x Gateway Optional); ~$$$$$; With High Availability; Up to 5000 Devices; One Time Expense | 2 - 4 VM Instances (2 x Server, 2 x Gateway Optional); ~$ - $$; With High Availability; Up to 5000 Devices; One Time Expense
Comparisons (cont.)
• Availability Comparison Example
Criteria (Children’s Data Center Outage) | On-Premise Single Tenant Cloud | Multi-Tenant Cloud
Able to enroll devices? | No | No
Able to administer accounts through MDM Tool? | No | Yes (Remote)
Access to Email / Contacts / Calendar? | Yes | Yes
Updates to Email / Contacts / Calendar? | No | No
Disaster Recovery / Business Continuity | Optional | Yes
Comparisons (cont.)
• Speed of Deployment Comparison Example
Criteria | On-Premise Single Tenant Cloud | Multi-Tenant Cloud
Speed of Deployment | Estimated at 45 days | Estimated at 10 days
Hardware & Software | Hardware Procurement; Server Software Procurement; Hardware and Software Installations; Installing MDM Solution | Hardware Procurement for up to 4 servers (on-site connectors); Installing MDM Software connectors
Licenses | Install and Maintain licenses for Infrastructure and MDM Solution | Vendor will maintain licensing as part of the subscription
Pilot
• Limit the scope to get focused feedback
• Select individuals who will actively engage and provide good feedback
• Include representatives from key stakeholder groups
Configuration
Define Compliance Requirements:
• Passwords
  – Character Types
  – Complexity
  – Change Frequency
• Encryption
  – Container
  – Whole Device
  – External SD Card
• VPN
• Sync Settings
• Device Types and OS Version Minimums
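Turning the compliance categories above into an automatable check on enrolled-device attributes, as an added example (not Children’s configuration or any MDM vendor’s API); the policy values, field names and device records are constructed for illustration:

```python
from dataclasses import dataclass

# Constructed policy (assumed values, not Children's settings): one OS minimum
# per permitted platform plus the passcode and encryption rules listed above.
POLICY = {
    "os_minimum": {"ios": (7, 0), "android": (4, 4), "windows_phone": (8, 1)},
    "passcode_min_length": 6,
    "passcode_require_alphanumeric": True,
    "require_device_encryption": True,
    "require_sd_card_encryption": True,  # applies only when a card is present
    "block_jailbroken": True,
}

@dataclass
class Device:
    # Hypothetical attributes an MDM agent reports at enrollment / check-in.
    device_id: str
    platform: str
    os_version: str  # reported as a string, e.g. "4.10.2"
    passcode_length: int
    passcode_alphanumeric: bool
    device_encrypted: bool
    sd_card_present: bool = False
    sd_card_encrypted: bool = False
    jailbroken: bool = False

def parse_version(version: str) -> tuple:
    # Numeric tuple so "4.10" sorts above "4.9"; a plain string compare would not.
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def evaluate(device: Device, policy: dict = POLICY) -> list:
    # Return every policy violation for one device; an empty list means compliant.
    findings = []
    minimum = policy["os_minimum"].get(device.platform)
    if minimum is None:
        findings.append("platform not permitted")
    elif parse_version(device.os_version) < minimum:
        findings.append("os version below minimum")
    if device.passcode_length < policy["passcode_min_length"]:
        findings.append("passcode too short")
    if policy["passcode_require_alphanumeric"] and not device.passcode_alphanumeric:
        findings.append("passcode not alphanumeric")
    if policy["require_device_encryption"] and not device.device_encrypted:
        findings.append("device not encrypted")
    if (policy["require_sd_card_encryption"] and device.sd_card_present
            and not device.sd_card_encrypted):
        findings.append("sd card not encrypted")
    if policy["block_jailbroken"] and device.jailbroken:
        findings.append("jailbroken or rooted")
    return findings
```

A non-empty result is what the MDM would act on (block enrollment, quarantine mail access, or notify the user), and the same check re-run at every check-in gives the continuous re-assessment called for in the Risk Assessment slide.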
Phased Deployment

MDM Enrollment by Device Type (Groups I - IV):
• Children’s Owned BlackBerries and iPhones
• Personal iPhones
• Personal Windows Phones
• iPads
• Android Devices

MDM Features Timeline (Q1 - Q4):
• Email, Contacts, and Calendars
• Secure Attachments
• Secure Text Messaging
• VPN
• Sharepoint
• Network Drives
Policies and Standards
• Mobile Device Acceptable Use Policy
• Handling of ePHI on Mobile Devices Standard
• Approved Access Method Standard
Terms of Service
What We Did
• Copy / Paste Mobile Device AUP as Terms of Service
Things to Consider
• Absolve the company of any liability
• Document what can be done vs. what is being done
• Changes may be made at any time
• Refer to the Mobile Device Acceptable Use Policy
• Be consistent with the overarching InfoSec AUP
• Have your legal department review and update