Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program

According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals.  Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies.  The essential framework of the PCI DSS encompasses assessment, remediation, and reporting.  We’re exploring how F5 can help organizations gain or maintain compliance and today is Maintain a Vulnerability Management Program which includes PCI Requirements 5 and 6.  To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network and Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data

 

Requirement 5: Use and regularly update antivirus software or programs.

PCI DSS Quick Reference Guide description: Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system.  This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Solution: With BIG-IP APM and BIG-IP Edge Gateway, F5 provides the ability to scan any remote device or internal system to ensure that an updated antivirus package is running prior to permitting a connection to the network.  Once connections are made, BIG-IP APM and BIG-IP Edge Gateway continually monitor the user connections for a vulnerable state change, and if one is detected, can quarantine the user on the fly into a safe, secure, and isolated network.  Remediation services can include a URL redirect to an antivirus update server.  For application servers in the data center, BIG-IP products can communicate with existing network security and monitoring tools.  If an application server is found to be vulnerable or compromised, that device can be automatically quarantined or removed from the service pool.

With BIG-IP ASM, file uploads can be extracted from requests and transferred over iCAP to a central antivirus (AV) scanner.  If a file infection is detected, BIG-IP ASM will drop that request, making sure the file doesn’t reach the web server.

 

Requirement 6: Develop and maintain secure systems and applications.

PCI DSS Quick Reference Guide description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data.  Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code.  All critical systems must have the most recently released software patches to prevent exploitation.  Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.  Secure coding practices for developing applications, change control procedures, and other secure software development practices should always be followed.

Solution: Requirements 6.1 through 6.5 deal with secure coding and application development; risk analysis, assessment, and mitigation; patching; and change control.  Requirement 6.6 states: “Ensure all public-facing web applications are protected against known attacks, either by performing code vulnerability reviews at least annually or by installing a web application firewall in front of public-facing web applications.” 

This requirement can be easily met with BIG-IP ASM, which is a leading web application firewall (WAF) offering protection for vulnerable web applications.  Using both a positive security model for dynamic application protection and a strong, signature-based negative security model, BIG-IP ASM provides application-layer protection against both targeted and generalized application attacks.  It also protects against the Open Web Application Security Project (OWASP) Top Ten vulnerabilities and threats on the Web Application Security Consortium’s (WASC) Threat Classification lists.  To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change in control, as when an application is initially being deployed, or other triggers such as a quarterly report.  The vulnerability scanner scours the web application, and in some cases actually attempts potential attacks, to generate a report indicating all possible vulnerabilities.  This gives the administrator managing the web security devices a clear view of all  exposed areas and potential threats to the website.  Such a report is a moment-in time assessment and might not result in full application coverage, but should give administrators a clear picture of their web application security posture.  It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not.  Otherwise, many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings.

Simply having the vulnerability report, while beneficial, doesn’t make a web application secure.  The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk.  Since recoding an application is expensive and time-consuming and may generate even more errors, many organizations deploy a WAF like BIG-IP ASM.  A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until developers have an opportunity to properly close the hole.  Often, organizations use the vulnerability scanner report to either tighten or initially generate a WAF policy.  While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate those vulnerabilities to greatly reduce the risk of application exploits.  The longer an application remains vulnerable, the more likely it is to be compromised. 

For cloud deployments, BIG-IP ASM Virtual Edition (VE) delivers the same functionality as the physical edition and helps companies maintain compliance, including compliance with PCI DSS, when they deploy applications in the cloud. If an application vulnerability is discovered, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organizations to immediately patch vulnerabilities virtually until the development team can permanently fix the application.  Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments.  But with BIG-IP ASM VE, organizations
have full control over securing their cloud infrastructure.  BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, making BIG-IP ASM the most advanced vulnerability assessment and application protection on the market.  In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM protects the applications between scanning and patching cycles and against zero-day attacks that signature-based scanners won’t find.  Both are critical in creating a secure Application Delivery Network. 

BIG-IP ASM also makes it easy to understand where organizations stand relative to PCI DSS compliance.  With the BIG-IP ASM PCI Compliance Report, organizations can quickly see each security measure required to comply with PCI DSS 2.0 and understand which measures are or are not relevant to BIG-IP ASM functions.  For relevant security measures, the report indicates whether the organization’s BIG-IP ASM appliance complies with PCI DSS 2.0. For security measures that are not relevant to BIG-IP ASM, the report explains what action to take to achieve PCI DSS 2.0 compliance.

 
BIG-IP ASM PCI Compliance Report

Finally, with the unique F5 iHealth system, organizations can analyze the configuration of their BIG-IP products to identify any critical patches or security updates that may be necessary.

Next: Implement Strong Access Control Measures

ps

Related:

• Complying with PCI DSS–Part 1: Build and Maintain a Secure Network
• Complying with PCI DSS–Part 2: Protect Cardholder Data
• PCI Turns 2.0
• Will you Comply or just Check the Box?
• Cloud Balancing, Reverse Cloud Bursting, and Staying PCI-Compliant
• BIG-IP v10.1 Application Security Manager PCI Reporting
• Visa Kills PCI Assessments And Wants Your Processor To Support EMV
• Complying with PCI DSS

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet,cybercrime, holiday shopping, identity theft,

Connect with Peter:	Connect with F5:

Complying with PCI DSS–Part 2: Protect Cardholder Data

According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals.  Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies.  The essential framework of the PCI DSS encompasses assessment, remediation, and reporting.  We’re exploring how F5 can help organizations gain or maintain compliance and today is Protect Cardholder Data which includes PCI Requirements 3 and 4.  To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network

Requirement 3: Protect stored cardholder data.
PCI DSS Quick Reference Guide description: In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business.  Sensitive data on the magnetic stripe or chip must never be stored.  If your organization stores PAN, it is crucial to render it unreadable, for instance, [by] obfuscation [or] encryption.

Solution: The spirit of this requirement is encryption-at-rest—protecting stored cardholder data.  While F5 products do not encrypt data at rest, the BIG-IP platform has full control over the data and network path, allowing the devices to secure data both in and out of the application network.  F5 iSession tunnels create a site-to-site secure connection between two BIG-IP devices to accelerate and encrypt data transfer over the WAN.  With BIG-IP APM and BIG-IP Edge Gateway, data can be encrypted between users and applications, providing security for data in transit over the Internet.  BIG-IP APM and BIG-IP Edge Gateway can also provide a secure access path to, and control, restricted storage environments where the encryption keys are held (such as connecting a point-of-sale [POS] device to a secure back-end database to protect data in transit over insecure networks such as WiFi or mobile).   With BIG-IP Application Security Manager (ASM), data such as the primary account number (PAN) can be masked when delivered and displayed outside of the secure ADN.  BIG-IP ASM also can mask such data within its logs and reporting, ensuring that even the administrator will not be able to see it.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
PCI DSS Quick Reference Guide description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks, so it is important to prevent their ability to view this data.  Encryption is a technology used to render transmitted data unreadable by any unauthorized person.

Solution: The modular BIG-IP system is built on the F5 TMOS full-proxy operating system, which enables bi-directional data flow protection and selective TLS/SSL encryption.  All or selective parts of the data stream can be masked and/or TLS/SSL encrypted on all parts of the delivery network.  The BIG-IP platform supports both SSL termination, decrypting data traffic with the user for clear-text delivery on the ADN, and SSL proxying, decrypting data traffic on BIG-IP devices for content inspection and security before re-encrypting the data back on the wire in both directions.  The BIG-IP platform, along with the F5 iRules scripting language, also supports specific data string encryption via publicly tested and secure algorithms, allowing the enterprise to selectively encrypt individual data values for delivery on the wire or for secure back-end storage.  The BIG-IP® Edge Client software module, offered with BIG-IP APM and BIG-IP Edge Gateway or as a mobile application, can encrypt any and all connections from the client to the BIG-IP device.  Customers have customized and installed BIG-IP Edge Client on ATMs and currency or coin counting kiosks to allow those devices to securely connect to a central server.  In addition, two BIG-IP devices can create an iSession tunnel to create a site-to-site connection to secure and accelerate data transfer over the WAN.


iSession tunnels create a site-to-site secure connection to accelerate data transfer over the WAN

Next: Maintain a Vulnerability Management Program

ps

Related:

• Complying with PCI DSS–Part 1: Build and Maintain a Secure Network
• PCI Turns 2.0
• Will you Comply or just Check the Box?
• Cloud Balancing, Reverse Cloud Bursting, and Staying PCI-Compliant
• BIG-IP v10.1 Application Security Manager PCI Reporting
• Visa Kills PCI Assessments And Wants Your Processor To Support EMV
• Complying with PCI DSS

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet,cybercrime, holiday shopping, identity theft,

Connect with Peter:	Connect with F5:

Complying with PCI DSS–Part 1: Build and Maintain a Secure Network

According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals.  Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies.  The essential framework of the PCI DSS encompasses assessment, remediation, and reporting.  Over the next several blogs, we’ll explore how F5 can help organizations gain or maintain compliance.   Today is Build and Maintain a Secure Network which includes PCI Requirements 1 and 2.

PCI DSS Quick Reference Guide, October 2010

The PCI DSS requirements apply to all “system components,” which are defined as any network component, server, or application included in, or connected to, the cardholder data environment.  Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers.  Applications include all purchased  and custom applications, including internal and external web applications.  The cardholder data environment is a combination of all the system components that come together to store and provide access to sensitive user financial information.  F5 can help with all of the core PCI DSS areas and 10 of its 12 requirements.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data.
PCI DSS Quick Reference Guide description: Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network.  Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks. All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment.  All systems must be protected from unauthorized access from the Internet, whether via e-commerce, employees’ remote desktop browsers, or employee email access.  Often, seemingly insignificant paths to and from the Internet can provide
unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Solution: F5 BIG-IP products provide strategic points of control within the Application Delivery Network (ADN) to enable truly secure networking across all systems and network and application protocols.  The BIG-IP platform provides a unified view of layers 3 through 7 for both general reporting and alerts and those required by ICSA Labs, as well as for integration with products from security information and event management (SIEM) vendors.  BIG-IP Local Traffic Manager (LTM) offers native, high-performance firewall services to protect the entire infrastructure.  BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller (ADC) designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scalability, performance, and persistence.   Running on an F5 VIPRION chassis, BIG-IP LTM can manage up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors and buffer sizes when under attack. It protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate  connections.  The BIG-IP platform, which offers a unique Layer 2–7 security architecture and full packet inspection, is an ICSA Labs Certified Network Firewall.

Replacing stateful firewall services with BIG-IP LTM in the data center architecture

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
PCI DSS Quick Reference Guide description: The easiest way for a hacker to access your internal network is to try default passwords or exploits based on the default system software settings in your payment card infrastructure.  Far too often, merchants do not change default passwords or settings upon deployment.  This is akin to leaving your store physically unlocked when you go home for the night.  Default passwords and settings for most network devices are widely known.  This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task if you have failed to change the defaults.

Solution: All F5 products allow full access for administrators to change all forms of access and service authentication credentials, including administrator passwords, application service passwords, and system monitoring passwords (such as SNMP).  Products such as BIG-IP Access Policy Manager (APM) and BIG-IP Edge Gateway limit remote connectivity to only a GUI and can enforce two-factor authentication, allowing tighter control over authenticated entry points.  The BIG-IP platform allows the administrator to open up specific access points to be fitted into an existing secure network.  BIG-IP APM and BIG-IP Edge Gateway offer secure,  role-based administration (SSL/TLS and SSH protocols) and virtualization for designated access rights on a per-user or per-group basis.  Secure Vault, a hardware-secured encrypted storage system introduced in BIG-IP
version 9.4.5, protects critical data using a hardware-based key that does not reside on the appliance’s file system.  In BIG-IP v11, companies have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive.  The Secure Vault feature can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. Secure Vault encryption may also be desirable when deploying the virtual editions of BIG-IP products, which do not support key encryption on hardware.

Next: Protect Cardholder Data

ps

Related:

• PCI Turns 2.0

• Will you Comply or just Check the Box?

• Cloud Balancing, Reverse Cloud Bursting, and Staying PCI-Compliant

• BIG-IP v10.1 Application Security Manager PCI Reporting

• Visa Kills PCI Assessments And Wants Your Processor To Support EMV

• Complying with PCI DSS

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet,cybercrime, holiday shopping, identity theft,

Connect with Peter:	Connect with F5:

Freedom vs. Control

No sooner had I posted BYOD–The Hottest Trend or Just the Hottest Term, last week than yet another BYOD survey hit the news.  The full results will be released in a webinar tomorrow but SANS announced their First Annual Survey Results on Mobility Security.   Last December, SANS launched its first ever mobility survey to discover if and how organizations are managing risk around their end user mobile devices.  The survey of 500 IT pros found that a meager 9% of organizations felt they were fully aware of the devices accessing corporate resources, while 50% felt only vaguely or fairly aware of the mobile devices accessing their resources.  In addition, more than 60 % of organizations allow staff to bring their own devices.  With so many companies allowing BYOD, controls and policies are very important to securing business environments.

Courtesy: SANS Mobility BYOD Security Survey

Deb Radcliff, executive editor, SANS Analyst Program said, ‘Another interesting note is that organizations are reaching for everything at their disposal to manage this risk,…Among them are user education, MDM (mobile device management), logging and monitoring, NAC and guest networking, and configuration controls.’  Less than 20% are using end point security tools, and out of those, more are using agent-based tools rather than agent-less.  According to the survey, 17% say they have stand-alone BYOD security and usage policies; 24% say they have BYOD policies added to their existing policies; 26% say they "sort of" have policies; 3% don't know; and 31% say they do not have any BYOD policies.  Over 50% say employee education is one way they secure the devices, and 73% include user education with other security policies. 

The BYOD challenges, I think, falls under an age old dilemma: Freedom vs. Control.  We see this clash in world politics, we’ve seen it pertaining to the internet itself, we may even experience it at home with our offspring.  The freedom to select, use, work and play with the desired mobile device of our choosing bumping up against a company’s mandate to protect and secure access to sensitive corporate information.  There can be tension between a free and open culture verses the benefits of control and information management.  Sometimes people equate freedom with having control over things yet when it comes to controlling others, many of us feel slightly uncomfortable on either end of the leash.  Sometimes oversight is necessary if someone does not have self-control.  BYOD is a revolution, a drastic change in how organizations manage devices and manage access to information.  If you look at revolutions through the years, often it’s about freedom vs. control.  I’m certainly not suggesting an employee coup of the executive floor but remember there are two distinct and diverse powers at play here and successful BYOD deployments need to involve both people and technology. 

ps

Resources

• SANS Mobility BYOD Security Survey
• Are your employees on a BYOD binge?
• SANS Survey: BYOD Widespread But Lacking Sufficient Oversight
• SANS First Annual Survey Results on Mobility Security: Lack of Awareness, Chaos Pervades with BYOD
• BYOD–The Hottest Trend or Just the Hottest Term
• Only 9 Percent of Organizations Are Aware of the Devices Accessing Their Corporate Data
• Evolving (or not) with Our Devices
• The New Wallet: Is it Dumb to Carry a Smartphone?
• Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
• Freedom vs Control – important lessons to be learned
• New security flaws detected in mobile devices
• Freedom and Control | Psychology Today
• Devo - Freedom Of Choice (Video)

 

Technorati Tags: F5, smartphone, integration, byod, Pete Silva, security, business, education, technology, application delivery, ipad,mobile device, context-aware,android, iPhone, web, internet, security

Connect with Peter:	Connect with F5:

BYOD–The Hottest Trend or Just the Hottest Term

It goes by many names: ‘Bring Your Own Danger’, ‘Bring Your Own Disaster’ and what most people call ‘Bring Your Own Device’ and everyone it seems is writing, talking and surveying about BYOD.  What used to be inconceivable, using your own personal mobile device/smartphone for work, is now one of the hottest trends or at least, one of the hottest topics being discussed throughout the IT industry.  The idea of using a personal smartphone at work sprouted, I think, when many executives got their first iPhone back in 2007 and wanted access to corporate resources.  As more smartphones made their way into employee’s hands, the requests for corporate access only grew.  Initially resistant to the idea due to security concerns, IT seems to be slowly adopting the concept based on the many blogs, articles and surveys that have littered the internet of late.  But, it is a true trend that will transform IT or simply a trending term getting a lot of attention?  We’ll be right back after these important messages.

Just Kidding.  Most likely the former.

While many of the cautionary articles talk about potentially grim disasters, they do acknowledge that BYOD is not going away and in fact, is gaining ground.  Greater productivity and cost savings seem to be the driving factors.  Let’s take a quick look at the smattering of articles surrounding this offshoot of IT consumerization.

The Mobile Device Threat: Shocking Mobile Security Stats:  A nice slide show featuring highlights from a recent Ponemon Institute and Websense survey.  Right out of the gate they talk about how mobile devices are a double-edge sword for enterprises.  77 % of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% -  believe that these tools introduce a "serious" set of risks.  While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them.  As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets while 51% said their organization has experienced a data breach due to insecure devices.  While 45% do have a corporate use policy, less than half of those actually enforce it.  In terms of recommendations based on their findings they said, be sure to understand the risk that mobile devices create in the workplace; educate employees about the importance of safeguarding their devices; create a mobile device corporate policy and leverage mobile device management solutions, security access controls, and even cloud services to keep confidential data out of the eyes of unauthorized viewers.

10 myths of BYOD in the enterprise: A nice top 10 from TechRepublic primarily pulling data from a recent Avanade survey of more than 600 IT and business leaders.  The notion of IT resistance to BYOD is somewhat squashed here with nine out of 10 respondents (according to the results) saying their employees are using their own tech at work.  They found that more Androids are encroaching the workplace; that employees are actually using it for work rather than playing games and that nearly 80% of enterprises will make investments this year to manage consumer technologies.  There’s 7 more myths along with a couple nice graphics to go along with the list.  Interesting and quick read.

When Business and Personal Combine: This Wall Street Journal article talks specifically about the conundrum companies and employees face when a remote wipe comes into play.  What happens, or really, how to deal with situations when there is a fear of a data breach yet wiping the device also deletes all the employee’s personal data, like family pictures.  Policies, use agreements and mobile device management (MDM) solutions are potential solutions.

The new BYOD: Businesses are now driving adoption: Rather than the perils of BYOD, this InfoWorld article talks about how enterprises are starting to actively encourage BYOD, not just passively accept it.  Reporting on Good Technology’s recent BYOD survey, they found that organizations are jumping on the phenomenon sine they see real ROI from encouraging BYOD.  The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service.  They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD.  This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD.  Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work.

BYOD Is The Challenge Of The Decade:  Europe is also seeing the BYOD trend.  This TechWeek Europe article talks about the familiar threats of malware, spyware, worms and other malicious software but also says that BYOD success depends on both people and technology.  That it’s important to involve management early, consider the legal and financial ramifications along with risks to the business to then make an informed decision about a BYOD plan.  Not sure if it’s the challenge of the decade but it’s a great headline and will continue to fluster IT in the coming years.

IT Security's Scariest Acronym: BYOD, Bring Your Own Device: This PCWorld article uses Nemertes Research data to cover the discrepancies between how companies treat laptops (which can be mobile) and mobile devices themselves.  They both have VPN capabilities and device encryption available but stray in different directions after that commonality.  The obvious difference is laptops are usually IT owned and smartphones are personally owned.  They suggest that it’s a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?"

BYOD Challenge: How IT Can Keep User-Owned iPhones And iPads Secure In Enterprise: This article looks at both the technical and personal challenges to securing employee-owned devices along with suggestions like user education, cost sharing, purchase assistance, tiered access, reward for enrollment and reward for good behavior.  I like the last one since much of our challenges and much of what I write about is human behavior, the human condition and why we do the risky things we do.

BYOD: Manage the Risks and Opportunities: Bankinfosecurity.com is one of my weekly stops on the internet circuit.  While this article is more a primer for an upcoming webinar, it does offer a number a good questions to ask while considering a BYOD strategy.  They also say that it's no longer a question of whether to allow employees to use their own devices – the questions are now about inventory, security, privacy, compliance, policy and opportunity.

Some BYOD thoughts based on all of the above, in no particular order:

• Have a BYOD policy or forbid the use all together. Two things can happen if not: personal devices are being blocked and organizations are losing productivity OR the personal devices are accessing the network (with or without an organization's consent) and nothing is being done pertaining to security or compliance.
• Ensure employees understand what can and cannot be accessed with personal devices along with understanding the risks (both users and IT) associated with such access. What's the written policy and how is it enforced.  Acceptable use.
• Ensure procedures are in place (and understood) in cases of an employee leaving the company; what happens when a device is lost or stolen (ramifications of remote wiping a personal device); what types/strength of passwords are required; record retention and destruction; the allowed types of devices; what types of encryption is used.
• Organizations need to balance the acceptance of consumer-focused smartphones/tablets with control of those devices to protect their networks.
• Organizations need to have a complete inventory of employee's personal devices - at least the one’s requesting access.
• Organizations need the ability to enforce mobile policies.  Securing the devices.
• Organizations need to balance the company's security with the employee's privacy like, off-hours browsing activity on a personal device.
• Personally, I do find that if I’m playing a game at 9pm and an email comes in, I typically read it.

F5 has a number of solutions to help organizations conquer their BYOD fears.  From the Edge Client, to our BIG-IP Global Access Solutions  (BIG-IP APM and BIG-IP Edge Gateway) to the recent MDM partnership announcements, we can help ensure secure and fast application performance for mobile users.

ps

Related or, …and the Rest:

• The Dark Side of BYOD – Remote Wiping and Other Issues
• How do we manage the BYOD boom, at the technical end?
• BYOD: Bring your own device could spell end for work PC
• Bring Your Own Device: Risks and rewards
• What Risk Does 'BYOD' Pose To Your Business? Survey Says
• Mobile Device Security Threats Attract Cybercriminals
• The BYOD Security Dilemma
• BYOD and the hidden risk of IT security
• BYOD Policy Template
• Secure iPhone Access to Corporate Web Applications

Technorati Tags: F5, smartphone, integration, byod, Pete Silva, security, business, education, technology, application delivery, ipad, mobile device, context-aware,android, iPhone, web, internet, security

Connect with Peter:	Connect with F5:

In 5 Minutes or Less - FirePass SSL VPN XML Configuration Export

I show you how to export your FirePass SSL VPN configuration into an easy to read XML file, In 5 Minutes or Less.  If you like the ‘In 5 Minutes or Less’ series, check out the playlist on F5’s YouTube channel along with the rest of our videos.

In 5 Minutes or Less - FirePass SSL VPN XML Configuration Export

 

ps

Related:

• F5’s YouTube Channel
• ‘In 5 Minutes or Less’ Series
• Ode to FirePass
• Secure Access with the BIG-IP System | (whitepaper)
• FirePass to BIG-IP APM Migration Service
• F5 FirePass to BIG-IP APM Migration Datasheet
• FirePass Wiki Home
• Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
• In 5 Minutes or Less - F5 FirePass v7 Endpoint Security
• Pete Silva Demonstrates the FirePass SSL-VPN

Technorati Tags: F5, big-ip, integration, firepass, Pete Silva, security, business, education, technology, application delivery, ssl vpn, remote access, context-aware, infrastructure 2.0, video, web, internet

Connect with Peter:	Connect with F5: