byod_byoc ppt - cba psl - 2015-10-28
TRANSCRIPT
MITIGATING PRIVACY AND DATA SECURITY RISKS IN BYOD AND BYOC
INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS
WWW.PRIVACYASSOCIATION.ORG
Presented to the CBA Public Sector Lawyers Forum and Privacy and Access Law Committee
By: Abigail Dubiniecki, B.C.L., LL.B., CIPM Legal Counsel, Canadian Air Transport Security Authority
October 28, 2015
WHAT IS BYOD?
The use by employees of personal electronic communication devices, such as smart phones and tablets (“personal devices”) to perform some or all of their work duties, usually while connected to the employer’s network.
OR AS GARTNER, A GLOBAL IT RESEARCH & ADVISORY COMPANY DESCRIBES IT….
Bring Your Own Device:
The practice of deliberately breaching enterprise security by putting sensitive data on an unknown, uncontrolled, untrusted, unmanaged device.
TECH-SAVVY EMPLOYEES WHO LOVE THE FUNCTIONALITY & FAMILIARITY OF THEIR MOBILE DEVICES & APPS WANT TO INCORPORATE THEM INTO THEIR PROFESSIONAL LIVES.
BYOD & BYOC AS INEVITABLE
“NO ONE IS GOING TO GIVE UP THEIR DEVICES DURING WORK HOURS AND IF YOU TRY AND BAN THEM, THEY’LL JUST USE THEM ON THE SLY. FORCING PEOPLE TO GO UNDERGROUND WITH THEIR SMARTPHONES INCREASES RATHER THAN DECREASES YOUR SECURITY RISKS…”
“WHETHER YOU LIKE IT OR NOT, ENDORSE IT OR NOT, YOUR EMPLOYEES WILL USE THEIR OWN DEVICES FOR WORK-RELATED ACTIVITIES, SO SETTING PARAMETERS IS CRITICAL, AND BOTH YOUR POLICY AND DATA SECURITY PROTOCOLS NEED TO BE TIGHT”
EVEN FORMER SECRETARIES OF STATE DO IT
• Data mining (Yahoo)
• Terms of use monitoring
• E-discovery/spoliation
• ATIP/FIPPA compliance
• Privilege
• Trade secrets
• Unknown 3rd parties
• Savvy subpoenas
• Security (hackers)
• Info-governance (CIA)
PERSONAL EMAIL ACCOUNTS FOR PUBLIC BUSINESS – MANY RISKS WITH LITTLE REWARD?
BYOD has a close cousin lurking in the shadows…
“Bring Your Own Cloud” (BYOC)
The use of third party, cloud-based applications to generate, store, share, or otherwise transmit data for work-related purposes. Also called “shadow IT” when done without corporate approval or blessing.
MOST POPULAR APPS ARE CLOUD-BASED…
WITH FAR-REACHING, NON-NEGOTIABLE PERMISSIONS…
CLOUD USE AS BREACH
BitGlass 2015 experiment: Deliberately posted an Excel spreadsheet containing fake credit card, SSNs, fake names, phone numbers, addresses and profiles to a public DropBox account & to a few cybercrime fora.
Findings
• First 8 days, no movement, 200 views. 4 days later, 800 views.
• After 12 days: opened at least 1081 times in 22 different countries, with clusters in Russia and Nigeria.
• Footprint of private chatroom? Coordinated criminal enterprise? Dark web?
Ponemon study showed it takes over 40 days to detect a non-malicious breach. Often takes months, not days to discover a breach, even a malicious one. Target: 24 days. Home Depot: 4 months. PF Chang’s: 10 months.
THE NON-MALICIOUS INSIDER AS THREAT
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious…Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today,...”
– Ponemon 2013 Cost of Data Breach
Gartner says that by 2017, 75 percent of mobile security breaches will be the result of mobile application misconfiguration. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”
ESDC (2012) and CRA (2006) breaches illustrate that even without BYOD, non-malicious insiders played key roles in serious breaches of personal information. “Employees must therefore be provided timely access to training to ensure that they have the necessary knowledge, skills and competencies to effectively carry out their [ILM] duties.”
DIFFERENT, YET THE SAME
Though corporation relinquishes control in an important way, Information Life Cycle Management (ILM) principles, privacy obligations, discovery obligations, and fair information principles continue to apply.
Data security is about people, and organizations are only as strong as their weakest link. Employees are the biggest wild card, whether or not BYOD or BYOC are formally permitted.
A PARADIGM SHIFT
BYOD & BYOC put privacy, security (and your data) in the hands of the biggest wild cards – employees, 3rd party app developers, cloud providers, family members, data brokers, and networks.
BYOD and BYOC can be secure, but drastic changes are required. This is as much a Legal issue as it is an IT issue.
Re-orient enterprise security programs: Track & protect data, monitor & enforce compliance, protect privacy, meet regulatory requirements = info-governance, HR, risk management, cybersecurity.
Re-think traditional IM/IT approaches: Outlaw (good luck) or leverage the Cloud & 3rd-party apps while protecting security & privacy. ISO 27018; SLAs; shareware (Soonr, Druva InSync), IBM Cloud Security Enforcer.
BYOD & BYOC BLUR PROFESSIONAL AND PERSONAL, CREATING VARIOUS RISKS: (1) PRIVACY (2) DATA & IT SECURITY (3) COMPLIANCE (4) HR/IP
WE CAN’T HAVE PRIVACY WITHOUT SECURITY
Monitoring abnormal activity can identify potential misuse of information or policy breaches & permit early intervention to prevent leaks BUT can lead to over-collection of PII, incl. metadata, such as:
• IP address
• Geo-location/geo-fencing
• Identification & authentication
• Keystroke & screen shots
• Filters & firewalls
• DLP
• Logs, browser history
• Usage stats
BUT IF WE DON’T BALANCE DATA PROTECTION WITH EMPLOYEE PRIVACY, PROTECTIVE MEASURES CAN LEAD TO INVASIVE SURVEILLANCE
PRIVACY IN THE DIGITAL AGE
The devices which give us this freedom also generate immense stores of data about our movements and our lives. Ever-improving GPS technology even allows these devices to track the locations of their owners. Private digital devices record not only our core biographical information but our conversations, photos, browsing interests, purchase records, and leisure pursuits. Our digital footprint is often enough to reconstruct the events of our lives, our relationships with others, our likes and dislikes, our fears, hopes, opinions, beliefs and ideas. Our digital devices are windows to our inner private lives. …our law must also evolve so that modern mobile devices do not become the telescreens of George Orwell’s 1984.
PRIVACY IN THE DIGITAL AGE
Searches of Text Messages and Email - Akin to Wiretapping
R. v. TELUS Communications Co., 2013 SCC 16: Printing of stored text messages subject to wiretap provisions.
R. v. Pelucco, 2015 BCCA 370: Applies to sent text messages.
R. v. S.M., 2012 ONSC 2949: Text conversation is similar to voice conversation.
R. v. Ley and Wiwchar, 2014 BCSC 2108: Zoomed casino CCTV live feed to read text messages.
EMPLOYEES HAVE A REASONABLE EXPECTATION OF PRIVACY, EVEN ON WORK-ISSUED DEVICES
Computers that are used for personal purposes, regardless of where they are found or to whom they belong, “contain the details of our financial, medical, and personal situations”…. This is particularly the case where, as here, the computer is used to browse the Web. Internet-connected devices “reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet”. (R. v. Cole, 2012 SCC 53)
A REASONABLE THOUGH DIMINISHED EXPECTATION OF PRIVACY IS NONETHELESS A REASONABLE EXPECTATION OF PRIVACY
THE POLICIES, PRACTICES, AND CUSTOMS OF THE WORKPLACE ARE RELEVANT TO THE EXTENT THAT THEY CONCERN THE USE OF COMPUTERS BY EMPLOYEES. THESE “OPERATIONAL REALITIES” MAY DIMINISH THE EXPECTATION OF PRIVACY THAT REASONABLE EMPLOYEES MIGHT OTHERWISE HAVE IN THEIR PERSONAL INFORMATION.
EVEN AS MODIFIED BY PRACTICE, HOWEVER, WRITTEN POLICIES ARE NOT DETERMINATIVE OF A PERSON’S REASONABLE EXPECTATION OF PRIVACY. WHATEVER THE POLICIES STATE, ONE MUST CONSIDER THE TOTALITY OF THE CIRCUMSTANCES IN ORDER TO DETERMINE WHETHER PRIVACY IS A REASONABLE EXPECTATION IN THE PARTICULAR SITUATION.
INFORMATIONAL PRIVACY RIGHTS IN THE DIGITAL AGE
PER THE SUPREMES
RIGHT TO PRIVACY, INCLUDING INFORMATIONAL PRIVACY, IS A PRINCIPLE OF FUNDAMENTAL JUSTICE & ESSENTIAL ASPECT OF LIBERTY IN A FREE AND DEMOCRATIC SOCIETY (MILLS)
INFORMATIONAL PRIVACY INCLUDES RIGHT TO ANONYMITY (SPENCER)
SMART PHONES ARE THE FUNCTIONAL EQUIVALENT OF COMPUTERS, AND CELL PHONE SEARCHES MAY CONSTITUTE “VERY SIGNIFICANT INTRUSIONS OF PRIVACY” (R. V. FEARON, 2014 SCC 77)
3 MAJOR TYPES OF RISK AT A GLANCE
Participant Privacy
• Apps
• Location
• Wireless usage
• BGI
• Texts
• Support
• VPN usage
• Phone activity
Cyber & Data Security
• Malware
• Breach
• Cloud
• Exfiltration
• Device loss
• Social media
• Sharing
• Cyber attack
• Bandwidth
Compliance / HR / Legal
• ATIP/LAC
• E-discovery
• CASL 2.0
• OT / costs
• Privilege
• Security classification
• 3rd party confidentiality
• Exceptions
THE OTHER CLINTON SCANDAL – EMAIL-GATE
• Mingled personal & work emails
• Incomplete FOIA response: 30,490 of 62,320 e-mails were printed & given to State Department. 31,380 were not because “private”.
• Who vetted messages?
• Security clearance?
• Keyword searches generally can either be over-inclusive or under-inclusive.
"The current controversy over Secretary Clinton’s use of a private e-mail network for transacting government business presents a wonderful opportunity to have a lively discussion on what information governance means in 2015, for both the public sector and the private sector…The circumstances surrounding Mrs. Clinton’s actions are so highly unusual, and so packed with legal issues going to recordkeeping, open government, privacy, security, not to mention the limitations of keyword searching,…
PART II: WHAT’S AN EMPLOYER TO DO?
• Seize the opportunity
• Adopt PbD & SbD
• Customize
• Compromise
• Collaborate
• Contract
Creating BYOD & BYOC programs that strike a balance between data security and privacy, and which respect ILM and other compliance obligations
ASK WHY AND HOW?
WHY?
• Organization’s objective? Employee’s objective?
• Employee’s favourite devices, apps, functions
• IT capability & tolerance
• Consult stakeholders
• Align expectations & objectives of each
• Trade-offs?
HOW?
• Voluntary? Mandatory?
• Level of Access
• Sensitivity of data
• Eligibility/Segmentation
• Enrollment/Approval
• Devices/OS/Apps
• Support – self-serve
• Exceptions (VIPs)
BYOD SPECTRUM: FROM ROGUE TO MANAGED
• Rogue (on the sly)/unmanaged (free-for-all)
• Wi-Fi Access only (internet) – no Corporate Data, can surf
• Corporate Data via Intranet (kiosk-style) or push/pull notifications
• Email, address book, calendar (Outlook/BB model)
• Other Corporate Databases – read-only
• Corporate d-bases/apps – Write/create/edit
• Full functionality (same access as corp-issued workstation, e.g. VDI)
• Workstation + - add mobile app functionality – complete mobility
Consider why and how you hope BYOD will meet organization needs.
Corporate Access and Control
LEVERAGING THE CLOUD
• SLAs
• PbD/SbD apps
• ISO Cloud Standard
• Specialized clouds
• Private clouds
Options to regain control, improve security have changed the landscape, letting organizations finally benefit from the cloud
BYOC SPECTRUM: FROM ROGUE TO MANAGED
• Rogue (on the sly)/unmanaged (free-for-all, head in sand approach)
• Blanket prohibition (how to monitor & enforce?)
• Good app / bad app list with clear policies (violate provider Ts & Cs?)
• Corporate-issued/designed apps (copy-paste issues; can you compete?)
• 3rd party apps – Business versions of retail apps (Evernote, DropBox)
• 3rd party apps – designed for business (Soonr), law-specific (InSync)
• App-agnostic platforms (IBM Cloud Security Enforcer)
Consider why and how BYOC will meet organization needs, leverage Cloud and implement standards (ISO 27018; TBS & regulator guidance). Where is data stored? Store-in-Canada requirements must be met. Location, location, location!!! See Taking Privacy into Account Before Making Contracting Decisions (data must be stored in Canada)
Corporate Access and Control
SEGREGATE PERSONAL FROM PROFESSIONAL
From Higher Risk to Lower Risk:
• Integrated (Native)
• Segregated (Container)
• Virtualized (Thin Client)
Lowest-risk: no corporate work or data “sticks” to device
MDM solution & BYOC policy & tools required
MDM SOLUTIONS – NOT A SILVER BULLET
When considering allowing the connection of mobile device platforms into the GC corporate enterprise, managers must realize that MDM solutions are not the silver bullet to solving the security issues brought by these platforms. They must consider both the limitations and capabilities of the MDM solution, and the choice of the mobile device platform and the device’s set of implemented security controls.
– CSEC ITSB-64
PIA
• Data flow/inventory
• User Segments
• Defaults – disable unless justified
• Justify rest of PI
• How used?
TRA
• Snapshot in time
• External/internal
• Monitoring & enforcement
• Cyber risk?
• 3rd parties?
• Business Continuity
ASSEMBLE THE DREAM TEAM: IT, LEGAL, PRIVACY, IM, RISK MANAGEMENT
Policy Baseline
• Risk appetite
• Monitoring
• Enforcement
• Expectation of privacy
• Acceptable use
• Gaps?
Other issues
• HR management
• IT capability
• Level of security awareness
• Culture
• Accountability
ALIGN WITH CORPORATE STRATEGY
Policy – Build into Code of Ethics
• Eligibility
• Security requirements
• Acceptable use
• Mine/yours
• Download restrictions
• No expectation of privacy
• Reserve rights
• Mandatory training
• Privilege can be revoked (leave, departures)
Privacy Notice & User Agreement
• Risks (back-up)/Support
• Loss/Remote-Wipe
• Compliance w/ all policies
• OT, stipend, reimbursement?
• ILM obligations
• Corporate data in corporate apps only - classification
• Privacy expectations
• Specific monitoring if nec.
• ATIP/e-Discovery obs
CLEAR POLICY – NOTICE - CONSENT
TREASURY BOARD GUIDANCE
Policy on Acceptable Network and Device Use
3.1 The Government of Canada recognizes that open access to Government of Canada electronic networks and devices, including the Internet, is essential to transforming the way public servants work and serve Canadians. Open access to the Internet including Government of Canada and external Web 2.0 tools and services will enhance productivity, communication and collaboration, and encourage the sharing of knowledge and expertise to support innovation.
3.2 This policy applies to the use of Government of Canada electronic networks for conducting government business and professional and limited personal use, regardless of location of access or device used.
TREASURY BOARD GUIDANCE
Guideline on Acceptable Network and Device Use
2. Defining Professional and Personal Use
In an interactive and mobile work environment, it is important that employees are aware of the expectations of acceptable use when using Government of Canada electronic networks and devices, and Web 2.0 tools and services. This is particularly pertinent given that the networks, devices and social media platforms used for professional purposes are sometimes the same as those used for personal activities, thus potentially blurring the boundaries between the professional and personal use by public servants.
This guideline applies to professional and personal use of Government of Canada electronic networks and devices, and Web 2.0 tools and services by authorized individuals, irrespective of location of access. This includes using government-issued devices on government and public networks, as well as using personal devices, if permitted, on Government of Canada networks (e.g., use of a Virtual Private Network on a personal computer).
Training & Awareness
• Pre-req.
• Annual/semi-annual
• Consent Form – incl. preservation obs & legal holds
• Assume nothing
• Make it fun
Monitoring & Enforcement
• Message (Cole)
• Action
Reassessment:
• Expand?
• Update?
• Insure?
PREPARE, REINFORCE, REASSESS
The regulators speak
BYOD: Is Your Organization Ready? (Ontario)
IT Security and Employee Privacy (BC)
Is a Bring Your Own Device Program the Right Choice for your Organization? (Canada, Alberta, BC)
Bring Your Own Device (Saskatchewan)
White House BYOD Toolkit (US)
Pentagon to launch BYOD pilot this summer (US)
Bring Your Own Device (BYOD) Considerations for Executives (PDF) (AUS)
Fact Sheet: Introduction to Cloud Computing (OPC)
Industry Cloud Computing Consultation RFI (TBS – 2014)
Cloud Computing Guidelines for Public Bodies (BC)
Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations (OPC, Alberta, BC)
The Regulators Speak….
The regulators speak
IXmaps: Mapping Canadian Privacy Risks in the Internet Cloud (OPC-funded research project)
Assessing the Privacy Implications of Extra-National Outsourcing to the Cloud (OPC-funded research project)
Certification/accreditation (FedRAMP (US), ISO/IEC 27018)
Guidelines on Security and Privacy in Cloud Computing (US)
Federal Cloud Computing Strategy (USA)
Bernier, Chantal (Dentons Canada LLP), Privacy on the Cloud: Comparative Analysis with Canadian Law of ISO/IEC 27018 – A Code of Practice for PII Protection in Public Clouds acting as PII Processors, 16 June 2015.
Bernier, Chantal (Dentons Canada LLP), Privacy and Security Guidance: Cloud Computing in the MUSH Sector, 16 June 2015.
Millard, Christopher (Ed.), Cloud Computing Law, Oxford: Oxford University Press, 2013.
More on the Cloud….
ABOUT THE INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (IAPP)
LARGEST PRIVACY ASSOCIATION IN THE WORLD WITH MORE THAN 15,000 MEMBERS IN 83 COUNTRIES. ISO CERTIFICATION
LEARN, CERTIFY, CONNECT, TRAIN… JOIN!
Next Ottawa KnowledgeNet – November 24 - DELOITTE:
EVERYTHING YOU EVER WANTED TO KNOW ABOUT THE EU'S GENERAL DATA PROTECTION REGULATION AND DE-IDENTIFICATION (WITH A HANDS-ON EXERCISE)
Check out a KnowledgeNet or Privacy After Hours event near you!
QUESTIONS?
Abigail Dubiniecki, B.C.L., LL.B., CIPM
Legal Counsel, Canadian Air Transport Security Authority (CATSA)
IAPP KnowledgeNet Chair, Ottawa Chapter
Secretary-Treasurer, CBA Public Sector Lawyers Forum
Email: [email protected] LinkedIn: https://ca.linkedin.com/in/abigaild
THANK YOU!